Edit tour

Windows Analysis Report
gZY58wycW0.exe

Overview

General Information

Sample name:	gZY58wycW0.exe renamed because original name is a hash value
Original sample name:	b7003532f5aa5fa69a130596caab741b.exe
Analysis ID:	1583229
MD5:	b7003532f5aa5fa69a130596caab741b
SHA1:	3bacf9bcb9e610c7e3e60db6ab25fd6b095e6a01
SHA256:	e9b09d935be319887782ca4ea497e451f9bd6bcec6099c9aae8e0661fa2ee61e
Tags:	exeValleyRATuser-abuse_ch
Infos:

Detection

GhostRat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

System process connects to network (likely due to code injection or exploit)

Yara detected GhostRat

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to capture and log keystrokes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for available system drives (often done to infect USB drives)

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to clear windows event logs (to hide its activities)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found evasive API chain (may stop execution after accessing registry keys)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Installs a global mouse hook

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Sleep loop found (likely to delay execution)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

gZY58wycW0.exe (PID: 7572 cmdline: "C:\Users\user\Desktop\gZY58wycW0.exe" MD5: B7003532F5AA5FA69A130596CAAB741B)

explorer.exe (PID: 7592 cmdline: explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: explorer.exe PID: 7592	JoeSecurity_GhostRat	Yara detected GhostRat	Joe Security

Suricata Signatures

ET MALWARE Anonymous RAT CnC Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-02T09:07:14.099929+0100	2052875	1	A Network Trojan was detected	192.168.2.8	49707	34.1.142.70	80	TCP
2025-01-02T09:09:48.656645+0100	2052875	1	A Network Trojan was detected	192.168.2.8	49713	34.1.142.70	80	TCP
2025-01-02T09:10:51.642452+0100	2052875	1	A Network Trojan was detected	192.168.2.8	49715	34.1.142.70	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: gZY58wycW0.exe	ReversingLabs: Detection: 73%
Source: gZY58wycW0.exe	Virustotal: Detection: 68%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: gZY58wycW0.exe

Joe Sandbox ML: detected

Source: gZY58wycW0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Windows\SysWOW64\explorer.exe	File opened: z:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: x:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: v:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: t:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: r:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: p:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: n:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: l:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: j:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: h:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: f:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: b:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: y:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: w:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: u:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: s:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: q:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: o:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: m:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: k:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: i:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: g:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: e:	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	File opened: [:	Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045D1B0 FindFirstFileA,FindClose,	0_2_0045D1B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00454CC6 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_00454CC6
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004E1E9B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_004E1E9B
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00446C90 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_00446C90

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC8A70 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

1_2_04EC8A70

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 4x nop then mov eax, dword ptr fs:[00000000h]		0_2_00468731
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 4x nop then inc ebp		0_2_00472821

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.8:49707 -> 34.1.142.70:80
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.8:49713 -> 34.1.142.70:80
Source: Network traffic	Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.8:49715 -> 34.1.142.70:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 34.1.142.70 80

Jump to behavior

Source: Joe Sandbox View

ASN Name: ATGS-MMD-ASUS ATGS-MMD-ASUS

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_00468650 ioctlsocket,recvfrom,

0_2_00468650

Source: global traffic

DNS traffic detected: DNS query: bf.jlkj9699.com

Source: gZY58wycW0.exe	String found in binary or memory: http://www.eyuyan.com
Source: gZY58wycW0.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$
Source: gZY58wycW0.exe	String found in binary or memory: http://www.eyuyan.comservice
Source: gZY58wycW0.exe	String found in binary or memory: https://m.weibo.cn/detail/
Source: gZY58wycW0.exe	String found in binary or memory: https://passport.weibo.com
Source: gZY58wycW0.exe	String found in binary or memory: https://passport.weibo.com/visitor/genvisitor2
Source: gZY58wycW0.exe	String found in binary or memory: https://passport.weibo.comcb=visitor_gray_callback&tid=&from=weibohttps://passport.weibo.com/visitor
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/ajax/statuses/mymblog?uid=
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/ajax/statuses/mymblog?uid=Host:
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/ajax/statuses/show?id=
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/u/2653906910
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.com/u/2653906910data/list/created_atdata/list//midhttps://weibo.com/
Source: gZY58wycW0.exe	String found in binary or memory: https://weibo.comhttps://m.weibo.cn/detail//Host:
Source: gZY58wycW0.exe	String found in binary or memory: https://www.weibo.com/
Source: gZY58wycW0.exe	String found in binary or memory: https://www.weibo.com/&locale=zh-CN&isGetLongText=truehttps://www.weibo.com/ajax/statuses/show?id=Ho
Source: gZY58wycW0.exe	String found in binary or memory: https://www.weibo.com/ajax/statuses/show?id=

Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to capture and log keystrokes

Source: C:\Windows\SysWOW64\explorer.exe	Code function: [esc]	1_2_04ECF470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: [esc]	1_2_04ECF470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: [esc]	1_2_04ECF470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: [esc]	1_2_04ECF470

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_00471720 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00471720

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00471720 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_00471720
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0043AB70 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,		0_2_0043AB70

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_00471880 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_00471880

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04ECBA20 GetDesktopWindow,GetDC,GetDC,CreateCompatibleDC,GetDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,ReleaseDC,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,CreateCompatibleBitmap,SelectObject,SetStretchBltMode,GetSystemMetrics,GetSystemMetrics,StretchBlt,_memset,GetDIBits,_memset,_memmove,DeleteObject,DeleteObject,ReleaseDC,_memmove,DeleteObject,DeleteObject,ReleaseDC,

1_2_04ECBA20

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04ECF110 Sleep,CreateMutexW,GetLastError,SHGetFolderPathW,lstrcatW,CreateMutexW,WaitForSingleObject,CreateFileW,GetFileSize,CloseHandle,DeleteFileW,ReleaseMutex,DirectInput8Create,GetTickCount,GetKeyState,

1_2_04ECF110

Source: C:\Windows\SysWOW64\explorer.exe

Windows user hook set: 0 mouse low level C:\Windows\System32\DINPUT8.dll

Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004E4A4E GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_004E4A4E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045D360 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_0045D360
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004E6575 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_004E6575
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045B5D0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	0_2_0045B5D0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0046FF80 GetKeyState,GetKeyState,GetKeyState,CopyRect,	0_2_0046FF80

Source: C:\Windows\SysWOW64\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000D330
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001D330
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10009340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_10009340
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10021370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA,	0_2_10021370
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100214B0 GetPropA,NtdllDefWindowProc_A,	0_2_100214B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10011630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA,	0_2_10011630
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000F750
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_1001D8E0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10005900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A,	0_2_10005900
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10005940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A,	0_2_10005940
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10007A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10007A30
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000DA90
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000FD50
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect,	0_2_1001FD50
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10013DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10013DA0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA,	0_2_1001FEA0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10006210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A,	0_2_10006210
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100062B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A,	0_2_100062B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10008310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_10008310
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10006350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006350
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_1000C3F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000E440
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10004510 NtdllDefWindowProc_A,	0_2_10004510
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10006560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006560
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10008710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent,	0_2_10008710
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10014790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10014790
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001E7F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1001C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001C800
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100048E0 NtdllDefWindowProc_A,	0_2_100048E0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10012AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012AD0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10020B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10020B70
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000CBC0 GetPropA,NtdllDefWindowProc_A,	0_2_1000CBC0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10004BD0 NtdllDefWindowProc_A,	0_2_10004BD0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10012BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012BF0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10008CB0 GetPropA,NtdllDefWindowProc_A,	0_2_10008CB0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10008D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,	0_2_10008D40
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10002E40 NtdllDefWindowProc_A,	0_2_10002E40
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10014EA0 GetPropA,NtdllDefWindowProc_A,	0_2_10014EA0

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECB1D9 ExitWindowsEx,	1_2_04ECB1D9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECB1A8 ExitWindowsEx,	1_2_04ECB1A8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECB20A ExitWindowsEx,	1_2_04ECB20A

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00452ED0	0_2_00452ED0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004E3CEF	0_2_004E3CEF
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048C140	0_2_0048C140
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049C1F0	0_2_0049C1F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004902B1	0_2_004902B1
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0046C380	0_2_0046C380
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00490464	0_2_00490464
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004A0410	0_2_004A0410
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004906DE	0_2_004906DE
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048C680	0_2_0048C680
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B4770	0_2_004B4770
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004D88E6	0_2_004D88E6
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004888A0	0_2_004888A0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004DC9AA	0_2_004DC9AA
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00490B10	0_2_00490B10
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00488BB0	0_2_00488BB0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B4C10	0_2_004B4C10
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049CC90	0_2_0049CC90
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00490FE0	0_2_00490FE0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048D140	0_2_0048D140
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B5170	0_2_004B5170
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0043D190	0_2_0043D190
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00455240	0_2_00455240
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00491210	0_2_00491210
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004D13B0	0_2_004D13B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B55C0	0_2_004B55C0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048D930	0_2_0048D930
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045DA20	0_2_0045DA20
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00491C50	0_2_00491C50
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00481D4D	0_2_00481D4D
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00479D10	0_2_00479D10
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004A1EC0	0_2_004A1EC0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B6000	0_2_004B6000
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004822B2	0_2_004822B2
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049E3E0	0_2_0049E3E0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004CA6A0	0_2_004CA6A0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049670E	0_2_0049670E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00456730	0_2_00456730
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00482810	0_2_00482810
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049695E	0_2_0049695E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B6A7E	0_2_004B6A7E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00466AC0	0_2_00466AC0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004CABB0	0_2_004CABB0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B6CCE	0_2_004B6CCE
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048EDB0	0_2_0048EDB0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0042AFE3	0_2_0042AFE3
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004CB270	0_2_004CB270
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0047F2F0	0_2_0047F2F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004BF290	0_2_004BF290
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B7340	0_2_004B7340
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00497450	0_2_00497450
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004BF4C0	0_2_004BF4C0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048F5F0	0_2_0048F5F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0047F620	0_2_0047F620
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00497780	0_2_00497780
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0047F7B0	0_2_0047F7B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004BB8F0	0_2_004BB8F0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048FB09	0_2_0048FB09
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045FB30	0_2_0045FB30
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00483C20	0_2_00483C20
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004BBD10	0_2_004BBD10
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0047BE10	0_2_0047BE10
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004B7EC0	0_2_004B7EC0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0049FE90	0_2_0049FE90
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0048FFC6	0_2_0048FFC6
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100293A1	0_2_100293A1
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10017540	0_2_10017540
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000B6E0	0_2_1000B6E0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10003970	0_2_10003970
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10017BA0	0_2_10017BA0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10002250	0_2_10002250
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10028B99	0_2_10028B99
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_1000EDA0	0_2_1000EDA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC75C0	1_2_04EC75C0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC5D90	1_2_04EC5D90
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC7850	1_2_04EC7850
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC2470	1_2_04EC2470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EE4C1F	1_2_04EE4C1F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EE5D9D	1_2_04EE5D9D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EE6D7F	1_2_04EE6D7F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED3D20	1_2_04ED3D20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EE56C1	1_2_04EE56C1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECFEA0	1_2_04ECFEA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC3670	1_2_04EC3670
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECD7E0	1_2_04ECD7E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EDF7B2	1_2_04EDF7B2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED080F	1_2_04ED080F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EE5170	1_2_04EE5170
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED3940	1_2_04ED3940
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED43E0	1_2_04ED43E0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA0031	1_2_02CA0031
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA8373	1_2_02CA8373
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CAB884	1_2_02CAB884
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA5054	1_2_02CA5054
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB9973	1_2_02CB9973
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB9EC4	1_2_02CB9EC4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB3F68	1_2_02CB3F68
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CABF3C	1_2_02CABF3C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CBB4D5	1_2_02CBB4D5
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA7CE2	1_2_02CA7CE2
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CAB4A4	1_2_02CAB4A4
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA2474	1_2_02CA2474
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB9422	1_2_02CB9422
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA7C3E	1_2_02CA7C3E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E245DE	1_2_04E245DE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E13D97	1_2_04E13D97
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E136DF	1_2_04E136DF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E01E2F	1_2_04E01E2F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E06F7F	1_2_04E06F7F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0574F	1_2_04E0574F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E2673E	1_2_04E2673E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E25080	1_2_04E25080
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0302F	1_2_04E0302F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E101CE	1_2_04E101CE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0D19F	1_2_04E0D19F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E1F171	1_2_04E1F171
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E132FF	1_2_04E132FF
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0FA99	1_2_04E0FA99
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0720F	1_2_04E0720F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E24B2F	1_2_04E24B2F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E0FB3D	1_2_04E0FB3D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1001941E	1_2_1001941E
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10005050	1_2_10005050
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10002470	1_2_10002470
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1000B880	1_2_1000B880
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1000B4A0	1_2_1000B4A0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1001B4D1	1_2_1001B4D1
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1001996F	1_2_1001996F
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10007A00	1_2_10007A00
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10019EC0	1_2_10019EC0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1000BF40	1_2_1000BF40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10013F64	1_2_10013F64
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1000836F	1_2_1000836F

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 004E2DAF appears 50 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 004D2C88 appears 110 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 100260E2 appears 34 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 004882E0 appears 77 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 004B0DB0 appears 97 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 00487ED0 appears 79 times
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: String function: 00488060 appears 38 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04EDBAA0 appears 32 times
Source: C:\Windows\SysWOW64\explorer.exe	Code function: String function: 04E1B45F appears 33 times

Source: gZY58wycW0.exe, 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexy.ProxyGet.dll6 vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000003.1414337067.00000000026F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000002.3887167334.0000000002423000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000003.1412992780.0000000000895000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000003.1412927235.0000000002644000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameyyjson.dll. vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000000.1411982991.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs gZY58wycW0.exe
Source: gZY58wycW0.exe, 00000000.00000000.1411982991.00000000004F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamexy.ProxyGet.dll6 vs gZY58wycW0.exe
Source: gZY58wycW0.exe	Binary or memory string: OriginalFilenameSkinH_EL.dll vs gZY58wycW0.exe
Source: gZY58wycW0.exe	Binary or memory string: OriginalFilenamexy.ProxyGet.dll6 vs gZY58wycW0.exe

Source: gZY58wycW0.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/0@1/1

Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC84F0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle,CloseHandle,	1_2_04EC84F0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC7FA0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetModuleHandleA,GetProcAddress,GetCurrentProcessId,OpenProcess,	1_2_04EC7FA0
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EC80C0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,	1_2_04EC80C0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC75C0 wsprintfW,MultiByteToWideChar,GetDriveTypeW,GetDiskFreeSpaceExW,_memset,GlobalMemoryStatusEx,swprintf,swprintf,

1_2_04EC75C0

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC69C0 _memset,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle,CloseHandle,

1_2_04EC69C0

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004A8F90 CoCreateInstance,

0_2_004A8F90

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004E4F04 FindResourceA,LoadResource,LockResource,

0_2_004E4F04

Source: C:\Users\user\Desktop\gZY58wycW0.exe

File created: C:\Users\user\Desktop\??V

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Mutant created: \Sessions\1\BaseNamedObjects\2024. 8.14

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Process created: C:\Windows\SysWOW64\explorer.exe			Jump to behavior

Source: gZY58wycW0.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gZY58wycW0.exe	ReversingLabs: Detection: 73%
Source: gZY58wycW0.exe	Virustotal: Detection: 68%

Source: C:\Users\user\Desktop\gZY58wycW0.exe

File read: C:\Users\user\Desktop\gZY58wycW0.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\gZY58wycW0.exe "C:\Users\user\Desktop\gZY58wycW0.exe"
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe	Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dinput8.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: inputhost.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: devenum.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msdmo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: avicap32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4657278A-411B-11d2-839A-00C04FD918D0}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Window detected: Number of UI elements: 38

Source: gZY58wycW0.exe

Static file information: File size 1826816 > 1048576

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004544C0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004544C0

Source: gZY58wycW0.exe

Static PE information: real checksum: 0x1c0026 should be: 0x1cb5a5

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004D0870 push eax; ret	0_2_004D089E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004D2C88 push eax; ret	0_2_004D2CA6
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10026100 push eax; ret	0_2_1002612E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100209F7 pushfd ; mov dword ptr [esp], edx	0_2_100209F9
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EEB406 push cs; iretd	1_2_04EEB3DA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EECC1C push ebp; retf	1_2_04EECC20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EEB5B6 push ebx; ret	1_2_04EEB5B7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EDBAE5 push ecx; ret	1_2_04EDBAF8
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EECBF8 push ebp; retf	1_2_04EECC20
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04EEB304 push cs; iretd	1_2_04EEB3DA
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB2639 push ecx; ret	1_2_02CB264C
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CBEF9A push ebx; ret	1_2_02CBEF9B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CBECE8 push cs; iretd	1_2_02CBEDBE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CBEDEA push cs; iretd	1_2_02CBEDBE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E1B4A4 push ecx; ret	1_2_04E1B4B7
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10012635 push ecx; ret	1_2_10012648
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_100112C9 push eax; retf	1_2_100112CA

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00452ED0 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,KiUserCallbackDispatcher,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	0_2_00452ED0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00458390 DestroyIcon,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	0_2_00458390
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045C7C0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	0_2_0045C7C0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00458A60 IsIconic,IsZoomed,	0_2_00458A60
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004CED80 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_004CED80
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10025780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible,	0_2_10025780
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10021800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA,	0_2_10021800
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_10004E30 IsWindowVisible,GetWindowRect,CreateCompatibleDC,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,CreateCompatibleDC,SelectObject,DeleteObject,	0_2_10004E30

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04ECB13A OpenEventLogW,OpenEventLogW,ClearEventLogW,CloseEventLog,

1_2_04ECB13A

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Window / User API: foregroundWindowGot 907	Jump to behavior
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Window / User API: foregroundWindowGot 854	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 363	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 3525	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Window / User API: threadDelayed 5482	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-103535

Source: C:\Windows\SysWOW64\explorer.exe

Evasive API call chain: RegOpenKey,DecisionNodes,Sleep

Source: C:\Users\user\Desktop\gZY58wycW0.exe

API coverage: 4.9 %

Source: C:\Windows\SysWOW64\explorer.exe TID: 7716	Thread sleep count: 363 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7756	Thread sleep count: 43 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7756	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7764	Thread sleep count: 3525 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7764	Thread sleep time: -35250s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7756	Thread sleep count: 5482 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 7756	Thread sleep time: -5482000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Thread sleep count: Count: 3525 delay: -10

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0045D1B0 FindFirstFileA,FindClose,	0_2_0045D1B0
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00454CC6 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_00454CC6
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004E1E9B __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_004E1E9B
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_00446C90 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_00446C90

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC8A70 GetLogicalDriveStringsW,lstrcmpiW,lstrcmpiW,QueryDosDeviceW,lstrlenW,__wcsnicmp,lstrcpyW,lstrcpyW,lstrcatW,

1_2_04EC8A70

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC7D80 GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,

1_2_04EC7D80

Source: explorer.exe, 00000001.00000002.3885906948.0000000002D57000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:

Source: C:\Windows\SysWOW64\explorer.exe

API call chain: ExitProcess graph end node

Source: C:\Windows\SysWOW64\explorer.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04ED9777 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_04ED9777

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04ED78AB VirtualProtect ?,-00000001,00000104,?

1_2_04ED78AB

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004544C0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_004544C0

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0041916B mov ebx, dword ptr fs:[00000030h]	0_2_0041916B
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0040271E mov eax, dword ptr fs:[00000030h]	0_2_0040271E
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0040A984 mov ebx, dword ptr fs:[00000030h]	0_2_0040A984
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_0040B2FE mov ebx, dword ptr fs:[00000030h]	0_2_0040B2FE
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CA0B11 mov eax, dword ptr fs:[00000030h]	1_2_02CA0B11
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04E000CD mov eax, dword ptr fs:[00000030h]	1_2_04E000CD

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_0043DC60 GetProcessHeap,RtlAllocateHeap,

0_2_0043DC60

Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004DBE4F SetUnhandledExceptionFilter,	0_2_004DBE4F
Source: C:\Users\user\Desktop\gZY58wycW0.exe	Code function: 0_2_004DBE3D SetUnhandledExceptionFilter,	0_2_004DBE3D
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ECEB40 Sleep,CloseHandle,GetLocalTime,wsprintfW,SetUnhandledExceptionFilter,CloseHandle,EnumWindows,EnumWindows,Sleep,EnumWindows,Sleep,CreateEventA,Sleep,RegOpenKeyExW,RegQueryValueExW,CloseHandle,Sleep,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,WaitForSingleObject,CloseHandle,Sleep,CloseHandle,	1_2_04ECEB40
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED9777 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_04ED9777
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_04ED6364 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_04ED6364
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CB015B _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_02CB015B
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_02CADE21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_02CADE21
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_10010157 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_10010157
Source: C:\Windows\SysWOW64\explorer.exe	Code function: 1_2_1000DE1D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_1000DE1D

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\explorer.exe

Network Connect: 34.1.142.70 80

Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Memory allocated: C:\Windows\SysWOW64\explorer.exe base: 2CA0000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004010C4 CreateProcessA,Wow64GetThreadContext,VirtualAllocEx,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,CloseHandle,

0_2_004010C4

Contains functionality to inject threads in other processes

Source: C:\Windows\SysWOW64\explorer.exe

Code function: 1_2_04EC8160 Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread,

1_2_04EC8160

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Memory written: PID: 7592 base: 2CA0000 value: E8

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Memory written: C:\Windows\SysWOW64\explorer.exe base: 2CA0000

Jump to behavior

Source: C:\Windows\SysWOW64\explorer.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\SysWOW64\svchost.exe		1_2_04EC8160
Source: C:\Windows\SysWOW64\explorer.exe	Code function: Sleep,OpenProcess,_memset,_memset,GetSystemDirectoryA,GetFileAttributesA,CreateProcessA,OpenProcess,_memset,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetCurrentProcess,GetProcessId,_memset,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread,Sleep,VirtualProtectEx,VirtualProtectEx,VirtualProtectEx,ResumeThread, Windows\System32\svchost.exe		1_2_04EC8160

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Process created: C:\Windows\SysWOW64\explorer.exe explorer.exe

Jump to behavior

Source: explorer.exe, 00000001.00000003.2147915309.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000002.3887743739.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram Manager
Source: explorer.exe, 00000001.00000003.2563956049.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2564011782.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 192.168.2.8 0 min141700Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: explorer.exe, 00000001.00000003.3199967163.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2850616685.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0 min141700Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: explorer.exe, 00000001.00000002.3887743739.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: inProgram ManagerAA\J
Source: explorer.exe, 00000001.00000003.2563956049.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2564011782.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .168.2.8 0 min141700Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free2 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager
Source: explorer.exe, 00000001.00000003.1540358924.0000000005DC1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.3269353550.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000001.00000003.2919639287.0000000005DC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: .168.2.8 0 min141700Windows 10 Pro10.0.190454HDD:1WW 223 Gb Free 168 Gb Mem: 8 Gb Free3 Gb Microsoft Basic Render Driver 0 5140 Microsoft Basic Render Driver 0 5140 Program Manager

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_00401EC7 cpuid

0_2_00401EC7

Source: C:\Windows\SysWOW64\explorer.exe

Code function: _memset,_memset,_memset,gethostname,gethostbyname,inet_ntoa,_strcat_s,_strcat_s,inet_ntoa,_strcat_s,_strcat_s,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,GetLastInputInfo,GetTickCount,wsprintfW,wsprintfW,MultiByteToWideChar,MultiByteToWideChar,GetSystemInfo,wsprintfW,GetForegroundWindow,GetWindowTextW,lstrlenW,lstrlenW,GetModuleHandleW,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,wsprintfW,GetCurrentProcessId,OpenProcess,K32GetProcessImageFileNameW,CloseHandle,GetTickCount,__time64,__localtime64,wsprintfW,GetLocaleInfoW,GetSystemDirectoryW,GetCurrentHwProfileW,

1_2_04EC5D90

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004D2699 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_004D2699

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004D2699 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_004D2699

Source: C:\Users\user\Desktop\gZY58wycW0.exe

Code function: 0_2_004EBAB1 GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_004EBAB1

Source: explorer.exe	Binary or memory string: bdagent.exe
Source: explorer.exe	Binary or memory string: msmpeng.exe
Source: explorer.exe	Binary or memory string: kav.exe
Source: explorer.exe	Binary or memory string: avgui.exe

Stealing of Sensitive Information

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 7592, type: MEMORYSTR

Remote Access Functionality

Yara detected GhostRat

Source: Yara match

File source: Process Memory Space: explorer.exe PID: 7592, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	1 Replication Through Removable Media	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	131 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	1 Screen Capture	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	622 Process Injection	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	131 Input Capture	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	26 System Information Discovery	Distributed Component Object Model	3 Clipboard Data	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	31 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	622 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Indicator Removal	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
gZY58wycW0.exe	74%	ReversingLabs	Win32.Trojan.FatalRAT
gZY58wycW0.exe	68%	Virustotal		Browse
gZY58wycW0.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.eyuyan.com)DVarFileInfo$	0%	Avira URL Cloud	safe
https://passport.weibo.comcb=visitor_gray_callback&tid=&from=weibohttps://passport.weibo.com/visitor	0%	Avira URL Cloud	safe
https://weibo.comhttps://m.weibo.cn/detail//Host:	0%	Avira URL Cloud	safe
http://www.eyuyan.comservice	0%	Avira URL Cloud	safe
http://www.eyuyan.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
bf.jlkj9699.com	34.1.142.70	true	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	gZY58wycW0.exe	false	Avira URL Cloud: safe	unknown
https://weibo.com/	gZY58wycW0.exe	false		high
https://weibo.com/ajax/statuses/mymblog?uid=	gZY58wycW0.exe	false		high
https://weibo.com/u/2653906910	gZY58wycW0.exe	false		high
https://passport.weibo.com/visitor/genvisitor2	gZY58wycW0.exe	false		high
https://weibo.comhttps://m.weibo.cn/detail//Host:	gZY58wycW0.exe	false	Avira URL Cloud: safe	unknown
https://weibo.com/u/2653906910data/list/created_atdata/list//midhttps://weibo.com/	gZY58wycW0.exe	false		high
https://weibo.com	gZY58wycW0.exe	false		high
https://www.weibo.com/ajax/statuses/show?id=	gZY58wycW0.exe	false		high
https://weibo.com/ajax/statuses/show?id=	gZY58wycW0.exe	false		high
http://www.eyuyan.comservice	gZY58wycW0.exe	false	Avira URL Cloud: safe	unknown
http://www.eyuyan.com	gZY58wycW0.exe	false	Avira URL Cloud: safe	unknown
https://www.weibo.com/&locale=zh-CN&isGetLongText=truehttps://www.weibo.com/ajax/statuses/show?id=Ho	gZY58wycW0.exe	false		high
https://passport.weibo.com	gZY58wycW0.exe	false		high
https://weibo.com/ajax/statuses/mymblog?uid=Host:	gZY58wycW0.exe	false		high
https://passport.weibo.comcb=visitor_gray_callback&tid=&from=weibohttps://passport.weibo.com/visitor	gZY58wycW0.exe	false	Avira URL Cloud: safe	unknown
https://m.weibo.cn/detail/	gZY58wycW0.exe	false		high
https://www.weibo.com/	gZY58wycW0.exe	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
34.1.142.70	bf.jlkj9699.com	United States		2686	ATGS-MMD-ASUS	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1583229
Start date and time:	2025-01-02 09:06:05 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	gZY58wycW0.exe renamed because original name is a hash value
Original Sample Name:	b7003532f5aa5fa69a130596caab741b.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 97% Number of executed functions: 90 Number of non-executed functions: 262
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 4.175.87.197
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
03:07:40	API Interceptor	3877709x Sleep call for process: explorer.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ATGS-MMD-ASUS	random.exe	Get hash	malicious	Credential Flusher	Browse	34.160.144.191
	armv5l.elf	Get hash	malicious	Unknown	Browse	33.8.247.170
	armv7l.elf	Get hash	malicious	Unknown	Browse	56.161.195.74
	armv4l.elf	Get hash	malicious	Unknown	Browse	48.248.220.219
	armv6l.elf	Get hash	malicious	Unknown	Browse	48.15.174.221
	loligang.sh4.elf	Get hash	malicious	Mirai	Browse	57.26.56.105
	loligang.arm7.elf	Get hash	malicious	Mirai	Browse	48.195.166.175
	loligang.mips.elf	Get hash	malicious	Mirai	Browse	34.167.142.96
	loligang.spc.elf	Get hash	malicious	Mirai	Browse	32.159.121.64
	loligang.ppc.elf	Get hash	malicious	Mirai	Browse	48.243.207.21

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.773298772971822
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	gZY58wycW0.exe
File size:	1'826'816 bytes
MD5:	b7003532f5aa5fa69a130596caab741b
SHA1:	3bacf9bcb9e610c7e3e60db6ab25fd6b095e6a01
SHA256:	e9b09d935be319887782ca4ea497e451f9bd6bcec6099c9aae8e0661fa2ee61e
SHA512:	ee45400f63820c883bb14e7896a41b19924ba776bdd8bc63d8a2c44cff86476cc0fdc3cb0c8e1015308f372783afede61216f990e0abaa38698fe53b1140a58e
SSDEEP:	24576:XINbse2PjHb0C+mZhw/7tOy7K3Jw4NOe+mbMDyJUyTrA6U4hfM11yS4JnzW:XwmZoOybgOe+mSyJdTM6U4hM1vT
TLSH:	7F85CF12F381C0F6C615267148AB57387A359B481B35CFC3A7E4ED786C72291EB3B25A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........D._.._.._..0.!.]....$.t..$.&.\....9.s..=.9.H.._.+....i. ....i.!......!...... .D.._..{....,.^..Rich_.*........

File Icon


Icon Hash:	3a9c4c6761cc9c31

Static PE Info

General

Entrypoint:	0x4cf2a2
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE
Time Stamp:	0x676E91C7 [Fri Dec 27 11:38:47 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f737ddbfe4ab2f8af22e7ac3752e8615

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0057FBB0h
push 004D1FE4h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [004F21D4h]
xor edx, edx
mov dl, ah
mov dword ptr [005DBB48h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [005DBB44h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [005DBB40h], ecx
shr eax, 10h
mov dword ptr [005DBB3Ch], eax
push 00000001h
call 00007F2BD8B41540h
pop ecx
test eax, eax
jne 00007F2BD8B3C0BAh
push 0000001Ch
call 00007F2BD8B3C178h
pop ecx
call 00007F2BD8B412EBh
test eax, eax
jne 00007F2BD8B3C0BAh
push 00000010h
call 00007F2BD8B3C167h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F2BD8B41119h
call dword ptr [004F2390h]
mov dword ptr [005E0CA4h], eax
call 00007F2BD8B40FD7h
mov dword ptr [005DBAB8h], eax
call 00007F2BD8B40D80h
call 00007F2BD8B40CC2h
call 00007F2BD8B3FF79h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [004F2194h]
call 00007F2BD8B40C53h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F2BD8B3C0B8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1899b8	0x118	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1e1000	0x11dec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xf2000	0x740	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xf0832	0xf1000	3ec4db944aa1e44052abdbf5a4d3d21b	False	0.46686069599325725	data	6.501674602090998	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xf2000	0x99e96	0x9a000	08bab3190b5fd6b1714f8c4d18b3f978	False	0.7054570185673701	data	7.146130881868274	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x18c000	0x54caa	0x20000	2db6fb2e55ba8061334ab4d2c7d49ddc	False	0.29416656494140625	data	5.412914411744272	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1e1000	0x11dec	0x12000	02ee78364840a9b4793416a96760ff2a	False	0.3049587673611111	data	5.138433008450167	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x1e1d44	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x1e1d50	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x1e1d68	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x1e1ebc	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x1e1ff0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x1e2124	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x1e2258	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x1e230c	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.3598901098901099
RT_BITMAP	0x1e2478	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x1e26c0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x1e2804	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x1e295c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x1e2ab4	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x1e2c0c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x1e2d64	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x1e2ebc	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x1e3014	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x1e316c	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x1e32c4	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x1e38a8	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x1e3960	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x1e3acc	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x1e3c10	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x1e3ef8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x1e4020	0x2488	PNG image data, 256 x 0, 8-bit/color RGBA, non-interlaced			0.9944396920444825
RT_ICON	0x1e64a8	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 0			0.11454888993859234
RT_ICON	0x1ea6d0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0			0.15342323651452283
RT_ICON	0x1ecc78	0x1a68	Device independent bitmap graphic, 40 x 80 x 32, image size 0			0.182396449704142
RT_ICON	0x1ee6e0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0			0.2401500938086304
RT_ICON	0x1ef788	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0			0.325
RT_ICON	0x1f0110	0x6b8	Device independent bitmap graphic, 20 x 40 x 32, image size 0			0.3697674418604651
RT_ICON	0x1f07c8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0			0.44769503546099293
RT_MENU	0x1f0c30	0xc	data	Chinese	China	1.5
RT_MENU	0x1f0c3c	0x284	data	Chinese	China	0.5
RT_DIALOG	0x1f0ec0	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x1f0f58	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x1f10d4	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x1f11d0	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x1f12bc	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x1f1b6c	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x1f1c20	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x1f1cec	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x1f1da0	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x1f1e84	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x1f2010	0x50	data	Chinese	China	0.85
RT_STRING	0x1f2060	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x1f208c	0x78	data	Chinese	China	0.925
RT_STRING	0x1f2104	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x1f22c8	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x1f23f4	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x1f253c	0x40	data	Chinese	China	0.65625
RT_STRING	0x1f257c	0x64	data	Chinese	China	0.73
RT_STRING	0x1f25e0	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x1f27b8	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x1f28cc	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x1f28f0	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x1f2904	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x1f2918	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x1f293c	0x76	data			0.788135593220339
RT_GROUP_ICON	0x1f29b4	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x1f29c8	0x14	data	Chinese	China	1.25
RT_VERSION	0x1f29dc	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0x1f2c1c	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
KERNEL32.dll	GetLocalTime, GetSystemTime, GetTimeZoneInformation, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, GetCurrentProcess, DuplicateHandle, lstrcpynA, SetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, InterlockedIncrement, RaiseException, TerminateProcess, HeapSize, GetACP, UnhandledExceptionFilter, FreeEnvironmentStringsA, FreeEnvironmentStringsW, GetEnvironmentStrings, GetEnvironmentStringsW, SetHandleCount, GetStdHandle, GetFileType, GetEnvironmentVariableA, HeapDestroy, HeapCreate, VirtualFree, SetEnvironmentVariableA, LCMapStringA, LCMapStringW, VirtualAlloc, IsBadWritePtr, GetStringTypeA, GetStringTypeW, SetUnhandledExceptionFilter, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, SetStdHandle, InterlockedExchange, SuspendThread, ReleaseMutex, CreateMutexA, TerminateThread, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, CloseHandle, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, GetFileAttributesA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, WaitForSingleObject, TlsFree
USER32.dll	LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, UnregisterClassA, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, IsRectEmpty, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, LockWindowUpdate, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBoxA, GetCursorPos, GetSystemMetrics, EmptyClipboard, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, LoadStringA, GetSysColorBrush, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, RedrawWindow
GDI32.dll	Escape, GetTextMetricsA, TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtTextOutA, ExtSelectClipRgn, SetBkColor, CreateRectRgnIndirect, SetStretchBltMode, GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, CreatePen, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, LineTo, MoveToEx, ExcludeClipRect, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode
WINMM.dll	midiStreamOut, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, waveOutGetNumDevs, waveOutOpen, midiOutUnprepareHeader, midiStreamOpen, waveOutRestart, midiStreamProperty, midiOutPrepareHeader, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegOpenKeyExA, RegSetValueExA, RegQueryValueA, RegCreateKeyExA, RegCloseKey
SHELL32.dll	ShellExecuteA, Shell_NotifyIconA, DragQueryFileA
ole32.dll	CLSIDFromProgID, OleRun, CoCreateInstance, CLSIDFromString, OleUninitialize, OleInitialize, RegisterDragDrop, RevokeDragDrop, ReleaseStgMedium
OLEAUT32.dll	SafeArrayGetDim, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayGetElement, VariantCopyInd, VariantInit, SysAllocString, SafeArrayDestroy, SafeArrayCreate, SafeArrayPutElement, RegisterTypeLib, LHashValOfNameSys, LoadTypeLib, UnRegisterTypeLib, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear
COMCTL32.dll	ImageList_Read, ImageList_Destroy, ImageList_Duplicate, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_GetIcon
WS2_32.dll	WSAAsyncSelect, WSACleanup, ntohl, accept, getpeername, recv, inet_ntoa, closesocket, recvfrom, ioctlsocket
WLDAP32.dll
comdlg32.dll	ChooseColorA, ChooseFontA, GetOpenFileNameA, GetSaveFileNameA, GetFileTitleA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-02T09:07:14.099929+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.8	49707	34.1.142.70	80	TCP
2025-01-02T09:09:48.656645+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.8	49713	34.1.142.70	80	TCP
2025-01-02T09:10:51.642452+0100	2052875	ET MALWARE Anonymous RAT CnC Checkin	1	192.168.2.8	49715	34.1.142.70	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:07:04.133025885 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:04.137833118 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:04.137921095 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:04.140836954 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:04.145632029 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:05.466876984 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:05.507567883 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:05.514858007 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:05.520354033 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063344002 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063360929 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063373089 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063433886 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.063493967 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063504934 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063515902 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063536882 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.063563108 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.063674927 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063688040 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063699961 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.063750982 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.064102888 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.064138889 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.544092894 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544138908 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544151068 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544204950 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.544279099 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544291019 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544317007 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.544574022 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544585943 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544610023 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544620991 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.544656992 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.544862986 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.544996977 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545006990 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545042038 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.545109034 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545150995 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545164108 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.545726061 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545768976 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.545861959 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545874119 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.545921087 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.546001911 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.546013117 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.546053886 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.546665907 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.546678066 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.546688080 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.546709061 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.549029112 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.549076080 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.986572981 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986605883 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986620903 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986711979 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986711025 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.986725092 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986798048 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986808062 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.986809969 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986862898 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.986931086 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.986946106 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987005949 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987113953 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987128019 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987166882 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987214088 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987241983 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987299919 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987318993 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987329006 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987334013 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987360954 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987426043 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987454891 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987570047 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987584114 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987632990 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987647057 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987674952 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987751961 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987806082 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987818956 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987834930 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.987862110 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.987873077 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988089085 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988102913 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988117933 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988149881 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988296032 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988310099 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988323927 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988333941 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988339901 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988368988 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988584995 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988603115 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988621950 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988641977 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988709927 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.988778114 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988826990 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988840103 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.988867044 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.989032984 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.989047050 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.989061117 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.989084959 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.989095926 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.989279032 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.989293098 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.989336014 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.989502907 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.991568089 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.991583109 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.991597891 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:06.991621017 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.991633892 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:06.991671085 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.038789988 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.429411888 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429447889 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429497957 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.429667950 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429723978 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429763079 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.429820061 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429836988 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.429876089 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430059910 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430074930 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430088997 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430103064 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430115938 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430128098 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430152893 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430332899 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430347919 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430361986 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430375099 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430382967 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430387974 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430406094 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430430889 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430690050 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430705070 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430717945 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430732012 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430746078 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.430768967 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.430782080 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431085110 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431099892 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431113958 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431127071 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431142092 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431142092 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431157112 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431163073 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431178093 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431519032 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431533098 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431545973 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431556940 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431571007 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431581020 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431591034 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431602001 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431606054 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431618929 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431622028 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431636095 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431649923 CET	80	49706	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:07.431662083 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:07.431698084 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:08.640820980 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:08.645731926 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:08.645821095 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:10.445595980 CET	49706	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:13.552988052 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:13.557949066 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:14.095257044 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:14.099929094 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:14.104720116 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:24.838169098 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:24.843081951 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:25.379414082 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:25.429455996 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:25.474250078 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:25.479077101 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:41.846184969 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:41.851038933 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:42.385859013 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:42.429476976 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:42.437160015 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:42.441931009 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:58.449165106 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:58.455584049 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:58.991789103 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:07:59.038892031 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:59.099390984 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:07:59.104259968 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:14.856045961 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:14.860939026 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:15.395638943 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:15.445183039 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:15.503910065 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:15.508759975 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:32.841272116 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:32.846262932 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:33.381213903 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:33.473994970 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:33.478980064 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:49.699944019 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:49.700041056 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:49.705590963 CET	80	49707	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:49.705662012 CET	49707	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:51.633971930 CET	49710	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:51.634037018 CET	443	49710	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:51.634166002 CET	49710	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:56.449111938 CET	49710	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:08:56.449152946 CET	443	49710	34.1.142.70	192.168.2.8
Jan 2, 2025 09:08:56.449218035 CET	443	49710	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:07.853427887 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:07.858372927 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:07.858481884 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:12.650918007 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:12.655857086 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:13.185988903 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:13.399012089 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:13.399064064 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:13.550430059 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:13.555221081 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:25.121099949 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:25.121207952 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:25.125952005 CET	80	49711	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:25.126003981 CET	49711	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:27.088356018 CET	49712	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:27.088397026 CET	443	49712	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:27.088551044 CET	49712	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:32.022381067 CET	49712	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:32.022427082 CET	443	49712	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:32.022489071 CET	443	49712	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:43.227621078 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:43.232688904 CET	80	49713	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:43.232786894 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:48.119388103 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:48.124330044 CET	80	49713	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:48.651372910 CET	80	49713	34.1.142.70	192.168.2.8
Jan 2, 2025 09:09:48.656645060 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:09:48.661479950 CET	80	49713	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:00.057923079 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:00.058043957 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:00.062720060 CET	80	49713	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:00.062796116 CET	49713	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:02.038688898 CET	49714	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:02.038757086 CET	443	49714	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:02.038863897 CET	49714	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:06.994878054 CET	49714	443	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:06.994956017 CET	443	49714	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:06.995027065 CET	443	49714	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:18.165247917 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:18.170094967 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:18.170200109 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:23.015398026 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:23.020257950 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:23.426465988 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:23.431732893 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:23.436533928 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:34.947618961 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:34.952397108 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:35.361512899 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:35.429882050 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:35.689325094 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:35.694155931 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:51.642452002 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:51.647505045 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:52.305526018 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:10:52.351826906 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:52.412991047 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:10:52.417869091 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:11:09.539611101 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:11:09.539611101 CET	49715	80	192.168.2.8	34.1.142.70
Jan 2, 2025 09:11:09.544600010 CET	80	49715	34.1.142.70	192.168.2.8
Jan 2, 2025 09:11:09.550570011 CET	49715	80	192.168.2.8	34.1.142.70

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 2, 2025 09:07:03.552319050 CET	59153	53	192.168.2.8	1.1.1.1
Jan 2, 2025 09:07:04.129319906 CET	53	59153	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 2, 2025 09:07:03.552319050 CET	192.168.2.8	1.1.1.1	0x66f1	Standard query (0)	bf.jlkj9699.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 2, 2025 09:07:04.129319906 CET	1.1.1.1	192.168.2.8	0x66f1	No error (0)	bf.jlkj9699.com		34.1.142.70	A (IP address)	IN (0x0001)	false

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49706	34.1.142.70	80	7592	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:07:04.140836954 CET	24	OUT	Data Raw: 18 00 00 00 29 39 4d 00 00 00 00 00 ca 00 20 33 e8 ec d1 07 4a 9a 90 61 Data Ascii: )9M 3Ja
Jan 2, 2025 09:07:05.466876984 CET	71	IN	Data Raw: 47 00 00 00 29 39 4d 00 00 00 00 00 ca 00 20 33 e8 bc b1 b7 2a d8 f1 54 fb f8 e8 e2 e1 28 e9 c1 c8 29 4b b4 e8 86 64 67 57 9e f4 5f a0 2a 01 d5 a5 08 a6 c5 94 f0 85 b4 83 ed 12 48 78 71 ab 99 69 d0 ce e4 99 f1 b3 Data Ascii: G)9M 3T()KdgW_Hxqi
Jan 2, 2025 09:07:05.514858007 CET	66	OUT	Data Raw: 42 00 00 00 29 39 4d 00 00 00 00 00 ca 00 20 33 e8 e8 d1 85 a0 22 40 1c 5c 64 79 22 b8 e6 9e 77 d1 4b d4 73 e8 fe ef 31 c7 21 fc 12 99 78 0d 69 bf 68 b2 ce e3 79 93 a9 0e dd 93 39 39 c3 ca f4 a8 36 Data Ascii: B)9M 3"@\dy"wKs1!xihy996
Jan 2, 2025 09:07:06.063344002 CET	1236	IN	Data Raw: df ef 01 00 29 39 4d 00 00 00 00 00 ca 00 20 33 67 30 ac 67 d9 45 2d 5c 67 2c 2c bf 86 64 98 d5 18 43 5d 2f 8d 16 2c 82 5a 40 ea 5b eb 7a 82 51 37 14 cd d6 3f 18 fb 7a bd a4 56 ec 00 85 98 66 1e fd 1a 9f 35 3a f5 e4 d0 b1 37 46 b2 8e 15 a5 03 be Data Ascii: )9M 3g0gE-\g,,dC]/,Z@[zQ7?zVf5:7F;\|Z)2-D7I?L^4ZF'1.$GYo*Kdj$XF rDDRCQde}EZ/T%UD~K-n=YG\|^!f{n/
Jan 2, 2025 09:07:06.063360929 CET	1236	IN	Data Raw: 92 c4 70 ed a4 fe 56 69 aa c8 1c 26 2c 3f f5 c9 9d c8 31 61 a4 a5 1a 4c 60 b5 7d dc 0e 3e 11 6d 3c 31 59 91 8c b6 f4 b4 ae 53 bb a6 21 e5 1a 3b c2 9f e2 46 82 93 4d 2d 51 a4 86 be fd 23 8f cb 8b fc 1a 11 37 13 f0 37 7b 71 c4 91 37 79 72 bb d5 df Data Ascii: pVi&,?1aL`}>m<1YS!;FM-Q#77{q7yr]rXX~R#\[N@VctuN:sd[bimLEM']"r_6<vv{-jj0l6M{p_)sZ:uF\)2Jmb$
Jan 2, 2025 09:07:06.063373089 CET	1236	IN	Data Raw: 89 cd 13 f0 44 1b a5 1e 00 08 52 74 5c 5f b3 0a e3 b0 05 22 31 f4 36 13 da a3 56 5a 9f 8b cc 77 03 82 f5 64 e9 8a 2d 2b 70 8f 32 ce 5b e3 af 69 ce c3 b0 5c 96 2b b1 a1 50 bb 30 6f c3 06 26 41 15 3f 0a e8 7b 93 3c 2e 57 5e 1c a8 54 83 04 af d8 4d Data Ascii: DRt\_"16VZwd-+p2[i\+P0o&A?{<.W^TMQUEdHkr^jeNz#g;<7K`qJplbh361%?s851C'))XJGa"$BN!-IGkAQy:S/<"
Jan 2, 2025 09:07:06.063493967 CET	1236	IN	Data Raw: 92 a2 1f a5 b0 4b 95 ae 54 a7 f8 e2 50 6f c0 25 b1 c2 67 4e 98 b8 43 70 ac 40 59 91 d8 9a ce bc 8c 58 03 9f 44 b1 dc d0 12 73 c6 06 e8 0a b6 95 6e 80 3f f9 ba e1 bd 4b 6e ac 5f 55 60 38 cf 5a 73 b4 81 d9 3d 26 29 f1 1b 4d e9 7d d4 bd a4 54 3d 05 Data Ascii: KTPo%gNCp@YXDsn?Kn_U`8Zs=&)M}T=uo?Du678T-9S,0lf".8t5V6O[[5Q^izJ_Wn\VZos8=DV*?@1$}=;z
Jan 2, 2025 09:07:06.063504934 CET	1236	IN	Data Raw: 70 35 24 c7 32 3c 52 ca 46 3c 7c 29 80 cf 61 99 99 55 48 f5 09 a7 71 9a 27 d6 b9 2f fb 6b ce 73 99 94 84 93 92 a5 47 da 5e 92 ac 6d b9 21 76 9d 1f fc b8 0e c9 60 ba 0f 12 d5 63 62 72 bc 7b 7e 20 b3 3d 62 c6 52 d9 2c ba a3 e2 e0 d0 19 d1 32 9d d7 Data Ascii: p5$2<RF<\|)aUHq'/ksG^m!v`cbr{~ =bR,2/?$&)jZZ?Mp{cB$_lp&Z1jg^NWeXT4? .1)nX"1~OD6\e\|rq$e`Lc"9jHkr>=
Jan 2, 2025 09:07:06.063515902 CET	1236	IN	Data Raw: b0 88 9a bf 8f ce a9 23 ae 4b 83 2a b7 d5 02 ad 78 fa cd 31 66 8c e6 8a c8 76 a0 c7 71 b3 0b f5 92 04 5f e0 3f c7 0c 87 cc f1 e8 f3 b2 d4 71 09 bf e2 94 0a b7 be d5 81 59 75 7d 7d 4f 23 b7 71 32 a7 99 ad 6c 6f ce f5 5c 07 65 a8 1f 80 7e 57 d0 f4 Data Ascii: #Kx1fvq_?qYu}}O#q2lo\e~WPgsQztG}\|^UwvWso{+tqnVVpN\|O }q+~hz1t,h&)T${Wg\|`\|g]Q_l dU))ntQ2}b
Jan 2, 2025 09:07:06.063674927 CET	1236	IN	Data Raw: 9c 17 f2 09 3e 0d 1c c3 fc 67 23 d1 2e 63 ec 04 63 c9 c4 d3 a4 af 91 39 b2 72 9c 71 53 aa ed 41 59 bf 1d dc 93 b6 f6 96 fa 9d 7a 75 41 f1 b5 05 3f bc e3 60 49 14 73 6c 90 37 96 0d 94 8e 29 44 55 75 4f 21 96 a6 c6 2d 32 70 2a a4 f7 15 80 c5 a1 4c Data Ascii: >g#.cc9rqSAYzuA?`Isl7)DUuO!-2pL\enH'ucctwsnt%RWKSD8y?(0=X0\v`~InG?-9y4K =U}2YHnO/p$]^

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49707	34.1.142.70	80	7592	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:07:13.552988052 CET	563	OUT	Data Raw: 33 02 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 f8 d9 50 79 bb 4b 4a 51 2f 57 a0 be 00 74 1c 88 93 e7 50 91 03 9f 2a c7 c9 69 d6 37 43 59 88 b8 52 1f 10 30 bf bc 52 2a 71 09 27 88 a4 0c 12 a1 61 3b d1 fe 39 4e dc ed 6d 55 d0 05 11 e3 c7 2e 27 78 Data Ascii: 3MMGPyKJQ/WtPi7CYR0Rq'a;9NmU.'xHlPMsB]6,f#3zRMa<VX7A(e+TsJ>HR3x(nd\D@S4?A]7zUCgAYK7*OPO-uR
Jan 2, 2025 09:07:14.095257044 CET	23	IN	Data Raw: 17 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 4b e1 37 6b 0a 91 Data Ascii: MMG.K7k
Jan 2, 2025 09:07:14.099929094 CET	23	OUT	Data Raw: 17 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 43 e1 37 6c 0a 96 Data Ascii: MMG.C7l
Jan 2, 2025 09:07:24.838169098 CET	23	OUT	Data Raw: 17 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 47 e1 37 6a 0a 90 Data Ascii: MMG.G7j
Jan 2, 2025 09:07:25.379414082 CET	24	IN	Data Raw: 18 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 87 e1 37 a1 9e 5a 1d Data Ascii: MMG.7Z
Jan 2, 2025 09:07:25.474250078 CET	63	OUT	Data Raw: 3f 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 76 2e d1 57 f0 6a 92 b2 40 91 a5 f6 ac 6b 3c 75 6b 88 7a 50 69 3d 56 f7 9d d4 c5 bc 60 1b 0f 53 38 bc 50 76 11 f5 17 3a 61 0a 03 de 4e 62 08 Data Ascii: ?MMGv.Wj@k<ukzPi=V`S8Pv:aNb
Jan 2, 2025 09:07:41.846184969 CET	23	OUT	Data Raw: 17 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 47 e1 37 6a 0a 90 Data Ascii: MMG.G7j
Jan 2, 2025 09:07:42.385859013 CET	24	IN	Data Raw: 18 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 87 e1 37 a1 9e 5a 1d Data Ascii: MMG.7Z
Jan 2, 2025 09:07:42.437160015 CET	63	OUT	Data Raw: 3f 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 76 2e d1 57 f0 6a 92 b2 40 91 a5 f6 ac 6b 3c 75 6b 88 7a 50 69 3d 56 f7 9d d4 c5 bc 60 1b 0f 53 38 bc 50 76 11 f5 17 3a 61 0a 03 de 4e 62 08 Data Ascii: ?MMGv.Wj@k<ukzPi=V`S8Pv:aNb
Jan 2, 2025 09:07:58.449165106 CET	23	OUT	Data Raw: 17 00 00 00 1e 4d 4d 00 00 00 00 00 ca 00 fe 47 2e 47 e1 37 6a 0a 90 Data Ascii: MMG.G7j

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49711	34.1.142.70	80	7592	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:09:12.650918007 CET	568	OUT	Data Raw: 38 02 00 00 c3 de 4d 0b 00 00 00 00 ca 00 e4 a3 0e af 9f 68 2b bd 65 04 28 6d e2 4d 30 79 1d 16 b2 06 eb 2d 51 59 3c 62 07 08 21 c6 b0 4a 79 37 63 6d 92 06 8e c3 25 1e 28 d8 d8 12 a5 85 74 37 8c 47 51 b8 59 98 0f e9 5f 0c a0 76 8d d2 0d 9f 75 29 Data Ascii: 8Mh+e(mM0y-QY<b!Jy7cm%(t7GQY_vu)1f]OI^&1ue~kOhj+NvxoPr!!k`WtMk(Nm811DBG%vv+S0a=ah^/Q8->]]J=xCN3Z
Jan 2, 2025 09:09:13.185988903 CET	23	IN	Data Raw: 17 00 00 00 c3 de 4d 0b 00 00 00 00 ca 00 e4 a3 d8 3d 5e 26 3b fd be Data Ascii: M=^&;
Jan 2, 2025 09:09:13.399012089 CET	23	IN	Data Raw: 17 00 00 00 c3 de 4d 0b 00 00 00 00 ca 00 e4 a3 d8 3d 5e 26 3b fd be Data Ascii: M=^&;
Jan 2, 2025 09:09:13.550430059 CET	23	OUT	Data Raw: 17 00 00 00 c3 de 4d 0b 00 00 00 00 ca 00 e4 a3 d8 35 5e 26 3c fd b9 Data Ascii: M5^&<
Jan 2, 2025 09:09:25.121099949 CET	23	OUT	Data Raw: 17 00 00 00 c3 de 4d 0b 00 00 00 00 ca 00 e4 a3 d8 31 5e 26 3a fd bf Data Ascii: M1^&:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49713	34.1.142.70	80	7592	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:09:48.119388103 CET	566	OUT	Data Raw: 36 02 00 00 d3 e8 4b 21 00 00 00 00 ca 00 e5 70 a8 53 0b d1 08 3f d7 40 c8 c7 52 5f 3e 73 10 fb 3f 8c 35 61 9c 1e 37 50 00 1d f9 60 08 f5 c6 76 af 31 d1 63 f4 15 74 c8 2e 24 32 cb 60 02 be c7 d5 02 c9 4d 86 33 e6 07 b2 3f 1f 51 33 2c b9 ea 17 b5 Data Ascii: 6K!pS?@R_>s?5a7P`v1ct.$2`M3?Q3,,i#mWV=D8P.7O *z.PdH1m;YhG\|V}NN,Q0(B-@0cxB)16'g-<xYs_oh\|[
Jan 2, 2025 09:09:48.651372910 CET	23	IN	Data Raw: 17 00 00 00 d3 e8 4b 21 00 00 00 00 ca 00 e5 70 7e c1 c6 bf 10 7f 08 Data Ascii: K!p~
Jan 2, 2025 09:09:48.656645060 CET	23	OUT	Data Raw: 17 00 00 00 d3 e8 4b 21 00 00 00 00 ca 00 e5 70 7e c9 c6 bf 17 7f 0f Data Ascii: K!p~
Jan 2, 2025 09:10:00.057923079 CET	23	OUT	Data Raw: 17 00 00 00 d3 e8 4b 21 00 00 00 00 ca 00 e5 70 7e cd c6 bf 11 7f 09 Data Ascii: K!p~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49715	34.1.142.70	80	7592	C:\Windows\SysWOW64\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jan 2, 2025 09:10:23.015398026 CET	570	OUT	Data Raw: 3a 02 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 8e d6 10 09 05 5f a3 ea fa cd cd 61 c4 85 a5 99 a8 eb f6 dc 56 3d 80 f1 31 23 2e ca df 9b b5 2e f0 ac 58 b0 73 db 06 01 a5 3e f4 e2 3c 91 2a 97 d1 64 28 cb 4a 64 37 91 0e 3d 55 75 8e 27 10 4c 78 01 Data Ascii: :.I7^_aV=1#..Xs><*d(Jd7=Uu'LxWH+VdP^vGg=NDH^Qxw?aXAOK^+I}@m=iin]b:TJ1.x(,ncgk#7j2Rue8(&3
Jan 2, 2025 09:10:23.426465988 CET	23	IN	Data Raw: 17 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 44 df 67 1d 1f 78 Data Ascii: .I7^XDgx
Jan 2, 2025 09:10:23.431732893 CET	23	OUT	Data Raw: 17 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 4c df 67 1a 1f 7f Data Ascii: .I7^XLg
Jan 2, 2025 09:10:34.947618961 CET	23	OUT	Data Raw: 17 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 48 df 67 1c 1f 79 Data Ascii: .I7^XHgy
Jan 2, 2025 09:10:35.361512899 CET	24	IN	Data Raw: 18 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 88 df 67 d7 8b b3 e6 Data Ascii: .I7^Xg
Jan 2, 2025 09:10:35.689325094 CET	63	OUT	Data Raw: 3f 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 00 21 ef 07 86 7f 7b 49 8d fa aa be c6 9d 8e 93 04 85 97 e3 60 ba 60 ac c3 e3 7d 62 b8 20 22 6f 3c a9 0c ac 57 a1 0a c9 3e 38 bc 22 ba 63 a0 Data Ascii: ?.I7^!{I``}b "o<W>8"c
Jan 2, 2025 09:10:51.642452002 CET	23	OUT	Data Raw: 17 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 48 df 67 1c 1f 79 Data Ascii: .I7^XHgy
Jan 2, 2025 09:10:52.305526018 CET	24	IN	Data Raw: 18 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 88 df 67 d7 8b b3 e6 Data Ascii: .I7^Xg
Jan 2, 2025 09:10:52.412991047 CET	63	OUT	Data Raw: 3f 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 00 21 ef 07 86 7f 7b 49 8d fa aa be c6 9d 8e 93 04 85 97 e3 60 ba 60 ac c3 e3 7d 62 b8 20 22 6f 3c a9 0c ac 57 a1 0a c9 3e 38 bc 22 ba 63 a0 Data Ascii: ?.I7^!{I``}b "o<W>8"c
Jan 2, 2025 09:11:09.539611101 CET	23	OUT	Data Raw: 17 00 00 00 2e f1 49 37 00 00 00 00 ca 00 5e 8f 58 48 df 67 1c 1f 79 Data Ascii: .I7^XHgy

Target ID:	0
Start time:	03:07:00
Start date:	02/01/2025
Path:	C:\Users\user\Desktop\gZY58wycW0.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\gZY58wycW0.exe"
Imagebase:	0x400000
File size:	1'826'816 bytes
MD5 hash:	B7003532F5AA5FA69A130596CAAB741B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	03:07:00
Start date:	02/01/2025
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	explorer.exe
Imagebase:	0x470000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	6.3%
Signature Coverage:	10.3%
Total number of Nodes:	2000
Total number of Limit Nodes:	134

Executed Functions

Function 00452ED0 Relevance: 55.2, APIs: 29, Strings: 2, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00452F42
IsIconic.USER32(?), ref: 00452F7A
SetActiveWindow.USER32(?), ref: 00452FA3
IsWindow.USER32(?), ref: 00452FCD
IsWindow.USER32(?), ref: 0045329E
DestroyAcceleratorTable.USER32(?), ref: 004533EE
DestroyMenu.USER32(?), ref: 004533F9
DestroyAcceleratorTable.USER32(?), ref: 00453413
DestroyMenu.USER32(?), ref: 00453422
DestroyAcceleratorTable.USER32(?), ref: 00453482
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,?,?,000007D9,00000000,00000000), ref: 00453491
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00453513
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 0045362B
IsWindow.USER32(?), ref: 0045375C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 00453771
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0045378E
DestroyAcceleratorTable.USER32(?), ref: 004537DC
IsWindow.USER32(?), ref: 00453851
IsWindow.USER32(?), ref: 004538A1
IsWindow.USER32(?), ref: 004538F1
IsWindow.USER32(?), ref: 0045392E
IsWindow.USER32(?), ref: 004539B1
GetParent.USER32(?), ref: 004539BF
GetFocus.USER32 ref: 00453A00

Part of subcall function 00452DC0: IsWindow.USER32(?), ref: 00452E3B
Part of subcall function 00452DC0: GetFocus.USER32 ref: 00452E45
Part of subcall function 00452DC0: IsChild.USER32(?,00000000), ref: 00452E57

IsWindow.USER32(?), ref: 00453A5F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 00453A74
IsWindow.USER32(00000000), ref: 00453A87
GetFocus.USER32 ref: 00453A91
SetFocus.USER32(00000000), ref: 00453A9C

Strings

d, xrefs: 00452EE3
p{[, xrefs: 00453923

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$ActiveCallbackChildDispatcherIconicParentUser
String ID: d$p{[
API String ID: 2657180179-3779288808
Opcode ID: c075ca3c6c1ff721681e3581e44aac9fdd92174601dd865b4fdd2d6387ecef0a
Instruction ID: 57e9351b8be7df6c2ee8ecbc917f9ad8f68ae29dc4c262c87890dd4c55674018
Opcode Fuzzy Hash: c075ca3c6c1ff721681e3581e44aac9fdd92174601dd865b4fdd2d6387ecef0a
Instruction Fuzzy Hash: 5672AE716043419FD320DF25C881B6FB7E9AF88746F10491EF94997342DB78E909CBAA

Function 004544C0 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,005A74E4), ref: 00454527
LoadLibraryA.KERNEL32(?,?,005B7D40), ref: 00454619
LoadLibraryA.KERNELBASE(?,?), ref: 0045465F
LoadLibraryA.KERNELBASE(?,?,005B7C48,00000001), ref: 004546A7
LoadLibraryA.KERNEL32(00000001), ref: 004546BD
GetProcAddress.KERNEL32(00000000,?), ref: 004546CF
FreeLibrary.KERNEL32(00000000), ref: 00454762

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: b39f5ae4bde092832c14dd05093febe83bcfda55cf12bdb8be9dad5f36266789
Instruction ID: 0a8327e8d1ded267d917e00c889fb30302feaa3427006d315403e0ffd5a0449d
Opcode Fuzzy Hash: b39f5ae4bde092832c14dd05093febe83bcfda55cf12bdb8be9dad5f36266789
Instruction Fuzzy Hash: FFA1F4B1600741AFC714DF65C880B6BB3A8BF99318F04062EFC158B352DB38E949CB99

Function 004EBAB1 Relevance: 6.1, APIs: 4, Instructions: 63COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(?,?,?,004EBAAC), ref: 004EBB28
GetProcessVersion.KERNELBASE(00000000,?,?,?,004EBAAC), ref: 004EBB65
LoadCursorA.USER32(00000000,00007F02), ref: 004EBB93
LoadCursorA.USER32(00000000,00007F00), ref: 004EBB9E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 575dce9e51f56258ea9dc51a1fc21ce79e00d211d8a0e88e4072ca9ca71ca7d2
Instruction ID: ed0684e93bf7d1f4a12c562e34c90c8a934adaf68132293ca7cb56ba6a9e2d89
Opcode Fuzzy Hash: 575dce9e51f56258ea9dc51a1fc21ce79e00d211d8a0e88e4072ca9ca71ca7d2
Instruction Fuzzy Hash: C5116AB1A007508FD7289F3A998462ABBE5FB48705740093FE18BC6B80D7B8A400CB94

Function 004D2699 Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 004D26A6
GetSystemTime.KERNEL32(?), ref: 004D26B0
GetTimeZoneInformation.KERNELBASE(?), ref: 004D2705

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: 48f0883d8f0c58cd202f95e42b1b328f03fdb9bf5d7d5c0fc5d6ef6d5ae5dc3c
Instruction ID: 0797710e53b641deee8f8eb6876adf6b894a32e7d4116aba7efc0b9c7aafb206
Opcode Fuzzy Hash: 48f0883d8f0c58cd202f95e42b1b328f03fdb9bf5d7d5c0fc5d6ef6d5ae5dc3c
Instruction Fuzzy Hash: BC21626980010AE6EF31AB98DE146FF77B9BF28710F500103F950A6394E7B88D86D76C

Function 004E3CEF Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004E3CF4
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 004E3EA7

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 6fa60573411069cf7b748b6ee7c86eda22a795f517ca68250fe32309331fcaac
Instruction ID: 9f47c56320c8040fe1aa1a996e95694ade00ced40c385badd0f06bd9a7a7e017
Opcode Fuzzy Hash: 6fa60573411069cf7b748b6ee7c86eda22a795f517ca68250fe32309331fcaac
Instruction Fuzzy Hash: 13E1CE71600298ABDF11DF1ACC88ABE77A9EF58316F10851BF8059B291C73CDA41DB69

Function 0043DC60 Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0471975ed486fb8383bb2d9568289013e6fdecee59df5abf7abd2b8edbd6dde0
Instruction ID: b0e7e13b9b7a3808c5250d41c098c56a8325a282b2dee02ab39a2ec8fc647598
Opcode Fuzzy Hash: 0471975ed486fb8383bb2d9568289013e6fdecee59df5abf7abd2b8edbd6dde0
Instruction Fuzzy Hash: 362119B26017008FE720CF6AE884A57B7E8FBA8325F10993FE155C7250E775E815CB54

Function 0045D1B0 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,?), ref: 0045D1C0
FindClose.KERNEL32(00000000), ref: 0045D1CC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 7728f237426ea2dbfd74fd9cf545897a20edb820c7c033144cc785156ac82f50
Instruction ID: 799014c21064e1691615e0d99ab9c8a5f53e0907ea38a5a88d6b1698336fe8c0
Opcode Fuzzy Hash: 7728f237426ea2dbfd74fd9cf545897a20edb820c7c033144cc785156ac82f50
Instruction Fuzzy Hash: 74D0A7B48041006BD7259B74DE086BA32A8BB44311FC40B38BD2DC12E0F77EC829C555

Function 004010C4 Relevance: 2.4, Strings: 1, Instructions: 1119COMMON

Download Yara Rule

Strings

explorer.exe, xrefs: 004012C9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID: explorer.exe
API String ID: 0-3187896405
Opcode ID: 12cb717cf33df7dcff9b4f3252ec2c3ed63b02f0a8b26abc1d8b38977019fe27
Instruction ID: 61ef1b09633eac9d5bf9282fb0e66222df290ea502690ffc9e04d75058215b4c
Opcode Fuzzy Hash: 12cb717cf33df7dcff9b4f3252ec2c3ed63b02f0a8b26abc1d8b38977019fe27
Instruction Fuzzy Hash: D98283F1A812929BFF00CF98DCC0B85B7E1EF69324B291475E546AB345D378B861DB21

Function 004A8F90 Relevance: 1.5, APIs: 1, Instructions: 26comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0057BBD0,00000000,00000001,0057BBE0,00000070,00000000,004AA2BF,?,00000000,00000000,004F0A43,000000FF,004A887D), ref: 004A8FD0

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 159155de64a0aa3cd506aa656d688daee472dc2f1475bb371fb8069398634b38
Instruction ID: f035b4d0de40ff8c9d362770b9c175644cde124e754cf34da02afdabf0ae8005
Opcode Fuzzy Hash: 159155de64a0aa3cd506aa656d688daee472dc2f1475bb371fb8069398634b38
Instruction Fuzzy Hash: D9F07FB0901B149FD3B4CF2AE915A53BBF4FB487007108A2EA48EC3A54E7B5B4408F54

Function 004E3120 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004EAF8D: TlsGetValue.KERNEL32(005DB764,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000,?,004DE6D1,00000000,00000000,00000000,00000000), ref: 004EAFCC

CallNextHookEx.USER32(?,00000003,?,?), ref: 004E314A
GetClassLongA.USER32(?,000000E6), ref: 004E3191
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_000EA309), ref: 004E31BD
lstrcmpiA.KERNEL32(?,ime), ref: 004E31CC
GetWindowLongA.USER32(?,000000FC), ref: 004E323F
SetWindowLongA.USER32(?,000000FC,00000000), ref: 004E3260

Strings

ime, xrefs: 004E31C6
AfxOldWndProc423, xrefs: 004E32A1, 004E32A6, 004E32B1, 004E32B9, 004E32C2

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 5a04e9c0727cbdb5fc9de31be6cf89d4e530f8a20a7d8949802e1b268c91fbcd
Instruction ID: 38a8c32399768f4e89a01b7a8c6effe4a606782c6063401e6ed088e123aa023b
Opcode Fuzzy Hash: 5a04e9c0727cbdb5fc9de31be6cf89d4e530f8a20a7d8949802e1b268c91fbcd
Instruction Fuzzy Hash: 0151FC31504255BFCB229F66CD08B6B7BB8BF04367F11466AFA41A7290C778DA10DB98

Function 00442D80 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 430
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E7F76: __EH_prolog.LIBCMT ref: 004E7F7B
Part of subcall function 004E7F76: BeginPaint.USER32(?,?,?,?,00441659), ref: 004E7FA4

Part of subcall function 004E7B27: GetClipBox.GDI32(?,?), ref: 004E7B2E

IsRectEmpty.USER32(?), ref: 00442DC7
GetClientRect.USER32(?,?), ref: 00442DDF
InflateRect.USER32(?,?,?), ref: 00442E9D
IntersectRect.USER32(?,?,?), ref: 00442F07
CreateRectRgn.GDI32(?,?,?,?), ref: 00442F21
FillRgn.GDI32(?,?,?), ref: 004430E0
GetCurrentObject.GDI32(?,00000006), ref: 0044315F

Part of subcall function 004E76CE: GetStockObject.GDI32(?), ref: 004E76D7
Part of subcall function 004E76CE: SelectObject.GDI32(0043F475,00000000), ref: 004E76F1
Part of subcall function 004E76CE: SelectObject.GDI32(0043F475,00000000), ref: 004E76FC

OffsetRect.USER32(?,00000001,00000001), ref: 0044323D
OffsetRect.USER32(?,00000002,00000002), ref: 004432D1
OffsetRect.USER32(?,00000001,00000001), ref: 00443284

Part of subcall function 004E789E: SetTextColor.GDI32(?,?), ref: 004E78B8
Part of subcall function 004E789E: SetTextColor.GDI32(?,?), ref: 004E78C6

Strings

0`W, xrefs: 00442F31, 00442F35
<`W, xrefs: 00443056
tZ, xrefs: 004430FB
T_W, xrefs: 0044309B

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID: 0`W$<`W$T_W$tZ
API String ID: 4264835570-2443681303
Opcode ID: da95bc7a25e1d564d5121827261bf3beb6412a95ed77636a7e9ff81dd6070d1a
Instruction ID: ff31a33fba2bb3e7e6132a7d69643e608b10cb30b8ec05e639ff3b3b4bb5b000
Opcode Fuzzy Hash: da95bc7a25e1d564d5121827261bf3beb6412a95ed77636a7e9ff81dd6070d1a
Instruction Fuzzy Hash: A5029A711083809FD324DF65C885AABB7E9BFD8705F504D1EF18A87290DBB8E949CB16

Function 0043F780 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

tZ, xrefs: 0043FB90

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID: tZ
API String ID: 0-618434692
Opcode ID: 6e3364a315a739190d1c4e95f2813d9fe4e9dbda1a597b90b8a040efe46daa36
Instruction ID: 527f4e20ffce94cb4ec8cbfa6f8a41dcc29d53a198a46fc7843a1a7f47f191c4
Opcode Fuzzy Hash: 6e3364a315a739190d1c4e95f2813d9fe4e9dbda1a597b90b8a040efe46daa36
Instruction Fuzzy Hash: 56D15A71A047419FD724DF24C881A2BB7E5BB48318F20693EE55AC7790D778EC49CB19

Function 10017090 Relevance: 21.2, APIs: 14, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT ref: 100170FF
??2@YAPAXI@Z.MSVCRT(00000100), ref: 1001710F
??2@YAPAXI@Z.MSVCRT(00000078,00000100), ref: 1001711C
??2@YAPAXI@Z.MSVCRT(00000010,00000078,00000100), ref: 10017129
??2@YAPAXI@Z.MSVCRT(000054F0,00000010,00000078,00000100), ref: 10017139
??2@YAPAXI@Z.MSVCRT(000003DC,000054F0,00000010,00000078,00000100), ref: 10017149
??2@YAPAXI@Z.MSVCRT ref: 100171FB
??2@YAPAXI@Z.MSVCRT(00000100), ref: 1001720B
??2@YAPAXI@Z.MSVCRT(00000078,00000100), ref: 10017218
??2@YAPAXI@Z.MSVCRT(00000010,00000078,00000100), ref: 10017225
??2@YAPAXI@Z.MSVCRT(000054F0,00000010,00000078,00000100), ref: 10017235
??2@YAPAXI@Z.MSVCRT(000003DC,000054F0,00000010,00000078,00000100), ref: 10017245
CreateCompatibleDC.GDI32(00000000), ref: 10017320
CreateCompatibleDC.GDI32 ref: 10017328

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??2@$CompatibleCreate
String ID:
API String ID: 2751892210-0
Opcode ID: e8fdb1ed28e246d3529f5ed77cbc3c3ceb66a55df81643b3e8b54a0f077fd1d3
Instruction ID: 0f10bd593ae600cb38cbaaa22fec1f499e913940d81218a79a1784d92bf44df9
Opcode Fuzzy Hash: e8fdb1ed28e246d3529f5ed77cbc3c3ceb66a55df81643b3e8b54a0f077fd1d3
Instruction Fuzzy Hash: FF7118B45007889BEB30CF29C8A17DABBE1FF4C310F90442E9A4D9B791DB7666558B81

Function 004A4D70 Relevance: 19.9, APIs: 13, Instructions: 371
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00001036,00000000,00000000), ref: 004A4F98
SendMessageA.USER32(?,00001003,00000000,00000124), ref: 004A4FF2
SendMessageA.USER32(?,00001003,00000002,0000012C), ref: 004A5038
ImageList_SetBkColor.COMCTL32(?,00000000), ref: 004A50A1
SendMessageA.USER32(?,00001208,00000000,00000000), ref: 004A50D1
SendMessageA.USER32(?,00001024,00000000,?), ref: 004A50E8
IsWindow.USER32(00000000), ref: 004A505D

Part of subcall function 0043EA20: GetSysColor.USER32(0000000F), ref: 0043EA2D

SendMessageA.USER32(?,00001026,00000000,00000000), ref: 004A5102
SendMessageA.USER32(?,00001001,00000000,00000000), ref: 004A511C
LoadCursorA.USER32(00000000,00007F89), ref: 004A514C
LoadCursorA.USER32(?,000007D8), ref: 004A5163
LoadCursorA.USER32(00000000,00007F00), ref: 004A5170
SendMessageA.USER32(?,0000103E,00000000,00000000), ref: 004A517E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$CursorLoad$Color$ImageList_Window
String ID:
API String ID: 1757432420-0
Opcode ID: acf0652867619e752e4f64fdcfba462ff0f923fed2a8f3db8687600da40c45d1
Instruction ID: ecb00d7b40b9b9d40c5e12ee4927e1589a8429588eaf3b87db97f5a6d3df68b4
Opcode Fuzzy Hash: acf0652867619e752e4f64fdcfba462ff0f923fed2a8f3db8687600da40c45d1
Instruction Fuzzy Hash: 85C17E71700705AFE724DA75CC81F6BB3E8BB99744F04492DF656C7381EBA8E8018759

Function 0045B270 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 0045B2BA

Part of subcall function 004E5845: IsWindowEnabled.USER32(?), ref: 004E584F

IsWindow.USER32(?), ref: 0045B35B
GetParent.USER32(?), ref: 0045B376
IsWindowVisible.USER32(?), ref: 0045B38A
SetActiveWindow.USER32(?), ref: 0045B3AB
IsWindow.USER32(?), ref: 0045B3C8
KiUserCallbackDispatcher.NTDLL(?), ref: 0045B3D6
IsWindow.USER32(?), ref: 0045B3DD
IsWindow.USER32(?), ref: 0045B438
IsWindow.USER32(?), ref: 0045B492
GetFocus.USER32 ref: 0045B4A6
IsWindow.USER32(00000000), ref: 0045B4B3
IsChild.USER32(?,00000000), ref: 0045B4C2

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$Parent$ActiveCallbackChildDispatcherEnabledFocusUserVisible
String ID:
API String ID: 416498738-0
Opcode ID: 4df9ed8758d1e8970b977c3eb3b93bb425423ff2deaeda356518ea12eda99449
Instruction ID: c401aaea8216bfe5324d7c7fb1a3a9821b671bbf697c345a7ee55e73ea70c281
Opcode Fuzzy Hash: 4df9ed8758d1e8970b977c3eb3b93bb425423ff2deaeda356518ea12eda99449
Instruction Fuzzy Hash: 8F51B571600709AFD724DF66D840A6BBBA8FF44346F10091FFD4592242DB38E859CBE9

Function 0047AB70 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0047AB99
OleInitialize.OLE32(00000000), ref: 0047ABD5
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0047ABF3
SetCurrentDirectoryA.KERNEL32(023452C8,?), ref: 0047AC4D
LoadCursorA.USER32(00000000,00007F00), ref: 0047ACA8
GetStockObject.GDI32(00000005), ref: 0047ACC9
GetCurrentThreadId.KERNEL32 ref: 0047ACF1

Strings

<V, xrefs: 0047AE81
_EL_HideOwner, xrefs: 0047ACD3
8)O, xrefs: 0047ADA8
t'O, xrefs: 0047AD80

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: 8)O$<V$_EL_HideOwner$t'O
API String ID: 3783217854-1327059671
Opcode ID: d52dacafce501ade0c2edcac810a450b935edbda4190b3a2f75c472210cd1674
Instruction ID: 87b4f22f3de42fb7334b1c0a0c5897500acfca49c66fbf052ec3e05c5ce3669f
Opcode Fuzzy Hash: d52dacafce501ade0c2edcac810a450b935edbda4190b3a2f75c472210cd1674
Instruction Fuzzy Hash: BDE1F470A00205DFCB14EF55CD81BEE77B5FF84305F14406EE909AB292DB786A15CB99

Function 004E2F45 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 004E2F4A
GetPropA.USER32(?,AfxOldWndProc423), ref: 004E2F62
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 004E2FC0

Part of subcall function 004E2B2D: GetWindowRect.USER32(?,?), ref: 004E2B52
Part of subcall function 004E2B2D: GetWindow.USER32(?,00000004), ref: 004E2B6F

SetWindowLongA.USER32(?,000000FC,?), ref: 004E2FF0
RemovePropA.USER32(?,AfxOldWndProc423), ref: 004E2FF8
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 004E2FFF
GlobalDeleteAtom.KERNEL32(00000000), ref: 004E3006

Part of subcall function 004E2B0A: GetWindowRect.USER32(?,?), ref: 004E2B16

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 004E305A

Strings

AfxOldWndProc423, xrefs: 004E2F58, 004E2F60, 004E2FF6, 004E2FFE

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 1d5165d5fcc95b4e9397d51fdcf2e103e936a9058161de53ecbabad81f18242f
Instruction ID: 17c6d3cd18dbd09886a5c3944de783b549fdb0aeed4ae999316d5a959848fdde
Opcode Fuzzy Hash: 1d5165d5fcc95b4e9397d51fdcf2e103e936a9058161de53ecbabad81f18242f
Instruction Fuzzy Hash: CC31457280055ABBCB129FA6DE49DBF7B7CFF45316F00011AF601A2151C7B99A10DB69

Function 004EAC26 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(005DB780,005DB754,00000000,?,005DB764,005DB764,004EAFC1,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000), ref: 004EAC35
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,005DB764,005DB764,004EAFC1,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000), ref: 004EAC8A
GlobalHandle.KERNEL32(008426F0), ref: 004EAC93
GlobalUnlock.KERNEL32(00000000), ref: 004EAC9C
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004EACAE
GlobalHandle.KERNEL32(008426F0), ref: 004EACC5
GlobalLock.KERNEL32(00000000), ref: 004EACCC
LeaveCriticalSection.KERNEL32(004CF382,?,?,005DB764,005DB764,004EAFC1,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000), ref: 004EACD2
GlobalLock.KERNEL32(00000000), ref: 004EACE1
LeaveCriticalSection.KERNEL32(?), ref: 004EAD2A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 2231fcd66450a4377040371f4f2e54c2e6c62186599bbe6917181e5c3af2db29
Instruction ID: 17196538ec5b817911d53846c5200ef1fd7f4364282c1c5b6e726ee89aab2011
Opcode Fuzzy Hash: 2231fcd66450a4377040371f4f2e54c2e6c62186599bbe6917181e5c3af2db29
Instruction Fuzzy Hash: 4431C4712043059FD7249F29DD89A2AB7E9FF44306B014A2EF892C3661E7B5F824CB15

Function 0043F2D0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 267
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateSolidBrush.GDI32(00000000), ref: 0043F418
SendMessageA.USER32(?,000000C5,?,00000000), ref: 0043F4A9
SendMessageA.USER32(?,000000CC,?,00000000), ref: 0043F4C1
SendMessageA.USER32(?,00000465,00000000,?), ref: 0043F58B
SendMessageA.USER32(?,000000B1,?,?), ref: 0043F5C8
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0043F5D7

Strings

EDIT, xrefs: 0043F457
msctls_updown32, xrefs: 0043F51F

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$BrushCreateSolid
String ID: EDIT$msctls_updown32
API String ID: 943060551-1401569126
Opcode ID: df04b3b5f1cc1a2c85b5a12b46b1034430170d843b58a239aaf2c68cb114f54a
Instruction ID: 57dac7c0c3b4db2db7997d1db0670c8c60f1aa01def070b48a843f8257ae6b3a
Opcode Fuzzy Hash: df04b3b5f1cc1a2c85b5a12b46b1034430170d843b58a239aaf2c68cb114f54a
Instruction Fuzzy Hash: 1B91C271A04B00AFE724DB25CC41F6BB6E5BB98704F10592EF696D7380EA78EC098759

Function 00457ED0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d68ae5c98721a5616e0e6cb956cee16744905544fd97cc31010584a33403173
Instruction ID: 569bb0b378ab8c24d2a9ae684c8daabdf9458002ea66089d41a362b0139d9a19
Opcode Fuzzy Hash: 8d68ae5c98721a5616e0e6cb956cee16744905544fd97cc31010584a33403173
Instruction Fuzzy Hash: 9FB1A0706087009FD724CF65C885B2BBBE5BB84705F10892EF99297391DB78E849CB5A

Function 00449A80 Relevance: 13.8, APIs: 9, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51247b8ebedf3e46d5b5a8ba8c0b63796682ed7dbfdc8b49598882757401006d
Instruction ID: f5b55464d13c5609c89879eaf0d68011b0f3a7bf91bfa383a798e5ec3e9a43de
Opcode Fuzzy Hash: 51247b8ebedf3e46d5b5a8ba8c0b63796682ed7dbfdc8b49598882757401006d
Instruction Fuzzy Hash: BA81A0723006019FE720DF69DCD6EABB3A8EB94359F10492FF142CB291C7A5E846D794

Function 0044ACF0 Relevance: 13.8, APIs: 9, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a57782f3c276c37f5ba096649e2989b6cc7d4c2952fa863772ea60afb8638754
Instruction ID: fc2aa23d7678987554d8ae873cb6e02162371fdd3a1a3c241c8e9b3d5bfdfae7
Opcode Fuzzy Hash: a57782f3c276c37f5ba096649e2989b6cc7d4c2952fa863772ea60afb8638754
Instruction Fuzzy Hash: 2671DFB23406019FE320DF68DCD5EABB3A8EB94359F10892FF142CB291C7A5E856C755

Function 004DD28B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000001,80000000,?,0000000C,00000001,00000080,00000000,?,00000000,00000000), ref: 004DD43E
GetLastError.KERNEL32 ref: 004DD44A
GetFileType.KERNEL32(00000000), ref: 004DD45F
CloseHandle.KERNEL32(00000000), ref: 004DD46A

Strings

H, xrefs: 004DD4B1
@, xrefs: 004DD477

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastType
String ID: @$H
API String ID: 1809617866-104103126
Opcode ID: 1687fb153076a8306947377673312e33a7745651dcc1a7500f4cc528f3d362f0
Instruction ID: 053cec6676a91ab3d1a3542e46783ca30c949d47b19d24244b786e7a5dac1b02
Opcode Fuzzy Hash: 1687fb153076a8306947377673312e33a7745651dcc1a7500f4cc528f3d362f0
Instruction Fuzzy Hash: 54811671D04209AAEF208F68D8747BF7B60AF01328F28425BED61A63D1C7BD8945C75B

Function 004A3CB0 Relevance: 9.1, APIs: 6, Instructions: 80windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000409,00000001,00000000), ref: 004A3CCB
SendMessageA.USER32(?,0000040E,00000000,00000000), ref: 004A3CFA
SendMessageA.USER32(?,00000409,00000000,00000000), ref: 004A3D0B
SendMessageA.USER32(?,00000404,?,?), ref: 004A3D1C
SendMessageA.USER32(?,00000409,00000000,00000000), ref: 004A3D2D
DestroyIcon.USER32(?,?,?,?,004A23B2), ref: 004A3D5A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$DestroyIcon
String ID:
API String ID: 3419509030-0
Opcode ID: 2ab217e9c8e1526b4bdce73288a29850562ce94cf70e57b0dc69bb6882ec0a69
Instruction ID: 5e6bf5ec675104f2ac6f0bb419d7ee709bdfb63664f7f68c73bec7733f1901ad
Opcode Fuzzy Hash: 2ab217e9c8e1526b4bdce73288a29850562ce94cf70e57b0dc69bb6882ec0a69
Instruction Fuzzy Hash: 3821C672300305AFD720DE69CC80F67B3A8EBA5751F11492EF745A7280E6B5FD068764

Function 004E73F1 Relevance: 9.0, APIs: 6, Instructions: 35COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 004E73FE
GetSystemMetrics.USER32(0000000C), ref: 004E7405
GetDC.USER32(00000000), ref: 004E741E
GetDeviceCaps.GDI32(00000000,00000058), ref: 004E742F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 004E7437
ReleaseDC.USER32(00000000,00000000), ref: 004E743F

Part of subcall function 004EBAD1: GetSystemMetrics.USER32(00000002), ref: 004EBAE3
Part of subcall function 004EBAD1: GetSystemMetrics.USER32(00000003), ref: 004EBAED

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: d79edefd0693a3387ada241cc2362827b4d6c146a08dc74cc85759fcbf4f7f76
Instruction ID: 7b418c7d5ec67633583aea975f2b9d542bb117cfa7e4ea104ab3f20435d19208
Opcode Fuzzy Hash: d79edefd0693a3387ada241cc2362827b4d6c146a08dc74cc85759fcbf4f7f76
Instruction Fuzzy Hash: 9EF0BE30640700AEE6206B739C89F27BBA4EB81767F00483FF601862D0CAB49C00CFA9

Function 004497F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 226windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00000000), ref: 004498EC
DestroyIcon.USER32(?,?,?,000000B0,00000000,00000000,?,?,00000000), ref: 0044998C
SendMessageA.USER32(?,000000F7,00000000,?), ref: 00449A4B
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 00449A66

Strings

BUTTON, xrefs: 004499EC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$BrushCreateDestroyIconSolid
String ID: BUTTON
API String ID: 3996100863-3405671355
Opcode ID: 73bbfa4a7dd67dc0517f3b2a6454ec8695a330aeda33118ef28b44902726e8d9
Instruction ID: cacbc953ce59a50bc5d0beb4cb49aa8b04d8be84f9bd8c168032cbdd3407b2eb
Opcode Fuzzy Hash: 73bbfa4a7dd67dc0517f3b2a6454ec8695a330aeda33118ef28b44902726e8d9
Instruction Fuzzy Hash: D371B0B16047409FE724DF29C880F6BB7A9BB85700F144A2EF58683780DB39EC44DB5A

Function 0044AA60 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 226windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00000000), ref: 0044AB5C
DestroyIcon.USER32(?,?,?,000000A8,00000000,00000000,?,?,00000000), ref: 0044ABFC
SendMessageA.USER32(?,000000F7,00000000,?), ref: 0044ACBB
SendMessageA.USER32(?,000000F1,00000000,00000000), ref: 0044ACD6

Strings

BUTTON, xrefs: 0044AC5C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$BrushCreateDestroyIconSolid
String ID: BUTTON
API String ID: 3996100863-3405671355
Opcode ID: b05c9ae4c9de7e24fa2ee44f4e3328a73b11bb7f77db677e19006f59681eefc8
Instruction ID: 2db3b079a856d30514f7169b8b01bf1c890c53befa13517b98bc1b74eda1ed7e
Opcode Fuzzy Hash: b05c9ae4c9de7e24fa2ee44f4e3328a73b11bb7f77db677e19006f59681eefc8
Instruction Fuzzy Hash: EA71AEB16447459FE724DF25C980A6BB7A6FB84700F104A2EF68683380DB39BC54CB5A

Function 00444B00 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00444C0C
DestroyIcon.USER32(?,?,?,?,0000008C,00000000), ref: 00444C6A
SendMessageA.USER32(?,000000F7,00000001,?), ref: 00444D0C
SendMessageA.USER32(?,000000F7,00000000,?), ref: 00444D3E

Strings

BUTTON, xrefs: 00444CCB

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$ColorDestroyIcon
String ID: BUTTON
API String ID: 1480523805-3405671355
Opcode ID: a5a902b99a58b23d4d8e7b7ed1f8fd58c9d1250db1515d2f9c4632cc2038d276
Instruction ID: 36551cfb492dd0638e3ed3e4d3aab01642a9c004d337dc22a3b456f4d0775566
Opcode Fuzzy Hash: a5a902b99a58b23d4d8e7b7ed1f8fd58c9d1250db1515d2f9c4632cc2038d276
Instruction Fuzzy Hash: FC61BEB1604745AFE224DF25C881B6BB7E9FB84710F148A1EF58683780DA39F844CB5A

Function 004DB538 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 004D6E54: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6E91
Part of subcall function 004D6E54: EnterCriticalSection.KERNEL32(?,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6EAC

Part of subcall function 004D6EB5: LeaveCriticalSection.KERNEL32(?,004D0C82,00000009,004D0C6E,00000000,?,00000000,00000000,00000000), ref: 004D6EC2

GetTimeZoneInformation.KERNELBASE(0000000C,?,?,?,0000000B,0000000B,?,004DB529,004DBB10,?,?,?,?,004D2767,?,?), ref: 004DB586
WideCharToMultiByte.KERNEL32(00000220,Eastern Standard Time,000000FF,0000003F,00000000,?,?,004DB529,004DBB10,?,?,?,?,004D2767,?,?), ref: 004DB61C
WideCharToMultiByte.KERNEL32(00000220,Eastern Summer Time,000000FF,0000003F,00000000,?,?,004DB529,004DBB10,?,?,?,?,004D2767,?,?), ref: 004DB655

Strings

Eastern Standard Time, xrefs: 004DB610
Eastern Summer Time, xrefs: 004DB649

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3442286286-239921721
Opcode ID: 0a27dc302806ad7886bb4d2cd38650c164aef8e943f2c58028230dd308f3ac5b
Instruction ID: c5d849692228d5f621b46b892f40e520cc77e01e344267c0e2febdc9078af242
Opcode Fuzzy Hash: 0a27dc302806ad7886bb4d2cd38650c164aef8e943f2c58028230dd308f3ac5b
Instruction Fuzzy Hash: BA61FA75504240DFE7319F29EC61B2A3FA6EF62314F26012FE450863A2D7784946DBDE

Function 00457DB0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 00457E58
SendMessageA.USER32(?,00000080,00000000,?), ref: 00457E6A
DestroyIcon.USER32(?), ref: 00457E7D
DestroyIcon.USER32(?), ref: 00457E8A

Strings

p{[, xrefs: 00457E2E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: DestroyIconMessageSend
String ID: p{[
API String ID: 1880505497-2613221635
Opcode ID: 02473e52c428d027ab6e6104ad9ade88ec13b9e6945dff6f9a9ffcae74190963
Instruction ID: 3feacaae195d36835786f38fd34c0d29d3787880a20c3308f5b62cec90794319
Opcode Fuzzy Hash: 02473e52c428d027ab6e6104ad9ade88ec13b9e6945dff6f9a9ffcae74190963
Instruction Fuzzy Hash: 72314C71608301AFE720DF65D881BA7B3E8AFC4711F10882EFD9997241D678E80D8B66

Function 0045C480 Relevance: 7.7, APIs: 5, Instructions: 196windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0045C55C
SendMessageA.USER32(?,00008003,00000000,00000000), ref: 0045C573
GetWindowRect.USER32(?,00000000), ref: 0045C5C5
GetClientRect.USER32(?,00000000), ref: 0045C61D
GetWindowRect.USER32(?,00000000), ref: 0045C641

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: RectWindow$ClientMessageSend
String ID:
API String ID: 1071774122-0
Opcode ID: c24fa44af347965fbde00d45acd7dee1f37f8a85ac3cefe2da1d091a6b82bfaf
Instruction ID: 82be754cab7d9a83e827834a12a9917ad1d6a49cf697e395bbe6dc249369625e
Opcode Fuzzy Hash: c24fa44af347965fbde00d45acd7dee1f37f8a85ac3cefe2da1d091a6b82bfaf
Instruction Fuzzy Hash: DA61C071604355AFC710DF65C885A6BBBE8EFC8749F000A1EF94597281DA38ED09CB9A

Function 0043F600 Relevance: 7.6, APIs: 5, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,0058FCC4,?,?), ref: 0043F6A1
GetSystemMetrics.USER32(0000002E), ref: 0043F6B5
GetWindowRect.USER32(?,?), ref: 0043F6D5
GetStockObject.GDI32(00000011), ref: 0043F722
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 0043F731

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ExtentMessageMetricsObjectPoint32RectSendStockSystemTextWindow
String ID:
API String ID: 3316701254-0
Opcode ID: 2a2ea30274189317e9680b2b63f286ec4cad88d6387a84a2affdaed94838edce
Instruction ID: 0147c2b7853f7b57e4bc6b84a737ad30eef639179214d557d598071ced0ddb5a
Opcode Fuzzy Hash: 2a2ea30274189317e9680b2b63f286ec4cad88d6387a84a2affdaed94838edce
Instruction Fuzzy Hash: 0541B231604740AFD324DF65CD91F6B73A8BB88714F00592EF542962D0EBB8ED0ACB55

Function 004A6900 Relevance: 7.6, APIs: 5, Instructions: 127windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001009,00000000,00000000), ref: 004A6916
ImageList_GetImageCount.COMCTL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004A518E), ref: 004A699C
ImageList_GetImageCount.COMCTL32(?), ref: 004A69C2
SendMessageA.USER32(?,00001006,00000000,?), ref: 004A6A07
SendMessageA.USER32(?,00001007,00000000,00000007), ref: 004A6A4A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Image$MessageSend$CountList_
String ID:
API String ID: 102003083-0
Opcode ID: bc7c95256abfa495d8d50e27ae58b9925ba85d419ffe6615c26987f49651b1dd
Instruction ID: 4e0c85171130f50d61d5734516f2c455d3d1aa7f23e92e99e9d3f08f31d0068e
Opcode Fuzzy Hash: bc7c95256abfa495d8d50e27ae58b9925ba85d419ffe6615c26987f49651b1dd
Instruction Fuzzy Hash: 6D418DB15053419FC720CF29C84065BBBE8FF99744F054A2EF898E7280E778D905CB9A

Function 00440A20 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 004E7EC2: __EH_prolog.LIBCMT ref: 004E7EC7
Part of subcall function 004E7EC2: GetWindowDC.USER32(?,?,?,00440A51), ref: 004E7EF0

GetClientRect.USER32 ref: 00440A62
GetWindowRect.USER32(?,?), ref: 00440A71

Part of subcall function 004E7C7C: ScreenToClient.USER32(?,?), ref: 004E7C90
Part of subcall function 004E7C7C: ScreenToClient.USER32(?,?), ref: 004E7C99

OffsetRect.USER32(?,?,?), ref: 00440A9C

Part of subcall function 004E7BB9: ExcludeClipRect.GDI32(?,?,?,?,?,76C1A5C0,?,?,00440AAC,?), ref: 004E7BDE
Part of subcall function 004E7BB9: ExcludeClipRect.GDI32(?,?,?,?,?,76C1A5C0,?,?,00440AAC,?), ref: 004E7BF3

OffsetRect.USER32(?,?,?), ref: 00440ABF
FillRect.USER32(?,?,?), ref: 00440ADA

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: afa3d72524c2e0d31e2f22b459cdbdbb401bf85b5f7fef2e3f2301bae0444008
Instruction ID: aec603229f17d09cecd27b72ce8e74b5d8b746091aa787d5a0e1b367e2cb2b1e
Opcode Fuzzy Hash: afa3d72524c2e0d31e2f22b459cdbdbb401bf85b5f7fef2e3f2301bae0444008
Instruction Fuzzy Hash: 8E31AF71208342AFD714DF25C855EABB7E8FBC8714F008A1DF48687290DB74E909CB56

Function 004A3D80 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

ImageList_GetIcon.COMCTL32(?,?,00000000,00000000,?,?,004A3F6D,00000000,?,?,?,?,004A23B2), ref: 004A3D9B
SendMessageA.USER32(?,0000040F,00000000,00000000), ref: 004A3DB6
DestroyIcon.USER32(00000000,?,?,?,004A23B2), ref: 004A3DC5
DestroyIcon.USER32(?,?,?,?,004A23B2), ref: 004A3DFD

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Icon$Destroy$ImageList_MessageSend
String ID:
API String ID: 1019128568-0
Opcode ID: 69c4f0f5bc830efe324d39284c56e0909c0991dfcad89fb245579f9650c8c299
Instruction ID: c40a132c670db0e4dffea478d44c817a214af089e949fd0d28cad80bebcc9a4b
Opcode Fuzzy Hash: 69c4f0f5bc830efe324d39284c56e0909c0991dfcad89fb245579f9650c8c299
Instruction Fuzzy Hash: E511C171301312ABE7248F65D884FA7B7A9FFA2702F00452EF556C7200EBB4E910C7A8

Function 004A7E70 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000030,00000030,?,00000001), ref: 004A7EA1
SendMessageA.USER32(?,00000030,?,00000001), ref: 004A7EB9
GetStockObject.GDI32(00000011), ref: 004A7EC3
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004A7EE3

Part of subcall function 0043EA60: CreateFontIndirectA.GDI32 ref: 0043EAA9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObjectStock
String ID:
API String ID: 1613733799-0
Opcode ID: b67752c2fd63de0119cdde20b26839d315c340ba0f824b3a5b3037c1d5e9add1
Instruction ID: 758734cc491b6b2a3d294f1c56baef2d4c3d23e9c78d290c5ff3df8f9b070b73
Opcode Fuzzy Hash: b67752c2fd63de0119cdde20b26839d315c340ba0f824b3a5b3037c1d5e9add1
Instruction Fuzzy Hash: 1F01BC36204310FFDB20DB50ED94FA737A8AF89751F058889F6058B291C7B4EC42CB94

Function 00448500 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 004485EC
LoadCursorA.USER32(00000000,00007F00), ref: 004485FA

Strings

_EL_CommonDlg, xrefs: 00448603

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID: _EL_CommonDlg
API String ID: 3794545487-4856671
Opcode ID: d33f7a16d672c24daed29ba75bcca90abdf1de15b743fb99bfaabc8b1dae56c9
Instruction ID: f68fa2f4bc625cdf45ed2072de23f4bb63b19c0627a1c97b0f049ef2213d1d5f
Opcode Fuzzy Hash: d33f7a16d672c24daed29ba75bcca90abdf1de15b743fb99bfaabc8b1dae56c9
Instruction Fuzzy Hash: B5316F71648751AFE314DB64CD41F6BB7E4EB88B14F108A1EFA5A873C0DB78A800CB56

Function 00447CA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 00447D80
LoadCursorA.USER32(00000000,00007F00), ref: 00447D8E

Strings

_EL_Timer, xrefs: 00447D97

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID: _EL_Timer
API String ID: 3794545487-970978732
Opcode ID: 31d378838b71a608e8b5855f24912f5e547cd0ab5f08d74ea72f9818e9c0a9e4
Instruction ID: 7e7b626a0874fb3662da233fcc73bf33ee3edb90c799a445ca4fa0408276241e
Opcode Fuzzy Hash: 31d378838b71a608e8b5855f24912f5e547cd0ab5f08d74ea72f9818e9c0a9e4
Instruction Fuzzy Hash: 55317AB1658750AFE314DB59CD41B2BB7E4EB88B04F108A1EFA46873C0D779E805CB56

Function 00441E30 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 00441F01
LoadCursorA.USER32(00000000,00007F00), ref: 00441F0F

Part of subcall function 0045E060: GetClassInfoA.USER32(?,?,00000000), ref: 0045E078

Strings

_EL_Label, xrefs: 00441F18

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: _EL_Label
API String ID: 1762135420-1571322718
Opcode ID: 7211704bcd880cc92b4fc25ef2c4ca68dec4cca6b824ca94052e924b9a2d4b5e
Instruction ID: 1de30b1484b5d8c1c4c44178db8f4231f2dac27efefa3b8d32584bf31da48e4f
Opcode Fuzzy Hash: 7211704bcd880cc92b4fc25ef2c4ca68dec4cca6b824ca94052e924b9a2d4b5e
Instruction Fuzzy Hash: 68317CB1608710AFE214DB59CD41F2BB7E9EF88B10F104A1EFA5A87390D775AC00CB96

Function 004E61C5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 004E61D8
SetWindowsHookExA.USER32(000000FF,VD,00000000,00000000), ref: 004E61E8

Part of subcall function 004EB022: __EH_prolog.LIBCMT ref: 004EB027

Strings

VD, xrefs: 004E61E1

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: VD
API String ID: 2183259885-1619796972
Opcode ID: 00ca8e65f9a414a5476ad48bf9aa3ad7d90ea0afe935ec654e66deb8fb38d5cd
Instruction ID: fd42319138a27ef6d14aa87e3b42d2df386bec7cc3ee3b06e94863464d035baf
Opcode Fuzzy Hash: 00ca8e65f9a414a5476ad48bf9aa3ad7d90ea0afe935ec654e66deb8fb38d5cd
Instruction Fuzzy Hash: B6F0A7319013C05EDB307BB3A90DB163A94AF11757F06476BB152561E1CB6C6850DB9F

Function 00453E40 Relevance: 4.6, APIs: 3, Instructions: 110windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00453E69
IsWindow.USER32 ref: 00453E97
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00453F66

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessagePeek$Window
String ID:
API String ID: 1210580970-0
Opcode ID: 3fd418b5e73abe66677afb0ad03fc356bd3a473041d675960498f58fc1ceb14a
Instruction ID: d7dcefc808e47d14509771aa433ba809d1f932393aa45406382d4cc4af20c7bb
Opcode Fuzzy Hash: 3fd418b5e73abe66677afb0ad03fc356bd3a473041d675960498f58fc1ceb14a
Instruction Fuzzy Hash: B2316F72A04216AFD714DF24D984AABB3B8FF4438BF40052EF91583242D775EE18CAA5

Function 10026440 Relevance: 4.5, APIs: 3, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,10026677,00000000,00000020), ref: 10026463
FlushInstructionCache.KERNEL32(10026677,00000000,10026677,?,10026677,00000000,00000020), ref: 1002648E
VirtualProtect.KERNELBASE(00000000,10026677,00000040,00000014,?,10026677,00000000,00000020), ref: 100264AB

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
Instruction ID: 63f23e8b59d19312b92c29cae95ac7a559587f2e0b5583b49ef3a248e102aaa7
Opcode Fuzzy Hash: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
Instruction Fuzzy Hash: 0E11A278A00208EFDB44DF98D984A9AB7F5FB48304F20C199F9099B350C735EE41DB90

Function 004E6725 Relevance: 4.5, APIs: 3, Instructions: 29windowCOMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 004E6732
TranslateMessage.USER32(?), ref: 004E6752
DispatchMessageA.USER32(?), ref: 004E6759

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: c97986c482a89cedc483a8cea68983c3df5c6d1973f6e2f39a5db74779e3157b
Instruction ID: 62a5e8a52981e504229cbccaea870e92e975aa87a50f900cb45e77d31040fcc9
Opcode Fuzzy Hash: c97986c482a89cedc483a8cea68983c3df5c6d1973f6e2f39a5db74779e3157b
Instruction Fuzzy Hash: 8BE092322001106BE3259B25AE88D7B33ADEF81B02B05146EF501D6110C7E8AC82CB69

Function 1002616D Relevance: 3.8, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 1002619B
_initterm.MSVCRT ref: 100261C6
free.MSVCRT ref: 10026203

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: _inittermfreemalloc
String ID:
API String ID: 1678931842-0
Opcode ID: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
Instruction ID: c3025327f4686e2d82251761483d94adc5640adac6d06395e623d3ba54a4f38f
Opcode Fuzzy Hash: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
Instruction Fuzzy Hash: 07115E316452A1CFF784CBA4EEC4B1A37A4FB09391B650479FC05CB2A5D721AC42CB00

Function 004441D0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0043EA20: GetSysColor.USER32(0000000F), ref: 0043EA2D

CreateSolidBrush.GDI32(00000000), ref: 00444268

Strings

BUTTON, xrefs: 004442BF

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: BrushColorCreateSolid
String ID: BUTTON
API String ID: 2798526982-3405671355
Opcode ID: 83497f3efce7fdb7e491c153c9939bc6687d8037a41d1940d30ac1701f1c40b4
Instruction ID: 9e22173c7de22fdbe9d824c65888adf810d00075580f4a0ef438197a4a9726d6
Opcode Fuzzy Hash: 83497f3efce7fdb7e491c153c9939bc6687d8037a41d1940d30ac1701f1c40b4
Instruction Fuzzy Hash: BF3190B1604B109BE314DB59C841F6BB7E8FF88B44F008A1EF59687790E779E801C796

Function 004A36A0 Relevance: 3.1, APIs: 2, Instructions: 134windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000409,00000000,00000000), ref: 004A3808
SendMessageA.USER32(?,00002001,00000000,00000000), ref: 004A3822

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 170b6e8222492eca64b635f9b79aa6f818dc7d119c927b3271729bc373f8b070
Instruction ID: 68214f5310a404c53aecbc758d6e71a8e369310500f17bc4dc6de8864c06aecd
Opcode Fuzzy Hash: 170b6e8222492eca64b635f9b79aa6f818dc7d119c927b3271729bc373f8b070
Instruction Fuzzy Hash: B0416CB5604701AFD324DF69C841B5BB7E9AB99704F10892EF586C3380E778E905CB96

Function 004A3E60 Relevance: 3.1, APIs: 2, Instructions: 126windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000401,?,?), ref: 004A3F59
SendMessageA.USER32(?,00000410,00000000,?), ref: 004A3F89

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fb60c95475405a866d18e04ab645481877624bd1d082059c6ac14f50a2249ecf
Instruction ID: 8c0b932e4f821ed40b5bab0633886510300c711528eec1cd3355b91015e39c52
Opcode Fuzzy Hash: fb60c95475405a866d18e04ab645481877624bd1d082059c6ac14f50a2249ecf
Instruction Fuzzy Hash: E141F4B2A003115FE310EF19DC81A2BB3A8EFE5319F05492EFA5587351E639ED068796

Function 004A6F20 Relevance: 3.1, APIs: 2, Instructions: 92COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000005), ref: 004A6FF2
LoadCursorA.USER32(00000000,00007F00), ref: 004A7000

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CursorLoadObjectStock
String ID:
API String ID: 3794545487-0
Opcode ID: e17269e56d871a930538d1e76d24b3f1712983e78397f0e7514a4ffe9539df49
Instruction ID: ccffb889e40beeb513f7235b606c2cc4152bb61e7af44fef82164eb88df3dad6
Opcode Fuzzy Hash: e17269e56d871a930538d1e76d24b3f1712983e78397f0e7514a4ffe9539df49
Instruction Fuzzy Hash: 5D317EB1648700AFE314DB58DD41F2BB7E4EB89B10F008A1EF65A87390D778AC00CB96

Function 004A7F10 Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f57cd076377edc8ac09b127ee1b79d43381c7caa42632f40f870f4e12e5b667
Instruction ID: 79547115c261c74a96a338c26435c5420e0b15ecf80603ec120dd3b3fa89ae05
Opcode Fuzzy Hash: 7f57cd076377edc8ac09b127ee1b79d43381c7caa42632f40f870f4e12e5b667
Instruction Fuzzy Hash: 9A2148B2604B008FE720CF6AE884A57B7E8EBA1325B10883FE165C7251E374E814CB54

Function 00440B90 Relevance: 3.1, APIs: 2, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000031,00000000,00000000), ref: 00440BC6

Part of subcall function 004E7E0E: __EH_prolog.LIBCMT ref: 004E7E13
Part of subcall function 004E7E0E: GetDC.USER32(0043B594), ref: 004E7E3C

Part of subcall function 004E770A: SelectObject.GDI32(0043F475,00000000), ref: 004E772C
Part of subcall function 004E770A: SelectObject.GDI32(0043F475,?), ref: 004E7742

GetTextExtentPoint32A.GDI32(?,0058FCCC,00000001,?), ref: 00440C07

Part of subcall function 004E7E80: __EH_prolog.LIBCMT ref: 004E7E85
Part of subcall function 004E7E80: ReleaseDC.USER32(004ECD9D,00000000), ref: 004E7EA4

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologObjectSelect$ExtentMessagePoint32ReleaseSendText
String ID:
API String ID: 3310046980-0
Opcode ID: 275c7931111d34a670f2c61a65a983d0e007d958fbda22b35bb594661758b0ee
Instruction ID: 5e4891f35d3719123f77ffdbb43928bfb18df1336858132b457b3e46b5bd933c
Opcode Fuzzy Hash: 275c7931111d34a670f2c61a65a983d0e007d958fbda22b35bb594661758b0ee
Instruction Fuzzy Hash: 1621D172204641ABC314EF2ACE42B5BB7E5AF84B25F148A1EF445D32C5DA78E806CB91

Function 004555E0 Relevance: 3.1, APIs: 2, Instructions: 64windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00008002,00000000,00000000), ref: 0045564E
GetParent.USER32(00000000), ref: 0045566A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 2b4a68b9cdabeef19fa0a10627122f215582c00c2ee4ac6208be572a304f7ec9
Instruction ID: 5b83a15d3141b2871b2b92982de06ee7fb00f2b8f15b662c83aa52d4116e156d
Opcode Fuzzy Hash: 2b4a68b9cdabeef19fa0a10627122f215582c00c2ee4ac6208be572a304f7ec9
Instruction Fuzzy Hash: E811C6327016515FD7209A669824B7BB39CAF51752F854037FD08DB302EB38DC4986AD

Function 100264C0 Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

FlushInstructionCache.KERNEL32(?,00000000,00000000), ref: 100264FF
VirtualProtect.KERNELBASE(00000000,00000000,00000000,00000000), ref: 10026524

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CacheFlushInstructionProtectVirtual
String ID:
API String ID: 403598440-0
Opcode ID: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
Instruction ID: 4cf98e0dcf6dfc27f34e277785f8542e4947d89007de13e16ffdbbdb6af82732
Opcode Fuzzy Hash: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
Instruction Fuzzy Hash: 5E01D778A00208EFD740CF94D894A9DFBB9FB48314F50C298E80997355D731EE86CB50

Function 004A6A80 Relevance: 3.0, APIs: 2, Instructions: 42windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000100C,000000FF,00000002), ref: 004A6AB8
SendMessageA.USER32(?,0000100C,00000000,00000002), ref: 004A6ACD

Part of subcall function 004DF9AF: SendMessageA.USER32(?,0000102B,?,?), ref: 004DF9D0

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 9b38febcb092aec27879b74eb453793f597b2fa6fc1c2c82b79255f4286eacb5
Instruction ID: 951e491fa891ca78167d54073a00f6aa0d32e10489375fabb6e69bc725152411
Opcode Fuzzy Hash: 9b38febcb092aec27879b74eb453793f597b2fa6fc1c2c82b79255f4286eacb5
Instruction Fuzzy Hash: 2AF0B4B23403517AE63096559C96F97B39C9B96B15F04862FB311EB2C0C9E4D905832C

Function 004AABD0 Relevance: 3.0, APIs: 2, Instructions: 41threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,?,00000000,00000000,?), ref: 004AABFC
CloseHandle.KERNELBASE(00000000,?,00000000,00000000,?), ref: 004AAC24

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CloseCreateHandleThread
String ID:
API String ID: 3032276028-0
Opcode ID: ea18ecab39ecb561b589218083b71f722ba72e62c0e6a0f8a691e35b6c2f4133
Instruction ID: 09bc14d7fac41554e79e8e7077fbee69833d3fa9f89efe278b6feb555f0fa58b
Opcode Fuzzy Hash: ea18ecab39ecb561b589218083b71f722ba72e62c0e6a0f8a691e35b6c2f4133
Instruction Fuzzy Hash: 9DF06D717047019BD724CF28D880B6BB3A9AF85711F00881EE146CB280C7B4F815C765

Function 004AA360 Relevance: 3.0, APIs: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000000), ref: 004AA391
LoadCursorA.USER32(00000000,00007F00), ref: 004AA39F

Part of subcall function 004E3A89: wsprintfA.USER32 ref: 004E3ABF
Part of subcall function 004E3A89: GetClassInfoA.USER32(?,-00000058,?), ref: 004E3AEA

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStockwsprintf
String ID:
API String ID: 2679859018-0
Opcode ID: 617661a4b91d27426598122b6e90da71691b1de7ad81ddca6ae20fdba26faa03
Instruction ID: 283b39a7c94f3b52c6c97fec8b4d6a41a4138199c73a0c0bfcc9dbfc9a12fd00
Opcode Fuzzy Hash: 617661a4b91d27426598122b6e90da71691b1de7ad81ddca6ae20fdba26faa03
Instruction Fuzzy Hash: CEF0BD712882107FE204DA99DD55F3B73ECAB8CB05F00461DB649D71C4C6A4ED008769

Function 004EB808 Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,00000000,004E7473,00000000,00000000,00000000,00000000,?,00000000,?,004DE6D1,00000000,00000000,00000000,00000000,004CF382), ref: 004EB811
SetErrorMode.KERNELBASE(00000000,?,00000000,?,004DE6D1,00000000,00000000,00000000,00000000,004CF382,00000000), ref: 004EB818

Part of subcall function 004EB86B: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 004EB89C
Part of subcall function 004EB86B: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 004EB93D
Part of subcall function 004EB86B: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 004EB96A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: f43dc9ceb5a2e539ac9d1794fa239c90e637edd0b97e2ae9c0fd751eb458dafa
Instruction ID: 2a5e3c3053e1f2497b29520d1030dfac79ab53cef65f370bb9449048040c0228
Opcode Fuzzy Hash: f43dc9ceb5a2e539ac9d1794fa239c90e637edd0b97e2ae9c0fd751eb458dafa
Instruction Fuzzy Hash: 73F03C719043918FD714FF26D545A0A7BA8AF44711F06889FF4449B362CB78D840CB9A

Function 10019482 Relevance: 3.0, APIs: 2, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100031A0: LoadCursorA.USER32 ref: 100031E6
Part of subcall function 100031A0: RegisterClassExA.USER32 ref: 1000320D

GetCurrentThreadId.KERNEL32 ref: 1001949E
SetWindowsHookExA.USER32(00000004,1001A4F0,?,00000000), ref: 100194AD

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ClassCurrentCursorHookLoadRegisterThreadWindows
String ID:
API String ID: 1908744831-0
Opcode ID: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
Instruction ID: 1960aa195ee1fe07530ea21f1dd313f19c5464d8ba1e979a915d34b59bad2663
Opcode Fuzzy Hash: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
Instruction Fuzzy Hash: 40F082B9A001049FE314CF58E885B9A7BE8EB88711F00812AFA0BC7340EB31A451C751

Function 004D478B Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,004CF300,00000001), ref: 004D479C

Part of subcall function 004D4643: GetVersionExA.KERNEL32 ref: 004D4662

HeapDestroy.KERNEL32 ref: 004D47DB

Part of subcall function 004D8095: HeapAlloc.KERNEL32(00000000,00000140,004D47C4,000003F8), ref: 004D80A2

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: c46222e646b8d2a5aa7397e4dba4f321d282b998a19a6b66f0689d77b76c94da
Instruction ID: 03af2fdf23a29ddab44dfaa70d8039a0f442e13eb1bdfee95292fc5216bdbdb6
Opcode Fuzzy Hash: c46222e646b8d2a5aa7397e4dba4f321d282b998a19a6b66f0689d77b76c94da
Instruction Fuzzy Hash: 88F06570A16303ABDF3017355D6673A2790DBD1755F20443BF501C83A0EBB886819609

Function 0045E8B0 Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 0045E8CB
LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 0045E8DD

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ImageLoad
String ID:
API String ID: 306446377-0
Opcode ID: 386b023df47d5be379bcec4ec5d78e6246a1e45924c1d310f96d8d848714b075
Instruction ID: d8d3faeb24e0d2976a8fff5d3bb6311716ac294456ff56aace6c4e323181e5cd
Opcode Fuzzy Hash: 386b023df47d5be379bcec4ec5d78e6246a1e45924c1d310f96d8d848714b075
Instruction Fuzzy Hash: 97E0ED3234131177D620CE5A8C86F9BF7A9EB8DB10F100819B344AB1D1C2F1B4458669

Function 004E36E1 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 004E3708
CallWindowProcA.USER32(?,?,?,?,?), ref: 004E371D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: b1b9d9262280db15cdd2a979dbb79f4ac7327415bc1c3232c14ef1e77244d192
Instruction ID: 8c603a4ac4613d5bfa406e11ce4f2c6c26c1c4a5b0ed1ecaaa71826f711b9b54
Opcode Fuzzy Hash: b1b9d9262280db15cdd2a979dbb79f4ac7327415bc1c3232c14ef1e77244d192
Instruction Fuzzy Hash: E6F0F876100204EFCF128F95DC48D9A7BB9FF08352B048569F94586120D772D920EB44

Function 004E3316 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 004EAF8D: TlsGetValue.KERNEL32(005DB764,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000,?,004DE6D1,00000000,00000000,00000000,00000000), ref: 004EAFCC

GetCurrentThreadId.KERNEL32 ref: 004E3338
SetWindowsHookExA.USER32(00000005,004E3120,00000000,00000000), ref: 004E3348

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 9fb6d5a18280e7eb98605f920bac655d5716d6086f0e1a20edb04b77ee6d3f6f
Instruction ID: c0f31f965207aaf3ade45b1827ab5136464b89a5d8093d0bd9a4c5a54a1f05b8
Opcode Fuzzy Hash: 9fb6d5a18280e7eb98605f920bac655d5716d6086f0e1a20edb04b77ee6d3f6f
Instruction Fuzzy Hash: EAE03931600740AED7319F679809B1776E4EB84B13F15462FE50586240D678A9149B6E

Function 004E3813 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(?), ref: 004E3820
GetWindowTextA.USER32(?,00000000,00000000), ref: 004E3838

Part of subcall function 004E1878: lstrlenA.KERNEL32(?,00000100,004E6C6A,000000FF,0058FEE4,00000000,000000FF,00000100,0058FEE4,0058FEE4,?,00000100,00000000,00454890), ref: 004E188B

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: TextWindow$Lengthlstrlen
String ID:
API String ID: 288803333-0
Opcode ID: 78f8ad33602e43c50644b2f6712f4cb1b98dacd7299261b6637509323788a2e2
Instruction ID: 2d02b303547f9d3f5930fdfcfd0c69ed5fa846aca6c8ba42856a4ae87c86fc4b
Opcode Fuzzy Hash: 78f8ad33602e43c50644b2f6712f4cb1b98dacd7299261b6637509323788a2e2
Instruction Fuzzy Hash: 51E06531104251AFCB55AF55DC5CC6A77F5FF48316710862EB09AC35B1CB31A851CB19

Function 00402459 Relevance: 2.5, APIs: 2, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000040,00402236,?,?,?,00000000,?,00000000,?,00000000,?,00000000,?), ref: 00402468
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040,?,00000000), ref: 0040247C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6a5c688f70d79bc2af88556774f0c9cdf0549ee203fca10f56ab3ff5853e4b7b
Instruction ID: 6a0734c410e30abbf9231c4f416c3205b4aa69eb6441f9c7ad894ba423f2aa5e
Opcode Fuzzy Hash: 6a5c688f70d79bc2af88556774f0c9cdf0549ee203fca10f56ab3ff5853e4b7b
Instruction Fuzzy Hash: 39D0C970258342ABEF22CE618C09F1FBAA9BF80B00F004C1CB3A0B41D0C3B5E0189A0E

Function 00449D80 Relevance: 1.6, APIs: 1, Instructions: 125windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00449EB3

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 094fd42abe1163fb5f5bead1eea6f3d47e152c5db9c4b3969fe515bfce07c71c
Instruction ID: 7897d5695214d59b468422ae0162b32d1ebdb1496f5e766cb261974f65e04c61
Opcode Fuzzy Hash: 094fd42abe1163fb5f5bead1eea6f3d47e152c5db9c4b3969fe515bfce07c71c
Instruction Fuzzy Hash: 7141AB76214701CFD364CF28D480B8AB7E5BB99304F10886EE596CB790D3B6E886CB94

Function 0044AFB0 Relevance: 1.6, APIs: 1, Instructions: 113windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0044B0E3

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: db7fa0b2f32822a86a08767b508f879cfa0f138227f3d8d07064a1811d5d5bb5
Instruction ID: 9f018d4d07db4ae9aebc4f02b7e28a8a200e87822e73f8ea9cac1101fabc4187
Opcode Fuzzy Hash: db7fa0b2f32822a86a08767b508f879cfa0f138227f3d8d07064a1811d5d5bb5
Instruction Fuzzy Hash: 7F41BB762147118FD360CF2CD490B8AB7E0FB99304F10886EE596CB790D3B6E886CB94

Function 004D1A36 Relevance: 1.6, APIs: 1, Instructions: 99memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D1B2C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e92d80976fbfb0cd8aa463f7d7c716968caf1944c3d5291638390b1b9c8ef9c
Instruction ID: d8528bb87f044b1dc4d99828032004adec2261fed2cfadf29476b389d90fadfc
Opcode Fuzzy Hash: 8e92d80976fbfb0cd8aa463f7d7c716968caf1944c3d5291638390b1b9c8ef9c
Instruction Fuzzy Hash: A9318172D01629BACF20AFA99C91A9EB774FB14724F15422BEC21763E1D7386940CB5C

Function 004D0BB5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 004D0C9C

Part of subcall function 004D6E54: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6E91
Part of subcall function 004D6E54: EnterCriticalSection.KERNEL32(?,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6EAC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: d5d8c3d00a07bf8494236da5344a2e760556940e8204f767014375273feb8aa0
Instruction ID: 04fe92f9a6e94d817a75c70a788ee89ba54d1c1b100cc49dcec1801218e06e9e
Opcode Fuzzy Hash: d5d8c3d00a07bf8494236da5344a2e760556940e8204f767014375273feb8aa0
Instruction Fuzzy Hash: 3A21F431A10204ABDB24EF69DC52B9E77A4EB00B24F14431BF411EB3C1C77898418B5C

Function 004A6810 Relevance: 1.6, APIs: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101B,00000000,?), ref: 004A68E8

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5fbe69b5daa7e9253a4130e96f67a3cf9ab0281ae6f4a88ca8eee7a1f1792ad0
Instruction ID: eac1d15ef1a869cb99210ff240d7072de351cc9503cf6f6642ce4b09ce9a9cdf
Opcode Fuzzy Hash: 5fbe69b5daa7e9253a4130e96f67a3cf9ab0281ae6f4a88ca8eee7a1f1792ad0
Instruction Fuzzy Hash: 5721E0B29053428BD720DF18C980BABB7E4FB95304F050A2EF89597380D779DD498B96

Function 004D0A8E Relevance: 1.6, APIs: 1, Instructions: 75memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000000,00000000,00000000,?,00000000,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074), ref: 004D0B62

Part of subcall function 004D6E54: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6E91
Part of subcall function 004D6E54: EnterCriticalSection.KERNEL32(?,?,?,004D1AEC,00000009,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D6EAC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CriticalSection$EnterFreeHeapInitialize
String ID:
API String ID: 641406236-0
Opcode ID: 44af8b2f115b6054f231949959e36161d76a3eefdd9a07505873156a462a78ff
Instruction ID: 62ae5ea791e517eaf54b4467a935f30bece90176b8cef316326b1c3aa685235e
Opcode Fuzzy Hash: 44af8b2f115b6054f231949959e36161d76a3eefdd9a07505873156a462a78ff
Instruction Fuzzy Hash: 8921B372905208AADF109B95DC26FAE7B78EB10728F14021BF414A73C0DB7C9944CAA9

Function 004E2C7D Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004E2C82

Part of subcall function 004EAF8D: TlsGetValue.KERNEL32(005DB764,?,00000000,004EAA14,004EA309,004EAA30,004E61B5,004E7454,?,00000000,?,004DE6D1,00000000,00000000,00000000,00000000), ref: 004EAFCC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 53a1b06e01b1fc634a16c23746dd646a0637ef5400f8cb7b3fcbb558daf606c0
Instruction ID: 4fcfe4e7a12460d9e7ac87b60d48f0a6ab6866c29062eab5728be831036d5fdc
Opcode Fuzzy Hash: 53a1b06e01b1fc634a16c23746dd646a0637ef5400f8cb7b3fcbb558daf606c0
Instruction Fuzzy Hash: A8217A72A00209EFDF05DF55C981AEE7BB9FF44315F10406AF915AB240D3B8AE55CB91

Function 004E33A4 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,0047ACF1,?,?,?,?,?,?,?,?,?), ref: 004E3442

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 38ddfea89843b5c55b92946623c011ba4c28d44eab5a49b9b3376836295b6d09
Instruction ID: 6022a475f3c7d7923d83228539e3436148cb230cd8d3824c4c66560c94898b1c
Opcode Fuzzy Hash: 38ddfea89843b5c55b92946623c011ba4c28d44eab5a49b9b3376836295b6d09
Instruction Fuzzy Hash: 6D31AC75A00219AFCF02DFA9C9449DEBBF1BF4C301B11846AF918E7210E7359A509F54

Function 0043B620 Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,00000000,?,?,00002800,00000000), ref: 0043B6BE

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 1f121c917481ef2806499806174903bf8c14a99cf8b2fd8b1f3518910e771a1d
Instruction ID: 10875f113204dd8929419f13e247a69c1e02c797d439f75a33d6f0dea64c1e18
Opcode Fuzzy Hash: 1f121c917481ef2806499806174903bf8c14a99cf8b2fd8b1f3518910e771a1d
Instruction Fuzzy Hash: 6A11A4B56046005BD315EB36DC46A6B73E8EF98318F00592EF94683252EB3CEC0487EA

Function 10006940 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

Part of subcall function 100069F0: DeleteObject.GDI32(?), ref: 100069FE

CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreateDeleteObjectSection
String ID:
API String ID: 2173382960-0
Opcode ID: 1eb944d488383bc4aa980fc588f5b2db447b9dad9f5b85fe004328d50d26d93d
Instruction ID: 7c6951bcf0e21e93eae5dd231c3839bee3ae470e0ee931b53b39c6278d73b45b
Opcode Fuzzy Hash: 1eb944d488383bc4aa980fc588f5b2db447b9dad9f5b85fe004328d50d26d93d
Instruction Fuzzy Hash: 14116D726107058AE330CF15DD81B57F7E9EF94790F54893EE185CAA91D771E8088B60

Function 1000A880 Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000A896

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Prop
String ID:
API String ID: 257714900-0
Opcode ID: 9e952fefe096254a1bbe306181cc1f219a277d469f60241f2d76a5743c8985b5
Instruction ID: b92aa163cc4772d189c91a95496e01ad41b9399914cdb497733bef8968714656
Opcode Fuzzy Hash: 9e952fefe096254a1bbe306181cc1f219a277d469f60241f2d76a5743c8985b5
Instruction Fuzzy Hash: 06F06276208621ABA110DA5C9CC0C7FE7ACDBD66B0720472DF660D32D7CB20AC4697A1

Function 004596C0 Relevance: 1.5, APIs: 1, Instructions: 43windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000BC19,00000000,?), ref: 0045971E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: ac09607c7c2136f1272ffac4032049c9129351ef81d19862cc8dad1016ee34b9
Instruction ID: be6a5458efbb0df97e3d9d7ae72406f1fc70bfc47f28aaf294170078d9ed4544
Opcode Fuzzy Hash: ac09607c7c2136f1272ffac4032049c9129351ef81d19862cc8dad1016ee34b9
Instruction Fuzzy Hash: F3017C75604201DFC200DF2AD880E6BB7E8ABD4305F04882FE845C7242E778DD0DCB96

Function 004CEFAC Relevance: 1.5, APIs: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001004,00000000,?), ref: 004CEFFF

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a933bd825f2b832cd4d9df288911b847f4f76d383fd15aa76238507067e89d3e
Instruction ID: 373a698fdcd5698b1e11720b56f2d59d30d6b15f83ffd42efffb43de9ec5d87f
Opcode Fuzzy Hash: a933bd825f2b832cd4d9df288911b847f4f76d383fd15aa76238507067e89d3e
Instruction Fuzzy Hash: 7EF0C236701228B6DF649A57C856FEBBBACAF44314B08403FE906D2180D7A8D946C6A8

Function 004E2BA6 Relevance: 1.5, APIs: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E56B6: GetWindowLongA.USER32(?,000000F0), ref: 004E56C2

SendMessageA.USER32(?,0000036E,?,00000000), ref: 004E2BFA

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: LongMessageSendWindow
String ID:
API String ID: 3360111000-0
Opcode ID: 8b63a132485909e1aa9a6d8d66c71838792f060ac49c4bcef4a94c85b449dd1f
Instruction ID: 7f43a5ddaa9f719de2306216def8c86ab24b539540b22a2adfd1a4721d087e10
Opcode Fuzzy Hash: 8b63a132485909e1aa9a6d8d66c71838792f060ac49c4bcef4a94c85b449dd1f
Instruction Fuzzy Hash: 2AF04476600648AFDB019F96C9419AFB7ADAB94355B10402BE50197340D6B4AE018754

Function 0045A1E0 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004E7F76: __EH_prolog.LIBCMT ref: 004E7F7B
Part of subcall function 004E7F76: BeginPaint.USER32(?,?,?,?,00441659), ref: 004E7FA4

Part of subcall function 004E7B27: GetClipBox.GDI32(?,?), ref: 004E7B2E

IsRectEmpty.USER32(?), ref: 0045A220

Part of subcall function 00459D40: CreateRectRgn.GDI32(?,?,?,?), ref: 00459D8E
Part of subcall function 00459D40: GetClientRect.USER32(?,?), ref: 00459E29

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$BeginClientClipCreateEmptyH_prologPaint
String ID:
API String ID: 4024812366-0
Opcode ID: 2badd6fb0de1b81bbd09fa67d5ba06ff2d26112ede643a6e425a28f7dd841ae2
Instruction ID: f645723e1098d737d5808ad180c5b8ee8d096fd31da055021ed5809a7f017338
Opcode Fuzzy Hash: 2badd6fb0de1b81bbd09fa67d5ba06ff2d26112ede643a6e425a28f7dd841ae2
Instruction Fuzzy Hash: 88F081710087819FC314DF15C945B9EB7E8EB84B25F500A1EF065822D0DB789908CBA7

Function 004E2EF4 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a52bc6aef59ba2e750caacb075696ac91a1bccfa7c26038cde70cb980780d00
Instruction ID: 6ee0fa0aee62f9d4d87cf1c5344116053a3cd29224a00e6898ad97c60de34467
Opcode Fuzzy Hash: 1a52bc6aef59ba2e750caacb075696ac91a1bccfa7c26038cde70cb980780d00
Instruction Fuzzy Hash: 85F0F83240515AFBCF125F929E00AEB3B2DAF19366F008416FA0555011C3B99621EBA9

Function 004CF00B Relevance: 1.5, APIs: 1, Instructions: 27windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00001002,00000001,?), ref: 004CF03D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: aaf0537521e227d3972f05e537517eba9aabfe0d0520cbe73caa51b28f5a431a
Instruction ID: e0a79a4a01aca87bcae179f2b384a580bd6203fb67d952cae1b880e1546883ca
Opcode Fuzzy Hash: aaf0537521e227d3972f05e537517eba9aabfe0d0520cbe73caa51b28f5a431a
Instruction Fuzzy Hash: 76E09236600118ABDB10A656DC0AFEBB76CEB94754F04403AE90192081DBB5E85AC6A4

Function 004A8EF0 Relevance: 1.5, APIs: 1, Instructions: 25registryCOMMON

Download Yara Rule

APIs

RegisterDragDrop.OLE32(?,-00000064), ref: 004A8F1C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: DragDropRegister
String ID:
API String ID: 1555377906-0
Opcode ID: 5d47137d0efde5d200f661c7a594160543d1bf924bd665e524a73050fc17cd1c
Instruction ID: 652b711b51f30efdb69b6de7321fa0fabddf12cd195c456183f95d9e5a725216
Opcode Fuzzy Hash: 5d47137d0efde5d200f661c7a594160543d1bf924bd665e524a73050fc17cd1c
Instruction Fuzzy Hash: B2E065791222118FC704DF29C800AEA77A8EF89325F44446EE846C7360CB78E800CB41

Function 00447FE0 Relevance: 1.5, APIs: 1, Instructions: 24timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,000003E8,?,00000000), ref: 0044800D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Timer
String ID:
API String ID: 2870079774-0
Opcode ID: 6ea6b31a0888082a0f9d62674be3ab44b9320353ca6bd92201a67b9d3839c926
Instruction ID: 494d17576946acac73c3a9d8a90fb019623a793caf45f8ab795f6d49991cfa48
Opcode Fuzzy Hash: 6ea6b31a0888082a0f9d62674be3ab44b9320353ca6bd92201a67b9d3839c926
Instruction Fuzzy Hash: 9DE01A716147509BE670DE399844F5762E8AB24326F014A2FF242C3680CAA6E8459718

Function 0043B550 Relevance: 1.5, APIs: 1, Instructions: 22windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,?,?,?), ref: 0043B570

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2ddd52c138e881ad386d5d14b3b8c0a9009912ed8fb2ed07fbe1cf85c533672
Instruction ID: fe82661c7bb6c2ae72876a8f019891fe2cb07085ee2591071901a57eb9ffac65
Opcode Fuzzy Hash: b2ddd52c138e881ad386d5d14b3b8c0a9009912ed8fb2ed07fbe1cf85c533672
Instruction Fuzzy Hash: 96E0B6B6601210AF8600DF5AD888C57BBACFF89275B1548A9F50997222D630EC05CBA1

Function 0045CFF0 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00830000,00000000,?), ref: 0045D001

Part of subcall function 00454860: wsprintfA.USER32 ref: 00454872

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AllocateHeapwsprintf
String ID:
API String ID: 1352872168-0
Opcode ID: 11554e22038206e488079d151dda1e890c878386e19ca62661afa0b7774df429
Instruction ID: 857095176ffdccdf8352a83aa2f036e9c10b47ea7460c2ae07318b537620bfbb
Opcode Fuzzy Hash: 11554e22038206e488079d151dda1e890c878386e19ca62661afa0b7774df429
Instruction Fuzzy Hash: 42E086B590010CFBDB00DFA0EC45A6A77B8DB4C305F008559FD0547341D636EE44DB98

Function 004E6C78 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 004E6C8F

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 5aa2d29a14c515f00d3186ca0ff2ae3c54a53f49b26150e61b6dc99fe8e74760
Instruction ID: bb143315fffe4303d1d274363826b8fea2900930c1847d5158ed721d8b431f79
Opcode Fuzzy Hash: 5aa2d29a14c515f00d3186ca0ff2ae3c54a53f49b26150e61b6dc99fe8e74760
Instruction Fuzzy Hash: 0FD0A7720093E29BC701DF628808C8FBBA4BF54311B054C0EF4C083211D324D414C766

Function 004E574C Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,0045FAFA), ref: 004E575A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 49b733630dc61efca852bfeb23e79b48fa450e328daf6c7821dca0860daafc44
Instruction ID: 405d2498996ef1d7f492436a845578a8e17ab7643d50d6320bdd331873bd6f51
Opcode Fuzzy Hash: 49b733630dc61efca852bfeb23e79b48fa450e328daf6c7821dca0860daafc44
Instruction Fuzzy Hash: E6D09234204200EFCF459F61DA48A1ABBA2FF9470AF6489A9E046CA161D736CC22EF45

Function 004E581E Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000005,00452EBE,00000005,00000000,?,?,?,?,?,000003E9,00000000,00000000,?,005B7B70), ref: 004E582C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: d3120ebc8a58995dd85e020f26db15b031b86295f450b6acff7eea61db032508
Instruction ID: b62d53eb3f2825c15123501ee1a85e50745b8ab4b0ceae808e8c9341d8daf698
Opcode Fuzzy Hash: d3120ebc8a58995dd85e020f26db15b031b86295f450b6acff7eea61db032508
Instruction Fuzzy Hash: CFD0C930704200EFCF099F61CA48A2ABBB2BF94709F209579F4468A121D736CC22EF09

Function 004E02F7 Relevance: 1.5, APIs: 1, Instructions: 11windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000101F,00000000,00000000), ref: 004E0303

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1c58c0473ecb40b8afe85bf9d2cbe038b12993f1caf0ef3d735f67b0fee918a4
Instruction ID: 25f36a05c26d4d3330d97c503c7796c79b8f0f243803d9a639a2b17230e950e7
Opcode Fuzzy Hash: 1c58c0473ecb40b8afe85bf9d2cbe038b12993f1caf0ef3d735f67b0fee918a4
Instruction Fuzzy Hash: D3C09B3434034177EE202F665D0AF5535197B40F06FF05495B600DD0E6D6DDD455950C

Function 004A3C90 Relevance: 1.5, APIs: 1, Instructions: 7windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000005,00000000,00000000), ref: 004A3C9A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 5c7cb7ec154e9ba7cc1c0f716418071986b421761bc053cd312d3a8fe6a69660
Instruction ID: d59e39addc2ab2bd3950715d5b615386aa2b74f0e66322412b84582ec096724b
Opcode Fuzzy Hash: 5c7cb7ec154e9ba7cc1c0f716418071986b421761bc053cd312d3a8fe6a69660
Instruction Fuzzy Hash: 6EB01130B80300BBEE208BA08E0EF023228AB00B02F300880B302EE0C0E2E0E002CA08

Function 10025D00 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000045C,10025D96,?,10026268,?,?,?,?,?,?), ref: 10025D0F

Part of subcall function 10019250: 70144BC0.MSVFW32 ref: 10019374
Part of subcall function 10019250: GetVersion.KERNEL32 ref: 10019392

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: 70144??2@Version
String ID:
API String ID: 741736933-0
Opcode ID: b42eda6355405cee72902d32ec50ce663df726c730aeb1b8a14187fe49f5916d
Instruction ID: 7e419e08a8c89389e48617f3b5b6180ff5c9c39a8ef321e5e2b9f2201d5a6f9d
Opcode Fuzzy Hash: b42eda6355405cee72902d32ec50ce663df726c730aeb1b8a14187fe49f5916d
Instruction Fuzzy Hash: 29E09A787001098FE728CB78ECD4E2637E1EBD8600B21853DE90AC3292FA31E862D604

Non-executed Functions

Function 0046C380 Relevance: 87.2, APIs: 47, Strings: 2, Instructions: 1494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E7F76: __EH_prolog.LIBCMT ref: 004E7F7B
Part of subcall function 004E7F76: BeginPaint.USER32(?,?,?,?,00441659), ref: 004E7FA4

Part of subcall function 004E7B27: GetClipBox.GDI32(?,?), ref: 004E7B2E

DPtoLP.GDI32 ref: 0046C49B
GetClientRect.USER32(?,?), ref: 0046C4A9
DPtoLP.GDI32(?,?,00000002), ref: 0046C4C1
IntersectRect.USER32(?,?,?), ref: 0046C560
LPtoDP.GDI32(?,?,00000002), ref: 0046C5A1
IntersectRect.USER32(?,?,?), ref: 0046C5FE
LPtoDP.GDI32(?,?,00000002), ref: 0046C63F
CreateRectRgnIndirect.GDI32(?), ref: 0046C66A
IntersectRect.USER32(?,?,?), ref: 0046C69E
LPtoDP.GDI32(?,?,00000002), ref: 0046C6DF
CreateRectRgnIndirect.GDI32(?), ref: 0046C705
CreateRectRgnIndirect.GDI32(?), ref: 0046C734
GetCurrentObject.GDI32(?,00000006), ref: 0046C750
GetCurrentObject.GDI32(?,00000001), ref: 0046C769
GetCurrentObject.GDI32(?,00000002), ref: 0046C782

Part of subcall function 004E77E6: SetBkMode.GDI32(?,?), ref: 004E77FF
Part of subcall function 004E77E6: SetBkMode.GDI32(?,?), ref: 004E780D

Part of subcall function 004E45D8: GetScrollPos.USER32(00000000,0044FAC3), ref: 004E45F6

Part of subcall function 0046BFB0: CreateFontIndirectA.GDI32(00000000), ref: 0046C002

FillRgn.GDI32(?,?,?), ref: 0046C962
IntersectRect.USER32(?,?,?), ref: 0046CA47
IsRectEmpty.USER32(?), ref: 0046CA52
LPtoDP.GDI32(?,?,00000002), ref: 0046CA6F
CreateRectRgnIndirect.GDI32(?), ref: 0046CA7A
CombineRgn.GDI32(?,?,?,00000004), ref: 0046CAAB
DPtoLP.GDI32(?,?,00000002), ref: 0046CAC9

Part of subcall function 004E78CD: SetMapMode.GDI32(?,?), ref: 004E78E6
Part of subcall function 004E78CD: SetMapMode.GDI32(?,?), ref: 004E78F4

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0046CB08
IntersectRect.USER32(?,?,?), ref: 0046CB9B
IsRectEmpty.USER32(?), ref: 0046CBE1
SelectObject.GDI32(?,?), ref: 0046CC1C
DPtoLP.GDI32(?,?,00000001), ref: 0046CCA8
LPtoDP.GDI32(?,?,00000001), ref: 0046CDC7
DPtoLP.GDI32(?,?,00000001), ref: 0046CDE5

Part of subcall function 004E7BFB: MoveToEx.GDI32(?,?,?,?), ref: 004E7C1D
Part of subcall function 004E7BFB: MoveToEx.GDI32(?,?,?,?), ref: 004E7C31

Part of subcall function 004E7C47: MoveToEx.GDI32(?,?,?,00000000), ref: 004E7C61
Part of subcall function 004E7C47: LineTo.GDI32(?,?,?), ref: 004E7C72

Part of subcall function 004E770A: SelectObject.GDI32(0043F475,00000000), ref: 004E772C
Part of subcall function 004E770A: SelectObject.GDI32(0043F475,?), ref: 004E7742

Part of subcall function 0046F670: GetCurrentObject.GDI32(?), ref: 0046F73B
Part of subcall function 0046F670: LPtoDP.GDI32(?,00000000,00000001), ref: 0046F788

IntersectRect.USER32(?,00000000,?), ref: 0046CF32
IsRectEmpty.USER32(00000000), ref: 0046CF3D
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 0046CF84
LPtoDP.GDI32(?,00000000,00000002), ref: 0046CF99
CreateRectRgnIndirect.GDI32(00000000), ref: 0046CFA4
CombineRgn.GDI32(?,?,?,00000004), ref: 0046CFD5
LPtoDP.GDI32(?,?,00000001), ref: 0046D004
DPtoLP.GDI32(?,?,00000001), ref: 0046D022
wsprintfA.USER32 ref: 0046D0C0
SelectObject.GDI32(?,?), ref: 0046D0E8
IntersectRect.USER32(?,?,?), ref: 0046D658
IsRectEmpty.USER32(?), ref: 0046D663
LPtoDP.GDI32(?,?,00000002), ref: 0046D680
CreateRectRgnIndirect.GDI32(?), ref: 0046D68B
CombineRgn.GDI32(?,?,?,00000004), ref: 0046D6BC

Part of subcall function 0046ED30: SetRectEmpty.USER32(?), ref: 0046EDAA

Part of subcall function 0046ED30: GetSysColor.USER32(0000000F), ref: 0046EEDB
Part of subcall function 0046ED30: IntersectRect.USER32(?,?,?), ref: 0046EF33

GetSysColor.USER32(0000000F), ref: 0046C846

Part of subcall function 004E8173: __EH_prolog.LIBCMT ref: 004E8178
Part of subcall function 004E8173: CreateSolidBrush.GDI32(?), ref: 004E8195

Part of subcall function 004E8123: __EH_prolog.LIBCMT ref: 004E8128
Part of subcall function 004E8123: CreatePen.GDI32(?,?,?), ref: 004E814B

CreateRectRgnIndirect.GDI32(?), ref: 0046C5C6

Part of subcall function 0046DB80: CopyRect.USER32(?,00000000), ref: 0046DBF7
Part of subcall function 0046DB80: IsRectEmpty.USER32(?), ref: 0046DC02
Part of subcall function 0046DB80: GetClientRect.USER32(00000000,?), ref: 0046DC41
Part of subcall function 0046DB80: DPtoLP.GDI32(?,?,00000002), ref: 0046DC53
Part of subcall function 0046DB80: LPtoDP.GDI32(?,?,00000002), ref: 0046DC90

FillRect.USER32(?,?,?), ref: 0046D9B9

Strings

0buu, xrefs: 0046C5C6, 0046C657, 0046CA7A, 0046CFA4, 0046D68B
tZ, xrefs: 0046C8F7

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Create$IndirectIntersectObject$Empty$CurrentModeSelect$CombineH_prologMove$ClientColorFill$BeginBrushClipCopyFontLinePaintScrollSolidwsprintf
String ID: 0buu$tZ
API String ID: 3726329589-3721331629
Opcode ID: cf5c609730ba5c158c4b6e907ad1c5c0da2301d52eb172e7bb72687ec72b5a9e
Instruction ID: 59c29ec4c0d449583fbf8e3aa332e472f8ce27f679bc069eabffa6199d51f600
Opcode Fuzzy Hash: cf5c609730ba5c158c4b6e907ad1c5c0da2301d52eb172e7bb72687ec72b5a9e
Instruction Fuzzy Hash: 32D246716083859FD324DF65C894FAFB7E9ABC8704F004A1EF58A83251EB74A905CB67

Function 10004E30 Relevance: 36.6, APIs: 24, Instructions: 566windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10004E5F

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

CreateCompatibleDC.GDI32(00000000), ref: 10004FC9
SelectObject.GDI32(00000000,?), ref: 10004FDD
SetBkMode.GDI32(00000000,00000001), ref: 10004FE6

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Part of subcall function 100055A0: GetWindowRect.USER32(?,?), ref: 100055C2
Part of subcall function 100055A0: SetRect.USER32(?,00000000,00000000,?,?), ref: 100055E3
Part of subcall function 100055A0: GetWindowLongA.USER32(?,000000F0), ref: 100055EF

SelectObject.GDI32(00000000,?), ref: 10005076
SetTextColor.GDI32(00000000,?), ref: 1000507F
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 100050B7
GetWindowTextA.USER32(?,?,00000400), ref: 10005127
DrawTextA.USER32(00000000,?,?,?,00040024), ref: 10005150
IsRectEmpty.USER32(?), ref: 10005179
IsIconic.USER32(?), ref: 1000518B
IsRectEmpty.USER32(?), ref: 1000525E
IsZoomed.USER32(?), ref: 10005270
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10005398
GetMenuState.USER32(00000000), ref: 1000539F
IsRectEmpty.USER32(?), ref: 1000543D
SetBkMode.GDI32(00000000,00000001), ref: 1000544A
SelectObject.GDI32(00000000,?), ref: 100054D5
DeleteDC.GDI32(00000000), ref: 100054DC
CreateCompatibleDC.GDI32(00000000), ref: 100054E4
SelectObject.GDI32(00000000,?), ref: 100054F5
DeleteObject.GDI32(00000000), ref: 10005557

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Object$SelectWindow$CreateEmptyText$CompatibleDeleteDrawMenuMode$74001530ColorIconIconicLongSectionStateSystemZoomed
String ID:
API String ID: 1459725302-0
Opcode ID: 869c7fd31a59fd848f571312f20572626bedb3b1c27675698ae66dad921983ac
Instruction ID: cea4122b0922ce362506ef713f39b4431f8d55212c238b2335c3802d68202380
Opcode Fuzzy Hash: 869c7fd31a59fd848f571312f20572626bedb3b1c27675698ae66dad921983ac
Instruction Fuzzy Hash: 92227B79240205AFF324CB64CC89FAB77A9FF84745F20491CF95A87295EA71B906CB60

Function 10023070 Relevance: 25.9, APIs: 17, Instructions: 358windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10023094
IsRectEmpty.USER32(?), ref: 10023107
IsIconic.USER32(?), ref: 10023115
IsRectEmpty.USER32(?), ref: 100231E6
IsZoomed.USER32(?), ref: 100231F4
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
GetMenuState.USER32(00000000), ref: 1002331E
IsRectEmpty.USER32(?), ref: 100233BD
SetBkMode.GDI32(?,00000001), ref: 100233CA

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: EmptyRect$Menu$IconicModeStateSystemVisibleWindowZoomed
String ID:
API String ID: 549281773-0
Opcode ID: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
Instruction ID: d06e77375d5cb7ab1f1ac25b83a2b383d651d1881662a64e5f1b630b1572dc97
Opcode Fuzzy Hash: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
Instruction Fuzzy Hash: 1DD16CB9241B06AFE324CB64DCC4FAB73A9FF84744F60891CE55A87241E634FD468B60

Function 10006010 Relevance: 25.7, APIs: 17, Instructions: 164windownativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 1000601C
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10006032
SendMessageA.USER32(?,000000A2,00000000,?), ref: 10006052
GetWindowRect.USER32(?,?), ref: 10006062
IsRectEmpty.USER32(?), ref: 1000608D
PtInRect.USER32(?,?,?), ref: 100060A0
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 100060BF
GetMenuState.USER32(00000000), ref: 100060C6
SendMessageA.USER32(?,00000112,0000F180,?), ref: 100060F9
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10004C8B), ref: 10006113

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageRectSendWindow$Menu$EmptyEnabledNtdllProc_StateSystem
String ID:
API String ID: 2671586774-0
Opcode ID: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
Instruction ID: db1f306a8784ca8736970017476ad2195cdbaa505f3b9dba42231a781a1f9d91
Opcode Fuzzy Hash: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
Instruction Fuzzy Hash: 1551AE75240716AFF320DBA5CC89FAB77EDEB88780F20492CF55683695DA34E945CB20

Function 0045C7C0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 0045C7CC
IsZoomed.USER32(?), ref: 0045C7DA
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 0045C804
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045C817
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045C825
FreeLibrary.KERNEL32(00000000), ref: 0045C85B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0045C871
IsWindow.USER32(?), ref: 0045C89E
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 0045C8AB

Strings

GetMonitorInfoA, xrefs: 0045C81D
MonitorFromWindow, xrefs: 0045C811
User32.dll, xrefs: 0045C7F9
H, xrefs: 0045C848

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: fdf8e77ad145a9685cf91b99a3a090a410ff7da0dc34f458936d41d9869ee919
Instruction ID: 0f65ee24287762498b74e63bce03f27849451eb617c6cc114828638bb701e7e6
Opcode Fuzzy Hash: fdf8e77ad145a9685cf91b99a3a090a410ff7da0dc34f458936d41d9869ee919
Instruction Fuzzy Hash: 14317171700305AFD710AF61CD89B7B7BA8EB84B02F00452DFD0197281DBB8E919CB69

Function 10003970 Relevance: 20.3, APIs: 13, Instructions: 806COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(?,?,1002CDA8,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 100039AB
??2@YAPAXI@Z.MSVCRT(?,?,?,1002CDA8,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020), ref: 100039BD
PtInRegion.GDI32(?,00000000,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 10003A4F
PtInRegion.GDI32(?,?,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 10003AB3
??2@YAPAXI@Z.MSVCRT(?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020,?), ref: 10003B14
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020,?), ref: 10003C36
_ftol.MSVCRT ref: 10003D2F
OffsetRgn.GDI32(?,?,?), ref: 10004038
PtInRegion.GDI32(?,-00000001,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000), ref: 100041D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020,?), ref: 1000428E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020,00000020), ref: 10004298
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000,00000020), ref: 100042A2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,?,00000000), ref: 100042AC

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??2@??3@$Region$Offset_ftol
String ID:
API String ID: 2490806229-0
Opcode ID: 20f87a81f43be5445c397b0e250875611de442200e131b72367e034636e4db9f
Instruction ID: 98ed0c605d52677ada83a984198e756a1aca9b3409a824ef284006b387393d3d
Opcode Fuzzy Hash: 20f87a81f43be5445c397b0e250875611de442200e131b72367e034636e4db9f
Instruction Fuzzy Hash: F3626975A086468FD709CF19C88051AB7E6FFC8384F15C92DE899DB359EB30E946CB81

Function 10021800 Relevance: 19.7, APIs: 13, Instructions: 170windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 1002198A
GetMenuItemID.USER32(?,?), ref: 100219E3
SendMessageA.USER32(?,00000111,00000000), ref: 100219F3
CallWindowProcA.USER32(?,?,000000A2,?,?), ref: 10021A38

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallItemKillMenuMessageProcSendTimerWindow
String ID:
API String ID: 2515994771-0
Opcode ID: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
Instruction ID: 89b724dc2ca4cdc55add286efa33b9077fff919ea1f62498a6f78f4254ff7468
Opcode Fuzzy Hash: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
Instruction Fuzzy Hash: 64518179304702AFE354DB64D895FEBB3E9FB98740F50891DF696C6190CB70A886CB50

Function 10017540 Relevance: 18.5, APIs: 12, Instructions: 476COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 100175E4
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,00000000), ref: 10017607
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10017695
??3@YAXPAX@Z.MSVCRT(00000000,?,-00000001,00000000), ref: 100176E6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@$??2@
String ID:
API String ID: 4113381792-0
Opcode ID: 9aef21dc69513510d62cbd5b6012a76406e709963529ef32f910eb16fd510893
Instruction ID: 33afa64b527c78f8bd4c2c7d176e8c765b8c94169a76a89671ef6ae364567c8b
Opcode Fuzzy Hash: 9aef21dc69513510d62cbd5b6012a76406e709963529ef32f910eb16fd510893
Instruction Fuzzy Hash: 8502D0756002488FDB28CF14D890BEA77E2FB88310F59857DED0A5F381DB75AA45CB91

Function 00458390 Relevance: 15.4, APIs: 10, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ab88e5a08582936473d9f8b64fe236fa72473695eb73c2cf41f2ae3a634c05
Instruction ID: b0024682cb779601d98906e03b05cca422b9eef3af178f96b4313e2c0116e44c
Opcode Fuzzy Hash: 67ab88e5a08582936473d9f8b64fe236fa72473695eb73c2cf41f2ae3a634c05
Instruction Fuzzy Hash: 46C1E2767046088FE310EF29AC81A6BB394FB84315F504D2FE946D7342DF36E9198B99

Function 10009340 Relevance: 15.2, APIs: 10, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10009350
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000936C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
Instruction ID: 66a860390867b69e52e3412568fee3c891a1f5c98dd500308f81789add6bf3bd
Opcode Fuzzy Hash: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
Instruction Fuzzy Hash: E941907A205600ABE200DB58DC84DABB3E8FBC4751F50491DF98683251C774ED0ACBB2

Function 1000C3F0 Relevance: 15.2, APIs: 10, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000C400
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000C41C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
Instruction ID: e4712fcc12151d2cebdf1b72559aff8232ef5eb8468fa4595113e4497e6478ba
Opcode Fuzzy Hash: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
Instruction Fuzzy Hash: 7F419F7A205704ABE250EB58DC88D6BB7E8FBC8751F50491DF94283252C774ED0A8BB2

Function 10017BA0 Relevance: 12.9, APIs: 6, Strings: 1, Instructions: 613COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 10017FBB

Strings

d, xrefs: 10017CB8

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ObjectSelect
String ID: d
API String ID: 1517587568-2564639436
Opcode ID: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
Instruction ID: 4b82767d9c842e9e08e3940738fc6923ca1a8521680a6cc2111a8d75eee5b889
Opcode Fuzzy Hash: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
Instruction Fuzzy Hash: 4A32E571A047128FD319CF14D8907AAB3E5FFC8340F558A7DE8969B291D734EA89CB42

Function 10005940 Relevance: 12.1, APIs: 8, Instructions: 83nativetimeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 10005959
GetWindowRect.USER32(?,?), ref: 1000596C
PtInRect.USER32(?,?,?), ref: 1000599D
PtInRect.USER32(?,?,?), ref: 100059B4
PtInRect.USER32(?,?,?), ref: 100059CB
PtInRect.USER32(?,?,?), ref: 100059E2
KillTimer.USER32(?,00006625,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 100059F2

Part of subcall function 10004E30: GetWindowRect.USER32(?,?), ref: 10004E5F

NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 10005A27

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$CursorKillNtdllProc_Timer
String ID:
API String ID: 1632373092-0
Opcode ID: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
Instruction ID: 9a3ddf00fd3851daef2864d54b78be332d389b06acf702b9600ba59b9845d60c
Opcode Fuzzy Hash: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
Instruction Fuzzy Hash: 51212CB6614302AFE314DB64CC88C6BB7E9FFC8794F008A1DF49AD3214D631E9058B62

Function 10021370 Relevance: 10.6, APIs: 7, Instructions: 134nativewindowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002CD88), ref: 1002137E
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1002139A
IsWindowVisible.USER32(?), ref: 100213D9
ShowWindow.USER32(?,00000000), ref: 100213E6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$NtdllProc_PropShowVisible
String ID:
API String ID: 2900772547-0
Opcode ID: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
Instruction ID: bd9fa984eed261b426f55b418d79167bb0f56a7a5cd861e89bf77d4c9bc891ea
Opcode Fuzzy Hash: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
Instruction Fuzzy Hash: 9531E97B301659ABE211DA95ECC4DBFB7ADEBD53D6F01841AF24187100C722AD06C775

Function 100098B0 Relevance: 9.1, APIs: 6, Instructions: 85nativetimeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 100098BE
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100098DA
KillTimer.USER32(?,?,00000000), ref: 10009914

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: KillNtdllProc_PropTimerWindow
String ID:
API String ID: 3733616403-0
Opcode ID: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
Instruction ID: adc7337034f0b9ec4e7ed3ed95778db363d18d8614baef39ea8ea303d17308f6
Opcode Fuzzy Hash: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
Instruction Fuzzy Hash: EF21F336305215ABE210DA54ECC4E7F77ACEBC5BE1F10451EF68293241C726AC069761

Function 10006210 Relevance: 9.1, APIs: 6, Instructions: 56windownativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10006219
SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 1000622F
SendMessageA.USER32(?,000000A3,00000000,?), ref: 10006251
IsZoomed.USER32(?), ref: 10006263
SendMessageA.USER32(?,00000112,0000F120,?), ref: 1000628C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000629E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Window$EnabledNtdllProc_Zoomed
String ID:
API String ID: 1736178447-0
Opcode ID: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
Instruction ID: 53ad444b2308a7bebedf1b38f9ffedf2fa5899a07a2aa37d5df76109a97d8af9
Opcode Fuzzy Hash: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
Instruction Fuzzy Hash: E1118E35305B12EFE220CB95DC84E9BB3EDEB8CB40F20880CF68597594C670E841C764

Function 1000B6E0 Relevance: 8.6, APIs: 5, Instructions: 1050windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,00000000,?,?,?,?,?,?,00CC0020), ref: 1000BB67
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000BE29
BitBlt.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BEF2
OffsetRect.USER32(?,1000329E,000000FF), ref: 1000BFA9
BitBlt.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BC0B

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Part of subcall function 1000B4C0: CreateCompatibleDC.GDI32(?), ref: 1000B548
Part of subcall function 1000B4C0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000B553
Part of subcall function 1000B4C0: SelectObject.GDI32(00000000,00000000), ref: 1000B55F
Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
Part of subcall function 1000B4C0: DeleteObject.GDI32(?), ref: 1000B5C5
Part of subcall function 1000B4C0: DeleteDC.GDI32(00000000), ref: 1000B5CC

Part of subcall function 1000B5F0: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B646

Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B1A0
Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B216

Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B273
Part of subcall function 1000B120: BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B2C9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: 74001530CompatibleCreateDeleteObject$BitmapOffsetRectSelect
String ID:
API String ID: 3037979023-0
Opcode ID: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
Instruction ID: b631010fc7c61f0dbc485572ac6f53e1cb0354f72aed0dfdbd8fa92e86ef0b76
Opcode Fuzzy Hash: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
Instruction Fuzzy Hash: F872B6B5700901AFD358CE6ECE95D27F7EAEFC8610314CA1CA55EC3A5CEA30F8558A64

Function 1001D8E0 Relevance: 7.6, APIs: 5, Instructions: 150nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001D8EC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D908

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
Instruction ID: 3dd76a049db869770da15870645d9af25493a0817101984a39104c73db85ad87
Opcode Fuzzy Hash: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
Instruction Fuzzy Hash: D741447A7082119BD640FE58E880E6F77A9EBD4750F108C1BF5818B256C270DCC697B2

Function 10008310 Relevance: 7.6, APIs: 5, Instructions: 99nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000831C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008338

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
Instruction ID: d5cf22ff5653e0c4365a76e3bc0a6f530f10b9ff97d098438d5549bdcf248cbb
Opcode Fuzzy Hash: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
Instruction Fuzzy Hash: 0E216476308612ABE204DB18EC84EAF77A9EBD8760F104919F181D7295C770ED9687B1

Function 1001FD50 Relevance: 7.6, APIs: 5, Instructions: 90nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001FD66
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FD7E
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1001FDBE
GetPropA.USER32(00000000,1002C03C), ref: 1001FDD0
GetWindowRect.USER32(00000000,?), ref: 1001FDED

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Prop$FindNtdllProc_Rect
String ID:
API String ID: 1621342347-0
Opcode ID: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
Instruction ID: 6b8d0221fe97fab34533167ca4c9a37e3e90209f2d168c5ada330748bbe964d0
Opcode Fuzzy Hash: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
Instruction Fuzzy Hash: F83187356042009FD304DF18C888E7BB3E9FBD8654F55895DF9459B352C730EE468B66

Function 10008710 Relevance: 6.2, APIs: 4, Instructions: 176nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000871D
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008739

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
Instruction ID: 4fac22d2b0eaef5fff40d3138b4cbdac12c866ca4beaf184c634f33bf18d14c9
Opcode Fuzzy Hash: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
Instruction Fuzzy Hash: 055164763041119BE204DA48D8D4DBFB3AEEBD4392F14842BF68187296CB71EC5697B2

Function 1001FEA0 Relevance: 6.2, APIs: 4, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001FEAD
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FEC9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
Instruction ID: 62426f1cfc6e2e8613ee12b2a616a1d9dd04dd25ff66616f45cf830b1ca35ad5
Opcode Fuzzy Hash: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
Instruction Fuzzy Hash: 6341A6B77042115BE100DA58E8C4EBFB39ADBD83A1F50842FF68587252C770DC9697B5

Function 10011630 Relevance: 6.1, APIs: 4, Instructions: 133nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001163C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10011658

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
Instruction ID: e71c5dea82c0fa7fedd5e34c1b30a37f09bcbf9f8200f5aed356c99c4536bfaa
Opcode Fuzzy Hash: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
Instruction Fuzzy Hash: DB41767A7082119BD248DA08E894DAF73E9DBD8750F10491DF142CB396C770EC8A87B2

Function 10025780 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 10025794
IsZoomed.USER32(?), ref: 100257A2

Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765

IsRectEmpty.USER32(?), ref: 10025808
IsWindowVisible.USER32(?), ref: 10025816

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Show$EmptyIconicRectVisibleZoomed
String ID:
API String ID: 3753707372-0
Opcode ID: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
Instruction ID: f748418fd072593a3d66f39f517992ca0597f05378dce08ab7b824f94379abf5
Opcode Fuzzy Hash: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
Instruction Fuzzy Hash: 6B213D34305B52CBE760CB35F888B9B73E8EF44786F82446DE45BDA240EB75E8418B48

Function 00454CC6 Relevance: 6.1, APIs: 4, Instructions: 72fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(00000000,?), ref: 00454C82
FindClose.KERNEL32(?,0040E476), ref: 00454C91
FindFirstFileA.KERNEL32(?,?,0040E476), ref: 00454C9D
FindClose.KERNEL32(00000000), ref: 00454CFB

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: 91570daed7816a1d957f1614151975009f063336295560e0196eb5c9a5508322
Instruction ID: e1fd8dd6d6de9e1457197dd4c210994de0769ba98e5cf0e37e38034f71640e9e
Opcode Fuzzy Hash: 91570daed7816a1d957f1614151975009f063336295560e0196eb5c9a5508322
Instruction Fuzzy Hash: 48113F7290661147D7228F30D90027B7260ABD431BF17072AED16CF341E77DDC8E828A

Function 10008D40 Relevance: 6.1, APIs: 4, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C058), ref: 10008D4C
RemovePropA.USER32(?,1002C058), ref: 10008D5E
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 10008D88
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008DD0

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: PropWindow$CallNtdllProcProc_Remove
String ID:
API String ID: 167436498-0
Opcode ID: ae9651af754efeaf910986bedca81cdbe93bc3ee3aa19282c3980d9b3a87c30d
Instruction ID: 7f1ce935ea723094267178f469a7703aac22c69bbb9d6f32e347a6d7df6c448d
Opcode Fuzzy Hash: ae9651af754efeaf910986bedca81cdbe93bc3ee3aa19282c3980d9b3a87c30d
Instruction Fuzzy Hash: 6D11697A105511ABA241DB18DC84CBF7BADEFD5790F10491DF58183296C720AD4AC7F6

Function 004E4A4E Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E56B6: GetWindowLongA.USER32(?,000000F0), ref: 004E56C2

GetKeyState.USER32(00000010), ref: 004E4A72
GetKeyState.USER32(00000011), ref: 004E4A7B
GetKeyState.USER32(00000012), ref: 004E4A84
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004E4A9A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: d7a5f7cb2598dc48fc85b61de9a2f7d91a37d061fb2012a82289b411600f82dd
Instruction ID: d8ab99252ad5885b7fa6a9730e0c3491018a7c8e108f0096e7869443c31d4670
Opcode Fuzzy Hash: d7a5f7cb2598dc48fc85b61de9a2f7d91a37d061fb2012a82289b411600f82dd
Instruction Fuzzy Hash: 85F0A7763807C62AFA2036675C46FE553145FC0BEAF15053FB781AA1D18AD98842627C

Function 0048C140 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row width error, xrefs: 0048C1CD
internal row size calculation error, xrefs: 0048C1BB
internal row logic error, xrefs: 0048C185
invalid user transform pixel depth, xrefs: 0048C3B9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: 5a61f353bb6f9fbf21e45cb0a569e62f5433a93e2f9ec364fb80c90b9d1081cf
Instruction ID: c454212694eaac07895d9ef4998d994e7929e1c9fc6d485171048fb634af65a8
Opcode Fuzzy Hash: 5a61f353bb6f9fbf21e45cb0a569e62f5433a93e2f9ec364fb80c90b9d1081cf
Instruction Fuzzy Hash: C0F159316083554FCB24EE3895D02BFBBD1ABD5710F484DAFE88587342E6399C4AC7A6

Function 00468731 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 101networkCOMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 0046879D
recv.WS2_32(?,00000000,?,?), ref: 004687F3

Strings

, xrefs: 00468775

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ioctlsocketrecv
String ID:
API String ID: 2464938158-3916222277
Opcode ID: bf3f4a92da284c573cb91359f929a9cf9c0180d2017a5ef19f64c0b4e55e4c93
Instruction ID: 669513b2da6c349dc36bd6f3e7408d8445515c5127b7b61d8bf1104bf98bcfbb
Opcode Fuzzy Hash: bf3f4a92da284c573cb91359f929a9cf9c0180d2017a5ef19f64c0b4e55e4c93
Instruction Fuzzy Hash: C9319A715083409FD314EF25C851B6BB7B4FB99724F144B2EF89693290EB389905CB9A

Function 1000F750 Relevance: 4.7, APIs: 3, Instructions: 165nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000F75C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000F778

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: d06918abb0d3f2a99f0b8790ebeffd6e64b80bf03755ea9d7ece643dea9d183d
Instruction ID: 2528abf51e870a12b61f462225b441024f09dc823bf7e01d6d69a58c881fcfe4
Opcode Fuzzy Hash: d06918abb0d3f2a99f0b8790ebeffd6e64b80bf03755ea9d7ece643dea9d183d
Instruction Fuzzy Hash: A74177B63086119FE248DE08E865D7F73AADBD4750F10891DF14287296CB30AC8A97B6

Function 10007A30 Relevance: 4.7, APIs: 3, Instructions: 157nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10007A3D
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,100065A9,?,?,?,?), ref: 10007A59

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
Instruction ID: 97ae2f1b3464a4c4e6a23b637a735b9b026802ad9d4f48c1e8d21a1d89c5b290
Opcode Fuzzy Hash: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
Instruction Fuzzy Hash: BA415F767041019BE204DB58E8D4DBFB3A9EBD83A1F10882FF585C3256CB74AC5697B2

Function 10014790 Relevance: 4.6, APIs: 3, Instructions: 140nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001479C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100147B8

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: aabdaddb52ba19fe15e07398bace0ccf46ff83178fe0b4999134df6da741ce6e
Instruction ID: 5cef6116b7980ede2fc3cff8751f03a03dbdccd6a3174d1e1b5d14adc9a2bdd3
Opcode Fuzzy Hash: aabdaddb52ba19fe15e07398bace0ccf46ff83178fe0b4999134df6da741ce6e
Instruction Fuzzy Hash: 134153B67086119BD244DA18E8A5D7F73A9EBD4750F01481DF1428B3A6CF70EC8687B6

Function 1000FD50 Relevance: 4.6, APIs: 3, Instructions: 131nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000FD5B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000FD77

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 44a9cc59f4e6ab64c4beb2c156f6846ce86c779df6cdf7289ec6719d91925d85
Instruction ID: 4488ee033ce5568a6e9b86f628f37d529af62b25991ac58fd4dce584937037cd
Opcode Fuzzy Hash: 44a9cc59f4e6ab64c4beb2c156f6846ce86c779df6cdf7289ec6719d91925d85
Instruction Fuzzy Hash: D9414AB63082459BE240DE54D980D7F73E9EBC4790F118C0EF5818765AC770EC8697B6

Function 1001C800 Relevance: 4.6, APIs: 3, Instructions: 129nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001C80C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001C828

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: f8d477e5692cdd5ca17986cf2d97dfdfc446317701b126a3d5f38e338d641d94
Instruction ID: 1e50225a5a76dfa976e6c4c56d3e30440892ed78c8c68004a9b13c076068a0f2
Opcode Fuzzy Hash: f8d477e5692cdd5ca17986cf2d97dfdfc446317701b126a3d5f38e338d641d94
Instruction Fuzzy Hash: A13155BB7083159BD240DE58E884D6F73A9EBD4760F108C1AF5819B256C770ECCA97B2

Function 1000DA90 Relevance: 4.6, APIs: 3, Instructions: 117nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000DA9C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000DAB8

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
Instruction ID: 228e3ab525f591684e137e6fd99d1f9435fde28c84332add3aa5917434ab564e
Opcode Fuzzy Hash: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
Instruction Fuzzy Hash: 6E31397A7042019BE100EE58E880D6F77E9DBD47A0F118C1BF6819725AC770DC8697B2

Function 1001E7F0 Relevance: 4.6, APIs: 3, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001E7FC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001E818

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 2bb6b4c9f7c8451d55efabac318bb80ec691770c947b02e026458401ab56470f
Instruction ID: 8b1d6d09460b07866bb12f6193a6cd946900c67d8b00bd84724c958df11b5175
Opcode Fuzzy Hash: 2bb6b4c9f7c8451d55efabac318bb80ec691770c947b02e026458401ab56470f
Instruction Fuzzy Hash: 063152BA6082519BD240DE58E880DAFB7E9EBD8751F108C19F281C7252C730ECCAD7B1

Function 1000D330 Relevance: 4.6, APIs: 3, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000D33D
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000D359

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 7c525df14ed70a4f11c4a69d41a52e97dcc25fc77dcc8a51e8dfaffd4d0c7820
Instruction ID: 3cad35e25735ce33caab85577b29180f6f89a3b7f1056cd299d0b253d523294e
Opcode Fuzzy Hash: 7c525df14ed70a4f11c4a69d41a52e97dcc25fc77dcc8a51e8dfaffd4d0c7820
Instruction Fuzzy Hash: 9C21B5B7700111ABE200EA58D8D8DAFF7ADEBD42A1F10852BF54187286C770DC46D7B2

Function 10013DA0 Relevance: 4.6, APIs: 3, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10013DAC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10013DC8

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 8ce96701103211df28a60adab9aab3bd328910b0f052636790040f0ca7b46eaf
Instruction ID: 4bf817b2858c0e7a759d776878d335dbdc853776b506ffad1926632038d3614c
Opcode Fuzzy Hash: 8ce96701103211df28a60adab9aab3bd328910b0f052636790040f0ca7b46eaf
Instruction Fuzzy Hash: 992133BB704211ABD240DA58E884D6F77E9DBD4760F11C919F541CB296C270DCCA97B1

Function 10012AD0 Relevance: 4.6, APIs: 3, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10012ADB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012AF7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: f859cb2866e1b746edcdcea0132dc8f0da540a57dcf5b24eda86e99f76fe94e6
Instruction ID: d284b80dbbabb1398f9d2070992cac2ce438575b69408aea9e9a94da9e131599
Opcode Fuzzy Hash: f859cb2866e1b746edcdcea0132dc8f0da540a57dcf5b24eda86e99f76fe94e6
Instruction Fuzzy Hash: 5E111FFA208212AFD244DF58E984DAB73E9EBC8750F108D09F5819B245C734EC96C7B6

Function 10012BF0 Relevance: 4.6, APIs: 3, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10012BFC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012C18

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 185552ad6ea6ac270079b2802cbaebd668f86dd486cc4b8468dc4ddae3fa65e1
Instruction ID: 2331f883b3d6d46fcb743b651009c8baabaccb07b2ddfb5f76acc19c2e81c812
Opcode Fuzzy Hash: 185552ad6ea6ac270079b2802cbaebd668f86dd486cc4b8468dc4ddae3fa65e1
Instruction Fuzzy Hash: 231154BA2082129BD204DF59E880DAFB7A9EBD4721F118C1AF641C7211C770EC96C7B1

Function 1001D330 Relevance: 4.6, APIs: 3, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001D33B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D357
CallWindowProcA.USER32(?,?,?,?,?), ref: 1001D386

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID:
API String ID: 1641805499-0
Opcode ID: 46341e93d8e58ef3595aaf0da966454599506139a11b45700178d658ee10fc8e
Instruction ID: 45f5a508404fa7b349f84285f489640ca45463347baf7dd885cba52e9e31337c
Opcode Fuzzy Hash: 46341e93d8e58ef3595aaf0da966454599506139a11b45700178d658ee10fc8e
Instruction Fuzzy Hash: 83017576205211AFD641EE68D894D9B77E9EBC8700F10CD0AF5819B209C370ED86C7B2

Function 10006350 Relevance: 4.5, APIs: 3, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000635B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006377
CallWindowProcA.USER32(?,?,?,?,?), ref: 100063A3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID:
API String ID: 1641805499-0
Opcode ID: b2e07a47a1426d67f7f142ce626aa22bb2d9af6c5e67b1305e8dc8a19f5800c8
Instruction ID: b12fdf80a4ee98a0669d910f96ba9de27c494e6b3a9d2ac390c97d8e35b7d40b
Opcode Fuzzy Hash: b2e07a47a1426d67f7f142ce626aa22bb2d9af6c5e67b1305e8dc8a19f5800c8
Instruction Fuzzy Hash: 2A010CB6205212AFE604DE54D844CAB77E9EBC8750F10890DF58597245C730ED4687B6

Function 1000E440 Relevance: 4.5, APIs: 3, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000E44B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000E465
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E48F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID:
API String ID: 1641805499-0
Opcode ID: 84638921357078577de142535a6b59ebe40062ceaa83d5b013f43905e33e93f3
Instruction ID: 3a83241c110d65d65373b22bd99f22be1f6ecbda2895f89fe6f1498726ca76d1
Opcode Fuzzy Hash: 84638921357078577de142535a6b59ebe40062ceaa83d5b013f43905e33e93f3
Instruction Fuzzy Hash: A5F01DB6205611EFA204DF54ED44CAB77E9EBC8740F10C90DF545A7259D730EC0A87B2

Function 10006560 Relevance: 4.5, APIs: 3, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000656B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006585

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 49e39e83e9a89f6ca4b8d7cd12482889b2ec6db643a0077634f122c1e9a6dbe2
Instruction ID: 5dbf9fbb83ff20062e3ed168ee9e718ee031d4db6b7bc6fcd510bc647bf1e31e
Opcode Fuzzy Hash: 49e39e83e9a89f6ca4b8d7cd12482889b2ec6db643a0077634f122c1e9a6dbe2
Instruction Fuzzy Hash: A8F014B5209621AFE204DF40DC84DAB73A9EFC8740F208908F58697249C770ED46CBB2

Function 10020B70 Relevance: 4.5, APIs: 3, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10020B7B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10020B95
CallWindowProcA.USER32(?,?,?,?,?), ref: 10020BB8

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID:
API String ID: 1641805499-0
Opcode ID: c3d1fd1e4d7f990324f643c9a0f4cf6b2b597ee975d3aeca719244d55fd90ff2
Instruction ID: 8febcc7cfdc6d2d48d38ff73ec199bb7e5977764db5be9c515e8769bbb7d267c
Opcode Fuzzy Hash: c3d1fd1e4d7f990324f643c9a0f4cf6b2b597ee975d3aeca719244d55fd90ff2
Instruction Fuzzy Hash: BFF03CB5209611AFE204DF54E898CAB73EAEFC8610F108D0DF58583252D770EC46CBB2

Function 100062B0 Relevance: 4.5, APIs: 3, Instructions: 28nativewindowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 100062CA
SendMessageA.USER32(?,00000313,00000000,?), ref: 100062E0
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100062F6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 29ef5c36759909998ca288fb9ceec95f70c955037747a1ce61ac65453ab41c58
Instruction ID: b518878becbef3456e94c07293a0586dd5aa6203277d98abda6802a90051a15b
Opcode Fuzzy Hash: 29ef5c36759909998ca288fb9ceec95f70c955037747a1ce61ac65453ab41c58
Instruction Fuzzy Hash: 4FF0F879204712ABE250CF65DD48E97B7FDEBD8740F20480CB58193260C770E949CB65

Function 10005900 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10005906
EnableWindow.USER32(?,00000001), ref: 10005913
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,10004C2B,?,?,?,?,?), ref: 10005929

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnableEnabledNtdllProc_
String ID:
API String ID: 1897713328-0
Opcode ID: d8f3d101fd2ff192c26bcb8c68b95ec9de1c7bd83f65ef2fc7084ca5d7d2d836
Instruction ID: 33976d3887a1ec7a0cf96d3802eee5120e501a190f8f2c604677c3bb47bb1761
Opcode Fuzzy Hash: d8f3d101fd2ff192c26bcb8c68b95ec9de1c7bd83f65ef2fc7084ca5d7d2d836
Instruction Fuzzy Hash: C5E0EC79116A22EFE201DF10DC88DAB77ACEF89751F108408F94193211C770AE068BAA

Function 00458A60 Relevance: 3.2, APIs: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00458B90

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 8a3a12c6c41ee5e86e100d8871b952522e6376e259255376e62e36ec2be7b64c
Instruction ID: c30b8be6d709d989c4328fcf3796e29d4793eae5af7e49261e204733a674dd05
Opcode Fuzzy Hash: 8a3a12c6c41ee5e86e100d8871b952522e6376e259255376e62e36ec2be7b64c
Instruction Fuzzy Hash: 7481AC76214701CBD314CF28D480B8AB7E5FBA9310F10886EE49ACB350D7B6E896CB61

Function 00468650 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 00468682
recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 004686D0

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ioctlsocketrecvfrom
String ID:
API String ID: 217199969-0
Opcode ID: c2c489adc60deafc668e84c44353057c21dae831700223719b1b8c94f176a981
Instruction ID: 2781da8c06e0979f0b1c27bcd7c509b0ce1ac5d986d368d6975d77326c479fc2
Opcode Fuzzy Hash: c2c489adc60deafc668e84c44353057c21dae831700223719b1b8c94f176a981
Instruction Fuzzy Hash: 3B214F70104601ABD318DF24DD85B6BB7E5AB98714F108B1DF19A872D0EB78D801DB5A

Function 10008CB0 Relevance: 3.0, APIs: 2, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10008CBB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008CD7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: feaf19fdce81d9a1ca190ef1869b546541239fbc762c3de87076e7c699cb6eff
Instruction ID: ba7b9a7e75b5fd1a47e67aed631709819a18bd4e2cca9f68860d5bab8b638427
Opcode Fuzzy Hash: feaf19fdce81d9a1ca190ef1869b546541239fbc762c3de87076e7c699cb6eff
Instruction Fuzzy Hash: CA01FFB6209212AFE640DB54E880DAF73E9EFD4740F118D0DF58197255C770ED868BB6

Function 1000CBC0 Relevance: 3.0, APIs: 2, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000CBCB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000CBE7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: a25ab68950917d6236ee748f622a9537c84212b176b5efc6b59e8fcbf1fbc87d
Instruction ID: 539b395f2d12ac3cc3f2cd791ecb8ee3aacd8a81aa599b83fb95c9963a22f77c
Opcode Fuzzy Hash: a25ab68950917d6236ee748f622a9537c84212b176b5efc6b59e8fcbf1fbc87d
Instruction Fuzzy Hash: A0F04F76108655ABE200DB48E890DAF73E8EBC5740F11CC0DF485D7216C770EC8687B2

Function 100214B0 Relevance: 3.0, APIs: 2, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 100214BB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100214D5

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: c35ed24f15a732a2fb9719cd40208895b9e4687b4f23d394dfac90f4a6c104ed
Instruction ID: 2e47a34acdab9f8ecda0e86b8cba3aa85b6d9dc765e54781da42e49aa2a1b60d
Opcode Fuzzy Hash: c35ed24f15a732a2fb9719cd40208895b9e4687b4f23d394dfac90f4a6c104ed
Instruction Fuzzy Hash: 0CE0C075219651AB9204DF54E894CAB73E9EBC8700F118D0DF55593241C730AC458BB6

Function 10014EA0 Relevance: 3.0, APIs: 2, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10014EAB
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,1000C929,?,?,?,?), ref: 10014EC5

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID:
API String ID: 2172124074-0
Opcode ID: 783af7ae8caf7b65d366def2194d219bf0924809f2022b0113ac818fb61e7c82
Instruction ID: 23f51dd478920679ccafe8476a3c24c847d47fdfb480d2aa289d71b137eb8eb9
Opcode Fuzzy Hash: 783af7ae8caf7b65d366def2194d219bf0924809f2022b0113ac818fb61e7c82
Instruction Fuzzy Hash: 15E0C9B6219652AFA204DF54EC94CAB73EDEBC8700F118D0DF58597255CB30EC468BB6

Function 00488BB0 Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

,uY, xrefs: 00488CC9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID: ,uY
API String ID: 0-2397635189
Opcode ID: 4f2cc554ffae690293fd8aa91b4687b06927b58d850ef1774ca09748cc40f285
Instruction ID: 136391e473e2df5464368e7b3a7293a862476c82d8114d8981fa4cced3c251a2
Opcode Fuzzy Hash: 4f2cc554ffae690293fd8aa91b4687b06927b58d850ef1774ca09748cc40f285
Instruction Fuzzy Hash: FDE112B5600A018FD334CF19D480A26FBE2FF89310B69C96ED59ACB761DB31E846CB54

Function 10004BD0 Relevance: 1.6, APIs: 1, Instructions: 111nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004D01

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 31a8e49bf0f8921b0a2aa4cc36cf9ef07e022d74f52cb5b04577164ebb7e90d0
Instruction ID: 0b222c3024169f657697f4807f45d8ba6cc9b1c5df0fdb5bc05cb1375a895788
Opcode Fuzzy Hash: 31a8e49bf0f8921b0a2aa4cc36cf9ef07e022d74f52cb5b04577164ebb7e90d0
Instruction Fuzzy Hash: 4431A9FA618241AFD248DF58D891C2BB3E9EBD8700F54890CB69587256D731EC19CB72

Function 100048E0 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004929

Part of subcall function 10004800: IsWindowEnabled.USER32(?), ref: 10004809
Part of subcall function 10004800: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction ID: 225bf36e4a0812ad4753787a01e5a8dd77c9d750d7cfa771ec93f23d9b1118eb
Opcode Fuzzy Hash: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction Fuzzy Hash: CCF0B6F9618242AFE204DB54D890D2BB3E9EBC8780F118D1DB685C3265DA30ED04CB36

Function 10004510 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004559

Part of subcall function 10004430: IsWindowEnabled.USER32(?), ref: 10004439
Part of subcall function 10004430: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction ID: 426c8d43d59635654131c640abf00cd082b32ef771906314d33d0ca2d6834fbf
Opcode Fuzzy Hash: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction Fuzzy Hash: B2F0B6F9618642AFE204DA54D881D2BB3E9EBC8780F518D0DB68583256DA30EC44CB36

Function 10002E40 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002E89

Part of subcall function 10002C90: IsWindowEnabled.USER32(?), ref: 10002C9C
Part of subcall function 10002C90: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: eafbc55fe3c2f1772681b34cb3290cd541762abe2b2c9e9570eb85c6031177f9
Instruction ID: 6bebc549723526bab81e68595eedc138839718632c5911c4ede022b626121a3a
Opcode Fuzzy Hash: eafbc55fe3c2f1772681b34cb3290cd541762abe2b2c9e9570eb85c6031177f9
Instruction Fuzzy Hash: E8F0B6B9608242AFE604DA54D885D2BB3E9EBC8780F108D0DB685C3266D730EC44CB32

Function 100293A1 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

R, xrefs: 10029508

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
Instruction ID: 8be94b6153ab9119319510401fc8330cfa8a6dc569db2486da79333d3fcb569b
Opcode Fuzzy Hash: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
Instruction Fuzzy Hash: E1519E5804D7C11FC3278B3888659A7BF216F57528B0F8AEBD4D08F963C249994AD7A2

Function 1000EDA0 Relevance: .9, Instructions: 855COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
Instruction ID: 983c4fcd37887a59a0cb9d3b85b446299f8e70ed709c6495451e70af00230a31
Opcode Fuzzy Hash: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
Instruction Fuzzy Hash: 1142A2377406154BEB0CCD5EC8B16BDB3D3ABC835474D463D9A5BD3782EDB8A80A8684

Function 10002250 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
Instruction ID: 93596e6502c76a15187eaa282ea5bd3d0e08f7ebc6713d694ddc07016d6b6326
Opcode Fuzzy Hash: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
Instruction Fuzzy Hash: 19124A32B086154FE71CCE28C49426EB7E2EBC8394F16463EE95AD7748DA30D945CBC1

Function 004DC9AA Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e745d210375971aa9e94bbd9c65b208810e52e0e87b392d0608a384ff6576116
Instruction ID: 1a1fe0d7f798ce8fd8d94cc28809fa3237bbd463d3a2d39de1aea2c2560753a9
Opcode Fuzzy Hash: e745d210375971aa9e94bbd9c65b208810e52e0e87b392d0608a384ff6576116
Instruction Fuzzy Hash: F0E1F070E5420B8EEB25CF64C8B63FEBBB2BB15344F284027D501A6381D77D9982DB59

Function 00490B10 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b802f4577bbdefacc2841b1945a2a1d6d11135318e33bbce38e4bdf5a24168a9
Instruction ID: 7c24b06922b9a04edb9b503eb3ae71cc0f38e824c267bd92735b5b3a4695b2b6
Opcode Fuzzy Hash: b802f4577bbdefacc2841b1945a2a1d6d11135318e33bbce38e4bdf5a24168a9
Instruction Fuzzy Hash: A7C1102520A6824FDF19CA6C94E92BBFFD1DB6A310B0885FEC9D5CB323C565854AC394

Function 0048C680 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d402c577a531fa7f87c7a9544bac0eed880104e7421b8e2879262a1d84f878
Instruction ID: ee5dfd9eea2aeb9464e75e21d9daf4301074612db44a88fd074cfa231ba9b61b
Opcode Fuzzy Hash: 69d402c577a531fa7f87c7a9544bac0eed880104e7421b8e2879262a1d84f878
Instruction Fuzzy Hash: 9FD19A72A097468FC708DF18C4D036EBBE1FBD9314F545A2EE89597350D338A90ACB96

Function 004B4C10 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e62c05a55182445c45b2b971376e53360e1fb60783d3a0f7de10f952f26fa69d
Instruction ID: 9d0bf0351d17ec6854ddcf81a2b67fd0d3485e759321407ebeae010a00deae9b
Opcode Fuzzy Hash: e62c05a55182445c45b2b971376e53360e1fb60783d3a0f7de10f952f26fa69d
Instruction Fuzzy Hash: 86D13675215B418FD324CF29D980AA7B7E5FF89304B14892ED5D787B42D635F802CB54

Function 004906DE Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction ID: bfe843f18df69b295902fe9e4151e314e4eff06a801e9f5ffa263ab5df6f3a8b
Opcode Fuzzy Hash: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction Fuzzy Hash: 77C1BE352087824FD729DB2894A55FBBFE2AFAA300F1DD5BDD4CA8B3A3D9255409C740

Function 004A0410 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07fbf627a7873106f9b36723e95e997859051535eb3a0ee608d78a1e520793f5
Instruction ID: 7f6bdf948eef903425abb966e20b24fc78167de86f7a841132526819c2d79e1f
Opcode Fuzzy Hash: 07fbf627a7873106f9b36723e95e997859051535eb3a0ee608d78a1e520793f5
Instruction Fuzzy Hash: 6ED19C756082518FC319CF18E9D88E67BE1BFA9740F0E42F9C98A8B323D7369845CB55

Function 004B4770 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0e294d84ba0747ea9af0ff39443646f16849154c62b9ffee7b57c41f2fcc2ca
Instruction ID: 87df4fed77d00e918148020bf294bc612b215035f1e0c2c33fdd31b6939c2b67
Opcode Fuzzy Hash: f0e294d84ba0747ea9af0ff39443646f16849154c62b9ffee7b57c41f2fcc2ca
Instruction Fuzzy Hash: C4B12775214B418FD328DF29C9909A7B7E6BF89304B18892ED4CBC7B52DA35F841CB58

Function 004D88E6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: 1195087cd7c3afe61861f2dd86016d71ba26b9d7c3a78fb29074f83aa9655970
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 25B15A75A0020A9FDB15CF04C5E0AB9BBA1FF59318F24819FD85A5B342CB35EE46CB94

Function 0049CC90 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: f56cd6f3772f4d070a5273a71b0ce1802e218c4487abe8a86d7dd9ad477b4ebb
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 0AA10775A087418FC714CF29C49085AFBF2BFC8714F198A6EE99987325E770E945CB82

Function 10028B99 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
Instruction ID: 428467e42f7f86c7821e8e1e21e6f22a2fc9309eb635c514b15cab7e2e214c89
Opcode Fuzzy Hash: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
Instruction Fuzzy Hash: 3C61C82914D3C15FC7874B7444661A27FB1AE1B22870E85DAC9C18F173D299AC4FEFA1

Function 00490464 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction ID: 2e3499af892047582f7cac390033699bc0a19fc376ddacf2fba662659fd58692
Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction Fuzzy Hash: 0771102124D7C24FCB299B2888A42F6BFE1AFA6300F5D96FED9D64F392C5065409C761

Function 0049C1F0 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 0dd53a282a865794d49ff831f7454dff93a926d2558c4ca2930829b9a6d7692d
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 6681F73954A7819FC711CF29C0D04A6FFE2BF9E204F5C999DE9D50B316C231A91ACB92

Function 004902B1 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction ID: 00cde10df1cad45c7e81ef6c30eb7901ad045d3d75018939afe947aa0c3215cd
Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction Fuzzy Hash: 2E41F8363193834FCB289A3C84512FAFFA1AF9A300F5847BED8D5C7742D529950AC755

Function 004888A0 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e495c0f7490d9acb5bbc951c6643248d4a4b5b606114c7272b235627a0b1ff
Instruction ID: 89f341ffbc340de1d7f9034d3616309129c7f3f1f7b86a09c1504aef8d7742f4
Opcode Fuzzy Hash: c7e495c0f7490d9acb5bbc951c6643248d4a4b5b606114c7272b235627a0b1ff
Instruction Fuzzy Hash: 393197227B50A20BD354DEBDAC80177B7A397DA306F6CC77CD588C7A0AC839E8479214

Function 1001A030 Relevance: 44.0, APIs: 29, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 1001A9C0: _mbscmp.MSVCRT ref: 1001A9D3

_mbscmp.MSVCRT ref: 1001A065

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: _mbscmp
String ID:
API String ID: 2888065108-0
Opcode ID: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
Instruction ID: 3c9746c1fec8770da351958914ea95a60552062d740270c3ce570340641db563
Opcode Fuzzy Hash: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
Instruction Fuzzy Hash: A6B1902739152923D101F2E5BCC1EEE634CDFE22A7F118032F705ED081DA36EA9682B5

Function 10005D40 Relevance: 42.3, APIs: 28, Instructions: 254windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10005D4C
SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 10005D62
GetWindowRect.USER32(?,?), ref: 10005D7B
IsRectEmpty.USER32(?), ref: 10005DA1
PtInRect.USER32(?), ref: 10005DB8
IsZoomed.USER32(?), ref: 10005E71
GetWindowLongA.USER32(?,000000F0), ref: 10005E8E
SetRect.USER32(?,00000000,00000000,?,?), ref: 10005EBB
OffsetRect.USER32(?,?,?), ref: 10005ED0
SetRect.USER32(?,?,00000000,?,?), ref: 10005EF1
SetRect.USER32(?,?,00000000,?,00000004), ref: 10005F0F
PtInRect.USER32(?), ref: 10005F1E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendZoomed
String ID:
API String ID: 3721721508-0
Opcode ID: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
Instruction ID: b63b4231ee4676df5d12ce30ad5422ad18bad84e1520a447d21eb9a6881f90ac
Opcode Fuzzy Hash: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
Instruction Fuzzy Hash: 5781A375204316AFF320DBA4DCC9F6B77ECEB84B81F10491DF64682194EA75EA05C761

Function 10014B40 Relevance: 40.8, APIs: 27, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?), ref: 10014BF2
CallWindowProcA.USER32(?,?,00000001,?,?), ref: 10014C13
CallWindowProcA.USER32(?,?,00000001,00000000,?), ref: 10014C38
IsWindowVisible.USER32(?), ref: 10014C42
InvalidateRect.USER32(?,00000000,00000001), ref: 10014C54
GetWindowRect.USER32(?,000000F0), ref: 10014C87
GetParent.USER32(?), ref: 10014C9D
ScreenToClient.USER32(00000000), ref: 10014CA6
GetParent.USER32(?), ref: 10014CB1
ScreenToClient.USER32(00000000), ref: 10014CB4
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014CE7
GetWindowRect.USER32(?,000000F0), ref: 10014CF6
GetParent.USER32(?), ref: 10014D1C
ScreenToClient.USER32(00000000), ref: 10014D25
GetParent.USER32(?), ref: 10014D30
ScreenToClient.USER32(00000000), ref: 10014D33
GetWindowRect.USER32(?,000000F0), ref: 10014D72
GetParent.USER32(?), ref: 10014D88
ScreenToClient.USER32(00000000), ref: 10014D91
GetParent.USER32(?), ref: 10014D9C
ScreenToClient.USER32(00000000), ref: 10014D9F
GetParent.USER32(?), ref: 10014DE5
ScreenToClient.USER32(00000000), ref: 10014DEE
GetParent.USER32(?), ref: 10014DF9
ScreenToClient.USER32(00000000), ref: 10014DFC
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014E2F
GetWindowRect.USER32(?,000000F0), ref: 10014E3E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$ClientParentScreen$Rect$CallMoveProc$InvalidateMessageSendVisible
String ID:
API String ID: 1330197011-0
Opcode ID: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
Instruction ID: c47097b4e2208499dd9ef6fa9ca82aafd1a7c7d366bf9be39b5b8423eecfa7f7
Opcode Fuzzy Hash: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
Instruction Fuzzy Hash: 67A139B52047069FE314CF65C884F6BB7E9EBC8704F11891CF599972A0DA74F98ACB60

Function 100250C0 Relevance: 39.4, APIs: 26, Instructions: 416windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10022FD0: GetMenuItemCount.USER32(?), ref: 10022FE9
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 1002300D
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 10023021

SetRectEmpty.USER32(?), ref: 100252A5
SetRectEmpty.USER32(?), ref: 100252AE
SetRectEmpty.USER32(?), ref: 100252B7
SetRectEmpty.USER32(?), ref: 100252C0
SetRectEmpty.USER32(?), ref: 100253EE
SetRectEmpty.USER32(?), ref: 100253F7
IsRectEmpty.USER32(?), ref: 10025400
IsRectEmpty.USER32(?), ref: 1002540B
SetRectEmpty.USER32(?), ref: 100254E0
SetRectEmpty.USER32(?), ref: 1002552F
SetRectEmpty.USER32(?), ref: 10025538
SetRectEmpty.USER32(?), ref: 10025541
SetRectEmpty.USER32(?), ref: 1002554A
SetRectEmpty.USER32(?), ref: 10025553
IsRectEmpty.USER32(?), ref: 1002556E
IsRectEmpty.USER32(?), ref: 100255B6
IsRectEmpty.USER32(?), ref: 100255C3
SetRectEmpty.USER32(?), ref: 1002561A
SetRectEmpty.USER32(?), ref: 10025623
SetRectEmpty.USER32(?), ref: 1002562C
SetRectEmpty.USER32(?), ref: 10025635
SetRectEmpty.USER32(?), ref: 1002563E
SetRectEmpty.USER32(?), ref: 10025647
GetMenuItemCount.USER32(?), ref: 100256E8
GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,?,?,?,1002388F,?), ref: 10025708
GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,?,?,?,1002388F,?), ref: 1002571C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Empty$ItemMenu$Count
String ID:
API String ID: 3556175780-0
Opcode ID: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
Instruction ID: 3580b85264a0b11b2af6f932b74e5bb24bd1c90a80f22c94ed852e82d06a07f9
Opcode Fuzzy Hash: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
Instruction Fuzzy Hash: 4D12CF75605B058FC368CB28D888AE6B7E5FF88305F65896ED8AF87315DB31B841CB44

Function 10005A40 Relevance: 39.3, APIs: 26, Instructions: 255windowtimeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10005A4C
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10005A62
GetWindowRect.USER32(?,?), ref: 10005A7B
IsRectEmpty.USER32(?), ref: 10005AA1
PtInRect.USER32(?), ref: 10005AB8
SetTimer.USER32 ref: 10005BAC
GetWindowLongA.USER32(?,000000F0), ref: 10005BC6
SetRect.USER32(?,00000000,00000000,?,?), ref: 10005BF3
OffsetRect.USER32(?,?,?), ref: 10005C08
SetRect.USER32(?,?,00000000,?,?), ref: 10005C2A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendTimer
String ID:
API String ID: 70592305-0
Opcode ID: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
Instruction ID: d42ccc5a3b2781513f2fd8ff1ff6268cf5ee92936f68469feebf928f78cc2080
Opcode Fuzzy Hash: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
Instruction Fuzzy Hash: CA819C75204706AFF320DBA4CC89FAB77E8EB88B81F104909F656C6294E771F905CB25

Function 10011B50 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 404windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10011B62
SendMessageA.USER32(?,00001009,00000000,?), ref: 10011B78
InflateRect.USER32(?,00000000,00000005), ref: 10011BE9
SetRect.USER32(00000060,?,?,?,?), ref: 10011CC0
SetRect.USER32(00000050,?,?,?,?), ref: 10011CDE
InflateRect.USER32(00000050,00000004,00000004), ref: 10011CEB
InflateRect.USER32(00000060,00000004,00000004), ref: 10011CF2
SetRectEmpty.USER32(00000050), ref: 10011D0E
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D49
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D8D
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011DE0
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E17
IsRectEmpty.USER32(00000050), ref: 10011E2F
InflateRect.USER32(00000050,00000001,00000001), ref: 10011E3E
SetRectEmpty.USER32(?), ref: 10011E62
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E95
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011EC9
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F14
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F45
IsRectEmpty.USER32(?), ref: 10011F61
InflateRect.USER32(?,00000001,00000001), ref: 10011F78

Strings

, xrefs: 10011D18

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$MessageSend$Inflate$Empty$Client
String ID:
API String ID: 1339602669-3916222277
Opcode ID: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
Instruction ID: a0f7648be8e36038d2b16f179121c650e50f05b29048d1dfe480584c03a9469a
Opcode Fuzzy Hash: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
Instruction Fuzzy Hash: 21E17D752087069FD318CF29C9C1A9AB7E6FBC8344F144A2DF585DB251D7B0E886CB52

Function 1001CC00 Relevance: 37.9, APIs: 25, Instructions: 431windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001CC0F
ScreenToClient.USER32(?,?), ref: 1001CC1E
GetClientRect.USER32(?,?), ref: 1001CC57
GetParent.USER32(?), ref: 1001CC61
GetClassNameA.USER32(00000000,?,00000040), ref: 1001CC73
_mbscmp.MSVCRT ref: 1001CC89
_mbscmp.MSVCRT ref: 1001CC9C
CreateCompatibleDC.GDI32(?), ref: 1001CCB8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 1001CCCB
SelectObject.GDI32(00000000,00000000), ref: 1001CCDD
SelectObject.GDI32(00000000,?), ref: 1001CCEC
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CD02
SetRect.USER32(?,?,?,?,?), ref: 1001CD41
SetRect.USER32(?,?,?,?,?), ref: 1001CD64
IsWindowEnabled.USER32(?), ref: 1001CD6A
PtInRect.USER32(?,?,?), ref: 1001CD8D
PtInRect.USER32(?,?,?), ref: 1001CE0C
PtInRect.USER32(?,?,?), ref: 1001CFDF
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 1001D0F1
DeleteDC.GDI32(00000000), ref: 1001D0F8
DeleteObject.GDI32(?), ref: 1001D103

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Object$ClientCompatibleCreateDeleteSelect_mbscmp$BitmapClassCursorEnabledNameParentScreenWindow
String ID:
API String ID: 3766834539-0
Opcode ID: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
Instruction ID: 3e656c1c5e6747a07933068c804b643b2a797f552276aae395ead9c06b7a3bed
Opcode Fuzzy Hash: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
Instruction Fuzzy Hash: 20F159B9204204AFE304DB54CC85EABB3ADFFC8744F148A69F95887355D634EE46CB61

Function 10021CA0 Relevance: 36.4, APIs: 24, Instructions: 355COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10021CB2
PtInRect.USER32(?,?,?), ref: 10021CE2
PtInRect.USER32(?,?,?), ref: 10021D00

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
Instruction ID: 9d0981d9d4456fe75954a96ff124bc768ed38601b0fc248c18501ffb98e7e012
Opcode Fuzzy Hash: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
Instruction Fuzzy Hash: BDB1B276600305ABE360CBA9ECC4EE7B7ECEBD8790F51492EF859C6240D635E949C760

Function 1001D420 Relevance: 36.3, APIs: 24, Instructions: 336windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001D44A

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 1001D4A3

Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 1001D4B8
SendMessageA.USER32(?,00000406,00000000,00000000), ref: 1001D4E1
IsRectEmpty.USER32(?), ref: 1001D4FA
SendMessageA.USER32(?,0000040A,00000000,?), ref: 1001D55E
SendMessageA.USER32(?,00000414,00000000,00000000), ref: 1001D56B
GetIconInfo.USER32(00000000,?), ref: 1001D580
GetObjectA.GDI32(?,00000018,?), ref: 1001D598
DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1001D5D1
DeleteObject.GDI32(?), ref: 1001D5E5
DeleteObject.GDI32(?), ref: 1001D5EF
SendMessageA.USER32(?,00000403,00000000,00000000), ref: 1001D60E
??2@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,00000000), ref: 1001D622
SendMessageA.USER32(?,00000402,00000001,00000000), ref: 1001D64B
SetTextColor.GDI32(?,?), ref: 1001D674
DrawTextA.USER32(?,00000000,?,?,00000024), ref: 1001D694
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000024,?,?,?,?,?,?,?,?,00000000), ref: 1001D69B
SendMessageA.USER32(?,00000402,00000000,00000000), ref: 1001D6EB
GetParent.USER32(?), ref: 1001D726
IsWindowEnabled.USER32(?), ref: 1001D732
SendMessageA.USER32(00000000,0000002B,00000000,?), ref: 1001D775
SelectClipRgn.GDI32(?,00000000), ref: 1001D7BC
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001D83D

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Object$Select$ClipCreateDeleteRect$CompatibleDrawIconText$??2@??3@BitmapClientColorEmptyEnabledInfoModeParentPropWindow
String ID:
API String ID: 1362129631-0
Opcode ID: b003ebf027d72403f8cb3d27b9e7ff3e5f9c0d22eb73ba247c27aebcaaa1183c
Instruction ID: 90df3fa2a803067d4cdad2171947ebf974ab48cb4e9fe13901dbc3d04bca41ca
Opcode Fuzzy Hash: b003ebf027d72403f8cb3d27b9e7ff3e5f9c0d22eb73ba247c27aebcaaa1183c
Instruction Fuzzy Hash: D1D10675604341AFE354DF68C884E6BB7E9FBC8700F148A2DF68987291DB70E945CB62

Function 10023960 Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 425windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002399F
IsRectEmpty.USER32(?), ref: 100239B4
SetBkMode.GDI32 ref: 10023A30
SelectObject.GDI32(?,?), ref: 10023A4D
SelectObject.GDI32(?,?), ref: 10023A5D
SetTextColor.GDI32(?,?), ref: 10023AAD
BitBlt.GDI32(?,00000000,00000000,?,00000001,00000000,?,?,00CC0020), ref: 10023AE3
GetMenuItemCount.USER32(00000000), ref: 10023B2A
GetMenuItemInfoA.USER32(00000000,00000000,00000400,?), ref: 10023B88

Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,75756D90,00000000,10023B9B,00000000,?), ref: 10024DCB
Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9

InflateRect.USER32(?,000000FF,000000FF), ref: 10023BC7
SetTextColor.GDI32(?,?), ref: 10023BEF
SetTextColor.GDI32(?,?), ref: 10023C25
SetTextColor.GDI32(?,?), ref: 10023C69
DrawTextA.USER32(?,?,?,?,00000025), ref: 10023C8B
SetTextColor.GDI32(?,?), ref: 10023C9B
DrawIconEx.USER32(?,?,?,00000000,00000010,00000010,00000000,00000000,00000003), ref: 10023CE9
GetSystemMetrics.USER32(00000020), ref: 10023CFE
OffsetRect.USER32(?,00000000), ref: 10023D19
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 10023E64

Strings

0, xrefs: 10023B6C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Text$ColorRect$ItemMenu$DrawObjectOffsetSelect$CountEmptyIconInflateInfoMetricsModeSystemVisibleWindow
String ID: 0
API String ID: 2055320636-4108050209
Opcode ID: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
Instruction ID: a9acdb67b72450ec93636fc2c6a84ac6b9940729399217752d96d5b5a37b2c08
Opcode Fuzzy Hash: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
Instruction Fuzzy Hash: 5DF14975204741AFE354CF28D885FABB3E9FB88704F608A2DF95997290DB30E906CB51

Function 100101C0 Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 377windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 10010213
GetClientRect.USER32(?,?), ref: 10010222
ClientToScreen.USER32(?,?), ref: 10010237
ClientToScreen.USER32(?,?), ref: 10010242
SetBkMode.GDI32(?,00000001), ref: 10010281
SelectObject.GDI32(?,?), ref: 10010299
ClientToScreen.USER32(?,?), ref: 100102EA
MenuItemFromPoint.USER32(00000000,?,?,?), ref: 100102FB
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010325
GetMenuItemRect.USER32(?,?,00000000,?), ref: 1001033D
GetMenuItemCount.USER32(?), ref: 10010357
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010389
OffsetRect.USER32(?,?,?), ref: 100103AC
GetMenuItemInfoA.USER32 ref: 10010419
SetRect.USER32(?,?,?,?,?), ref: 1001053E
SetRect.USER32(?,?,?,?,?), ref: 10010564
OffsetRect.USER32(?,?,?), ref: 10010579
OffsetRect.USER32(?,?,?), ref: 10010591
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001060C

Strings

0, xrefs: 100103F7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$ItemMenu$Client$OffsetScreen$CountFromInfoModeObjectPointSelectWindow
String ID: 0
API String ID: 303195050-4108050209
Opcode ID: 008811b3abd2f731aae474ba5b14917b142eec1ffb338946d922de29f3af1481
Instruction ID: 218a776880d17dfc55bc541e60bba26cc9f27d11404c7c810f554a5f716a7b01
Opcode Fuzzy Hash: 008811b3abd2f731aae474ba5b14917b142eec1ffb338946d922de29f3af1481
Instruction Fuzzy Hash: 61E113B5208345AFE354CF68C884E6BB7E9FBC8744F108A1DF58A87250DB74E945CB62

Function 004641B0 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 366windowCOMMON

Download Yara Rule

APIs

CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0046423C
CreateCompatibleDC.GDI32(?), ref: 0046424E
CreateCompatibleDC.GDI32(?), ref: 00464257
SelectObject.GDI32(00000000,?), ref: 00464266
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00464279
SelectObject.GDI32(?,00000000), ref: 00464289
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004642A9
SelectObject.GDI32(00000000,?), ref: 004642B5
DeleteDC.GDI32(00000000), ref: 004642C2
SelectObject.GDI32(?,?), ref: 004642CA
DeleteDC.GDI32(?), ref: 004642D1
DeleteObject.GDI32(?), ref: 004642D7
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0046430D

Strings

(, xrefs: 0046456F
, xrefs: 004643D3
(, xrefs: 004643BC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CreateObject$Select$BitmapCompatibleDelete
String ID: $($(
API String ID: 1878064223-3669016180
Opcode ID: a341eedb6dbc1319be3624338266476d430f1c1954fd027053a6925304128fa2
Instruction ID: 06539395b7076619d1e647241191e7f5d95402deaa23aba700b3e3eb6b5cf93d
Opcode Fuzzy Hash: a341eedb6dbc1319be3624338266476d430f1c1954fd027053a6925304128fa2
Instruction Fuzzy Hash: 99D158B26043059FC714CF25D984A6BBBE9EFC8310F14492EFA9687350DB74E845CB66

Function 10013170 Relevance: 34.9, APIs: 23, Instructions: 429windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001319A

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 100131E3
IsWindowEnabled.USER32(?), ref: 100131FE
InflateRect.USER32(?,000000FE,000000FE), ref: 100132E2
GetWindowTextA.USER32(?,?,00000400), ref: 10013319
SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 1001334D
GetIconInfo.USER32(00000000,?), ref: 10013369
GetObjectA.GDI32(?,00000018,?), ref: 1001337B
GetTextExtentPointA.GDI32(?,?,?,?), ref: 100133A5
DeleteObject.GDI32(?), ref: 100133E7
DeleteObject.GDI32(?), ref: 100133EE
SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 10013420
GetObjectA.GDI32(00000000,00000018,?), ref: 10013436
GetTextExtentPointA.GDI32(?,?,?,?), ref: 10013460
DrawTextA.USER32(?,?,-00000001,?,00000000), ref: 1001352A
GetPropA.USER32(?,1002C2C0), ref: 100135C0
IsWindowEnabled.USER32(?), ref: 100135D1
SetTextColor.GDI32(?,?), ref: 10013607
OffsetRect.USER32(?,?,?), ref: 1001362B
SetBkMode.GDI32(?,00000001), ref: 10013638
DrawTextA.USER32(?,?,?,?,00000000), ref: 10013663
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001368D

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Text$Rect$CreateDeleteMessageSelectSendWindow$ClipCompatibleDrawEnabledExtentPointProp$BitmapClientColorIconInflateInfoModeOffset
String ID:
API String ID: 660395982-0
Opcode ID: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
Instruction ID: 0720dea72c005f8db2774b89525498d56df710bbe5d87d96d133ef9dad5b9a48
Opcode Fuzzy Hash: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
Instruction Fuzzy Hash: 7FF14AB42087419FE324CF64C885E6BB7E9FBC8710F108A1CF69987290DB74E949CB52

Function 100034F0 Relevance: 33.3, APIs: 22, Instructions: 321COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,1002CDA8,?), ref: 10003521
SelectObject.GDI32(?,?), ref: 10003586
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 100035F1
SelectObject.GDI32(?,?), ref: 10003791
OffsetRgn.GDI32(00000000,?,?), ref: 1000380A
CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003819
DeleteObject.GDI32(?), ref: 10003824
SetRect.USER32(?,00000000,00000000,00000000,?), ref: 1000385B
SelectObject.GDI32(?,?), ref: 100038A2
SelectObject.GDI32(?,?), ref: 100038EF
SelectObject.GDI32(?,?), ref: 100037DD

Part of subcall function 1001C210: ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C3BC
Part of subcall function 1001C210: GlobalFree.KERNEL32(00000000), ref: 1001C3C3

OffsetRgn.GDI32(00000000,00000000,?), ref: 10003918
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10003923
DeleteObject.GDI32(00000000), ref: 1000392A
DeleteObject.GDI32(?), ref: 100035FC

Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E

SelectObject.GDI32(?,?), ref: 100035D2

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

SelectObject.GDI32(?,?), ref: 10003683
SelectObject.GDI32(?,?), ref: 100036CF
OffsetRgn.GDI32(00000000,00000000,?), ref: 100036F2
CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003701
DeleteObject.GDI32(?), ref: 1000370C
SetRect.USER32(?,00000000,00000000,?,?), ref: 10003753

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$Global$DeleteRect$Combine$CreateOffset$AllocLockUnlock$FreeRegionSection
String ID:
API String ID: 2649344923-0
Opcode ID: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
Instruction ID: 7ad6e692fdaee63a5d88ca3bc9fb50060419e0f4e25ce673a8ec1ac2766f1ee5
Opcode Fuzzy Hash: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
Instruction Fuzzy Hash: B8D107B9504318AFE354CFA4CD84D6BBBE9FB88740F204A1DF55987264D770E906CBA2

Function 1000AF00 Relevance: 33.2, APIs: 22, Instructions: 151COMMON

Download Yara Rule

APIs

EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
IsRectEmpty.USER32(?), ref: 1000AF21
CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
DeleteObject.GDI32(00000000), ref: 1000AF7F
DeleteObject.GDI32(00000000), ref: 1000AF82
CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
CreatePen.GDI32(00000000,00000001,?), ref: 1000AFD6
CreatePen.GDI32(00000000,00000001,?), ref: 1000B008
CreateSolidBrush.GDI32(?), ref: 1000B041
SelectObject.GDI32(?,00000000), ref: 1000B051
SelectObject.GDI32(?,00000000), ref: 1000B059
Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
SelectObject.GDI32(?,?), ref: 1000B080
SelectObject.GDI32(?,?), ref: 1000B088
IsRectEmpty.USER32(?), ref: 1000B08F
SelectClipRgn.GDI32(?,00000000), ref: 1000B09B
DeleteObject.GDI32(00000000), ref: 1000B0A8
DeleteObject.GDI32(00000000), ref: 1000B0AB

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$CreateSelect$Rect$Delete$ClipEmpty$BrushCombineEqualRectangleSolid
String ID:
API String ID: 1312918531-0
Opcode ID: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
Instruction ID: ed92dcb72f46cb93286c5d67c269e6d90022c8bc6c11db7440066506c94aadbf
Opcode Fuzzy Hash: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
Instruction Fuzzy Hash: 2D515779205215AFE244DBA4CCC4E6BB7E9FFC8744F208A19FA0597260D770ED46CBA1

Function 00478120 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 351windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E3813: GetWindowTextLengthA.USER32(?), ref: 004E3820
Part of subcall function 004E3813: GetWindowTextA.USER32(?,00000000,00000000), ref: 004E3838

__ftol.LIBCMT ref: 00478196
__ftol.LIBCMT ref: 004781EC
__ftol.LIBCMT ref: 00478242
__ftol.LIBCMT ref: 00478298
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004782B9
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004782D3
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0047839B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004783CD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004783EA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0047840A
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00478424
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0047843C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0047845B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004784C4
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00478529
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0047856B

Part of subcall function 004E55DC: GetDlgItem.USER32(?,?), ref: 004E55EA

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00478597

Strings

tZ, xrefs: 00478136

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$__ftol$TextWindow$ItemLength
String ID: tZ
API String ID: 2143175130-618434692
Opcode ID: 790ce956c397fb94e38e6fe4e02c2c4276b8d6fbafa30c1477ed527db43985ea
Instruction ID: 3bf3678bed07949ff1883ead713936e1b6ef508b4c5396e48aa3749d788bd4a9
Opcode Fuzzy Hash: 790ce956c397fb94e38e6fe4e02c2c4276b8d6fbafa30c1477ed527db43985ea
Instruction Fuzzy Hash: 5FD1C0B5584B02ABD320AB71CC45FEB73A4BB40705F10892EF19A872E1DF78E545CB5A

Function 1000C930 Relevance: 31.7, APIs: 21, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1000C945
GetWindowLongA.USER32(?,000000EC), ref: 1000C968
IsWindowEnabled.USER32(?), ref: 1000C982
SendMessageA.USER32(?,00000138,00000000,?), ref: 1000C9A3
GetClientRect.USER32(?,?), ref: 1000C9B4
GetWindowRect.USER32(?,?), ref: 1000C9C3
ClientToScreen.USER32(?,?), ref: 1000C9D8
ClientToScreen.USER32(?,?), ref: 1000C9E3
OffsetRect.USER32(?,?,?), ref: 1000C9FE
OffsetRect.USER32(?,?,?), ref: 1000CA13
SelectObject.GDI32(00000000,00000000), ref: 1000CA17
CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA39
CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA51
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000CA5A
SelectClipRgn.GDI32(00000000,00000000), ref: 1000CA62
DeleteObject.GDI32(00000000), ref: 1000CA6F
DeleteObject.GDI32(00000000), ref: 1000CA72
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1000CA88
InflateRect.USER32(?,000000FE,000000FE), ref: 1000CACF
IsWindowEnabled.USER32(?), ref: 1000CAD9
GetFocus.USER32 ref: 1000CAE7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$ClientObject$CreateDeleteEnabledLongOffsetScreenSelect$ClipCombineFocusInflateMessageSend
String ID:
API String ID: 1428229788-0
Opcode ID: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
Instruction ID: f3ce32309e44c4e53b58f03bab4cd10378bf4dbb7bac6551a4584a97cbcaf063
Opcode Fuzzy Hash: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
Instruction Fuzzy Hash: 26714DB8204305AFE304DF65CC84E2BB7E8EFC9754F108A1DF99993260D675E946CB62

Function 10013F20 Relevance: 30.2, APIs: 16, Strings: 1, Instructions: 493windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10013F4E
OffsetRect.USER32(?,?,?), ref: 10013F67

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 10013F9A

Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 10013FB5
SelectObject.GDI32(?,?), ref: 10013FC9
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10013FED
SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 1001400F
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10014027
SetRectEmpty.USER32(00000000), ref: 10014046
SendMessageA.USER32(?,00000409,00000000,00000000), ref: 1001405B
SendMessageA.USER32 ref: 10014247
SetRect.USER32(?,?,?,?,?), ref: 1001431F
DrawTextA.USER32(?,?,?,?,00000025), ref: 10014469
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10014484
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 100144FE

Strings

P, xrefs: 10014226

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$MessageObjectSelectSend$Create$ClipCompatible$??2@??3@BitmapDeleteDrawEmptyModeOffsetPropTextWindow
String ID: P
API String ID: 4166418595-3110715001
Opcode ID: 9f570dee45befc74a9ce08817d24616d7024467e30ac1365d4316e300070ec4e
Instruction ID: 667f0b52e11a95e24b10ca477dcf0e066d8db5c2e0f9aabd908416b331fe757d
Opcode Fuzzy Hash: 9f570dee45befc74a9ce08817d24616d7024467e30ac1365d4316e300070ec4e
Instruction Fuzzy Hash: 831269756043019FD314CF58C880A6AB7E6FFC8704F258A1DF6998B361DA71EC86CB52

Function 100201A0 Relevance: 28.9, APIs: 19, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000020), ref: 100201C0
OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
CreateCompatibleDC.GDI32(00000000), ref: 100201D9
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
SelectObject.GDI32(00000000,00000000), ref: 100201FC
SelectObject.GDI32(00000000,?), ref: 1002020B
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F

Part of subcall function 10020700: SendMessageA.USER32(?,0000041A,00000000,00000044), ref: 1002071E
Part of subcall function 10020700: SendMessageA.USER32(?,00000419,00000000,00000034), ref: 1002072F
Part of subcall function 10020700: GetClientRect.USER32(?,?), ref: 10020749

IsWindowEnabled.USER32(?), ref: 1002024C
IsWindowEnabled.USER32(?), ref: 1002028A
GetFocus.USER32 ref: 100202CF
IsWindowEnabled.USER32(?), ref: 10020411
IsWindowEnabled.USER32(?), ref: 1002044B
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 100205BD
DeleteObject.GDI32(?), ref: 100205C8
DeleteDC.GDI32(00000000), ref: 100205CF

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Enabled$ObjectRect$CompatibleCreateDeleteMessageSelectSend$BitmapClientFocusOffset
String ID:
API String ID: 969275910-0
Opcode ID: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
Instruction ID: 94777b03be6e9f1ae59e0413948786f371ff679d45ed1d23647022047fdc10e1
Opcode Fuzzy Hash: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
Instruction Fuzzy Hash: 91C138B9200715DFE364CB54DCC1EAB73AAFF88740F618969FA0587762D634ED418B60

Function 1000DEF0 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 269windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000DF29
OffsetRect.USER32(?,?,?), ref: 1000DF42

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 1000DF94

Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 1000DFA9
IsWindowEnabled.USER32(?), ref: 1000DFB3
SendMessageA.USER32(?,00001209,00000000,00000000), ref: 1000DFCE
SendMessageA.USER32 ref: 1000DFFA
SendMessageA.USER32(?,0000120F,?,00000000), ref: 1000E02B
SendMessageA.USER32(?,00001203,00000000,?), ref: 1000E03E
SendMessageA.USER32(?,00001207,00000000,?), ref: 1000E04F
6FA9CFD0.COMCTL32(?,?,?,?,?,00000001,?,?,?,00001200,00000000,00000000), ref: 1000E156
SetTextColor.GDI32(?,?), ref: 1000E1A9
DrawTextA.USER32(?,?,?,?,00000024), ref: 1000E1D4
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000E210

Strings

7, xrefs: 1000DFE6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$CreateObjectRectSelect$ClipCompatibleTextWindow$BitmapColorDeleteDrawEnabledModeOffsetProp
String ID: 7
API String ID: 1379053974-1790921346
Opcode ID: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
Instruction ID: d6cd2112b19415e89498b4abe21e6ca38dab58f18fec7e0c69950289425e1392
Opcode Fuzzy Hash: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
Instruction Fuzzy Hash: 58A14A75208341AFE314CF24C884F6BB7E9EBC8744F108A1CF599973A1DA75E945CB62

Function 004E4D4F Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E56B6: GetWindowLongA.USER32(?,000000F0), ref: 004E56C2

GetParent.USER32(?), ref: 004E4D7A
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004E4D9D
GetWindowRect.USER32(?,?), ref: 004E4DB6
GetWindowLongA.USER32(00000000,000000F0), ref: 004E4DC9
CopyRect.USER32(?,?), ref: 004E4E16
CopyRect.USER32(?,?), ref: 004E4E20
GetWindowRect.USER32(00000000,?), ref: 004E4E29
CopyRect.USER32(?,?), ref: 004E4E45

Strings

@, xrefs: 004E4DB8
(, xrefs: 004E4DE1

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 77044df17db5b2f965a1d239e0d416cc94277c886e1e98b1bf185dbb91cb33ea
Instruction ID: f2c4af52d535db5b79cc560602e5e1de358f1d46f06d79f9d8d46f70da014cab
Opcode Fuzzy Hash: 77044df17db5b2f965a1d239e0d416cc94277c886e1e98b1bf185dbb91cb33ea
Instruction Fuzzy Hash: 61517072900619AFDB10DBA9CC89FEEBBB9AF84315F154216F901F3290D774AD05CB68

Function 10018F60 Relevance: 24.2, APIs: 16, Instructions: 171COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 10018F91
DeleteObject.GDI32(?), ref: 10018FA7
DeleteObject.GDI32(?), ref: 10018FC1
DeleteObject.GDI32(?), ref: 10018FCE
CreateFontIndirectA.GDI32(00000000), ref: 1001900A
CreateFontIndirectA.GDI32(00000000), ref: 1001902C
SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 10019057
CreateFontIndirectA.GDI32(?), ref: 1001905E
CreateFontIndirectA.GDI32 ref: 10019076
SystemParametersInfoA.USER32 ref: 100190A3
CreateFontIndirectA.GDI32(?), ref: 100190BA
CreateFontIndirectA.GDI32(?), ref: 100190CD
CreateFontIndirectA.GDI32(?), ref: 10019102
CreateFontIndirectA.GDI32(?), ref: 10019116
CreateFontIndirectA.GDI32(?), ref: 10019131
CreateFontIndirectA.GDI32(?), ref: 10019145

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreateFontIndirect$DeleteObject$InfoParametersSystem
String ID:
API String ID: 3387422844-0
Opcode ID: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
Instruction ID: 711df5a203e8b563da40807aa8fc905527dfc6b6a225bd5e8f361db8bcb87da6
Opcode Fuzzy Hash: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
Instruction Fuzzy Hash: DD6116B06007468FE720CF69C880A9BF7E5FF88744F504A2EE98A87640E774FA45CB55

Function 004645F0 Relevance: 22.8, APIs: 15, Instructions: 305windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045E9E0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 0045E9EF

SetStretchBltMode.GDI32(?,00000000), ref: 00464604
CreateCompatibleDC.GDI32(?), ref: 00464689
CreateCompatibleDC.GDI32(?), ref: 004646A1
GetObjectA.GDI32(?,00000018,?), ref: 004646E2
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004646F8
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00464756
StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 004647AF
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 004647E9
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 00464823
CreateCompatibleDC.GDI32(?), ref: 0046489B
SelectObject.GDI32(00000000,?), ref: 004648A8
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 004648EB
SelectObject.GDI32(00000000,?), ref: 004648F7
DeleteDC.GDI32(00000000), ref: 004648FE
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 0046493D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Stretch$Create$CompatibleObject$Select$BitmapDeleteDisplayDrawEnumIconModeSettings
String ID:
API String ID: 1298110373-0
Opcode ID: 5c62411cf2090d9b631c6460eba479f4c45203effe605365e24516fa9eeefa06
Instruction ID: c65e778f71f4cdf9f2d5064ea9683884441696247fd82b1986369d452c32bb44
Opcode Fuzzy Hash: 5c62411cf2090d9b631c6460eba479f4c45203effe605365e24516fa9eeefa06
Instruction Fuzzy Hash: ABB15671208704AFD614DB25CC85F6BB3E9FB88724F108A1DF6A583290DB74EC05CB6A

Function 10015C70 Relevance: 22.8, APIs: 15, Instructions: 254windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10015C7C
GetClientRect.USER32(?,?), ref: 10015CA1
GetWindowRect.USER32(?,?), ref: 10015CB0
ClientToScreen.USER32(?,?), ref: 10015CC5
ClientToScreen.USER32(?,?), ref: 10015CD0
OffsetRect.USER32(?,?,?), ref: 10015CEB
OffsetRect.USER32(?,?,?), ref: 10015D00
EqualRect.USER32(?,?), ref: 10015D0C
IsWindowEnabled.USER32(?), ref: 10015D96
GetFocus.USER32 ref: 10015DF8

Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Object$Select$Create$ClientWindow$DeleteEmptyEqualOffsetScreen$BrushClipCombineEnabledFocusRectangleSolidVisible
String ID:
API String ID: 2232225062-0
Opcode ID: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
Instruction ID: 8293882ae8f60722bbcd7dca41eebeae144ae381a56dea18b72fd41b6b61f364
Opcode Fuzzy Hash: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
Instruction Fuzzy Hash: 6291F4B96043019FD304DF69C88592BB7E9EBC8310F14CA1DF9998B355DA31E946CB92

Function 100055A0 Relevance: 22.7, APIs: 15, Instructions: 222COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100055C2
SetRect.USER32(?,00000000,00000000,?,?), ref: 100055E3
GetWindowLongA.USER32(?,000000F0), ref: 100055EF
SetRectEmpty.USER32(?), ref: 100056EC
SetRectEmpty.USER32(?), ref: 100056F5
SetRectEmpty.USER32(?), ref: 1000578A
SetRectEmpty.USER32(?), ref: 100057BC
SetRectEmpty.USER32(?), ref: 10005815
SetRectEmpty.USER32(?), ref: 1000581E
SetRectEmpty.USER32(?), ref: 10005827
SetRectEmpty.USER32(?), ref: 10005830
SetRectEmpty.USER32(?), ref: 10005839
IsRectEmpty.USER32(?), ref: 10005854
IsRectEmpty.USER32(?), ref: 1000589C
IsRectEmpty.USER32(?), ref: 100058A9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Empty$Window$Long
String ID:
API String ID: 1594619121-0
Opcode ID: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
Instruction ID: d0c9926444baea1fe4ebff3a720e05cc6beccc75dc12de5c1cc4c6843b7c2cf1
Opcode Fuzzy Hash: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
Instruction Fuzzy Hash: FFA11375605B058FE364CF28C888BA7B7E5FF88345F25896DD89E87215DB32A806CF50

Function 100240D0 Relevance: 22.7, APIs: 15, Instructions: 199timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006626), ref: 1002412C
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 1002413C

Part of subcall function 10024CF0: GetMenuItemInfoA.USER32 ref: 10024D26

Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3

KillTimer.USER32(?,?), ref: 10024176
TrackPopupMenu.USER32(?,00000000,00000000,00000000,00000000,?), ref: 100241DA

Part of subcall function 10023F00: GetCursorPos.USER32(?), ref: 10023F0E
Part of subcall function 10023F00: GetWindowRect.USER32(?,?), ref: 10023F1D
Part of subcall function 10023F00: PtInRect.USER32(?,?,?), ref: 10023F38
Part of subcall function 10023F00: PtInRect.USER32(00000168,?,?), ref: 10023F67
Part of subcall function 10023F00: GetMenuItemCount.USER32(?), ref: 10023F94
Part of subcall function 10023F00: GetMenuItemInfoA.USER32 ref: 10023FE3
Part of subcall function 10023F00: OffsetRect.USER32(?,?,00000000), ref: 1002401B
Part of subcall function 10023F00: PtInRect.USER32(?,00000400,00000000), ref: 10024030

Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024082
Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024099

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Menu$Item$Timer$InfoKill$CountCursorMessageOffsetPopupSendTrackWindow
String ID:
API String ID: 2948288781-0
Opcode ID: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
Instruction ID: 37a8328168521e0b11368bf9a4f74ca38fbc0c8ce550388fabf89b9119d921f0
Opcode Fuzzy Hash: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
Instruction Fuzzy Hash: 0F71EF79200702ABE310DB28DC84FABB7F9EF98754F11891DF55A87290DB31E945CB51

Function 10002C90 Relevance: 22.6, APIs: 15, Instructions: 150windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10002C9C
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10002CDD
GetCursorPos.USER32(?), ref: 10002D06
GetWindowRect.USER32(?,?), ref: 10002D1C
GetWindowRect.USER32(?,?), ref: 10002D2A
GetWindowRect.USER32(?,?), ref: 10002D38
PtInRect.USER32(?,?,?), ref: 10002D87
LoadCursorA.USER32(00000000,00007F85), ref: 10002DC6
SetCursor.USER32(00000000), ref: 10002DCD
SendMessageA.USER32(?,?,0000000F,?), ref: 10002DE9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: RectWindow$CursorMessageSend$EnabledLoad
String ID:
API String ID: 4229092383-0
Opcode ID: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
Instruction ID: dc413347daec2f70c86c06c67fd336eb8edfad542e32f7a3e4721b36555a0e72
Opcode Fuzzy Hash: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
Instruction Fuzzy Hash: 66517975608742AFE310DB65CC88E9BB7E9FFC8B50F60891DF58983250D674E905CB62

Function 10017350 Relevance: 22.6, APIs: 15, Instructions: 88COMMON

Download Yara Rule

APIs

DeleteDC.GDI32(?), ref: 10017387
DeleteDC.GDI32(?), ref: 10017394
DeleteObject.GDI32(?), ref: 100173A1
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,?,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173D4
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173EC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173F8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718,?,?,?), ref: 10017404
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718), ref: 10017410
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718), ref: 10017424
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF,10019718), ref: 10017430
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,1002781A,000000FF), ref: 1001743C
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,1002781A), ref: 10017448
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?,00000000), ref: 10017454
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 10017460

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@$Delete$Object
String ID:
API String ID: 1805807598-0
Opcode ID: 7b169dbb6de1d35d7e5cbc644cd2f3a099730363be3119b7d3e9183802c9ff51
Instruction ID: 8eb2a162a59bfd02bb3efb1085eef2ff5d2453cd59b241f8ea59b29271d371ff
Opcode Fuzzy Hash: 7b169dbb6de1d35d7e5cbc644cd2f3a099730363be3119b7d3e9183802c9ff51
Instruction Fuzzy Hash: 0D3105B9500B519BC720DFB8D8C5A9BB7E8FB4C210FA08D1DB5AA87241C676F9449B60

Function 100169C0 Relevance: 21.4, APIs: 14, Instructions: 408COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10016A9B
SetRect.USER32(?,00000000,?,?,?), ref: 10016C24
MulDiv.KERNEL32(?,?,?), ref: 10016C3D
OffsetRect.USER32(?,00000000,00000000), ref: 10016C51
OffsetRect.USER32(?,00000000,?), ref: 10016C7F
IsRectEmpty.USER32(?), ref: 10016C85
MulDiv.KERNEL32(?,76C22370,?), ref: 10016CDB
MulDiv.KERNEL32(-00000001,?,?), ref: 10016CFA
MulDiv.KERNEL32(?,?,?), ref: 10016D1F
SetRect.USER32(?,?,00000000,?,?), ref: 10016DB7
SetRectEmpty.USER32(?), ref: 10016DC3
EqualRect.USER32(?,?), ref: 10016DED
EqualRect.USER32(?,?), ref: 10016DFD
SetRectEmpty.USER32(?), ref: 10016E30

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Empty$EqualOffset$EnabledWindow
String ID:
API String ID: 1250441839-0
Opcode ID: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
Instruction ID: b6d8e02c079bcafa56aa8081014225c04d9d0cf20a220bfdce263d8fab6bfb8f
Opcode Fuzzy Hash: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
Instruction Fuzzy Hash: 3302E4746047019FC718CF69C98491AFBF6FF88304F248A2DE98A8B755D731E985CB91

Function 00454E30 Relevance: 21.3, APIs: 9, Strings: 3, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,00000000,005B7B70,00000000), ref: 00454F14
LoadLibraryA.KERNEL32(?,00000000,00000000,00000000,?,?,0058FD08,?,?,?,?,?,?,00000000,005B7B70,00000000), ref: 00454F51
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00454F87
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005B7B70,00000000), ref: 00454F92
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,005B7B70,00000000), ref: 00454FA0
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 004550AD
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 004550E2
CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,005B7B70,00000000), ref: 004551A7
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 004551C3

Strings

tZ, xrefs: 00454FEE
DllRegisterServer, xrefs: 00454F79
DllUnregisterServer, xrefs: 00454F80, 00454F85

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer$tZ
API String ID: 2476498075-2538320404
Opcode ID: b47c3a2d6f01e6c772d725a1577922ffc7dea05800d2dde3c64a10625d30853f
Instruction ID: 2dbb364e31ba9809c066627c570863ea9d04c6726223389ad240ec060bfb21a5
Opcode Fuzzy Hash: b47c3a2d6f01e6c772d725a1577922ffc7dea05800d2dde3c64a10625d30853f
Instruction Fuzzy Hash: F1B1D4B1900649ABDB10EFA5C851FBE77B8EF44309F10451EFC15AB382DA389E09C765

Function 10011460 Relevance: 21.0, APIs: 14, Instructions: 49COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 10011466
GetSystemMetrics.USER32(0000000F), ref: 10011476
GetSystemMetrics.USER32(00000000), ref: 1001147D
GetSystemMetrics.USER32(00000001), ref: 10011484
GetSystemMetrics.USER32(0000000B), ref: 1001148B
GetSystemMetrics.USER32(0000000C), ref: 10011492
GetSystemMetrics.USER32(00000002), ref: 10011499
GetSystemMetrics.USER32(00000003), ref: 100114A0
GetSystemMetrics.USER32(00000020), ref: 100114A7
GetSystemMetrics.USER32(00000021), ref: 100114AE
GetSystemMetrics.USER32(00000007), ref: 100114B5
GetSystemMetrics.USER32(00000008), ref: 100114BC
GetSystemMetrics.USER32(00000004), ref: 100114C3
GetSystemMetrics.USER32(00000033), ref: 100114CA

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MetricsSystem$Color
String ID:
API String ID: 3740768223-0
Opcode ID: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
Instruction ID: b415c9ff06fc4772aef4a92c67fdb6d16b11039c2eda6f13e71a1828a8f5e86c
Opcode Fuzzy Hash: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
Instruction Fuzzy Hash: F00187B0D417449AE7306FB29D4EF07BEE0EFC0B00F11492EE2858BA81D6B5A141CF40

Function 00470E20 Relevance: 19.8, APIs: 13, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00470E3E
SetCapture.USER32(?,?,?,?,?,?,?,?,?,004EF3C8,000000FF,0047067D,?,?,?,?), ref: 00470E5B

Part of subcall function 004E7E0E: __EH_prolog.LIBCMT ref: 004E7E13
Part of subcall function 004E7E0E: GetDC.USER32(0043B594), ref: 004E7E3C

Part of subcall function 004846F0: GetWindowExtEx.GDI32(?,?), ref: 00484713

Part of subcall function 004E7D3C: GetWindowExtEx.GDI32(?,?), ref: 004E7D4D
Part of subcall function 004E7D3C: GetViewportExtEx.GDI32(?,?), ref: 004E7D5A
Part of subcall function 004E7D3C: MulDiv.KERNEL32(?,00000000,00000000), ref: 004E7D7F
Part of subcall function 004E7D3C: MulDiv.KERNEL32(?,00000000,00000000), ref: 004E7D9A

Part of subcall function 004E78CD: SetMapMode.GDI32(?,?), ref: 004E78E6
Part of subcall function 004E78CD: SetMapMode.GDI32(?,?), ref: 004E78F4

Part of subcall function 004E7842: SetROP2.GDI32(?,?), ref: 004E785B
Part of subcall function 004E7842: SetROP2.GDI32(?,?), ref: 004E7869

Part of subcall function 004E77E6: SetBkMode.GDI32(?,?), ref: 004E77FF
Part of subcall function 004E77E6: SetBkMode.GDI32(?,?), ref: 004E780D

Part of subcall function 004E8123: __EH_prolog.LIBCMT ref: 004E8128
Part of subcall function 004E8123: CreatePen.GDI32(?,?,?), ref: 004E814B

Part of subcall function 004E770A: SelectObject.GDI32(0043F475,00000000), ref: 004E772C
Part of subcall function 004E770A: SelectObject.GDI32(0043F475,?), ref: 004E7742

GetCapture.USER32 ref: 00470F21
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00470F40
DispatchMessageA.USER32(?), ref: 00470F81
DispatchMessageA.USER32(?), ref: 00470F9D
ScreenToClient.USER32(?,?), ref: 00470FE4
GetCapture.USER32 ref: 0047100C
ReleaseCapture.USER32 ref: 00471034
ReleaseCapture.USER32 ref: 00471090
DPtoLP.GDI32 ref: 004710D4
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0047115D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004711EB

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID:
API String ID: 453157188-0
Opcode ID: ba6ced0bb085f8f64977272a469e0bcde4eb7ede01ed32fd721dffaf2a695bb3
Instruction ID: c3aaed2879a316b09a01be775b27cca726f6fbc2dc9b4180be86bc1fe0d38781
Opcode Fuzzy Hash: ba6ced0bb085f8f64977272a469e0bcde4eb7ede01ed32fd721dffaf2a695bb3
Instruction Fuzzy Hash: 7EB1C771104740ABD324EB29CC85EAFB7E8FF84704F10491EF156872A1DB78E945CB6A

Function 1000CE20 Relevance: 19.7, APIs: 13, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000CE96
OffsetRect.USER32(?,?,?), ref: 1000CEAF
GetClientRect.USER32(?,?), ref: 1000CEC1
SelectObject.GDI32(?,?), ref: 1000CEFA
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1000CF18
SetMapMode.GDI32(?,00000001), ref: 1000CF24
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF34
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF44
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF54
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF64
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000CFB5

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1

??3@YAXPAX@Z.MSVCRT(?), ref: 1000D017
InvalidateRect.USER32(?,00000000,00000001), ref: 1000D031

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$DeleteRect$SelectWindow$Viewport$??3@ClientInvalidateModeOffset
String ID:
API String ID: 648218233-0
Opcode ID: 1af748156e2dd9d40a91cdbdd6aab29c40d3e99f3135864ecf00bc1dc963960f
Instruction ID: 2f10df49a190d83ca2c48d706accd39583ccff9776fc3dcd98fdd01acb908c43
Opcode Fuzzy Hash: 1af748156e2dd9d40a91cdbdd6aab29c40d3e99f3135864ecf00bc1dc963960f
Instruction Fuzzy Hash: 6A615C79244342AFE224DF14CC85F2BB7A8FB88B40F20891DFA5997295C771FD428B61

Function 10009550 Relevance: 19.7, APIs: 13, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10009562
GetWindowRect.USER32(?,?), ref: 10009571
ClientToScreen.USER32(?,?), ref: 10009586
ClientToScreen.USER32(?,?), ref: 10009591
OffsetRect.USER32(?,?,?), ref: 100095AC
OffsetRect.USER32(?,?,?), ref: 100095C1
IsWindowEnabled.USER32(?), ref: 100095D2
GetFocus.USER32 ref: 100095E0
FindWindowExA.USER32(?,00000000,1002C070,00000000), ref: 1000964D
FindWindowExA.USER32(?,00000000,1002C060,00000000), ref: 10009662
SelectObject.GDI32(00000000,?), ref: 100096C6
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100096E8
IsWindowEnabled.USER32(?), ref: 100096F2

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Rect$Client$EnabledFindOffsetScreen$FocusObjectSelect
String ID:
API String ID: 995514740-0
Opcode ID: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
Instruction ID: 219e8067712f3e67318549e0e7e2ffd899cab36933d0d05de9bc9511727c2731
Opcode Fuzzy Hash: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
Instruction Fuzzy Hash: BB6115B8204702AFE314DF69C880E6BB7E8FF88744B208A5DF94987355D735E946CB61

Function 1001CA30 Relevance: 19.6, APIs: 13, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001CA4C
GetWindowRect.USER32(?,?), ref: 1001CA5B
ClientToScreen.USER32(?,?), ref: 1001CA70
ClientToScreen.USER32(?,?), ref: 1001CA7B
OffsetRect.USER32(?,?,?), ref: 1001CA96
OffsetRect.USER32(?,?,?), ref: 1001CAAB
EqualRect.USER32(?,?), ref: 1001CAB7
BeginPath.GDI32(00000000), ref: 1001CAC2
Rectangle.GDI32(00000000,?,?,?,?), ref: 1001CADD
EndPath.GDI32(00000000), ref: 1001CAE4
SelectClipPath.GDI32(00000000,00000004), ref: 1001CAED
SelectObject.GDI32(00000000,?), ref: 1001CB00
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CB1A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$ClientPath$OffsetScreenSelect$BeginClipEqualObjectRectangleWindow
String ID:
API String ID: 2221267872-0
Opcode ID: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
Instruction ID: 2ba2e5f7c95da289b8c11f671d4d77d81127840f5cb8de534027a22f72d25923
Opcode Fuzzy Hash: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
Instruction Fuzzy Hash: B231C879204316AFE714DB65CCC9D7BB3F9FBC8614F108A0CF55683250DA74E94A8B61

Function 100084B0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100084C9
GetComboBoxInfo.USER32 ref: 100084DC
GetWindowRect.USER32(?,?), ref: 100084FD
OffsetRect.USER32(?,?,?), ref: 1000851B
CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 10008566
IsWindowEnabled.USER32(?), ref: 10008599
GetFocus.USER32 ref: 100085A7
IsRectEmpty.USER32(?), ref: 10008606
SelectObject.GDI32(00000000,?), ref: 10008646
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000866A

Strings

4, xrefs: 100084D4

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: RectWindow$CallComboEmptyEnabledFocusInfoObjectOffsetProcSelect
String ID: 4
API String ID: 3620934650-4088798008
Opcode ID: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
Instruction ID: 5cea887d1a42687cc65618457859d6ae2faca28e616dd28a7858be6a4daf13f9
Opcode Fuzzy Hash: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
Instruction Fuzzy Hash: 275127B9208701AFE314DF68C880E6BB7E9FBC8750F108A1DF99987355DA30E945CB52

Function 10013810 Relevance: 18.4, APIs: 12, Instructions: 363windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001383A

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 10012060: GetPropA.USER32(?,1002C2CC), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 10013889
InflateRect.USER32(?,000000FF,000000FF), ref: 100138F0
InflateRect.USER32(00000000,000000FF,000000FF), ref: 100138FB
IsWindowEnabled.USER32(?), ref: 10013912
GetWindowTextA.USER32(?,?,00000400), ref: 10013AA2
DrawTextA.USER32(?,?,?,?,00000001), ref: 10013B3E
GetPropA.USER32(?,1002C2C0), ref: 10013BD4
SetTextColor.GDI32(?,00000000), ref: 10013BFA
SetBkMode.GDI32(?,00000001), ref: 10013C07
DrawTextA.USER32(?,?,?,?,00000001), ref: 10013C2C
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10013C56

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: RectText$CreateObjectSelect$ClipCompatibleDrawInflatePropWindow$BitmapClientColorDeleteEnabledMessageModeSend
String ID:
API String ID: 3785997197-0
Opcode ID: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
Instruction ID: 6eeb226ef1bb0de1b614e7657a0c8b189afcc3c0ce88ba382625342e3441b8cf
Opcode Fuzzy Hash: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
Instruction Fuzzy Hash: 5DE137B52083019FD354CF68C884A6AB7E5FFC8714F108A1DFAA987391D774E945CB92

Function 10007550 Relevance: 18.2, APIs: 12, Instructions: 192windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 10007570
GetIconInfo.USER32(00000000,?), ref: 10007586
GetObjectA.GDI32(?,00000018,?), ref: 10007598
DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1000761E
DeleteObject.GDI32(?), ref: 1000762F
DeleteObject.GDI32(?), ref: 10007636
SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 1000764D
GetObjectA.GDI32(00000000,00000018,?), ref: 10007665
CreateCompatibleDC.GDI32(?), ref: 10007670
SelectObject.GDI32(00000000,00000000), ref: 1000767A
BitBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 10007701
DeleteDC.GDI32(00000000), ref: 10007708

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Delete$IconMessageSend$CompatibleCreateDrawInfoSelect
String ID:
API String ID: 955780663-0
Opcode ID: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
Instruction ID: 5ad2fc0d9cfef1da6667f6bfad95baaf5387ec86fbaa1d7a00321d89c8de7b88
Opcode Fuzzy Hash: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
Instruction Fuzzy Hash: BD516075300611AFD344CA7CCD85F6BB7EAEFC8244F198628FA49C7255D671EC068790

Function 1000C6F0 Relevance: 18.2, APIs: 12, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000C702
GetWindowRect.USER32(?,?), ref: 1000C711
ClientToScreen.USER32(?,?), ref: 1000C726
ClientToScreen.USER32(?,?), ref: 1000C731
OffsetRect.USER32(?,?,?), ref: 1000C74C
OffsetRect.USER32(?,?,?), ref: 1000C761
IsWindowEnabled.USER32(?), ref: 1000C778
GetFocus.USER32 ref: 1000C782
InflateRect.USER32(00000020,000000FE,000000FE), ref: 1000C81C
SelectObject.GDI32(00000000,?), ref: 1000C830
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000C84F
IsWindowEnabled.USER32(?), ref: 1000C859

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$ClientWindow$EnabledOffsetScreen$FocusInflateObjectSelect
String ID:
API String ID: 3408369734-0
Opcode ID: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
Instruction ID: d3539a25c7ff0506e7ee7ab9e9479a1055ac5ff067c866c20199165bfa3bfce7
Opcode Fuzzy Hash: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
Instruction Fuzzy Hash: C25119B8204706AFE314DF69C884D2BB7E9FFC8354B208A1DF85987365D631ED468B61

Function 10016060 Relevance: 18.2, APIs: 12, Instructions: 157windowCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 1001608F
CallWindowProcA.USER32(?,?,?,?,?), ref: 100160C2
GetParent.USER32(?), ref: 1001611B
SendMessageA.USER32(00000000), ref: 10016122

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallProcWindow$MessageParentSend
String ID:
API String ID: 482362837-0
Opcode ID: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
Instruction ID: 0d51841f0734fbb8e4940dc07b8de3669c789b49538fb586d0ae161ad6d6c563
Opcode Fuzzy Hash: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
Instruction Fuzzy Hash: 4E519E76200611AFE310DB68CC85FAB73E8EB8C750F144918F95ACB292D670E985CBA1

Function 1000C030 Relevance: 18.1, APIs: 12, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 1000C03F
GetClientRect.USER32(?,?), ref: 1000C04B
ClientToScreen.USER32(?,?), ref: 1000C05D
ClientToScreen.USER32(?,?), ref: 1000C065
OffsetRect.USER32(?,?,?), ref: 1000C080
OffsetRect.USER32(?,?,?), ref: 1000C095
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0B1
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0C9
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C0D2
SelectClipRgn.GDI32(?,00000000), ref: 1000C0DE
DeleteObject.GDI32(00000000), ref: 1000C0EB
DeleteObject.GDI32(00000000), ref: 1000C0EE

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Client$CreateDeleteObjectOffsetScreen$ClipCombineSelectWindow
String ID:
API String ID: 2240990249-0
Opcode ID: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
Instruction ID: 6da254da4a0019f5656eed989aa654683ae0a7bab9e4da9d351570924b964c57
Opcode Fuzzy Hash: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
Instruction Fuzzy Hash: C021D8B9115225BFE304DB55CC84CABB7EDEFC9710F158A0DF98593210D674EA0A8BA2

Function 004DC6DD Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,005802CC,00000001,005802CC,00000001,00000000,023411AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004CF9C3), ref: 004DC71B
CompareStringA.KERNEL32(00000000,00000000,005802C8,00000001,005802C8,00000001), ref: 004DC738
CompareStringA.KERNEL32(00494F56,00000000,00000000,00000000,004CF9C3,00000000,00000000,023411AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004CF9C3), ref: 004DC796
GetCPInfo.KERNEL32(00000000,00000000,00000000,023411AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,004CF9C3,00000000), ref: 004DC7E7
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 004DC866
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 004DC8C7
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 004DC8DA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004DC926
CompareStringW.KERNEL32(00494F56,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004DC93E

Strings

VOI, xrefs: 004DC6DD

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID: VOI
API String ID: 1651298574-4019266030
Opcode ID: 13114f916af8ca6f9140aee266613e118964dcf9741b6a07b096e7ff83d7e683
Instruction ID: 798119e1fe8aee3e3c0e4229d1261815886c52c3f77e2ca7b66b803a2cd49b31
Opcode Fuzzy Hash: 13114f916af8ca6f9140aee266613e118964dcf9741b6a07b096e7ff83d7e683
Instruction Fuzzy Hash: 937180B290414BEFCF219F948DE59EB7BB6EB05350F14016BF950A2360D3398C51DB99

Function 10012D70 Relevance: 16.8, APIs: 11, Instructions: 272windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10012DA6
OffsetRect.USER32(?,?,?), ref: 10012DBF

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SelectObject.GDI32(?,00000000), ref: 10012DF5
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10012E0F
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 10012E28
SendMessageA.USER32(?,00000407,00000001,00000000), ref: 10012E3C
IsWindowEnabled.USER32(?), ref: 10012E7B
IsWindowEnabled.USER32(?), ref: 10012F5A
IsWindowEnabled.USER32(?), ref: 10012F95
IsWindowEnabled.USER32(?), ref: 1001306D
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 100130BE

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Enabled$CreateObjectRectSelect$ClipCompatibleMessageSend$BitmapDeleteOffset
String ID:
API String ID: 1350237671-0
Opcode ID: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
Instruction ID: 4c5c30fd0665583f47b77be65c20ac278036d55bad62e296687f2ec44f63bcda
Opcode Fuzzy Hash: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
Instruction Fuzzy Hash: A9B148B9204301AFE348CF68C885E6AB7EAFBC8714F148A2DF95997351DB30E941CB51

Function 00478E40 Relevance: 16.7, APIs: 11, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00478E6E
FillRect.USER32(?,?,00000000), ref: 00478ECE
FillRect.USER32(?,?,00000000), ref: 00478F3E

Part of subcall function 004E8173: __EH_prolog.LIBCMT ref: 004E8178
Part of subcall function 004E8173: CreateSolidBrush.GDI32(?), ref: 004E8195

FillRect.USER32(?,?,00000000), ref: 00478FB5
CreateCompatibleDC.GDI32(?), ref: 00478FDD
SelectObject.GDI32(00000000,?), ref: 00478FF3
SetStretchBltMode.GDI32(?,00000000), ref: 00479025
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00479058
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00479083
SelectObject.GDI32(00000000,?), ref: 0047908F
DeleteDC.GDI32(00000000), ref: 0047909C

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID:
API String ID: 1645634290-0
Opcode ID: 3f48709f6e21e23f8a766e078bb1455f49b862247532698bd80c66f859e2f554
Instruction ID: 3c7c1a11a558043b7919237e5656459080fbf0281163b0cbb557b20752dcc32e
Opcode Fuzzy Hash: 3f48709f6e21e23f8a766e078bb1455f49b862247532698bd80c66f859e2f554
Instruction Fuzzy Hash: 77611A71204341AFD724DF65C984FABB7E9FB88704F00891EF95A93280DB74E805CB69

Function 1001BBF0 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 1001BC14
DeleteObject.GDI32(?), ref: 1001BC2F
DeleteObject.GDI32(?), ref: 1001BC5B
DeleteObject.GDI32(?), ref: 1001BC7F
DeleteObject.GDI32(?), ref: 1001BCA2
DeleteObject.GDI32(?), ref: 1001BCBB
SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BD28
IsWindowVisible.USER32(?), ref: 1001BD38

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: DeleteObject$MessageSendVisibleWindow
String ID:
API String ID: 2663172341-0
Opcode ID: 66abe18e5676ff3348325067956f17469dfdb9c0fcfd3401069746659852b7f4
Instruction ID: 69cb3e28c512f8bc434b60400197b4956680df1e75d225c41875b39bfed14100
Opcode Fuzzy Hash: 66abe18e5676ff3348325067956f17469dfdb9c0fcfd3401069746659852b7f4
Instruction Fuzzy Hash: C15149B96006198FD744DF65D8C4D19BBE6EF84754B66806DE4098F261CB32ECC2CF54

Function 1000FF70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1000FF8B
GetMenuItemInfoA.USER32 ref: 1000FFCB
??3@YAXPAX@Z.MSVCRT(?), ref: 10010083
??2@YAPAXI@Z.MSVCRT(00000014), ref: 1001008D
??2@YAPAXI@Z.MSVCRT(0000000C,00000014), ref: 100100B2
SetMenuItemInfoA.USER32 ref: 10010127
??2@YAPAXI@Z.MSVCRT(0000000C), ref: 10010174

Strings

0, xrefs: 1000FFBB

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??2@ItemMenu$Info$??3@Count
String ID: 0
API String ID: 1280313425-4108050209
Opcode ID: 6e4a127d26160f2826dbd7c3078cd4743ef47c8372238a0a12d2d6f6826a0902
Instruction ID: 9c73eb5ddcbb23b1021a2a30c8f8144f940f888cd30e2e31c2a3417c855ec077
Opcode Fuzzy Hash: 6e4a127d26160f2826dbd7c3078cd4743ef47c8372238a0a12d2d6f6826a0902
Instruction Fuzzy Hash: 117128B1B042429FD304CF14C880A5ABBE5FF88754F25C56DF8899B361D7B6E886CB91

Function 10023F00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 10023F0E
GetWindowRect.USER32(?,?), ref: 10023F1D
PtInRect.USER32(?,?,?), ref: 10023F38
PtInRect.USER32(00000168,?,?), ref: 10023F67
GetMenuItemCount.USER32(?), ref: 10023F94

Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,75756D90,00000000,10023B9B,00000000,?), ref: 10024DCB
Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9

GetMenuItemInfoA.USER32 ref: 10023FE3
OffsetRect.USER32(?,?,00000000), ref: 1002401B
PtInRect.USER32(?,00000400,00000000), ref: 10024030

Strings

0, xrefs: 10023FD3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$ItemMenu$Offset$CountCursorInfoWindow
String ID: 0
API String ID: 1145675194-4108050209
Opcode ID: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
Instruction ID: 31d5a28eec6a1afefc3e1dee2d447974a65d6f43cb3d9e79273529089ad59d0b
Opcode Fuzzy Hash: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
Instruction Fuzzy Hash: BE415B752087019FD304DF68DC88A6BB7F9FBC8650F11891DFA5583250DB71E94ACBA2

Function 0043C2D0 Relevance: 15.3, APIs: 10, Instructions: 301COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0043C322
VariantClear.OLEAUT32 ref: 0043C3A5
SafeArrayPutElement.OLEAUT32 ref: 0043C41F
VariantClear.OLEAUT32(?), ref: 0043C42E
VariantCopyInd.OLEAUT32 ref: 0043C4B1
VariantChangeType.OLEAUT32(?,?,00000000,?), ref: 0043C605
VariantClear.OLEAUT32 ref: 0043C610

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Variant$Clear$ArrayChangeCopyElementInitSafeType
String ID:
API String ID: 2581279852-0
Opcode ID: aec983cda258a2cc5b5c7e20e51a0de945af29b93cf45d5197f7a16d4225bd3a
Instruction ID: 976788fedf421a184a1224d430105cd6877ccb2db89949150a5020faee63d2dd
Opcode Fuzzy Hash: aec983cda258a2cc5b5c7e20e51a0de945af29b93cf45d5197f7a16d4225bd3a
Instruction Fuzzy Hash: 96B1BF75604711DBC714CF26D8C4A6BB7E4EF8C304F24A82EE88697320E779E945CB5A

Function 100065F0 Relevance: 15.2, APIs: 10, Instructions: 232windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000669B
SelectObject.GDI32(?,?), ref: 100066CF
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100066E7
GetPropA.USER32(?,1002C03C), ref: 100066F3
IsWindowEnabled.USER32(?), ref: 10006700
GetFocus.USER32 ref: 10006745
InflateRect.USER32(?,000000FB,000000FB), ref: 100067AA
InflateRect.USER32(?,00000005,00000005), ref: 100067F1
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10006813
??3@YAXPAX@Z.MSVCRT(?), ref: 10006877

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Inflate$??3@ClientEnabledFocusObjectPropSelectWindow
String ID:
API String ID: 24168671-0
Opcode ID: ed3e04b97e76525c8ce2d3e680fc5afe9cccc0776d0c1c7a03bb55042e5a08e0
Instruction ID: 808e24e67ffa3fdcadfbf8160937d97e86c192aaa0f854ceeccdbcc12e2f0151
Opcode Fuzzy Hash: ed3e04b97e76525c8ce2d3e680fc5afe9cccc0776d0c1c7a03bb55042e5a08e0
Instruction Fuzzy Hash: 3A8159B96043419FE314CF54CC84E6BB3EAFB88794F218A2CF95987355DA30ED458B61

Function 1001C210 Relevance: 15.2, APIs: 10, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
GlobalLock.KERNEL32(00000000), ref: 1001C230
SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
GlobalLock.KERNEL32(00000000), ref: 1001C316
SetRect.USER32(?,?,?,?,?), ref: 1001C339
ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
GlobalUnlock.KERNEL32(00000000), ref: 1001C3BC
GlobalFree.KERNEL32(00000000), ref: 1001C3C3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Global$AllocLockRectUnlock$CreateFreeRegion
String ID:
API String ID: 2388356299-0
Opcode ID: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
Instruction ID: 800a03afdf74d798d33c9bbd273a6215fc8d6eee2ba7c904765c8bbc0eaa987e
Opcode Fuzzy Hash: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
Instruction Fuzzy Hash: 165179752047058FD314CF19C8C4E1ABBE6FBC8354F158A2DF8969B252D730E98ACBA1

Function 10006A30 Relevance: 15.1, APIs: 10, Instructions: 95windowCOMMON

Download Yara Rule

APIs

Part of subcall function 100069F0: DeleteObject.GDI32(?), ref: 100069FE

CreateCompatibleDC.GDI32(00000000), ref: 10006A67
CreateCompatibleDC.GDI32(00000000), ref: 10006A6D
SelectObject.GDI32(00000000,?), ref: 10006A8A
GetObjectA.GDI32(?,00000018,?), ref: 10006AA2
SelectObject.GDI32(00000000,000000FF), ref: 10006AD1
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 10006AEE
SelectObject.GDI32(00000000,00000000), ref: 10006AF6
SelectObject.GDI32(00000000,00000000), ref: 10006AFE
DeleteDC.GDI32(00000000), ref: 10006B07
DeleteDC.GDI32(00000000), ref: 10006B0A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate
String ID:
API String ID: 2651682802-0
Opcode ID: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
Instruction ID: 18bf3757976541dfd00de2af7b288375a6f254a0424e89b954cf1b644370f741
Opcode Fuzzy Hash: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
Instruction Fuzzy Hash: A221A0762043196BF250EB59CCC0F2BB7EDEBC9790F60442DFA4097244DA64EC068BA2

Function 1000C1C0 Relevance: 15.1, APIs: 10, Instructions: 88windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000C1D7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
IsWindowVisible.USER32(00000000), ref: 1000C211
GetWindowRect.USER32(00000000,?), ref: 1000C22D
OffsetRect.USER32(?,?,?), ref: 1000C242
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
DeleteObject.GDI32(00000000), ref: 1000C270
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: RectWindow$CreateFind$CombineDeleteObjectOffsetVisible
String ID:
API String ID: 1313402854-0
Opcode ID: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
Instruction ID: 0129f1f143ae883f5581523c8020f595d90fc1c3a02a3f94cc4d99a36711fcdf
Opcode Fuzzy Hash: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
Instruction Fuzzy Hash: AD210C75205325AFE2109B65CC85F3BB7ECEBC9B55F104619FA45A3240DA20ED068B66

Function 1000C100 Relevance: 15.1, APIs: 10, Instructions: 75COMMON

Download Yara Rule

APIs

GetUpdateRect.USER32(?,?,00000000), ref: 1000C110
GetWindowRect.USER32(?,?), ref: 1000C126
ClientToScreen.USER32(?,?), ref: 1000C138
ClientToScreen.USER32(?,?), ref: 1000C140
OffsetRect.USER32(?,?,?), ref: 1000C155
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C16F
CombineRgn.GDI32(00000000,00000000,00000000,00000001), ref: 1000C195
DeleteObject.GDI32(00000000), ref: 1000C19C
SelectClipRgn.GDI32(?,00000000), ref: 1000C1A4
DeleteObject.GDI32(00000000), ref: 1000C1AB

Part of subcall function 1000C1C0: GetWindowRect.USER32(?,?), ref: 1000C1D7
Part of subcall function 1000C1C0: CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
Part of subcall function 1000C1C0: IsWindowVisible.USER32(00000000), ref: 1000C211
Part of subcall function 1000C1C0: GetWindowRect.USER32(00000000,?), ref: 1000C22D
Part of subcall function 1000C1C0: OffsetRect.USER32(?,?,?), ref: 1000C242
Part of subcall function 1000C1C0: CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
Part of subcall function 1000C1C0: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
Part of subcall function 1000C1C0: DeleteObject.GDI32(00000000), ref: 1000C270
Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$CreateDeleteObject$ClientCombineFindOffsetScreen$ClipSelectUpdateVisible
String ID:
API String ID: 3337848875-0
Opcode ID: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
Instruction ID: 74d7dfbfc758c62a16206c90bb991d6bb96e2836b961c83879c6e1e08fceeccd
Opcode Fuzzy Hash: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
Instruction Fuzzy Hash: 4611477A105221AFF300DB65CCC4DABB7ACEFC9740F14490DF94582200E734EA0A8BB2

Function 0043CCB0 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0043CD0A
VariantCopyInd.OLEAUT32(?,?), ref: 0043CD1B
VariantClear.OLEAUT32(?), ref: 0043D0BB

Strings

4EW, xrefs: 0043CFD6

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Variant$ClearCopyInit
String ID: 4EW
API String ID: 1785138364-2753751881
Opcode ID: 161002c9df5d1e9e6e7a24a11264d9047bbfb89c119c4931781d94b2c848278b
Instruction ID: 64e882c37bba27fc385a54e4bce558442813a9fe5647162604a1d0e431a2d694
Opcode Fuzzy Hash: 161002c9df5d1e9e6e7a24a11264d9047bbfb89c119c4931781d94b2c848278b
Instruction Fuzzy Hash: BFC18E75A082028FD714DF18D58066BBBF4AF8DB04F24542EF981AB350D63ADC42CB9B

Function 0043C8C0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 158comregistryCOMMON

Download Yara Rule

APIs

LoadTypeLib.OLEAUT32(00000000), ref: 0043C91F

Part of subcall function 0045EA20: lstrlenA.KERNEL32(00000000,00000000,004551A3,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0045EA2E

GetUserDefaultLCID.KERNEL32(00000000,?,?,00000001), ref: 0043C95B
LHashValOfNameSys.OLEAUT32(00000001,00000000), ref: 0043C964
RegisterTypeLib.OLEAUT32(?,00000000), ref: 0043C9C9
CoCreateInstance.OLE32(?,00000000,00000017,0057D528,00000000), ref: 0043CA29
CoCreateInstance.OLE32(?,00000000,00000007,0057D528,00000000), ref: 0043CA45
OleRun.OLE32(00000000), ref: 0043CA50

Strings

4EW, xrefs: 0043C9EB

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CreateInstanceType$DefaultHashLoadNameRegisterUserlstrlen
String ID: 4EW
API String ID: 2910728731-2753751881
Opcode ID: b71c928fbdff9abbd920f1f80819c8f9b5dff82e38c45bd2289637389b7f28da
Instruction ID: f04aa88c0e042552f36bdbe521257103cb9aede5b9415bd2dce00f6d6ae49f74
Opcode Fuzzy Hash: b71c928fbdff9abbd920f1f80819c8f9b5dff82e38c45bd2289637389b7f28da
Instruction Fuzzy Hash: 415147B1204346AFD700EF61DC84F6BBBE8EF88709F00981DF94597251E779E9098B66

Function 10012750 Relevance: 13.7, APIs: 9, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 10012809
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1001281F
SetMapMode.GDI32(?,00000001), ref: 1001282B
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001283B
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001284B
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001285B
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001286B
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 100128B8

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1

??3@YAXPAX@Z.MSVCRT(?), ref: 1001292B

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Delete$Select$ViewportWindow$??3@Mode
String ID:
API String ID: 2611903862-0
Opcode ID: 7c815beb85d3b7d6d1a28cbd2c605b41dffed16a3aaece435989d75e05e30fb6
Instruction ID: 5a2126a295ea02ada3bf3e3be973f49605dcc2c156f47a887c0508dc2def5236
Opcode Fuzzy Hash: 7c815beb85d3b7d6d1a28cbd2c605b41dffed16a3aaece435989d75e05e30fb6
Instruction Fuzzy Hash: FA614BB9640301AFE724CF18CC85F5B77A9FB88B50F20891CF9599B391C671E881CBA5

Function 10022200 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10022268
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 1002229B
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 100222D3
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 10022313
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,0000271B), ref: 100223B8

Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765

CallWindowProcA.USER32(?,?,00000047,?,?), ref: 100223DC

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Show$CallProcRect
String ID:
API String ID: 3118190714-0
Opcode ID: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
Instruction ID: 8dc1deb737b558b6c714bf112c7838984d22b05039a9ca3c04896061e2edaa8e
Opcode Fuzzy Hash: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
Instruction Fuzzy Hash: 3651FF75344701AFE224DA68DC96FABB3E9EB88B10F10890DF65A973D5CA74BC018B54

Function 100194E0 Relevance: 13.7, APIs: 9, Instructions: 156COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(?), ref: 1001950B
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019534
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001956D
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100195A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100195DF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019618
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019651
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001968A
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100196C3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@$HookUnhookWindows
String ID:
API String ID: 4067003578-0
Opcode ID: b87acc1557eed828f0344a7fc93a7db1be4abbab0bedf78bfabcd7249e5cf933
Instruction ID: 68d6bc10badb6e31eff8a5ceec3b68c03d71041423b9f4d656f5879cd019a15e
Opcode Fuzzy Hash: b87acc1557eed828f0344a7fc93a7db1be4abbab0bedf78bfabcd7249e5cf933
Instruction Fuzzy Hash: 45613DB5900B418BC721CF6DC8C068AFBE5FB58250F95482EE1AE87352D735F984CB96

Function 10012180 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 100121A6
SelectObject.GDI32(?,?), ref: 100121CC
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100121E4
SelectObject.GDI32(?,00000000), ref: 100121EC
BitBlt.GDI32 ref: 1001224C
CallWindowProcA.USER32(?,?,00000014,00000000,?), ref: 10012262
SelectObject.GDI32(00000000,?), ref: 100122A0
PatBlt.GDI32(00000000,00000000,00000000,?,00CC0020,00F00021), ref: 100122BE
BitBlt.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020), ref: 10012316

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ObjectSelect$CallClientProcRectWindow
String ID:
API String ID: 1176863719-0
Opcode ID: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
Instruction ID: 521344e5b0112258a1cfddc808acbd5a461835463cd1efe4b2e01d7775b1bad5
Opcode Fuzzy Hash: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
Instruction Fuzzy Hash: BB51F9B9254300AFE214DB54CC86F6BB7A8EBC8B50F20491CFA4597391C6B5FC458BA6

Function 1001A4F0 Relevance: 13.6, APIs: 9, Instructions: 128COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,1002C058,00000000), ref: 1001A559
SetPropA.USER32(?,1002C058,00000000), ref: 1001A5AC
CallNextHookEx.USER32(?,?,?,?), ref: 1001A66D

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Prop$CallHookNext
String ID:
API String ID: 3868478265-0
Opcode ID: ba536d1b1a470f14f7738c772cb23c0568ed46f4c70e7589315eeac59150253b
Instruction ID: 7811e094c1e109cc8e8b8a1a0b8848a8eb1566d8d7a83a7f68ba57272ffb72e5
Opcode Fuzzy Hash: ba536d1b1a470f14f7738c772cb23c0568ed46f4c70e7589315eeac59150253b
Instruction Fuzzy Hash: 0D415479600611EFD614DB94CC80D2773E9EF966A07158A18F66ACB690D734FC85CB20

Function 1000D060 Relevance: 13.6, APIs: 9, Instructions: 119COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000D08E
OffsetRect.USER32(?,?,?), ref: 1000D0A7
GetClientRect.USER32(?,?), ref: 1000D0B9
SetRectEmpty.USER32(?), ref: 1000D11A
BeginPath.GDI32(?), ref: 1000D147
Rectangle.GDI32(?,?,?,?,?), ref: 1000D164
EndPath.GDI32(?), ref: 1000D16B
SelectClipPath.GDI32(?,00000005), ref: 1000D179
SelectClipPath.GDI32(?,00000004), ref: 1000D18B

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: PathRect$ClipSelect$BeginClientEmptyOffsetRectangleWindow
String ID:
API String ID: 926769777-0
Opcode ID: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
Instruction ID: ba60728ec9fc36432d1322e881ef709b7ac6645eae2937ea16e8d96f42463b8c
Opcode Fuzzy Hash: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
Instruction Fuzzy Hash: 4B413979609211AFE744EF04C884D9FB7E9EFC8761F50881DF94A87214D730E94ACBA2

Function 10016650 Relevance: 13.6, APIs: 9, Instructions: 89windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006622,76C03760,00000000,100161F8,?,?), ref: 10016663
KillTimer.USER32(?,00006623,?,?), ref: 1001666E
KillTimer.USER32(?,00006624,?,?), ref: 10016679
GetParent.USER32(?), ref: 100166B6
SendMessageA.USER32(00000000,?,?), ref: 100166BF
GetParent.USER32(?), ref: 100166CF
SendMessageA.USER32(00000000,?,?), ref: 100166D2
SendMessageA.USER32(?,?,?,00000000), ref: 100166FA
SendMessageA.USER32(?,?,00000008,00000000), ref: 1001670B

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$KillTimer$Parent
String ID:
API String ID: 639473585-0
Opcode ID: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
Instruction ID: 23e64ce1f8e016dc164ffd5e7c53ec1364c03778283d0123c89ade336ad14168
Opcode Fuzzy Hash: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
Instruction Fuzzy Hash: 1F212175200B01ABE664DB65CC51FA7B3EDEF88714F11481DF6569B290CAB1F841CB60

Function 0045C8C0 Relevance: 13.6, APIs: 9, Instructions: 85windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 0045C8DA
GetTopWindow.USER32(?), ref: 0045C8E0
IsWindowVisible.USER32(00000000), ref: 0045C8F1
GetWindowLongA.USER32(00000000,000000EC), ref: 0045C902
GetClientRect.USER32(00000000,?), ref: 0045C955
IntersectRect.USER32(?,?,?), ref: 0045C96A
IsRectEmpty.USER32(?), ref: 0045C975
InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 0045C986
GetWindow.USER32(00000000,00000002), ref: 0045C98B

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
String ID:
API String ID: 938479747-0
Opcode ID: ad544b267fbadc56146b436c0b233bf4f13718d7f3f33154eac48b1d43b1ad7e
Instruction ID: 65458de54730002733caa5ea2b0584d38317058616ffbbd2b3ef6e2f8e043e99
Opcode Fuzzy Hash: ad544b267fbadc56146b436c0b233bf4f13718d7f3f33154eac48b1d43b1ad7e
Instruction Fuzzy Hash: 4E216DB1204306AF8314DF65DD94D6BB7ACFF88715B044A2DF94593201DB74D909CBA9

Function 10004800 Relevance: 13.6, APIs: 9, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10004809
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004847
LoadCursorA.USER32(00000000,00007F84), ref: 1000486B
SetCursor.USER32(00000000), ref: 10004872
SendMessageA.USER32(?,?,0000000B,?), ref: 1000488F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Cursor$EnabledLoadWindow
String ID:
API String ID: 952789742-0
Opcode ID: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
Instruction ID: a48a6881d2a0336a3b2bb6231070b8bc95643f1d678b29964c15dfe4c6f22d82
Opcode Fuzzy Hash: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
Instruction Fuzzy Hash: 0521BE75609763AFF250CB64EC88F8B37E8EF58750F128C14F241D6990CBA0E8458795

Function 10004430 Relevance: 13.6, APIs: 9, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10004439
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004477
LoadCursorA.USER32(00000000,00007F84), ref: 1000449B
SetCursor.USER32(00000000), ref: 100044A2
SendMessageA.USER32(?,?,0000000A,?), ref: 100044BF

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Cursor$EnabledLoadWindow
String ID:
API String ID: 952789742-0
Opcode ID: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
Instruction ID: 4b1eefcfb1eff533e0469eb4f3c20f4418bd10dfbad317feed312d8172fc31b6
Opcode Fuzzy Hash: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
Instruction Fuzzy Hash: 5D21D175709723AFF650CB64EC88F8B37E8EF59750F128804F242D7890C6A0E846C795

Function 10022B70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 10022B92
GetMenuItemInfoA.USER32 ref: 10022BD3
??2@YAPAXI@Z.MSVCRT(0000000C), ref: 10022D74

Strings

0, xrefs: 10022BC3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ItemMenu$??2@CountInfo
String ID: 0
API String ID: 343086914-4108050209
Opcode ID: 2b229e6ce4f0cb3d8364a42aaff5c57ac865d2390ea098557bfb65e58a4eac2a
Instruction ID: eeaf9257602ae2fb2291704959b8afc54feedf824bc9d131a5182b5c0530c076
Opcode Fuzzy Hash: 2b229e6ce4f0cb3d8364a42aaff5c57ac865d2390ea098557bfb65e58a4eac2a
Instruction Fuzzy Hash: 97717EB0604246AFE754CF64E880A5ABBE5FF84744FA5C52EE809CB751E731EC42CB81

Function 10024B50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 10024BB5
GetMenuItemCount.USER32(?), ref: 10024BC4
GetMenuItemInfoA.USER32 ref: 10024C09
SetMenuItemInfoA.USER32(?,00000000,00000400,?), ref: 10024C73
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,10024A51,?,?,00000000), ref: 10024CC7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,10024A51,?,?,00000000), ref: 10024CD0

Strings

0, xrefs: 10024BF9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@ItemMenu$Info$Count
String ID: 0
API String ID: 1300621985-4108050209
Opcode ID: cf8d953e71d0d401e0776d2466d0d5f42c659b4f9576582b63639309d889a865
Instruction ID: ba23ef1283d543214e51f6240621ccfcbfd39c9ee9b7c6bd65e8a0915674a4ed
Opcode Fuzzy Hash: cf8d953e71d0d401e0776d2466d0d5f42c659b4f9576582b63639309d889a865
Instruction Fuzzy Hash: 1D519E746012028FD754CF18E8C4A56B7F9EF88754F66C669E809CB350EB31EC42CB91

Function 10024E80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32(?), ref: 10024E99
IsWindowVisible.USER32(?), ref: 10024F00
OffsetRect.USER32(?,?,?), ref: 10024F39
OffsetRect.USER32(?,?,?), ref: 10024F4E
EqualRect.USER32(?,?), ref: 10024F66
EqualRect.USER32(?,?), ref: 10024F78

Strings

<, xrefs: 10024E90

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$EqualOffsetWindow$InfoVisible
String ID: <
API String ID: 2641278648-4251816714
Opcode ID: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
Instruction ID: 43e9ea39151c7cd5d2d9fc7f3b5f0f6f8eba1aada2934db523e61a0316c8f1e6
Opcode Fuzzy Hash: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
Instruction Fuzzy Hash: 294128756047029FD354CF28D484A9BB7E8FFC8304F518A2EF89987250DB31E946CB62

Function 004D4821 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 004D488E
GetStdHandle.KERNEL32(000000F4,0058003C,00000000,00000000,00000000,?), ref: 004D4964
WriteFile.KERNEL32(00000000), ref: 004D496B

Strings

..., xrefs: 004D48E0
Runtime Error!Program: , xrefs: 004D48F4
<program name unknown>, xrefs: 004D489E
Microsoft Visual C++ Runtime Library, xrefs: 004D493A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 3c201741c95db6c8e7105776e906f64054575ab55e1418817d4986d3b6d6cb92
Instruction ID: ae0a4856e4a7d96906d924f6184007ef7559b1de30e0d4fe2cb81a610bf05583
Opcode Fuzzy Hash: 3c201741c95db6c8e7105776e906f64054575ab55e1418817d4986d3b6d6cb92
Instruction Fuzzy Hash: 23312972A002189FDF20E661CD66FAF376CEB81304F50019BF544E7380E6B4A944CB5A

Function 00468880 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 004688C4

Strings

%s:%d, xrefs: 0046893E
P, xrefs: 004688BC

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: ba2dca33f5191a151d7d5593e7466aefa14a613bead4a3b254ec5b8ba08b1b85
Instruction ID: 8ef3353b8421da74753415003c8c88ea30916d11364deb6aaf6da6d6285e42fe
Opcode Fuzzy Hash: ba2dca33f5191a151d7d5593e7466aefa14a613bead4a3b254ec5b8ba08b1b85
Instruction Fuzzy Hash: C8317571104A015FE714EB28DC88DBBB3E8BFD4325F004B2EF5A1922D0EAB4991A8756

Function 10023530 Relevance: 12.3, APIs: 8, Instructions: 312windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002356E
SetTextColor.GDI32(?,?), ref: 1002374A
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 1002390B

Part of subcall function 10023070: IsWindowVisible.USER32(?), ref: 10023094
Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 10023107
Part of subcall function 10023070: IsIconic.USER32(?), ref: 10023115
Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 100231E6
Part of subcall function 10023070: IsZoomed.USER32(?), ref: 100231F4
Part of subcall function 10023070: GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
Part of subcall function 10023070: GetMenuState.USER32(00000000), ref: 1002331E

GetWindowTextA.USER32(?,?,00000400), ref: 100237DD
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 1002381F
SetBkMode.GDI32(?,00000001), ref: 100238A2
SelectObject.GDI32(?,00000000), ref: 100238B7
DrawTextA.USER32(?,?,?,?,00040024), ref: 100238DE

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: TextWindow$DrawEmptyMenuRectVisible$ColorIconIconicModeObjectSelectStateSystemZoomed
String ID:
API String ID: 3608014746-0
Opcode ID: b124cef97b468efd2e6cf9f063e6fb4f9423a705c9c23057f94ce808e329f1e3
Instruction ID: 32d7335e5a1ed0603d0bba8e657fa13f5095f1cf460f47c86137365764961296
Opcode Fuzzy Hash: b124cef97b468efd2e6cf9f063e6fb4f9423a705c9c23057f94ce808e329f1e3
Instruction Fuzzy Hash: 4AC108B9240705AFE354CB64CC85FA7B3E9EB88740F208A1DF55A87255DA75FC06CBA0

Function 00484520 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 00484538
GetDeviceCaps.GDI32(?,0000005A), ref: 00484541
GetDeviceCaps.GDI32(?,0000006E), ref: 00484552
GetDeviceCaps.GDI32(?,0000006F), ref: 0048456F
GetDeviceCaps.GDI32(?,00000070), ref: 00484584
GetDeviceCaps.GDI32(?,00000071), ref: 00484599
GetDeviceCaps.GDI32(?,00000008), ref: 004845AE
GetDeviceCaps.GDI32(?,0000000A), ref: 004845C3

Part of subcall function 00484300: __ftol.LIBCMT ref: 00484305

Part of subcall function 00484330: __ftol.LIBCMT ref: 00484335

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: 1a26edd4c6832187ced9cc0106dced00f068edd1eefc1a84c234bd6a4e739de4
Instruction ID: 6742373ebbf7703f1ef905bc31f0205953ece30379a2871ea494c503fc6dcd22
Opcode Fuzzy Hash: 1a26edd4c6832187ced9cc0106dced00f068edd1eefc1a84c234bd6a4e739de4
Instruction Fuzzy Hash: 4A515770608701ABD700EF6AD885A6FBBF4FFC9304F01495DFA8496290EB71D9248B96

Function 004D425A Relevance: 12.1, APIs: 8, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004CF338), ref: 004D4275
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004CF338), ref: 004D4289
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,004CF338), ref: 004D42B5
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004CF338), ref: 004D42ED
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,004CF338), ref: 004D430F
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,004CF338), ref: 004D4328
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,004CF338), ref: 004D433B
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 004D4379

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID:
API String ID: 1823725401-0
Opcode ID: 733e70e212aa1ee40675daea27fe9b3e5cbd4b909241583d8f034e42977cdefc
Instruction ID: c6cfb4b7be06ebfe82d739f51879c7874d66189ca34bce0b5a97d344675e91cd
Opcode Fuzzy Hash: 733e70e212aa1ee40675daea27fe9b3e5cbd4b909241583d8f034e42977cdefc
Instruction Fuzzy Hash: 4131D4726092559FDB207BBC5CA483BB69CE7C9358B16057BF981C3311EB798C4182AA

Function 10022A20 Relevance: 12.1, APIs: 8, Instructions: 120windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10022A2C
CallWindowProcA.USER32(?,?,?,?,?), ref: 10022A87
GetMenu.USER32(?), ref: 10022AB2
SetMenu.USER32(?,00000000), ref: 10022AC4
GetWindowRect.USER32(?,00400000), ref: 10022AEB
SendMessageA.USER32(?,00000083,00000000,?), ref: 10022B01
CallWindowProcA.USER32(?,?,?,?,?), ref: 10022B1E
SetMenu.USER32(?,00000000), ref: 10022B43

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Menu$CallProc$MessageRectSendVisible
String ID:
API String ID: 3332730756-0
Opcode ID: 7e02270cb5639131933e80c8c53a2fa2742bf47566859d10389e38ab56e9b911
Instruction ID: 9276f38f3cf173ca9a812d88aef6df53489b9eb25c2b5bf1bf9ebad47c79e053
Opcode Fuzzy Hash: 7e02270cb5639131933e80c8c53a2fa2742bf47566859d10389e38ab56e9b911
Instruction Fuzzy Hash: 5F416A79204701AFD260DBA9DC84E67B3E9EB88754F208A1DF55AC3661C634E942CB60

Function 100106C0 Relevance: 12.1, APIs: 8, Instructions: 119COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000005,?,?), ref: 100106F0
GetWindowRect.USER32(?,?), ref: 10010725
OffsetRect.USER32(?,?,?), ref: 1001073E

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

SelectObject.GDI32(?,?), ref: 10010782
SelectObject.GDI32(?,00000000), ref: 100107C7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 100107D7

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 100107F7
DeleteObject.GDI32(00000000), ref: 100107FE

Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: GlobalRect$Object$AllocCreateDeleteLockSelectWindow$CallCombineOffsetProcSectionUnlock
String ID:
API String ID: 915955766-0
Opcode ID: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
Instruction ID: 73ca99926bc02046f123c486a2af454b80d39e45caa77a60c923b30de1dd379e
Opcode Fuzzy Hash: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
Instruction Fuzzy Hash: 4041FA79204740AFE354CF64CC85E6BB7A9FBC8710F108A1CF65987251DB74E905CBA1

Function 10024520 Relevance: 12.1, APIs: 8, Instructions: 99COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024562
CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024594
CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245C6
CreateWindowExA.USER32(00080000,1002C028,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245F8
SetPropA.USER32(?,1002CD88,?), ref: 10024613
SetPropA.USER32(?,1002CD88,?), ref: 10024622
SetPropA.USER32(?,1002CD88,?), ref: 10024631
SetPropA.USER32(?,1002CD88,?), ref: 10024640

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreatePropWindow
String ID:
API String ID: 661344865-0
Opcode ID: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
Instruction ID: 9f628f48033890d7f24c30de2fa77ca5103cf21e47ce77eaf880fe3b7e00f918
Opcode Fuzzy Hash: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
Instruction Fuzzy Hash: F931B9753C0704BAE270DBA5DC86F93B7A8EF98B11F314519F749AB2D0C6A0B8418B58

Function 10017480 Relevance: 12.1, APIs: 8, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?), ref: 1001749D
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174B9
CloseHandle.KERNEL32(00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174C6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 81fbd18608adbdfbe6414eac23378f6f2e5a840e10539d39e41f4149977872c6
Instruction ID: 8b3d300d7cd505047f5b36438d5475ead2230649a77d8796dbb5cbe265e0d923
Opcode Fuzzy Hash: 81fbd18608adbdfbe6414eac23378f6f2e5a840e10539d39e41f4149977872c6
Instruction Fuzzy Hash: 8411EB7734122027E220A659EC8DF6BB79CE7D9BB2F208136FA45D62C0D661EC568371

Function 10024650 Relevance: 12.0, APIs: 8, Instructions: 45COMMON

Download Yara Rule

APIs

RemovePropA.USER32(?,1002CD88), ref: 1002466D
RemovePropA.USER32(?,1002CD88), ref: 1002467B
RemovePropA.USER32(?,1002CD88), ref: 10024689
RemovePropA.USER32(?,1002CD88), ref: 10024697
DestroyWindow.USER32(?), ref: 100246A6
DestroyWindow.USER32(?), ref: 100246AF
DestroyWindow.USER32(?), ref: 100246B8
DestroyWindow.USER32(?), ref: 100246C1

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: DestroyPropRemoveWindow
String ID:
API String ID: 1784376950-0
Opcode ID: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
Instruction ID: 8634cc0847dbc949a985fe4dc17aacceb001e21e00327079f9f065a41ef256d6
Opcode Fuzzy Hash: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
Instruction Fuzzy Hash: 31019AB2541B489BC620EFBA9C84DD7F7EDAFE9301F514A2EE259D3210CA75A8018B50

Function 004507C0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004507FD
GetParent.USER32(?), ref: 0045080F
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 00450837
GetWindowRect.USER32(?,?), ref: 004508C1
InvalidateRect.USER32(?,?,00000001,?), ref: 004508E4
GetWindowRect.USER32(?,?), ref: 00450AAC
InvalidateRect.USER32(?,?,00000001,?), ref: 00450ACD

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: d839f8bd6009a171a07837a66546321815e644a0bb80ee7645e419072f0354bf
Instruction ID: fc1ce7ec1b91e4316b5c5602d7fb0bd400ec9f17f118793a29b3fcd70256ed29
Opcode Fuzzy Hash: d839f8bd6009a171a07837a66546321815e644a0bb80ee7645e419072f0354bf
Instruction Fuzzy Hash: 3891F4756007059BD720EF268C41B6B73E8AF94319F040A1EFD459B382DB78ED0ACB99

Function 10011880 Relevance: 10.6, APIs: 7, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 1001189F
IsRectEmpty.USER32(00000050), ref: 100118A9
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100118D6
IsWindowEnabled.USER32(?), ref: 100118DC
IsRectEmpty.USER32(00000060), ref: 1001196A
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 10011991
IsWindowEnabled.USER32(?), ref: 10011997

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: EmptyEnabledRectWindow$ObjectSelect
String ID:
API String ID: 2275352032-0
Opcode ID: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
Instruction ID: a48e8d2156bf71d1f245c115769e0258ac4b106f3870a774a9d1c5f789da5c24
Opcode Fuzzy Hash: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
Instruction Fuzzy Hash: 7B5159B82016019FE318CB55CCD4EAB73EAEF88754B118968E9598B715DB35FC82CB20

Function 10022DD0 Relevance: 10.6, APIs: 7, Instructions: 144windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 10022E00
GetWindowRect.USER32(?,?), ref: 10022E22
GetMenuItemCount.USER32(?), ref: 10022E2F
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10022E5E
OffsetRect.USER32(?,?,?), ref: 10022E8B
GetSubMenu.USER32(?,?), ref: 10022F11
??2@YAPAXI@Z.MSVCRT(00000010), ref: 10022F29

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MenuRect$Item$??2@??3@CountOffsetWindow
String ID:
API String ID: 386475264-0
Opcode ID: f17518a12ae01caf356ce74a89df4fd18e8e6548c938938fe35cb7513e8f26fd
Instruction ID: b4e87db7927906467f26b41a9e75fc39679a568fb5d8f31fe5ea3c43946c0583
Opcode Fuzzy Hash: f17518a12ae01caf356ce74a89df4fd18e8e6548c938938fe35cb7513e8f26fd
Instruction Fuzzy Hash: 415153B4A083069FC708CF69D88095AFBE5FB88710F558A6DF85A8B311DB30E945CB81

Function 1000AAE0 Relevance: 10.6, APIs: 7, Instructions: 138COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000AAED

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Prop
String ID:
API String ID: 257714900-0
Opcode ID: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
Instruction ID: 2e390604217a2b3f58ee7591da4aaa58580bf2b8c483784fb10c7b559247f76a
Opcode Fuzzy Hash: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
Instruction Fuzzy Hash: 6741BF72600705DFE720DF59D8C0FABB7D9EB853A1F41852EF14A86102C731A8C5CB25

Function 1000B4C0 Relevance: 10.6, APIs: 7, Instructions: 114windowCOMMON

Download Yara Rule

APIs

74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
CreateCompatibleDC.GDI32(?), ref: 1000B548
CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000B553
SelectObject.GDI32(00000000,00000000), ref: 1000B55F
74001530.MSIMG32(?,?,?,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
DeleteObject.GDI32(?), ref: 1000B5C5
DeleteDC.GDI32(00000000), ref: 1000B5CC

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: 74001530CompatibleCreateDeleteObject$BitmapSelect
String ID:
API String ID: 4063847144-0
Opcode ID: c94c59a43e300dec6fb2f87b5ba0981db8e0b4afc0f974236af4a5751fe5a3a0
Instruction ID: a2bec2eff1570f1e033dcbeedc9227712d92de05b5e2e1092a7d92024c81a4dd
Opcode Fuzzy Hash: c94c59a43e300dec6fb2f87b5ba0981db8e0b4afc0f974236af4a5751fe5a3a0
Instruction Fuzzy Hash: 083114B6206611BFE254DF59CC88F6BB7EDEBC8B91F10495CF64987250D630EC028B61

Function 100125E0 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10012615
SetRectEmpty.USER32(?), ref: 10012682
BeginPath.GDI32(?), ref: 100126AB
Rectangle.GDI32(?,?,?,?,?), ref: 100126C8
EndPath.GDI32(?), ref: 100126CF
SelectClipPath.GDI32(?,00000004), ref: 100126E2
IsWindowEnabled.USER32(?), ref: 100126F0

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Path$Rect$BeginClientClipEmptyEnabledRectangleSelectWindow
String ID:
API String ID: 1084965025-0
Opcode ID: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
Instruction ID: b8edb3d788cc78fff0226b0fdbf1bf844b5db10293aac1c63da7d3a1532afda8
Opcode Fuzzy Hash: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
Instruction Fuzzy Hash: 1A4146B8205201AFD308DF14C884E6BB7E8EF89750F15856DF9458B265D730ED89CBA2

Function 10011300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 10011314
GetMenuItemInfoA.USER32 ref: 10011357
SetMenuItemInfoA.USER32(?,00000000,00000400,00000400), ref: 100113C7
??3@YAXPAX@Z.MSVCRT ref: 1001141C
??3@YAXPAX@Z.MSVCRT(?), ref: 10011425

Strings

0, xrefs: 10011347

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ItemMenu$??3@Info$Count
String ID: 0
API String ID: 736798657-4108050209
Opcode ID: 0cf0ac6ad7a8be9223033cdd5cb307bfcc9cf592a42d38a91426e5dcf788734d
Instruction ID: 6d719e0a32b6bda592360f4ae478a4486d40816c5b56cfaf3c9dbc286bc1d952
Opcode Fuzzy Hash: 0cf0ac6ad7a8be9223033cdd5cb307bfcc9cf592a42d38a91426e5dcf788734d
Instruction Fuzzy Hash: 39316D746043129FD708CF18C880A9AB3E9FF88B58F258529F959DB351E731EC82CB52

Function 1000C5D0 Relevance: 10.6, APIs: 7, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 1000C5E8
InflateRect.USER32(000000FE,000000FE,000000FE), ref: 1000C5F9
CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 1000C61A
GetClientRect.USER32(?,?), ref: 1000C62B
InflateRect.USER32(?,000000FE,000000FE), ref: 1000C661
IsWindowEnabled.USER32(?), ref: 1000C667
GetFocus.USER32 ref: 1000C675

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$ClientInflateWindow$CallEnabledFocusProc
String ID:
API String ID: 3997489093-0
Opcode ID: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
Instruction ID: 0210b2d985ab851d087a4ba75c5b64220f905e20614fa079e217abae1528d616
Opcode Fuzzy Hash: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
Instruction Fuzzy Hash: FD314A75604301AFD314DF6AC880D1BF7E9EFC9254F208A1DF59983365DA32E846CB92

Function 10018E00 Relevance: 10.6, APIs: 7, Instructions: 96windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 10018E2A
DeleteObject.GDI32(?), ref: 10018E3E
SelectObject.GDI32(10017522,?), ref: 10018E89
BitBlt.GDI32(10017522,00000000,00000000,?,?,00000000,?,?,00CC0020), ref: 10018EC1
SelectObject.GDI32(10017522,?), ref: 10018ECF
CreateSolidBrush.GDI32(?), ref: 10018F16
CreatePatternBrush.GDI32(?), ref: 10018F23

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$BrushCreateDeleteSelect$PatternSolid
String ID:
API String ID: 22681066-0
Opcode ID: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
Instruction ID: 23f9e4fe7887b74c245d57b0e501ed812031919aed004f8028d95dad6bed7b15
Opcode Fuzzy Hash: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
Instruction Fuzzy Hash: E03148B52007019FE214DF64C895FA7B7E9EB88750F11892DF69A872A1DB30F945CB60

Function 1000AE20 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000AE2F
GetWindowRect.USER32(?,?), ref: 1000AE3B
ClientToScreen.USER32(?,?), ref: 1000AE4D
ClientToScreen.USER32(?,?), ref: 1000AE55
OffsetRect.USER32(?,?,?), ref: 1000AE70
OffsetRect.USER32(?,?,?), ref: 1000AE85
EqualRect.USER32(?,?), ref: 1000AE91

Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Object$Select$Create$Client$DeleteEmptyEqualOffsetScreen$BrushClipCombineRectangleSolidWindow
String ID:
API String ID: 1135996890-0
Opcode ID: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
Instruction ID: bacedecaa7b5975dfe14453393d98d9b711d5753841d023854cdc35a831728b0
Opcode Fuzzy Hash: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
Instruction Fuzzy Hash: 59211979109201AFE304DF19C885C6BBBF9EFC9350F11CA1DF44987225D634EA46CBA2

Function 10012370 Relevance: 10.6, APIs: 7, Instructions: 74COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 1001238D
GetPropA.USER32(?,1002C03C), ref: 100123B4
SetBkColor.GDI32(?,?), ref: 100123D2
SetTextColor.GDI32(?,?), ref: 100123EC

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Color$CallProcPropTextWindow
String ID:
API String ID: 1567449379-0
Opcode ID: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
Instruction ID: 4c3276a66a0a9f635cfbb79f7bd4f3ded52351a7d3631d5cad51002f68e975b9
Opcode Fuzzy Hash: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
Instruction Fuzzy Hash: 32213C7A200215DFE214CF55DCC8EA7B7A9FF88711F258579FA0987612C731AC86CB60

Function 1001C450 Relevance: 10.6, APIs: 7, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001C463
RemovePropA.USER32(?,1002C460), ref: 1001C471
SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1001C47F
GetPropA.USER32(?,1002C03C), ref: 1001C48B
IsWindowVisible.USER32(?), ref: 1001C4AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?,1001C40B,?), ref: 1001C4BD
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,?,1001C40B,?), ref: 1001C4CE

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Prop$Window$InvalidateMessageRectRemoveSendVisible
String ID:
API String ID: 2510188223-0
Opcode ID: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
Instruction ID: 11fdaa9114d1614bf2f695c029d4fea50ea2cb84254ba2801cf49c8279bf9916
Opcode Fuzzy Hash: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
Instruction Fuzzy Hash: B0016D75202A29EFE780AF954CC8DFB76ACEF45285B1280B9F20596011C7708A428BA5

Function 1000FBF0 Relevance: 10.5, APIs: 7, Instructions: 49windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 1000FC09
CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
SelectObject.GDI32(00000000,00000000), ref: 1000FC21
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
GetClipRgn.GDI32(?,00000000), ref: 1000FC44
SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
DeleteObject.GDI32(00000000), ref: 1000FC5A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Create$ClipCompatibleObjectSelect$BitmapDeleteRect
String ID:
API String ID: 4212353020-0
Opcode ID: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
Instruction ID: 8b55c2d16eca8a6de84a41ee3e6a417fb1aae9501b44e532c548ffb84ecac7fc
Opcode Fuzzy Hash: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
Instruction Fuzzy Hash: 5001D379601314AFE3509FA59CC8F26BBECFF48A51F20891EFA86D2250C674A9058B20

Function 10015840 Relevance: 9.3, APIs: 6, Instructions: 287windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10015860
SelectObject.GDI32(?,?), ref: 10015903
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F
SelectObject.GDI32(?,?), ref: 100159B3
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100159C9
BitBlt.GDI32(?,?,76C22370,?,?,?,00000000,00000000,00CC0020), ref: 10015B86

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$Delete$VisibleWindow
String ID:
API String ID: 2338221860-0
Opcode ID: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
Instruction ID: f04d0c149d7934839a0fbc71b930f3873cc576cb42b8e8f7a274e06dc9e73843
Opcode Fuzzy Hash: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
Instruction Fuzzy Hash: 79B104B8200205AFE714CF54C8C5EAB77A8FF88B44F14496CF8498B256DB75ED46CBA1

Function 10003220 Relevance: 9.2, APIs: 6, Instructions: 239windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(00000000), ref: 100032B3
SelectObject.GDI32(00000000,?), ref: 100032C0

Part of subcall function 100042C0: PtInRegion.GDI32(?,00000000,?,00000000,00000000,1002CDA8,1002CDC8,1002CDC8,?,00000000), ref: 100042F8

SelectObject.GDI32(00000000,?), ref: 1000342A
DeleteDC.GDI32(00000000), ref: 10003431
DeleteObject.GDI32(00000000), ref: 10003438
IsWindowVisible.USER32(?), ref: 10003491

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$DeleteSelect$CompatibleCreateRegionVisibleWindow
String ID:
API String ID: 1842338607-0
Opcode ID: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
Instruction ID: b148bc9a0c6a2d913fc867f66123447b75209ee6773f678a23cc705497eb98c2
Opcode Fuzzy Hash: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
Instruction Fuzzy Hash: EF915D796006048FE709CF69C8C4C2BB7EAFFC8694B158A2DF85987369DB30E945CB51

Function 10016760 Relevance: 9.2, APIs: 6, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B

OffsetRect.USER32(?,00000000,?), ref: 1001683C
OffsetRect.USER32(?,00000000,?), ref: 10016852
OffsetRect.USER32(?,00000000,?), ref: 1001686D
MulDiv.KERNEL32(?,?,?), ref: 100168B4
GetParent.USER32(?), ref: 100168F6
SendMessageA.USER32(?,?,00000000,00000000), ref: 10016918

Part of subcall function 10015840: IsWindowVisible.USER32(?), ref: 10015860
Part of subcall function 10015840: SelectObject.GDI32(?,?), ref: 10015903
Part of subcall function 10015840: PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Offset$Window$CursorMessageObjectParentSelectSendVisible
String ID:
API String ID: 410164804-0
Opcode ID: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
Instruction ID: 5b3f42e8751718efe35102d26408225ceaa88a89c417ccc3e437b77936ff3ce4
Opcode Fuzzy Hash: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
Instruction Fuzzy Hash: 6D611774204606AFD708DF39CD94A6AB7E9FB88704F108A1DF85A9B344DB30FA45CB95

Function 00448E90 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 404COMMON

Download Yara Rule

Strings

hlp, xrefs: 0044935E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologMessageParentSend$DecrementInterlocked
String ID: hlp
API String ID: 158108401-549983773
Opcode ID: 23d2fd53f004093bb834b77ab844bc1ec2e135bea13f70dc787baada0e26a642
Instruction ID: a99666088a715b06e8d9a21299fb0501950ebd0664c6fb835e98b9c884fbd318
Opcode Fuzzy Hash: 23d2fd53f004093bb834b77ab844bc1ec2e135bea13f70dc787baada0e26a642
Instruction Fuzzy Hash: 78F1A1702083859FE724DF25C885BAFB7E4AF84305F10492EF995972C1DB78E809CB5A

Function 10011160 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000018,?), ref: 10011285
CreateCompatibleDC.GDI32(00000000), ref: 1001128D
SelectObject.GDI32(00000000,00000000), ref: 1001129D
74001530.MSIMG32(?,?,?,00000010,00000010,00000000,00000000,00000000,?,?,00FF01FF,?,?), ref: 100112DB
SelectObject.GDI32(00000000,00000000), ref: 100112E3
DeleteDC.GDI32(00000000), ref: 100112E6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$74001530CompatibleCreateDelete
String ID:
API String ID: 86801536-0
Opcode ID: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
Instruction ID: fced8d308138b36c133f8264daa482e3f1224d76aacb4f59917f490493d9ace5
Opcode Fuzzy Hash: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
Instruction Fuzzy Hash: 954190767402049FD344DB58CC80FAAB3A9EF89360F25855AED04CF351C635EC96CBA1

Function 10010C70 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,?), ref: 10010CEA
SelectObject.GDI32(?,?), ref: 10010D3A
_mbsstr.MSVCRT ref: 10010D4A
DrawTextA.USER32(?,?,00000000,?,00000024), ref: 10010D6C
DrawTextA.USER32(00000000,00000001,?,?,00000026), ref: 10010D9F
DrawTextA.USER32(?,?,?,?,00000024), ref: 10010DC7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Text$Draw$ColorObjectSelect_mbsstr
String ID:
API String ID: 2554462136-0
Opcode ID: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
Instruction ID: caa0527cdf57b14729ef594e8188670eae6bffac27ed0865ed6a9a4dbb4e9640
Opcode Fuzzy Hash: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
Instruction Fuzzy Hash: E4515C792042009FD308CF68C884E67B7E9FF88354F108A6DF9598B355DB70E946CBA1

Function 1000E680 Relevance: 9.1, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 1000E6C6
OffsetRect.USER32(?,?,?), ref: 1000E76A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
Instruction ID: 55dceb283fd2939f53b1af87dd3abf76b527e98de1fc72b27c0b69958cadab38
Opcode Fuzzy Hash: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
Instruction Fuzzy Hash: 70314B763029559FF3049E7C9E8CABEBBCAD7C82A2F29573DF606D1048D661FC094250

Function 100220A0 Relevance: 9.1, APIs: 6, Instructions: 114windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 100220B8
GetWindowRect.USER32 ref: 100220E3
IsRectEmpty.USER32(?), ref: 1002216B
IsRectEmpty.USER32(?), ref: 1002218E
IsRectEmpty.USER32(?), ref: 100221A5
SendMessageA.USER32(?,00007401,?,?), ref: 100221DA

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Empty$Window$MessageSendVisible
String ID:
API String ID: 1963373104-0
Opcode ID: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
Instruction ID: 15d01376b549b43e06bef1ecdf41231e929ad262f4cddba4413b2d284a982563
Opcode Fuzzy Hash: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
Instruction Fuzzy Hash: A131AD38300B02ABD654DA75DC95FABB3E9EF94740F41890CFA5AC3250DB70E951CB90

Function 10015630 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10015671
GetClientRect.USER32(?,?), ref: 10015680
ClientToScreen.USER32(?,?), ref: 10015695
ClientToScreen.USER32(?,?), ref: 100156A0
OffsetRect.USER32(?,?,?), ref: 100156BB
OffsetRect.USER32(?,?,?), ref: 100156D0

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Client$OffsetScreen$Window
String ID:
API String ID: 3447441489-0
Opcode ID: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
Instruction ID: c2827e8d9cd10a597387bf157e688e7552e1f46be816908af53a9ee1b8aa0ec2
Opcode Fuzzy Hash: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
Instruction Fuzzy Hash: E241F578204706DFD714CF29C881EA7B7E9EF88754F14891DE89ACB250E731F9858BA1

Function 100259E0 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 10025A15

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

SelectObject.GDI32(00000001,?), ref: 10025A7D
SelectObject.GDI32(00000001,00000000), ref: 10025AC2

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,?,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

OffsetRgn.GDI32(00000000,00000000,?), ref: 10025AE4
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10025AF8
DeleteObject.GDI32(00000000), ref: 10025AFF

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Global$ObjectRect$AllocLockSelect$CombineCreateDeleteEmptyOffsetSectionUnlock
String ID:
API String ID: 685556349-0
Opcode ID: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
Instruction ID: cf9c318b9d579a266dc806ebc7a0d6f04a146a731b116f9e3c9b73cee362de29
Opcode Fuzzy Hash: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
Instruction Fuzzy Hash: 7F41FB79604751AFD314CF64C880E6BB7E8FF88650F208A1DF55587641DB34E909CBA1

Function 1000E270 Relevance: 9.1, APIs: 6, Instructions: 79windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 1000E284
CreateCompatibleBitmap.GDI32(?,?,?), ref: 1000E298
SelectObject.GDI32(?,00000000), ref: 1000E2A6
SelectObject.GDI32(?,?), ref: 1000E2C0
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000E2DA
??2@YAPAXI@Z.MSVCRT(0000000C,?,?,?,?,1000D0ED,?,?,?,?,?), ref: 1000E2F0

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CompatibleCreateObjectSelect$??2@Bitmap
String ID:
API String ID: 661465749-0
Opcode ID: 517728d0a81dfb890fec61be2e80a0268166fa2bfb532fabf3e6e869bc174316
Instruction ID: 676109a112f91462f0683b0e748601321322578746db1e72dd9edd93884032e7
Opcode Fuzzy Hash: 517728d0a81dfb890fec61be2e80a0268166fa2bfb532fabf3e6e869bc174316
Instruction Fuzzy Hash: 6F21F5B9601702AFE314CF59D884E16FBE8FB88751F20C62EFA5987751D730A841CBA0

Function 1001DC40 Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1001DC52
GetCursorPos.USER32(?), ref: 1001DC5D
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1001DC92
SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1001DCB0
SendMessageA.USER32(?,00001207,00000000,?), ref: 1001DCC1
PtInRect.USER32(?,?,?), ref: 1001DCD2

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Rect$CursorWindow
String ID:
API String ID: 1680679697-0
Opcode ID: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
Instruction ID: b91518a891387c981cce0504226fb2a498f6544864ac186356a6de0c8c4ec29a
Opcode Fuzzy Hash: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
Instruction Fuzzy Hash: 102181762043069FD304DF69CCC0E5BB7E8EBC8660F104A1EF551D7250D6B0E9498BA1

Function 1000DE30 Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1000DE3E
GetWindowRect.USER32(?,?), ref: 1000DE4D
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1000DE82
SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1000DEA5
SendMessageA.USER32(?,00001207,00000000), ref: 1000DEB1
PtInRect.USER32(?,?,?), ref: 1000DEC2

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$Rect$CursorWindow
String ID:
API String ID: 1680679697-0
Opcode ID: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
Instruction ID: 25e19ebef5cfb3a3824964290d61ec62e8227a99a9e9e0869e33b01463ce3919
Opcode Fuzzy Hash: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
Instruction Fuzzy Hash: B02181752043069FE304DF65CCC0E6BB7E9EBC8660F104A1EF950C7250D670E9498B61

Function 1001A9C0 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

_mbscmp.MSVCRT ref: 1001A9D3
_mbscmp.MSVCRT ref: 1001A9FD
GetParent.USER32(?), ref: 1001AA0B
FindWindowExA.USER32(00000000,00000000,1002C4BC,00000000), ref: 1001AA23
FindWindowExA.USER32(00000000,00000000,1002C4B0,00000000), ref: 1001AA31
FindWindowExA.USER32(00000000,00000000,1002C4A0,00000000), ref: 1001AA3F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: FindWindow$_mbscmp$Parent
String ID:
API String ID: 3521712903-0
Opcode ID: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
Instruction ID: 07a90f14033cc30d1d35d2e0eeef8570c81e30e2f87793286d4a341ae43e1c20
Opcode Fuzzy Hash: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
Instruction Fuzzy Hash: D111C8773516252BE200F6A8AC90FAB63CCDFD5666F514022FB00EA140D334ED8687B5

Function 1001EBC0 Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001EBD4
GetWindowRect.USER32(?,?), ref: 1001EBE3
GetClientRect.USER32(?,?), ref: 1001EBF2
ClientToScreen.USER32(?,?), ref: 1001EC07
ClientToScreen.USER32(?,?), ref: 1001EC12
SendMessageA.USER32(?,00000445,00000000,?), ref: 1001EC54

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Client$RectScreen$CursorMessageSendWindow
String ID:
API String ID: 1353371867-0
Opcode ID: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
Instruction ID: c36cae17ecde68ff4f981e12f48877b9c68e936cd5b1928b6e4795760c61fe65
Opcode Fuzzy Hash: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
Instruction Fuzzy Hash: 2B110479108746EFD708DF29C888D6BB7E8EBD8604F10C91DF58983220E670E94ACB52

Function 1001B8F0 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,10025E63,?,?,?,?,?,?), ref: 1001B8F4
FindResourceA.KERNEL32(00000000,?,?), ref: 1001B913

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: FindHandleModuleResource
String ID:
API String ID: 3537982541-0
Opcode ID: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
Instruction ID: 5268aa00fc51c7ef6193ce43b0a0328cd4925fc10cfa97f1260c64665a9d4d10
Opcode Fuzzy Hash: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
Instruction Fuzzy Hash: 0501DF7A2056206BE3119728EC88D6F77ECEFC9211F114119FA44C7200DB34CE4387B1

Function 00470B10 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00470B32
ScreenToClient.USER32(00000001,?), ref: 00470B41

Part of subcall function 00470BC0: DPtoLP.GDI32(?,?,00000001), ref: 00470CD7

LoadCursorA.USER32(00000000,00007F85), ref: 00470B71
SetCursor.USER32(00000000), ref: 00470B78
LoadCursorA.USER32(00000000,00007F84), ref: 00470B97
SetCursor.USER32(00000000), ref: 00470B9E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: 3a05def5a4015870f7f3bd74b71525e615cd36e930bfd63a329a3df9dcdb84f3
Instruction ID: dd3579fe95985a661e013a65f15dd794d9cd142a3471eab11c3b67f6a77d7979
Opcode Fuzzy Hash: 3a05def5a4015870f7f3bd74b71525e615cd36e930bfd63a329a3df9dcdb84f3
Instruction Fuzzy Hash: 6411EC31114301ABC614DBA4DD59EAF7398AB94B15F00452EF145C61C0EAB4E918C777

Function 004E8A5E Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004E8A61

Part of subcall function 004E8903: GetWindowLongA.USER32(00000000,000000F0), ref: 004E8914

GetParent.USER32(00000000), ref: 004E8A88

Part of subcall function 004E8903: GetClassNameA.USER32(00000000,?,0000000A), ref: 004E892F
Part of subcall function 004E8903: lstrcmpiA.KERNEL32(?,combobox), ref: 004E893E

GetWindowLongA.USER32(?,000000F0), ref: 004E8AA3
GetParent.USER32(?), ref: 004E8AB1
GetDesktopWindow.USER32 ref: 004E8AB5
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 004E8AC9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 2a461bbabd0f5c6ed3c641b4f8655efe5a13e86d1a2303bdf71aa0f6222d8777
Instruction ID: 03c376438b0208beec130e71628a9a1d72f1aafab326eeaf34338be125edf802
Opcode Fuzzy Hash: 2a461bbabd0f5c6ed3c641b4f8655efe5a13e86d1a2303bdf71aa0f6222d8777
Instruction Fuzzy Hash: A2F0AF3260166137DA32A62A5C88BBF65585BC1B52F1D013FF91CE62D4EF988D02C1AD

Function 1001BB00 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1001BB16

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
Instruction ID: 61a02fd3fe343e1cbdaa3c21f8ae578eda2fb75fcd6781e2b5076b330a8b8943
Opcode Fuzzy Hash: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
Instruction Fuzzy Hash: EEF03035346A31B7FA91ABA4BC8AFDB3658DF05741F214010F701AA0D4D7A4AB8747EA

Function 004E8978 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004E8987
GetWindow.USER32(?,00000005), ref: 004E8998
GetDlgCtrlID.USER32(00000000), ref: 004E89A1
GetWindowLongA.USER32(00000000,000000F0), ref: 004E89B0
GetWindowRect.USER32(00000000,?), ref: 004E89C2
PtInRect.USER32(?,?,?), ref: 004E89D2

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 7384ba3b03532d5d376e5c32c5bbacd831eac89995001ec8a93e251c07c8fe18
Instruction ID: e0194c800e93dd0954c725302fd8571bc31d0173c28e9df0ecdf189a88109af8
Opcode Fuzzy Hash: 7384ba3b03532d5d376e5c32c5bbacd831eac89995001ec8a93e251c07c8fe18
Instruction Fuzzy Hash: 7701BC7250001ABBCF019B65DC08EBF3B6CEF01311B404026F905A22A1EAB89926CB9A

Function 10019170 Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 1001917A
??3@YAXPAX@Z.MSVCRT(?,?), ref: 10019186
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 10019192
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001919E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 100191AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 100191B6

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: f1a8cc473319eb0b1c69932dca6256fb8b8dc5912ee8d40ae2d3c541b9704d15
Instruction ID: b30d290d8c7ff241b3e1323c47ca36b58938814fe857fb6cef48acb235ac3c58
Opcode Fuzzy Hash: f1a8cc473319eb0b1c69932dca6256fb8b8dc5912ee8d40ae2d3c541b9704d15
Instruction Fuzzy Hash: ADE0757A51062057C224E7B4ACC1DD772A9BB4C210FA08D0CB19A47201C977F940E790

Function 00440490 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 144windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E5845: IsWindowEnabled.USER32(?), ref: 004E584F

IsWindowVisible.USER32(?), ref: 004404CA

Part of subcall function 004E3813: GetWindowTextLengthA.USER32(?), ref: 004E3820
Part of subcall function 004E3813: GetWindowTextA.USER32(?,00000000,00000000), ref: 004E3838

Part of subcall function 004DFDE5: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 004DFDF1

wsprintfA.USER32 ref: 00440564
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00440590
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0044059F

Strings

tZ, xrefs: 004404E8

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
String ID: tZ
API String ID: 1914814478-618434692
Opcode ID: 0c532f357a219fd74d7f66938f030c90cac9a4df56b96f23659606051c24f15b
Instruction ID: b406216f60097f9265610555b2e1fa10e761fe6534565f857aba8e3eeec5c0c3
Opcode Fuzzy Hash: 0c532f357a219fd74d7f66938f030c90cac9a4df56b96f23659606051c24f15b
Instruction Fuzzy Hash: CB517775208741AFD724EF14C991B5BB7F5FB88704F10891EE99A87380CB78E815CB96

Function 004D4643 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 004D4662
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004D4697
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 004D46F7

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004D4692
__GLOBAL_HEAP_SELECTED, xrefs: 004D46D1

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: f7bffdec347e3b53eaaf717de00c946409ba28f0512f621488d8b1be0951db2f
Instruction ID: 5970789ea1dfeaf1107d93403f4ac7c5539c854806dcee579ca56631954073d6
Opcode Fuzzy Hash: f7bffdec347e3b53eaaf717de00c946409ba28f0512f621488d8b1be0951db2f
Instruction Fuzzy Hash: 7531E7719012446FEB3197705C75AEE3BA89B47318F5404EBD185D6392E73CCE86CB19

Function 10009120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 10009179
SelectObject.GDI32(00000000,?), ref: 100091A7
GetTextExtentPointA.GDI32(00000000,?,?,00000400), ref: 100091C7

Strings

@, xrefs: 10009169
0, xrefs: 10009161

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ExtentInfoItemMenuObjectPointSelectText
String ID: 0$@
API String ID: 1214468274-1545510068
Opcode ID: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
Instruction ID: 3d2f61126256a53cf897c85a85e5fe7bc4fb7c3a9049d66df69f7ce8b741961f
Opcode Fuzzy Hash: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
Instruction Fuzzy Hash: 46111F75209300AFE750DB24C955BEFB7E8FBC4350F40491DF69992290DB79AA09CB92

Function 10018890 Relevance: 7.9, APIs: 5, Instructions: 413COMMON

Download Yara Rule

APIs

_ftol.MSVCRT ref: 10018A8B
_ftol.MSVCRT ref: 10018AD0
_ftol.MSVCRT ref: 10018D13
_ftol.MSVCRT ref: 10018D49
_ftol.MSVCRT ref: 10018D7A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: _ftol
String ID:
API String ID: 2545261903-0
Opcode ID: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
Instruction ID: 0b0bc44675ec839da114b02f6054aa0f657a73593dc5a8713aae574027d7ad68
Opcode Fuzzy Hash: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
Instruction Fuzzy Hash: DBF1CF71909B61EBE351DF10D89428A7BE4FFC5380FA14A5DF4C1961A1EB31CB96CB82

Function 10010E00 Relevance: 7.7, APIs: 5, Instructions: 218windowCOMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 10010E51

Part of subcall function 1000FBF0: CreateCompatibleDC.GDI32(?), ref: 1000FC09
Part of subcall function 1000FBF0: CreateCompatibleBitmap.GDI32(?,00000000,?), ref: 1000FC14
Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106

SetBkMode.GDI32(?,00000001), ref: 10010EA8
SelectObject.GDI32(?,?), ref: 10010EBD
SendMessageA.USER32(?,0000002B,00000000,?), ref: 10010F7B
GetPixel.GDI32(?,?,?), ref: 10011008

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$Create$ClipCompatibleDeleteRect$74001530BitmapBrushMessageModeOffsetPixelSendSolid
String ID:
API String ID: 827094094-0
Opcode ID: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
Instruction ID: a69ee935151e19899d8c4b44d90f6d6784ea96e440500a2836e4d15a7f76abeb
Opcode Fuzzy Hash: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
Instruction Fuzzy Hash: 0981E4B4608340AFE314CB58C882F6BB7E9FB88740F108A1DF99997391D670E945CB62

Function 1001A750 Relevance: 7.7, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000002CC,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A7A0
??2@YAPAXI@Z.MSVCRT(00000150,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A7F7
??2@YAPAXI@Z.MSVCRT(000002F4,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A852
??2@YAPAXI@Z.MSVCRT(0000007C,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A8AA
??2@YAPAXI@Z.MSVCRT(00000064,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A902
??2@YAPAXI@Z.MSVCRT(00000020,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A95A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: acee3e2d181177633a24cf035c914bc3b8895da4ff9bca02219d70c3d3395465
Instruction ID: 780453279fc9d404bdb8cca2fd0b2e9d713902c348bdb508de38a8486bde4cdd
Opcode Fuzzy Hash: acee3e2d181177633a24cf035c914bc3b8895da4ff9bca02219d70c3d3395465
Instruction Fuzzy Hash: 2951A1B5A083519BD604DF289C91B1A73D0EB98B60F004A2EF196DB381DB34ED848B93

Function 10016480 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PtInRect.USER32(0000002C,00000000,00000000), ref: 100164CD
PtInRect.USER32(0000006C,?,?), ref: 10016519
PtInRect.USER32(0000003C,?,?), ref: 1001656D
PtInRect.USER32(0000005C,?,?), ref: 1001659C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect
String ID:
API String ID: 400858303-0
Opcode ID: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
Instruction ID: 88eee75a724b57100442f45c2dc2b334c4b92a05eceda69fcc84a06ca03c096a
Opcode Fuzzy Hash: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
Instruction Fuzzy Hash: 04514C753007069BD714DF69EC84AABB3E9FB88B14F40092DF85A87240DB75F989CB61

Function 1001C570 Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C58A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C5EB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C64E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C6AF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C712

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 353ac758a6fb63025c5d98e7d195cbef0722081482f832dd2b1cd277f8c81383
Instruction ID: 207150d8cd520f2c8076046b94b252afd95317543a8e9ea73a38ad0b49929f05
Opcode Fuzzy Hash: 353ac758a6fb63025c5d98e7d195cbef0722081482f832dd2b1cd277f8c81383
Instruction Fuzzy Hash: 305134B6A0025D8FC714CF4AC894C56B7E1EF886507AAC4AED54A5F622CA31FC86CF44

Function 004D438C Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 004D43EA
GetFileType.KERNEL32(?,?,00000000), ref: 004D4495
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 004D44F8
GetFileType.KERNEL32(00000000,?,00000000), ref: 004D4506
SetHandleCount.KERNEL32 ref: 004D453D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: dbebf32f810db16defa94e2994453a52d5228fe1f17dac765765139250b28fda
Instruction ID: b03ba65ad56bd38f394f70b41c62db8affb5686468fec840b074b59a75d4956e
Opcode Fuzzy Hash: dbebf32f810db16defa94e2994453a52d5228fe1f17dac765765139250b28fda
Instruction Fuzzy Hash: 345148315052158BC720CB68C8B47267BE0FB92328F29877FD597973E1C738998AC709

Function 1001E9A9 Relevance: 7.6, APIs: 5, Instructions: 149timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001EA96
GetWindowRect.USER32(?,?), ref: 1001EAA5
PtInRect.USER32(?,?,?), ref: 1001EABA
KillTimer.USER32(?,00007720), ref: 1001EAD3
InvalidateRect.USER32(?,00000000,00000000), ref: 1001EAE7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CursorInvalidateKillTimerWindow
String ID:
API String ID: 1204915734-0
Opcode ID: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
Instruction ID: 1aaf348c908433e104cd2ce18659ca1b4ce5b612a6fc862c77d7acbc4d0a29e2
Opcode Fuzzy Hash: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
Instruction Fuzzy Hash: F40113B9504752AFD710DB28C8C886BB7F9EF49744B10894DF58AC7220D630F945CB61

Function 10021500 Relevance: 7.6, APIs: 5, Instructions: 145windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?), ref: 10021551
SendMessageA.USER32(?,00000112,0000F093,?), ref: 1002158D
IsZoomed.USER32(?), ref: 1002159F
GetSystemMetrics.USER32(00000004), ref: 100215AF
CallWindowProcA.USER32(?,?,000000A1,?,?), ref: 100216B3

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@CallMessageMetricsProcSendSystemWindowZoomed
String ID:
API String ID: 3560867145-0
Opcode ID: 40f6cafe6fc529aef8933b53fac1e56a8b6434288313871db4eb5997b39d8aab
Instruction ID: 6bec9c70b05b0ba5ee56a74e6e33481ab579d1bccf6329b3e51cbdad3a69271d
Opcode Fuzzy Hash: 40f6cafe6fc529aef8933b53fac1e56a8b6434288313871db4eb5997b39d8aab
Instruction Fuzzy Hash: B441E27A7002119BE710DF94E8C9FDBB399EBA4750F80803AF9099F282C7719C5487A0

Function 10008FB0 Relevance: 7.6, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 10009048
CallWindowProcA.USER32(?,?,0000002B,?,?), ref: 100090CB
CreateCompatibleDC.GDI32(00000000), ref: 100090EC
CallWindowProcA.USER32(?,?,0000002B,00000000,?), ref: 10009100
DeleteDC.GDI32(?), ref: 1000910C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallProcWindow$CompatibleCreateDeleteProp
String ID:
API String ID: 1060680913-0
Opcode ID: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
Instruction ID: f2b3dcc440dab69ee4fbcbe6af92302eeabc2b2a5026597934c7d9f665362333
Opcode Fuzzy Hash: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
Instruction Fuzzy Hash: AA4134753007129FE310CF6AD884B66B7E8FF847D0F158129F9498B295D732E882CBA1

Function 10010840 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100108A4
OffsetRect.USER32(?,?,?), ref: 100108BD
GetSystemMetrics.USER32(00000000), ref: 100108CB
GetSystemMetrics.USER32(00000001), ref: 100108D1
CallWindowProcA.USER32(?,?,00000046,?,?), ref: 10010933

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MetricsRectSystemWindow$CallOffsetProc
String ID:
API String ID: 3217627387-0
Opcode ID: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
Instruction ID: 23580ca9b0729daaad7b279e8dc62797c40a95a429eab73825f66c9b8e763cb3
Opcode Fuzzy Hash: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
Instruction Fuzzy Hash: 9D314C753092069FE718DF18C8A4E6AB7E6FF88740F24851DF9CA8B252D670E981CB51

Function 0045C310 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 0045C32C

Part of subcall function 00450DD0: IsChild.USER32(?,?), ref: 00450E4D
Part of subcall function 00450DD0: GetParent.USER32(?), ref: 00450E67

GetCursorPos.USER32(?), ref: 0045C344
GetClientRect.USER32(?,?), ref: 0045C353
PtInRect.USER32(?,?,?), ref: 0045C374
SetCursor.USER32(?,?,00000000,?,?,?,?,0045BFA0), ref: 0045C3F2

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ChildCursorRect$ClientParent
String ID:
API String ID: 1110532797-0
Opcode ID: c05561a10ea69c5576322866e8a49da0eb23e6662b602a46ae0df9d591560361
Instruction ID: e4a2f702fa03b161305eab97eeb4b0ad9b3dd5038dda2315a326693a6ca0012b
Opcode Fuzzy Hash: c05561a10ea69c5576322866e8a49da0eb23e6662b602a46ae0df9d591560361
Instruction Fuzzy Hash: E421C531600301AFD720DE25DC95FAB73E8AF84715F05491EFC05A7282E678E80AC6A9

Function 10016350 Relevance: 7.6, APIs: 5, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 10016363

Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3

GetParent.USER32(?), ref: 100163A2
SendMessageA.USER32(00000000), ref: 100163A9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Timer$KillMessageParentSend
String ID:
API String ID: 4215942989-0
Opcode ID: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
Instruction ID: cfa475f0d94ce1742ae4734d9acbaaceee74d3da44fb01cfd7150537f1731013
Opcode Fuzzy Hash: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
Instruction Fuzzy Hash: D9216F79301B12ABE624D764CC95FDB72E9EB58B40F404818F656CE280DA76ED82C754

Function 0044C201 Relevance: 7.6, APIs: 5, Instructions: 61windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000146), ref: 0044C212
SendMessageA.USER32(?,00000146), ref: 0044C22D
SendMessageA.USER32(?,00000146), ref: 0044C249
SendMessageA.USER32(?,00000146), ref: 0044C25D
SendMessageA.USER32(?,0000014E), ref: 0044C272

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bfd6842268f62ae35ddc25de17c36fca83c681723855acda278bf09d498c31f3
Instruction ID: 259e74b5d288d63c880d4b56199ef9c822a594f1b02fcfb3cfba4d69bbc3d5a9
Opcode Fuzzy Hash: bfd6842268f62ae35ddc25de17c36fca83c681723855acda278bf09d498c31f3
Instruction Fuzzy Hash: C311C231705A08ABE620DAA6DCC0E67B7A9FB85758F114A1EF142C71D0C6B5B4028B32

Function 100200C0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 100200D7
ScreenToClient.USER32(?,00000000), ref: 100200E6
PtInRect.USER32(00000034,00000000,?), ref: 100200FA
TrackMouseEvent.USER32(?,?,?,?,?,?,?,?,1001FFAC,?,?), ref: 10020142
CallWindowProcA.USER32(?,?,00000200,?,?), ref: 1002015F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallClientCursorEventMouseProcRectScreenTrackWindow
String ID:
API String ID: 246821313-0
Opcode ID: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
Instruction ID: 3019ab15dc7928b1b202b4615dd38406c76b54fbe59730a3b13cec038340f0e3
Opcode Fuzzy Hash: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
Instruction Fuzzy Hash: D4113A79204701EFD314DF14C885A5BB7E9FB88700F504A0DF98683621D770E949CB91

Function 0044C184 Relevance: 7.6, APIs: 5, Instructions: 55windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000154), ref: 0044C195
SendMessageA.USER32(?,00000153,?,00000000), ref: 0044C1AC

Part of subcall function 0043EB80: SendMessageA.USER32(?,00000030,?,00000001), ref: 0043EBDD

SendMessageA.USER32(?,00000154), ref: 0044C1D5
SendMessageA.USER32(?,00000153,?,?), ref: 0044C1ED
InvalidateRect.USER32(?,?,00000001,?,?), ref: 0044C1F6

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$InvalidateRect
String ID:
API String ID: 2778011698-0
Opcode ID: 7a47a97aaa90b1c1c34cd31c9281114bb9c38880c6360aa5e551ef86aaaa873a
Instruction ID: 4cc800516e44d9acc79ce430d0ac57e3ae4669eaee589054fa307068beeaeea0
Opcode Fuzzy Hash: 7a47a97aaa90b1c1c34cd31c9281114bb9c38880c6360aa5e551ef86aaaa873a
Instruction Fuzzy Hash: 84018471200B45BFE624DB1ADC51FB7F7ACEF85748F01892DF54297780C6B9B8098A24

Function 10014EF0 Relevance: 7.5, APIs: 5, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10014F03
GetClassLongA.USER32(00000000), ref: 10014F0A
SendMessageA.USER32(?,00000115,00000000,00000000), ref: 10014F30
SendMessageA.USER32(?,00000115,00000001,00000000), ref: 10014F47
CallWindowProcA.USER32(?,?,0000020A,?,?), ref: 10014F6A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$CallClassLongParentProcWindow
String ID:
API String ID: 1353622983-0
Opcode ID: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
Instruction ID: d2383e6da1af4afa3427e5b8932eb01d4800057d420c1cdead8e2e9a0b4738ac
Opcode Fuzzy Hash: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
Instruction Fuzzy Hash: BE018436214711EFE354DB54CC89FC777A5FB98740F118918F2568B6A4C6B0E882CB50

Function 004D45AF Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,004D1642,004D3750,00000000,?,?,00000000,00000001), ref: 004D45B1
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 004D45BF
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 004D460B

Part of subcall function 004D1A36: RtlAllocateHeap.NTDLL(00000008,?,00000000,00000000,00000001,004D45D4,00000001,00000074,?,?,00000000,00000001), ref: 004D1B2C

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004D45E3
GetCurrentThreadId.KERNEL32 ref: 004D45F4

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ErrorLastValue$AllocateCurrentHeapThread
String ID:
API String ID: 2047054392-0
Opcode ID: 6426ec7f72aea5d8c118813c1386fda8e4b6271ccd9d970c973a8249130dfec3
Instruction ID: 345cb2ce4bacdf6dfdbcda1fa7a2f47465e755d775308502bc402191ad2399fe
Opcode Fuzzy Hash: 6426ec7f72aea5d8c118813c1386fda8e4b6271ccd9d970c973a8249130dfec3
Instruction Fuzzy Hash: 51F0F6326066116BC6212BB4AD19A7B3B60AF927B2B01013BFA42963A0DB7C8C01D65C

Function 1000B0C0 Relevance: 7.5, APIs: 5, Instructions: 36windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1000B0C9
SelectObject.GDI32(?,00000000), ref: 1000B0DD
PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
SelectObject.GDI32(?,00000000), ref: 1000B103
DeleteObject.GDI32(00000000), ref: 1000B106

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$BrushCreateDeleteSolid
String ID:
API String ID: 1979645813-0
Opcode ID: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
Instruction ID: 83e1346f7fd50f5c1e27b067344e86bff92973f43accc98672dc9dd08b035da2
Opcode Fuzzy Hash: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
Instruction Fuzzy Hash: E9F0587A205214AFE200DB65DCC8CBBBBECEBCDA54F10051CF94893200C634AD0A8B72

Function 1000FCA0 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SetMapMode.GDI32(00000000,00000001), ref: 1000FCA8
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000FCB7
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCC6
SetViewportOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 1000FCD5
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCE4

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ViewportWindow$Mode
String ID:
API String ID: 1998588776-0
Opcode ID: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
Instruction ID: 19eb1e7a97a7d17af1ec9957c6ac4774e2def1865d773f4b49123eaa02bc8819
Opcode Fuzzy Hash: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
Instruction Fuzzy Hash: 94F09878391310BBF6749B60CCCAF957765AB48B11F304809FA81AA2D0C6F5A5859B64

Function 004606A0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0045F7A0: InvalidateRect.USER32(?,00000000,00000000), ref: 0045F7CA

Part of subcall function 004E3813: GetWindowTextLengthA.USER32(?), ref: 004E3820
Part of subcall function 004E3813: GetWindowTextA.USER32(?,00000000,00000000), ref: 004E3838

SendMessageA.USER32(?,000000B0,?,?), ref: 00460922
SendMessageA.USER32(?,000000B1,?,?), ref: 0046095E
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0046096B

Strings

tZ, xrefs: 004606C8

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$TextWindow$InvalidateLengthRect
String ID: tZ
API String ID: 2881497910-618434692
Opcode ID: c518527ebfdae16a8950359692c73488d416402811cd199baeb1c995ffb246e4
Instruction ID: 4f314f74210e92d4152cc1e0e9f3830f70704c0522fbc22117786488524b3776
Opcode Fuzzy Hash: c518527ebfdae16a8950359692c73488d416402811cd199baeb1c995ffb246e4
Instruction Fuzzy Hash: DC81D8F5904302ABD614EB24D881E2F77A5EF94344F108E2FF55583291FA7CE84987AB

Function 10008DE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 10008E73
CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F42
CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F98

Strings

0, xrefs: 10008E63

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallProcWindow$InfoItemMenu
String ID: 0
API String ID: 1396499677-4108050209
Opcode ID: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
Instruction ID: 3a263b56c78cee0a8e23883c6dc5574ccc9387f68b94d4295bca3dd9a186fa29
Opcode Fuzzy Hash: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
Instruction Fuzzy Hash: EC513B793102018FE704CF18C884AA6B7E9FF88394F18856EED488B355D736ED46CBA1

Function 00458D70 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 138memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00458E74
GlobalReAlloc.KERNEL32(00000000,00000000,00000002), ref: 00458E7E

Part of subcall function 004EA1C0: __EH_prolog.LIBCMT ref: 004EA1C5

Part of subcall function 004E1445: InterlockedDecrement.KERNEL32(-000000F4), ref: 004E1459

Strings

tZ, xrefs: 00458D8E, 00458DD3
lW, xrefs: 00458D99

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Global$AllocDecrementH_prologInterlockedUnlock
String ID: lW$tZ
API String ID: 2641609054-107565959
Opcode ID: cb45adfa57c68fdf0d007c0c391d22c1c0a508736da5cbfe02be6199b13b4691
Instruction ID: 8dff12476592531a7af1404d6c09454bd44275e6f712f135b1a77f53127eae20
Opcode Fuzzy Hash: cb45adfa57c68fdf0d007c0c391d22c1c0a508736da5cbfe02be6199b13b4691
Instruction Fuzzy Hash: CB51AF70D01298DEDB11EFA5C941BEDBBB4BF69304F10419EE8056B381DB781B08DB26

Function 00458280 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,WTWindow,00000000), ref: 004582A8
LoadCursorA.USER32(00000000,00007F00), ref: 004582B9
GetStockObject.GDI32(00000005), ref: 004582C3

Strings

WTWindow, xrefs: 0045829C, 004582A6

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: WTWindow
API String ID: 1762135420-3503404378
Opcode ID: 147f70b7583cb19a01a2646a955cf13b010d80c4c7336d283583bda1d208d3de
Instruction ID: 0fdda9b8c5d6d728c0678b4cd6077ced84d5430228cf93ed204de776b7a40bc3
Opcode Fuzzy Hash: 147f70b7583cb19a01a2646a955cf13b010d80c4c7336d283583bda1d208d3de
Instruction Fuzzy Hash: 4C11A1B1909341AFC300EF569D8455BFFE8FF88766F40182EF98893251DB799904CB9A

Function 1001C4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 1001C4EB
GetMenuItemInfoA.USER32 ref: 1001C524
SetMenuItemInfoA.USER32(?,?,00000400,?), ref: 1001C561

Strings

0, xrefs: 1001C514

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Menu$InfoItem
String ID: 0
API String ID: 1040333723-4108050209
Opcode ID: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
Instruction ID: f8b742696180afde77dc344fc1703784ab48d404007203de0ad804771102cd86
Opcode Fuzzy Hash: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
Instruction Fuzzy Hash: CA115774204311AFE310CF28C884E6BB7E8EF88794F50891DF999D7690E770E982CB56

Function 004E8903 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 004E8914
GetClassNameA.USER32(00000000,?,0000000A), ref: 004E892F
lstrcmpiA.KERNEL32(?,combobox), ref: 004E893E

Strings

combobox, xrefs: 004E8938

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 7f44807c01c34e086d0128dfa2ac78d2eb22b4313566bf302148762968ca0c67
Instruction ID: dd8f317c71ad86316f66fa1282f24f1f291a221705ff341e49afa0c04cc4c38b
Opcode Fuzzy Hash: 7f44807c01c34e086d0128dfa2ac78d2eb22b4313566bf302148762968ca0c67
Instruction Fuzzy Hash: A3E06531954148BBCF119F60ED4AE7A3B68E700346F108531B416D51E0DA74E655D759

Function 004D49C4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004CF3FD), ref: 004D49C9
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004D49D9

Strings

KERNEL32, xrefs: 004D49C4
IsProcessorFeaturePresent, xrefs: 004D49D3

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 18b4036be0749f7b3c28c81e437e1825b9f8a793e25145ffb41c2fcc07bf0bee
Instruction ID: 14230a08e2dbc7d322336b51213c57374862dd6d5257fa30328eb8e1380a2732
Opcode Fuzzy Hash: 18b4036be0749f7b3c28c81e437e1825b9f8a793e25145ffb41c2fcc07bf0bee
Instruction Fuzzy Hash: 5CC012F53C130297DA6067B20D3EB2725081B90B03F5510676D15F92C0CAB8C904A629

Function 0044C3E6 Relevance: 6.4, APIs: 4, Instructions: 373windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0044C4DC
SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0044C54E
SendMessageA.USER32(?,00000140,00000000,00000000), ref: 0044C5DF
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0044C799

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cbd27d96093d0c3652c2091bc815ea9c585a087e5f07a60842f280b7cea4343c
Instruction ID: 8a239db5bfff387420569f00e68f56bb6fe86e7439bb7b8f8d6454a5fc64ef92
Opcode Fuzzy Hash: cbd27d96093d0c3652c2091bc815ea9c585a087e5f07a60842f280b7cea4343c
Instruction Fuzzy Hash: EFD17E76644740CFD324DF29D881B9AF7E0FBC8B20F10892EE95A87780DB79A805CB55

Function 100262D0 Relevance: 6.4, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002630B
SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002632C
SetLastError.KERNEL32(00000009,?,00000000,?,00000001), ref: 10026368
SetLastError.KERNEL32(0000000C,?,00000000,?,00000001), ref: 10026395

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
Instruction ID: b3c434b615bc2635f358bc3621d77ed4a3c5ae3a0f0d1fd31a7ebcab961547c0
Opcode Fuzzy Hash: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
Instruction Fuzzy Hash: F941F774E04109EFDB04DFA8D895ADDBBB1EF4C314F608559E94AAB285D730AA41CFA0

Function 004D8BDC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,005A8FE0,005A8FE0,?,?,004D90A8,00000000,00000010,00000000,00000009,00000009,?,004D0C61,00000010,00000000), ref: 004D8BFD
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,004D90A8,00000000,00000010,00000000,00000009,00000009,?,004D0C61,00000010,00000000), ref: 004D8C21
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,004D90A8,00000000,00000010,00000000,00000009,00000009,?,004D0C61,00000010,00000000), ref: 004D8C3B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,004D90A8,00000000,00000010,00000000,00000009,00000009,?,004D0C61,00000010,00000000,?), ref: 004D8CFC
HeapFree.KERNEL32(00000000,00000000,?,?,004D90A8,00000000,00000010,00000000,00000009,00000009,?,004D0C61,00000010,00000000,?,00000000), ref: 004D8D13

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: c9c01acf7d47c6887a4b43985c4f78c12e35cb22799fae7dd32550036e4fe10c
Instruction ID: 71ee310cb748a994442635f623e19aef38253d4065c009873d1612fced60181d
Opcode Fuzzy Hash: c9c01acf7d47c6887a4b43985c4f78c12e35cb22799fae7dd32550036e4fe10c
Instruction Fuzzy Hash: 0B31DCB0A42702AFD3208F28DC55B76BAE1FBA5B54F10423FE555973D0EB78A8049B58

Function 004548A0 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004548F3

Strings

tZ, xrefs: 004548D0
%d, %d, xrefs: 004548E6
", xrefs: 00454947, 004549E7

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: wsprintf
String ID: "$%d, %d$tZ
API String ID: 2111968516-3200041139
Opcode ID: a494f1ba3f9ffc07b2532accd95935c1d02b48c00b0485ff2eac3ebd5ae47d2f
Instruction ID: 5f4a217a16da053e291280891b8b40f1f54ee183ff452f6f65d99e7af4bf33bc
Opcode Fuzzy Hash: a494f1ba3f9ffc07b2532accd95935c1d02b48c00b0485ff2eac3ebd5ae47d2f
Instruction Fuzzy Hash: 2981A0719401099BCB14EF62DD82FEE7378AF54719F04052AEC056B293EB38AE09C769

Function 1001E500 Relevance: 6.2, APIs: 4, Instructions: 200windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E552
InflateRect.USER32(?,000000FE,000000FE), ref: 1001E599
6FA9CFD0.COMCTL32(?,?,?,00000000,?,00000001), ref: 1001E727

Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E942
Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E949

6FA9CFD0.COMCTL32(?,?,?,?,?,00000001), ref: 1001E685

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Empty$InflateMessageSend
String ID:
API String ID: 2147231653-0
Opcode ID: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
Instruction ID: 714f37e124b3561914c789874ae4d57327775486736af5f1980e57804d13f8a5
Opcode Fuzzy Hash: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
Instruction Fuzzy Hash: 8E81D0B56183409FD354CF58C880A6BFBE9FBC9700F108A2DFA9887351E771E9458B96

Function 00460C90 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 191COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00460E6B

Part of subcall function 004E574C: SetWindowTextA.USER32(?,0045FAFA), ref: 004E575A

Strings

tZ, xrefs: 00460E87
rW, xrefs: 00460E2E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: TextWindowwsprintf
String ID: rW$tZ
API String ID: 430165219-1868066974
Opcode ID: 36ac684d9a63da082b329c6db8fb8483c7b77e30f7e51b89acb448bbd80fea24
Instruction ID: 732255bb3f39e590fe5c7596b188a807d729f0865c4a6a1dd9697c63b368dff3
Opcode Fuzzy Hash: 36ac684d9a63da082b329c6db8fb8483c7b77e30f7e51b89acb448bbd80fea24
Instruction Fuzzy Hash: 9261C270644B459FC724DF66D881A6BB7E8EB84304F004D1EF59A87381EB79E809CB5B

Function 00464A50 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4274e18da91ca3f01010063d27805a59d6e8181d516b4911698eb49e611bb8cc
Instruction ID: e12c09b53413849804b82ac8a9cc60cdfeef19234070861444ad06ac4fb8b769
Opcode Fuzzy Hash: 4274e18da91ca3f01010063d27805a59d6e8181d516b4911698eb49e611bb8cc
Instruction Fuzzy Hash: 98514DB25083419FC710EF6AD98196BFBE8BBC9724F404A2EF19583350E779D809CB56

Function 1000B120 Relevance: 6.2, APIs: 4, Instructions: 164windowCOMMON

Download Yara Rule

APIs

BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B1A0
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B216
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B273
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000B2C9

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
Instruction ID: 0e05779d305182e8bcc6fd0604af41abdce4d5981c7c16a485e6175e980c0b19
Opcode Fuzzy Hash: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
Instruction Fuzzy Hash: 9451E474209341AFD344CF1AC980A1BFBE9EFCC698F549A1DF99993314D670ED018B66

Function 10004960 Relevance: 6.2, APIs: 4, Instructions: 161COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000498C

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

CreateCompatibleDC.GDI32(00000000), ref: 10004ACC
SelectObject.GDI32(00000000,?), ref: 10004ADA
DeleteObject.GDI32(00000000), ref: 10004B3D

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
String ID:
API String ID: 3658416323-0
Opcode ID: 23c3dad39b7b06eb48d7addef53a14f29711dad34157be51c5675d575d6ac0fc
Instruction ID: 926509f65d47b9d16154319da591b5b9fbd828cd3c3562e040cac586d4f0fdc2
Opcode Fuzzy Hash: 23c3dad39b7b06eb48d7addef53a14f29711dad34157be51c5675d575d6ac0fc
Instruction Fuzzy Hash: 71514075204254AFE714CFA8CDD4FAB7BA9EBC8740F11462DF64983264DB70A906CBA1

Function 10004590 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100045BC

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

CreateCompatibleDC.GDI32(00000000), ref: 100046EA
SelectObject.GDI32(00000000,?), ref: 100046F8
DeleteObject.GDI32(00000000), ref: 1000475C

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
String ID:
API String ID: 3658416323-0
Opcode ID: 57afb882074d8b283f91df5b332fb814e48e5fbbc40286b92b26aa013bbe1ff9
Instruction ID: 31f3b9b0e5f8ca5f00bfa3506996ac21a001d0e66bebc1a0bde6ad0a93aefee3
Opcode Fuzzy Hash: 57afb882074d8b283f91df5b332fb814e48e5fbbc40286b92b26aa013bbe1ff9
Instruction Fuzzy Hash: D0515F75204314AFE714CFA4CDC4FAB7BA9EB88754F114629FA4583394DB70A906CB61

Function 10002EC0 Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10002EEB

Part of subcall function 10006940: CreateDIBSection.GDI32(00000000,?,00000000,?,00000000,00000000), ref: 10006998

CreateCompatibleDC.GDI32(00000000), ref: 10003013
SelectObject.GDI32(00000000,?), ref: 10003021

Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CreateObject$CompatibleDeleteRectSectionSelectWindow
String ID:
API String ID: 3658416323-0
Opcode ID: 07dad1b2f8abdf8a07eb973fc9d63cefb9e0dcfc90d492f50281410ed9c71344
Instruction ID: b27995b4a09c7bf90d17540a9eabbb7790c638f4d3ea255d685444a3819b181a
Opcode Fuzzy Hash: 07dad1b2f8abdf8a07eb973fc9d63cefb9e0dcfc90d492f50281410ed9c71344
Instruction Fuzzy Hash: 6E514C76204315AFE310CFA8CDC9FABBBE9FB88650F504629F54983295DB70A905CB61

Function 10025870 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100258B1
OffsetRect.USER32(?,?,?), ref: 100258CA
CreateRoundRectRgn.GDI32(?,?,?,?,00000001,00000001), ref: 1002590F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CreateOffsetRoundWindow
String ID:
API String ID: 3966507845-0
Opcode ID: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
Instruction ID: fd809a4ceb687a9920e0430a40226c629e5b8fbea5758eea80f51bca6e6e67d1
Opcode Fuzzy Hash: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
Instruction Fuzzy Hash: EC4161B9214601AFE714DB68D885EABB3E9EBC4700F50C91DF89A87240DA70FD05CBA5

Function 00444300 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2397c4ae86ca839fb9d7ad3690e973ee19697dd599aae1e90f8c868db2602b2c
Instruction ID: 64eea6f528d9ff367fe529691e3cec1be20a65e3d798e4820e1714d9b9a898e6
Opcode Fuzzy Hash: 2397c4ae86ca839fb9d7ad3690e973ee19697dd599aae1e90f8c868db2602b2c
Instruction Fuzzy Hash: FF31AD723146019FE720DF69E891BAB73E5EBC4B14F004D2AF582DB280D664E842CBA5

Function 10007F00 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

CreateCompatibleDC.GDI32(?), ref: 10007F68
CreateCompatibleBitmap.GDI32(?,?,?), ref: 10007F82
SelectObject.GDI32(?,00000000), ref: 10007F8F
74001530.MSIMG32(?,?,?,?,?,?,00000000,00000000,?,?,00FF00FF), ref: 10008017

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CompatibleCreate$74001530BitmapObjectSelect
String ID:
API String ID: 1656724047-0
Opcode ID: 351117b677a3e932f0f50200bd7c7ee2448bf8813f5f97b2c86bedaae17dfc0b
Instruction ID: 68acdb373d7a775d6d7ccb3423d03b7186a2d247abf388a2c01072eab6aa2972
Opcode Fuzzy Hash: 351117b677a3e932f0f50200bd7c7ee2448bf8813f5f97b2c86bedaae17dfc0b
Instruction Fuzzy Hash: F841D4B8600602AFE324CF68C884E26B7F9FF88744B108A1DF99983754D730F955CBA1

Function 10015F60 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B

PtInRect.USER32(0000002C,76C21B80,?), ref: 10015FAA
PtInRect.USER32(0000003C,?,?), ref: 10015FEA
PtInRect.USER32(0000006C,?,?), ref: 10016016

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CursorWindow
String ID:
API String ID: 2067259548-0
Opcode ID: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
Instruction ID: 942b3ee6e408d2d77c3cbed3ca5e98908d906ac42d301ec7afef9c4228c91e15
Opcode Fuzzy Hash: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
Instruction Fuzzy Hash: EE313C763007029BC714CF65EC809ABF3E8FB84751F45462DE95987600DB36E8498BA1

Function 004A4210 Relevance: 6.1, APIs: 4, Instructions: 95windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 004A4225
SendMessageA.USER32(?,00000419,?,00000000), ref: 004A425C
SendMessageA.USER32(?,00000433,?,?), ref: 004A42C2
ClientToScreen.USER32(?,?), ref: 004A42EE

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$ClientScreenWindow
String ID:
API String ID: 4074774880-0
Opcode ID: f726c35a4baaef3bd1c5a29752e5e5dcfa607dafc4cec6534f53c061072e7650
Instruction ID: 0d0b4ff4c1ecfe9050bdf37bc692759540a759f726894b7cb2056cf89c5ea6b5
Opcode Fuzzy Hash: f726c35a4baaef3bd1c5a29752e5e5dcfa607dafc4cec6534f53c061072e7650
Instruction Fuzzy Hash: B33158B16083019FD724CF29D881A2FB7E8EFE8754F40592EF98587740D7B4E8058B6A

Function 004E8EE1 Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004E9059: GetParent.USER32(?), ref: 004E908C
Part of subcall function 004E9059: GetLastActivePopup.USER32(?), ref: 004E909B
Part of subcall function 004E9059: IsWindowEnabled.USER32(?), ref: 004E90B0
Part of subcall function 004E9059: EnableWindow.USER32(?,00000000), ref: 004E90C3

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 004E8F17
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004E8F85
MessageBoxA.USER32(00000000,?,?,00000000), ref: 004E8F93
EnableWindow.USER32(00000000,00000001), ref: 004E8FAF

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: a1c66c6e226bd4ae89fd0621bb9c0335a944f31a05dca959b1702eb7496bf6c0
Instruction ID: 5549e393eccf1e6b2896cc4ab4eb9484fa014be906d2ff0492dcf77d55e1cf06
Opcode Fuzzy Hash: a1c66c6e226bd4ae89fd0621bb9c0335a944f31a05dca959b1702eb7496bf6c0
Instruction Fuzzy Hash: 1321D871A00148AFDF209F96CCC5AEEB7B6EB48352F14056EF518E7290DB749D40DB54

Function 100080F0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 100080F7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: EnabledWindow
String ID:
API String ID: 1255321416-0
Opcode ID: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
Instruction ID: 37371956b553b68bbaf28cfff257a7f0d6f94ec872bf77a3ed07d6cbcf5e9166
Opcode Fuzzy Hash: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
Instruction Fuzzy Hash: CE11B1772444628BF720D67CE846ACAA3D4FB74390F018D27F59AC7288D628DD878754

Function 10016220 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000001), ref: 10016247
PtInRect.USER32(?,?,?), ref: 10016273
PtInRect.USER32(?,?,?), ref: 1001629F
CallWindowProcA.USER32(?,?,00000084,?,?), ref: 100162BC

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$Window$CallProc
String ID:
API String ID: 2141924492-0
Opcode ID: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
Instruction ID: 6bb5dbdf489e1a6f0cc29fa7beb5d91727bcf99365b1c6db062720247cfdbd6a
Opcode Fuzzy Hash: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
Instruction Fuzzy Hash: 0C218176300B165BE360DAAACCC4E67B3ECFB88A50F40492EF985C7641D635FD598760

Function 10008B70 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,1002C040), ref: 10008BBA

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,1002C048), ref: 10008BD2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027404,000000FF,10008B58), ref: 10008BE6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027404,000000FF,10008B58), ref: 10008C10

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ??3@$PropRemove
String ID:
API String ID: 1378348335-0
Opcode ID: 93d3d9c42f870cd9d9b3a1bdedabf6ebe2cb150f49cc310acf5eac463d88ac74
Instruction ID: 4856fc888e7d091422dc3a361147995440e5673d3ac1890a2cd9819baa295a63
Opcode Fuzzy Hash: 93d3d9c42f870cd9d9b3a1bdedabf6ebe2cb150f49cc310acf5eac463d88ac74
Instruction Fuzzy Hash: A621AFB56007829FD710CF5AD8C0A8AF7E4FB48210F804A2DF16987341C778E9498B91

Function 004DC898 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 004DC8C7
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 004DC8DA
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 004DC926
CompareStringW.KERNEL32(00494F56,00000000,00000000,00000000,?,00000000,?,00000000), ref: 004DC93E

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 850af5a9007ca98207d95a4284c28e61aebe3e1bed2bc162c4e4240c6e948dca
Instruction ID: 400ff03ad6a7bbb7f0bc4e77c8ada500ee077e171c2b07925b771b5159bbb157
Opcode Fuzzy Hash: 850af5a9007ca98207d95a4284c28e61aebe3e1bed2bc162c4e4240c6e948dca
Instruction Fuzzy Hash: 3F21EAB290025AEBCF218FD4CD919DE7FB5FF487A0F11416AFA1462260C3369961DB98

Function 1000E340 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,?,10012579,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 1000E39A
SelectObject.GDI32(?,?), ref: 1000E3AA
DeleteDC.GDI32(?), ref: 1000E3B4
DeleteObject.GDI32(?), ref: 1000E3D1

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: DeleteObject$??3@Select
String ID:
API String ID: 3433755800-0
Opcode ID: f55ce02d52da9193f42541787e68d3cff3417927cbf413641bc5f72140a8c5a2
Instruction ID: eff67cfb01a4d2600c09c765b352805dfe5dc578d0251df350f47da1601aa07e
Opcode Fuzzy Hash: f55ce02d52da9193f42541787e68d3cff3417927cbf413641bc5f72140a8c5a2
Instruction Fuzzy Hash: E3113AB4600642AFE714CF15C8C8E16BBE9FF88380B29C56AE808D7325D771ED41CB90

Function 100117B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 100117CF
PtInRect.USER32(00000060,?), ref: 100117DF
PtInRect.USER32(00000050,?), ref: 100117FC
CallWindowProcA.USER32(?,?,00000200,?,?), ref: 10011838

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
Instruction ID: 8c562a3d8ffa91b3488f9b2e3c9223cef3bcf56be9e3598e3ad49312dabcbff5
Opcode Fuzzy Hash: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
Instruction Fuzzy Hash: 17117C75600715AFE328CF16CC88EA777FCEB80B85F10481DF58286651DA31E886CB60

Function 10011AC0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 10011AD9
PtInRect.USER32(00000060,?), ref: 10011AE9
PtInRect.USER32(00000050,?), ref: 10011AFB
CallWindowProcA.USER32(?,?,00000202,?,?), ref: 10011B37

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
Instruction ID: 8a3aa6fa90d41ed69226067b3e75a7c91dc2c122c79226572cad67fafd763433
Opcode Fuzzy Hash: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
Instruction Fuzzy Hash: C6014C75605725AFE328CB56DCC8EABBBFCEB84B81B10481EF54286211D731E9858B61

Function 10011A30 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 10011A49
PtInRect.USER32(00000060,?), ref: 10011A59
PtInRect.USER32(00000050,?), ref: 10011A6B
CallWindowProcA.USER32(?,?,00000201,?,?), ref: 10011AAA

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
Instruction ID: e73e578019d50ab50198203406a73d3f958aba72b0e288fd38bf24a79029c17e
Opcode Fuzzy Hash: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
Instruction Fuzzy Hash: B7018CB5201715AFE324CF56CC88EABBBFCEF84B81F10080DF58286111C631E984CB61

Function 10007720 Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 1000772F
GetPropA.USER32(?,1002C050), ref: 1000773E
SelectObject.GDI32(?,?), ref: 10007783
PatBlt.GDI32(?,00F00021,?,?,?,00F00021), ref: 100077A3

Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Object$Select$BrushClientCreateDeletePropRectSolid
String ID:
API String ID: 3435410480-0
Opcode ID: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
Instruction ID: 0ce474bad31ea1b146f6a7476c3485cc4b4618f4c22a3676eee4e6d7add3520a
Opcode Fuzzy Hash: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
Instruction Fuzzy Hash: 570117BA604211EFE204DB58CC84DABB7ACEFC8250F508A0DFA5983211D630ED45CBA2

Function 004E01E3 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 004E01FB
GetParent.USER32(00000000), ref: 004E0208
ScreenToClient.USER32(00000000,?), ref: 004E0229
IsWindowEnabled.USER32(00000000), ref: 004E0242

Part of subcall function 004E8903: GetWindowLongA.USER32(00000000,000000F0), ref: 004E8914

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: fefc82ba7093820c639226e287a6af006fe156de6041eac075c67da15ddd3cad
Instruction ID: 4d399d819ef3be80784dd254689de17bb7facf5b0943dd8e9b768c8efe5f6a07
Opcode Fuzzy Hash: fefc82ba7093820c639226e287a6af006fe156de6041eac075c67da15ddd3cad
Instruction Fuzzy Hash: A901D436A00504BB8B029B9ADC48DAFBBF9DF85741B040069F605E7310DBB8CD40D76D

Function 004E452B Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 004E4539
SendMessageA.USER32(00000000,?,?,?), ref: 004E456F
GetTopWindow.USER32(00000000), ref: 004E457C
GetWindow.USER32(00000000,00000002), ref: 004E459A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: ae3f561d501c805b89086e3518cf6d7d333a08eea5ca3851d08649447a3a0ef0
Instruction ID: f1bc4eaf6a8054d48c2b1af52cceacaccdad030106178342ca27ee575d0db40e
Opcode Fuzzy Hash: ae3f561d501c805b89086e3518cf6d7d333a08eea5ca3851d08649447a3a0ef0
Instruction Fuzzy Hash: 0B01293200115ABBCF126F92DC08EAF3F29AF88352F044016FB1051160C77ACA32EBA9

Function 10015BE0 Relevance: 6.0, APIs: 4, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006622,00000000,?,10008828,?,?,?), ref: 10015C04
KillTimer.USER32(?,00006623), ref: 10015C0F
KillTimer.USER32(?,00006624), ref: 10015C1A
CallWindowProcA.USER32(?,?,?,?,?), ref: 10015C60

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: KillTimer$CallProcWindow
String ID:
API String ID: 4157066807-0
Opcode ID: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
Instruction ID: 7c6a0bc5b88cb8bece1b2373cc4b17ef2a87975b470b42242de656e3c344c917
Opcode Fuzzy Hash: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
Instruction Fuzzy Hash: 3901E975204B05EBE224DB6AC890F9BB3E9EF98700F14890DF5599F290C676E8818B50

Function 1000E4B0 Relevance: 6.0, APIs: 4, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1000E4C5
SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1000E4DB
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E4F5
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E512

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: CallProcWindow$MessagePropSend
String ID:
API String ID: 3197700573-0
Opcode ID: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
Instruction ID: 451063f49a3e527fd8d608dc22c3f8f1e55c4af648b6bbb05c8928ea7c27e05f
Opcode Fuzzy Hash: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
Instruction Fuzzy Hash: EA014B7A201621EBE204DF54DC88EABB7ADEFD9761F20840DF60593241C721ED06CBB5

Function 004780B0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004780F3
wsprintfA.USER32 ref: 00478109

Strings

gfff, xrefs: 004780BB
%d.%d, xrefs: 00478103

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: wsprintf
String ID: %d.%d$gfff
API String ID: 2111968516-3773932281
Opcode ID: 8e8c266aac0714c827a588f384ce00f88d30fc83e169dec329d2ef4762e73f09
Instruction ID: 4807c717fc50ff9dbd82150fa6115f5432702bad775e5e75bde42d8daebb334b
Opcode Fuzzy Hash: 8e8c266aac0714c827a588f384ce00f88d30fc83e169dec329d2ef4762e73f09
Instruction Fuzzy Hash: E6F0E975B0035017CB5C9A2EBC1DE6B2E9AEBE9710F05C43EF449DB390D9608C15C26A

Function 004E4C1A Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004E4C58
SetBkColor.GDI32(00000000,00000000), ref: 004E4C64
GetSysColor.USER32(00000008), ref: 004E4C74
SetTextColor.GDI32(00000000,?), ref: 004E4C7E

Part of subcall function 004E8903: GetWindowLongA.USER32(00000000,000000F0), ref: 004E8914

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: be65ea5117bb95e7cf51987f3a53d56a1c20a717ef6d2fbdcf55e0cec44f0dbb
Instruction ID: 594a67815725ebd81619a940bdb06e86071e3c37bd709ba6d33e9e92c2ded885
Opcode Fuzzy Hash: be65ea5117bb95e7cf51987f3a53d56a1c20a717ef6d2fbdcf55e0cec44f0dbb
Instruction Fuzzy Hash: 6701A231001148AFEF215F66DD49BBF3B68AB48362F214522FA01D61E0C775DCA1C65A

Function 10014AB0 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 10014AE1
SendMessageA.USER32(?,000000E9,00000000), ref: 10014AF1
IsWindowVisible.USER32(?), ref: 10014B15
SendMessageA.USER32(?,000000E9,00000000), ref: 10014B25

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSendVisibleWindow
String ID:
API String ID: 3984873885-0
Opcode ID: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
Instruction ID: fc90fe054d96e1b13d9ec6b26fe80a5f78d3395466cc4f4aa367405a843ec8f6
Opcode Fuzzy Hash: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
Instruction Fuzzy Hash: 0D014F79104A12DFE660DB64CC84FE373E8EB18300F018919F6A6C7660C770E845CB64

Function 1001BDF0 Relevance: 6.0, APIs: 4, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001BDFC
SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BE12
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE30
InvalidateRect.USER32(?,00000000,00000001,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE3B

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: InvalidateMessagePropRectSendWindow
String ID:
API String ID: 1683571725-0
Opcode ID: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
Instruction ID: 61bc7c0cfe7dd8b66f4080b3c9d4250a00e71bb5cd075d56d4ab3ddb2b0c9d6c
Opcode Fuzzy Hash: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
Instruction Fuzzy Hash: FBF0E535342A21FBF6515758AC89FCE37A59F85B10F200001F700EA1D0CBE49A834B55

Function 100205F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 100205FB
ScreenToClient.USER32(?,?), ref: 1002060A
PtInRect.USER32(00000034,?,?), ref: 1002061E
CallWindowProcA.USER32(?,?,00000201,?,?), ref: 1002064D

Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
Part of subcall function 100201A0: CreateCompatibleDC.GDI32(00000000), ref: 100201D9
Part of subcall function 100201A0: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Rect$CompatibleCreateEnabledObjectSelect$BitmapCallClientCursorOffsetProcScreen
String ID:
API String ID: 3882218468-0
Opcode ID: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
Instruction ID: 9c0e68a1bfba51fb30c42bce227b29f8990f29df3688151d92ec8c3378a25188
Opcode Fuzzy Hash: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
Instruction Fuzzy Hash: C8F019B9210311AFE714DB54CD89D67B3E9FB88B00F50890DF58683650DB70F919CBA1

Function 10020690 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1002069B
ScreenToClient.USER32(?,?), ref: 100206AA
PtInRect.USER32(00000034,?,?), ref: 100206BE
CallWindowProcA.USER32(?,?,00000203,?,?), ref: 100206ED

Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
Part of subcall function 100201A0: CreateCompatibleDC.GDI32(00000000), ref: 100201D9
Part of subcall function 100201A0: CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 100201EA
Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: Window$Rect$CompatibleCreateEnabledObjectSelect$BitmapCallClientCursorOffsetProcScreen
String ID:
API String ID: 3882218468-0
Opcode ID: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
Instruction ID: 3f66a2042e15db7492eec8571bc4eccf41e5f2ab532cfb3c276876021694c1e2
Opcode Fuzzy Hash: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
Instruction Fuzzy Hash: AAF019B9200311AFE204DB54DD89D67B3EDFB88B00F10890DF58683650DB70F909CBA1

Function 10025C70 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000007F,00000002,00000000), ref: 10025C83
SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 10025C8E
GetClassLongA.USER32(?,000000F2), ref: 10025C97
SendMessageA.USER32(?,0000007F,00000001,00000000), ref: 10025CA7

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: MessageSend$ClassLong
String ID:
API String ID: 1264571673-0
Opcode ID: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
Instruction ID: 947a8f3f8a0cea30fb6e839a99a16b54cd066c6a9c51171dd670646b1ab2be3e
Opcode Fuzzy Hash: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
Instruction Fuzzy Hash: AEE0DF6A3453277DF11066269C02FAB328C8F91B91F224120FB04F50C4E2A6AD0306B8

Function 1001C740 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,1002C03C), ref: 1001C753
LockWindowUpdate.USER32(?,?,10025F1F,?,?), ref: 1001C76F
GetPropA.USER32(?,1002C03C), ref: 1001C781
LockWindowUpdate.USER32(00000000), ref: 1001C79E

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: LockPropUpdateWindow
String ID:
API String ID: 165959620-0
Opcode ID: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
Instruction ID: 7a3979f4e55717f4f8ab17c69277cc3bf6940b2a43d5fdf8dbe088e1ab8e3198
Opcode Fuzzy Hash: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
Instruction Fuzzy Hash: 1EF01738206625DBEB98DB21CC88FAA37E8EF40B91F168498F1099B1A1C770D881CF51

Function 004E89ED Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 004E89FA
GetWindowTextA.USER32(?,?,00000100), ref: 004E8A16
lstrcmpA.KERNEL32(?,?), ref: 004E8A2A
SetWindowTextA.USER32(?,?), ref: 004E8A3A

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: ba2e276ff309762aa0d97ea524c576b7a28cec05e62a650810c0a99581ca706f
Instruction ID: 0b9d025ba94cec374fd55a0235f362abbf3416fe8421c6b8098ee098b45e8810
Opcode Fuzzy Hash: ba2e276ff309762aa0d97ea524c576b7a28cec05e62a650810c0a99581ca706f
Instruction Fuzzy Hash: 39F01C71401118BBDF22AF25DD08AEE7B69FB18395F008136F849D5160DBB4DEA4DB98

Function 10024730 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
ShowWindow.USER32(?,?), ref: 10024751
ShowWindow.USER32(?,?), ref: 1002475B
ShowWindow.USER32(?,?), ref: 10024765

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
Instruction ID: fbebdeaf8877d8e39abbbfefd4f084f7c7d7f891781dffc730fc7a01b7582861
Opcode Fuzzy Hash: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
Instruction Fuzzy Hash: 28E092B6201750ABD224DAAACCC8D97F7ECFBCE711B50491EB259832008A75E801C774

Function 1001A700 Relevance: 6.0, APIs: 4, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(1002C484,1002C48C,00000000,?,?,1001928B), ref: 1001A715
GetProcAddress.KERNEL32(00000000), ref: 1001A71E
GetModuleHandleA.KERNEL32(1002C484,1002C468,?,?,1001928B), ref: 1001A72C
GetProcAddress.KERNEL32(00000000), ref: 1001A72F

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID:
API String ID: 1646373207-0
Opcode ID: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
Instruction ID: e5961c9c5a536ee549249fec62f5ee9ffd92b965adf733a9a8c24a5aa6594063
Opcode Fuzzy Hash: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
Instruction Fuzzy Hash: 58D05B766012186FD610FBF9AC98CA7F79CDD95551391452AF344D3111C7709C018BB0

Function 004689A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 004689D9

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 610771619868a6824f8aa604dd0bbf22c26b06d4e3b790c689fba797b4063b02
Instruction ID: fda60d9a9d629a814ff206ba213e8d539c9c547b15beed415399327fb65b8207
Opcode Fuzzy Hash: 610771619868a6824f8aa604dd0bbf22c26b06d4e3b790c689fba797b4063b02
Instruction Fuzzy Hash: 44517DB16043419FD318DF15C891A6BB7B4FB99758F10062EF94683390EB38E945CB5B

Function 004E87EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004E87F0
lstrcpynA.KERNEL32(00000000,?,?,?,00000000,?,?), ref: 004E885A

Strings

tZ, xrefs: 004E880D

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologlstrcpyn
String ID: tZ
API String ID: 588646068-618434692
Opcode ID: ad7b353118073c722ec739fe7d6dc91ffc0bf91937e00aad276e612a31d6a84b
Instruction ID: 564825a9839cdb9d97f591c4e57c0e917284af4e86b232c431d7ee5927a1aebc
Opcode Fuzzy Hash: ad7b353118073c722ec739fe7d6dc91ffc0bf91937e00aad276e612a31d6a84b
Instruction Fuzzy Hash: B4115B3250028AEBCB15DF9ACC55BEEBBB4BF14315F04852EF525972A1CB789A14CB14

Function 004E888B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004E8890
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 004E88FC

Strings

tZ, xrefs: 004E88B4

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: H_prologMessageSend
String ID: tZ
API String ID: 2337391251-618434692
Opcode ID: e4d31725922805bcc0bd39c6786b8dc538dd97d7864f96feabb499b14e302f23
Instruction ID: b8689549776274d345511f4052c7fb6ed91abc8c3afb82f23252b47393540f6f
Opcode Fuzzy Hash: e4d31725922805bcc0bd39c6786b8dc538dd97d7864f96feabb499b14e302f23
Instruction Fuzzy Hash: F401B171940218EBDB20DF95C805BAEBBA0FF04715F20850EF555AB2A1D7B49A01DB88

Function 100031A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 100031E6
RegisterClassExA.USER32 ref: 1000320D

Strings

0, xrefs: 100031BE

Memory Dump Source

Source File: 00000000.00000002.3887509029.0000000010000000.00000040.00001000.00020000.00000000.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3887509029.0000000010030000.00000040.00001000.00020000.00000000.sdmpDownload File
Associated: 00000000.00000002.3887509029.0000000010038000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_gZY58wycW0.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: 0
API String ID: 1693014935-4108050209
Opcode ID: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
Instruction ID: 197b4fdf75a9891b34d05670b40042e82415c0f2dfe413ea69ca17455c6e27b2
Opcode Fuzzy Hash: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
Instruction Fuzzy Hash: F501FBB44193619BE300CF18D45464BFFE4EF88754F804A1EF48596260D7B596498BCA

Function 004D873A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,004D8502,00000000,00000000,00000000,004D0C03,00000000,00000000,?,00000000,00000000,00000000), ref: 004D8762
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004D8502,00000000,00000000,00000000,004D0C03,00000000,00000000,?,00000000,00000000,00000000), ref: 004D8796
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004D87B0
HeapFree.KERNEL32(00000000,?), ref: 004D87C7

Memory Dump Source

Source File: 00000000.00000002.3885834902.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3885805711.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3885956981.00000000004F2000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886036017.000000000058C000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886067536.000000000058E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886099990.0000000000590000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886143621.00000000005A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005B7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005C6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005D9000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886187805.00000000005DF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3886395884.00000000005E1000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_gZY58wycW0.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 2a56720718a623c8c8517dfa4208f85d7a076d415b27a06104b5e280f4d908ba
Instruction ID: d2b3a51190c8bf2107fab2111420f29b629a7d0675f8aa36bc213502443721ee
Opcode Fuzzy Hash: 2a56720718a623c8c8517dfa4208f85d7a076d415b27a06104b5e280f4d908ba
Instruction Fuzzy Hash: 7D113A71602601AFD7318F29ECA5A267BF5FBA4B20760492FF552C62B0C771985AEB04

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete or modify artifacts generated within systems to remove evidence of their presence or hinder defenses. Various artifacts may be created by an adversary or something that can be attributed to an adversary’s actions. Typically these artifacts are used as defensive indicators related to monitored events, such as strings from downloaded files, logs that are generated from user actions, and other data analyzed by defenders. Location, format, and type of artifact (such as command or login history) are often specific to each platform.
Tactics:	Defense Evasion
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Deletion, File: File Metadata, File: File Modification, Firewall: Firewall Rule Modification, Network Traffic: Network Traffic Content, Process: OS API Execution, Process: Process Creation, Scheduled Job: Scheduled Job Modification, User Account: User Account Authentication, User Account: User Account Deletion, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, Google Workspace, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system.Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report gZY58wycW0.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Windows Analysis Report
gZY58wycW0.exe

Function 004544C0 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Function 004E3120 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Function 00442D80 Relevance: 24.9, APIs: 10, Strings: 4, Instructions: 430
COMMON

Function 0043F780 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 372
COMMON

Function 10017090 Relevance: 21.2, APIs: 14, Instructions: 162
COMMON

Function 004A4D70 Relevance: 19.9, APIs: 13, Instructions: 371
windowCOMMON

Function 0045B270 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Function 0047AB70 Relevance: 19.6, APIs: 7, Strings: 4, Instructions: 370
commemorythreadCOMMON

Function 004E2F45 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Function 004EAC26 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 0043F2D0 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 267
windowCOMMON

Function 00457ED0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Function 00449A80 Relevance: 13.8, APIs: 9, Instructions: 278
COMMON

Function 0044ACF0 Relevance: 13.8, APIs: 9, Instructions: 259
COMMON

Function 004DD28B Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 241
fileCOMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre