Edit tour

Windows Analysis Report
d3r1KVj317.exe

Overview

General Information

Sample name:	d3r1KVj317.exe renamed because original name is a hash value
Original sample name:	d5062f9d7dcb69516a2d2af3fb5a0c8d.exe
Analysis ID:	1520465
MD5:	d5062f9d7dcb69516a2d2af3fb5a0c8d
SHA1:	5991f840b94f7855262e4f85ee3bc2faf1a72a9e
SHA256:	abf5bda7c2cf8a0f7b57b9e0abecee531818144c30d0f11a68b794cd2c3a6371
Tags:	exeuser-abuse_ch
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality to call native functions

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Potential key logger detected (key state polling based)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

d3r1KVj317.exe (PID: 5596 cmdline: "C:\Users\user\Desktop\d3r1KVj317.exe" MD5: D5062F9D7DCB69516A2D2AF3FB5A0C8D)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: d3r1KVj317.exe

ReversingLabs: Detection: 57%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 93.0% probability

Machine Learning detection for sample

Source: d3r1KVj317.exe

Joe Sandbox ML: detected

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

0_2_00695CBB

Source: global traffic

TCP traffic: 192.168.2.8:49704 -> 112.74.185.5:8099

Source: Joe Sandbox View

IP Address: 112.74.185.5 112.74.185.5

Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5
Source: unknown	TCP traffic detected without corresponding DNS query: 112.74.185.5

Source: d3r1KVj317.exe	String found in binary or memory: http://112.74.185.5/3R%E6%8A%80%E6%9C%AF.exe
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predict
Source: d3r1KVj317.exe	String found in binary or memory: http://api.ttshitu.com/predictto16unfunction
Source: d3r1KVj317.exe	String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_0069A5D9 GetKeyState,GetKeyState,GetKeyState,GetKeyState,

0_2_0069A5D9

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021370 GetPropA,NtdllDefWindowProc_A,IsWindowVisible,ShowWindow,NtdllDefWindowProc_A,NtdllDefWindowProc_A,SendMessageA,	0_2_10021370
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D8E0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_1001D8E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10007A30 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10007A30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006210 IsWindowEnabled,SendMessageA,SendMessageA,SendMessageA,IsZoomed,SendMessageA,NtdllDefWindowProc_A,	0_2_10006210
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100062B0 IsWindowEnabled,SendMessageA,NtdllDefWindowProc_A,	0_2_100062B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008310 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,	0_2_10008310
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001D330 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001D330
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10009340 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_10009340
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006350 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006350
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000C3F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,InvalidateRect,CallWindowProcA,CallWindowProcA,GetCursorPos,GetWindowRect,PtInRect,CallWindowProcA,	0_2_1000C3F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000E440 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000E440
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100214B0 GetPropA,NtdllDefWindowProc_A,	0_2_100214B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004510 NtdllDefWindowProc_A,	0_2_10004510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006560 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10006560
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10011630 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,CallWindowProcA,	0_2_10011630
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008710 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,GetParent,	0_2_10008710
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000F750 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000F750
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014790 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10014790
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001E7F0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001E7F0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001C800 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1001C800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100048E0 NtdllDefWindowProc_A,	0_2_100048E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005900 IsWindowEnabled,EnableWindow,NtdllDefWindowProc_A,	0_2_10005900
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10005940 GetCursorPos,GetWindowRect,PtInRect,PtInRect,PtInRect,PtInRect,PtInRect,KillTimer,NtdllDefWindowProc_A,	0_2_10005940
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000DA90 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000DA90
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012AD0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012AD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10020B70 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10020B70
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000CBC0 GetPropA,NtdllDefWindowProc_A,	0_2_1000CBC0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004BD0 NtdllDefWindowProc_A,	0_2_10004BD0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10012BF0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10012BF0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008CB0 GetPropA,NtdllDefWindowProc_A,	0_2_10008CB0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10008D40 GetPropA,RemovePropA,CallWindowProcA,NtdllDefWindowProc_A,	0_2_10008D40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000FD50 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_1000FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FD50 GetPropA,GetPropA,NtdllDefWindowProc_A,FindWindowExA,GetPropA,GetWindowRect,	0_2_1001FD50
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10013DA0 GetPropA,NtdllDefWindowProc_A,CallWindowProcA,	0_2_10013DA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002E40 NtdllDefWindowProc_A,	0_2_10002E40
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10014EA0 GetPropA,NtdllDefWindowProc_A,	0_2_10014EA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1001FEA0 GetPropA,NtdllDefWindowProc_A,InvalidateRect,CallWindowProcA,	0_2_1001FEA0

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00697B51	0_2_00697B51
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E0030	0_2_005E0030
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005EB300	0_2_005EB300
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005413CE	0_2_005413CE
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006843A0	0_2_006843A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C1450	0_2_005C1450
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00609480	0_2_00609480
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0068C536	0_2_0068C536
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00670510	0_2_00670510
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006905EA	0_2_006905EA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006655A0	0_2_006655A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005FE680	0_2_005FE680
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005C36B0	0_2_005C36B0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_005E88A0	0_2_005E88A0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00539A7D	0_2_00539A7D
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017540	0_2_10017540
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10003970	0_2_10003970
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10002250	0_2_10002250
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100293A1	0_2_100293A1
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000B6E0	0_2_1000B6E0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10028B99	0_2_10028B99
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10017BA0	0_2_10017BA0
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_1000EDA0	0_2_1000EDA0

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 004010F2 appears 138 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00685E68 appears 73 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 100260E2 appears 34 times
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: String function: 00401156 appears 99 times

Source: d3r1KVj317.exe, 00000000.00000000.1468315195.000000000078B000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe, 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmp	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe
Source: d3r1KVj317.exe	Binary or memory string: OriginalFilenameSkinH_EL.dll vs d3r1KVj317.exe

Source: d3r1KVj317.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal56.winEXE@1/2@0/1

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_006A3073 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun,

0_2_006A3073

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00696385 __EH_prolog,FindResourceA,LoadResource,LockResource,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,

0_2_00696385

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Jump to behavior

Source: d3r1KVj317.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\Config.ini

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: d3r1KVj317.exe

ReversingLabs: Detection: 57%

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File read: C:\Users\user\Desktop\d3r1KVj317.exe

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: odbc32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: msvfw32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: dciman32.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File written: C:\Users\user\Desktop\Config.ini

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window found: window name: SysTabControl32

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Window detected: Number of UI elements: 144

Source: d3r1KVj317.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: d3r1KVj317.exe

Static file information: File size 5066752 > 1048576

Source: d3r1KVj317.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2ad000
Source: d3r1KVj317.exe	Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x1e5000

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_005DF2B0

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404291 push eax; retf 005Bh	0_2_00404292
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_004033A9 push eax; retf 005Bh	0_2_004033AA
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0040344E push eax; retf 005Bh	0_2_0040344F
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00403487 push eax; retf 005Bh	0_2_00403488
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_006836F0 push eax; ret	0_2_0068371E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00406756 push eax; retf 005Bh	0_2_00406757
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404960 push eax; retf 005Bh	0_2_00404961
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404927 push eax; retf 005Bh	0_2_00404928
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00404DD6 push ss; ret	0_2_00404DD9
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_00685E68 push eax; ret	0_2_00685E86
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10026100 push eax; ret	0_2_1002612E
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100209F7 pushfd ; mov dword ptr [esp], edx	0_2_100209F9

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\d3r1KVj317.exe

File created: C:\Users\user\Desktop\SkinH_EL.dll

Jump to dropped file

Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_0067D2A3 IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0067D2A3
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10004E30 IsWindowVisible,GetWindowRect,SelectObject,SelectObject,SetBkMode,SelectObject,SetTextColor,DrawIconEx,GetWindowTextA,DrawTextA,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,SelectObject,DeleteDC,SelectObject,DeleteObject,	0_2_10004E30
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10006010 IsWindowEnabled,SendMessageA,SendMessageA,GetWindowRect,IsRectEmpty,PtInRect,PtInRect,GetSystemMenu,GetMenuState,SendMessageA,NtdllDefWindowProc_A,PtInRect,IsIconic,PtInRect,IsZoomed,PtInRect,PtInRect,GetWindowRect,	0_2_10006010
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10023070 IsWindowVisible,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsRectEmpty,IsZoomed,IsRectEmpty,GetSystemMenu,GetMenuState,IsRectEmpty,SetBkMode,IsRectEmpty,IsRectEmpty,IsRectEmpty,IsIconic,IsRectEmpty,IsZoomed,IsRectEmpty,	0_2_10023070
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10025780 IsIconic,IsZoomed,IsRectEmpty,IsWindowVisible,	0_2_10025780
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_10021800 IsZoomed,SendMessageA,IsIconic,SendMessageA,SendMessageA,GetSystemMenu,GetMenuState,SendMessageA,SendMessageA,KillTimer,GetMenuItemID,SendMessageA,CallWindowProcA,	0_2_10021800
Source: C:\Users\user\Desktop\d3r1KVj317.exe	Code function: 0_2_100098B0 GetPropA,NtdllDefWindowProc_A,KillTimer,IsWindowVisible,IsIconic,SetTimer,	0_2_100098B0

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Dropped PE file which has not been started: C:\Users\user\Desktop\SkinH_EL.dll

Jump to dropped file

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Evasive API call chain: GetSystemTime,DecisionNodes

graph_0-81209

Source: C:\Users\user\Desktop\d3r1KVj317.exe

API coverage: 8.5 %

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00695CBB __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,

0_2_00695CBB

Source: d3r1KVj317.exe, 00000000.00000002.2729506189.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005DF2B0 GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,

0_2_005DF2B0

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_005C4160 GetProcessHeap,RtlAllocateHeap,

0_2_005C4160

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00685820 GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_00685820

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_0068F4DC GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0068F4DC

Source: C:\Users\user\Desktop\d3r1KVj317.exe

Code function: 0_2_00697B51 __EH_prolog,GetVersion,

0_2_00697B51

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	21 Obfuscated Files or Information	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Software Packing	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
d3r1KVj317.exe	58%	ReversingLabs	Win32.Infostealer.Tinba
d3r1KVj317.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\SkinH_EL.dll	5%	ReversingLabs

Name	Source	Malicious	Reputation
http://112.74.185.5/3R%E6%8A%80%E6%9C%AF.exe	d3r1KVj317.exe	false	unknown
http://www.eyuyan.com)DVarFileInfo$	d3r1KVj317.exe	false	unknown
http://api.ttshitu.com/predict	d3r1KVj317.exe	false	unknown
http://api.ttshitu.com/predictto16unfunction	d3r1KVj317.exe	false	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
112.74.185.5	unknown	China		37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1520465
Start date and time:	2024-09-27 11:28:46 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	d3r1KVj317.exe renamed because original name is a hash value
Original Sample Name:	d5062f9d7dcb69516a2d2af3fb5a0c8d.exe
Detection:	MAL
Classification:	mal56.winEXE@1/2@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 60% Number of executed functions: 73 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
VT rate limit hit for: d3r1KVj317.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
112.74.185.5	pIbH4cYnMl.exe	Get hash	malicious	Unknown	Browse	112.74.185.5/AMS.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	http://aa5aa5aa5aa5aa44.app/	Get hash	malicious	Unknown	Browse	59.82.132.217
	http://hbyczyz.com/xrr	Get hash	malicious	Unknown	Browse	47.108.5.198
	http://www.tpckn.app/	Get hash	malicious	Unknown	Browse	203.107.62.140
	http://alibinaadi.com/.well-known/alibaba/Alibaba/index.php	Get hash	malicious	Unknown	Browse	59.82.33.225
	cjg7obu8xR.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	cjg7obu8xR.exe	Get hash	malicious	Unknown	Browse	112.74.185.5
	http://promo1.spik.ru/CN/	Get hash	malicious	HTMLPhisher	Browse	59.82.132.149
	https://oxbike-br.com/XRpb24t/zc2liaWx/	Get hash	malicious	HTMLPhisher	Browse	59.82.33.225
	http://wwwhd4480.com/	Get hash	malicious	Unknown	Browse	106.11.43.113
	GvQcD0PvEH.exe	Get hash	malicious	Unknown	Browse	47.117.76.6

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\Desktop\SkinH_EL.dll	wTe1JnpD30.exe	Get hash	malicious	Unknown	Browse
	RCepXxJiXT.exe	Get hash	malicious	Unknown	Browse
	#U8bbe#U7f6e.exe	Get hash	malicious	Unknown	Browse
	#U7389#U5154#U542f#U52a8#U5668.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.PUP-gen.2847.28870.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BackDoor.BlackHole.20333.28463.12775.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.BackDoor.BlackHole.20333.28463.12775.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.480.9036.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Evo-gen.480.9036.dll	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.FileRepMalware.17429.29089.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\Desktop\Config.ini

Download File

Process:	C:\Users\user\Desktop\d3r1KVj317.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	254
Entropy (8bit):	5.783477328385473
Encrypted:	false
SSDEEP:	3:pJKAKV6rFI/VCzY2lpgXiZVNXa7aftISbJuok2ubmJkPbmrvh2gtTE7bYU2/OUtG:pEAKVW82nsSVlUEqAklJb4UN7b5tUqjv
MD5:	45FFD29B9717D7CF91EF2460E28F5811
SHA1:	358ED2315324EFB383156349E042F860B006B334
SHA-256:	F0001973A941E220B9C4D4042EF40E69EA4AADDE52BAECD175D40C96D2BF1CC3
SHA-512:	107C06983AE93B368B7D5477B0E1D307E94D57CA20C6A0AC8F9BD584C643C618A162F3BE442DA77AE21795D90C145BEF3F19DF86988DD8A884F863248BC2A2AA
Malicious:	false
Reputation:	low
Preview:	[Config].........=.........=........=.........=.........->...->...................................=..........................................................=........=.............................................=..

C:\Users\user\Desktop\SkinH_EL.dll

Download File

Process:	C:\Users\user\Desktop\d3r1KVj317.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	88576
Entropy (8bit):	7.934132664312091
Encrypted:	false
SSDEEP:	1536:s5Np2dgZgIehUUS3E1Ujmrvl179D53UWnGQRJZiXRmrCnKptnouy8K:s5Np2dlUX0+Cx17F8QRJZKmOK3outK
MD5:	147127382E001F495D1842EE7A9E7912
SHA1:	92D1ED56032183C75D4B57D7CE30B1C4AE11DC9B
SHA-256:	EDF679C02EA2E170E67AB20DFC18558E2BFB4EE5D59ECEEAEA4B1AD1A626C3CC
SHA-512:	97F5AE90A1BBACFE39B9E0F2954C24F9896CC9DCA9D14364C438862996F3BBC04A4AA515742FCCB3679D222C1302F5BB40C7EADDD6B5859D2D6EF79490243A4D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 5%
Joe Sandbox View:	Filename: wTe1JnpD30.exe, Detection: malicious, Browse Filename: RCepXxJiXT.exe, Detection: malicious, Browse Filename: #U8bbe#U7f6e.exe, Detection: malicious, Browse Filename: #U7389#U5154#U542f#U52a8#U5668.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PUP-gen.2847.28870.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.BackDoor.BlackHole.20333.28463.12775.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.BackDoor.BlackHole.20333.28463.12775.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.480.9036.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Evo-gen.480.9036.dll, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.17429.29089.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........q..."..."...".."..."u."..."..."...".."..."..."Y.."u."..."%."..."u."..."Rich..."........PE..L...`..J...........!.....P.......`..p....p..................................................................................H...........H...........................................................................................................UPX0.....`..............................UPX1.....P...p...L..................@....rsrc................P..............@..............................................................................................................................................................................................................................................................................................................................................................................................................3.03.UPX!....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.646661372611354
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	d3r1KVj317.exe
File size:	5'066'752 bytes
MD5:	d5062f9d7dcb69516a2d2af3fb5a0c8d
SHA1:	5991f840b94f7855262e4f85ee3bc2faf1a72a9e
SHA256:	abf5bda7c2cf8a0f7b57b9e0abecee531818144c30d0f11a68b794cd2c3a6371
SHA512:	4d7d926e31ea2eb75e61d2e40e09dea3944a67195b245818aa450baf8e3d9983b5e7583726a65b386566d3a8dd0abc93be2576c4467dc78abfcc9a3dd24cbe8b
SSDEEP:	98304:ApyetVxRosZ4Y113f7MhfJBx/FqZVUzSnGYqdwkLcHHnit:ApyetVxRosZBXmjjAny
TLSH:	04366C13E351C5F0F55400B092BA87745E79B274AC26ABB7E7A0EDF50D39A70EA2321D
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$............u...u...u...j...u...j...u..8i...u...i...u..<i...u...j...u..8}...u...u..pw...j...u...S..gu...S..(u..Sj..>u..Sj...u...u...u.

File Icon


Icon Hash:	1370c6443191c913

Static PE Info

General

Entrypoint:	0x682114
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x66F534B4 [Thu Sep 26 10:17:24 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6484a6f708fa37c8c0be3e0080079152

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 0087F2F8h
push 00685028h
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [006AE1D4h]
xor edx, edx
mov dl, ah
mov dword ptr [009093B4h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [009093B0h], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [009093ACh], ecx
shr eax, 10h
mov dword ptr [009093A8h], eax
push 00000001h
call 00007F95585063AFh
pop ecx
test eax, eax
jne 00007F955850010Ah
push 0000001Ch
call 00007F95585001C8h
pop ecx
call 00007F955850615Ah
test eax, eax
jne 00007F955850010Ah
push 00000010h
call 00007F95585001B7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F9558505F88h
call dword ptr [006AE3F8h]
mov dword ptr [0090E604h], eax
call 00007F9558505E46h
mov dword ptr [0090931Ch], eax
call 00007F9558505BEFh
call 00007F9558505B31h
call 00007F9558504D23h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [006AE254h]
call 00007F9558505AC2h
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F9558500108h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[IMP] VS97 (5.0) SP3 link 5.10.7303
[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x48fc98	0x140	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x50f000	0x23b38	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2ae000	0x8e8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2ac90e	0x2ad000	02dfb899d0327e6a801389e013810c9a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x2ae000	0x1e47b6	0x1e5000	b58fbc5c04292366b79db08ae328c802	False	0.6536364368556701	data	7.059576649278061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x493000	0x7b60a	0x1e000	afc0d678454b5e5d7499465da58b735d	False	0.2856526692708333	data	4.909418642025077	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x50f000	0x23b38	0x24000	472f9c590c8d2b95a062c7777213b9e2	False	0.3845350477430556	data	4.7411316564765045	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0x50ffd0	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0x50ffdc	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0x50fff4	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0x510148	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0x51027c	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0x5103b0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0x5104e4	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0x510598	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.3598901098901099
RT_BITMAP	0x510704	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0x51094c	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0x510a90	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0x510be8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0x510d40	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0x510e98	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0x510ff0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0x511148	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0x5112a0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0x5113f8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0x511550	0x1b4	Device independent bitmap graphic, 11 x 11 x 24, image size 396	Chinese	China	0.18577981651376146
RT_BITMAP	0x511704	0x1b4	Device independent bitmap graphic, 11 x 11 x 24, image size 396	Chinese	China	0.11009174311926606
RT_BITMAP	0x5118b8	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0x511e9c	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0x511f54	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0x5120c0	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0x512204	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0x5124ec	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0x512614	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152			0.36829268292682926
RT_ICON	0x512c7c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512			0.4717741935483871
RT_ICON	0x512f64	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128			0.5844594594594594
RT_ICON	0x51308c	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors			0.4904051172707889
RT_ICON	0x513f34	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors			0.605595667870036
RT_ICON	0x5147dc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors			0.38583815028901736
RT_ICON	0x514d44	0x71cd	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			0.9972539731575876
RT_ICON	0x51bf14	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584			0.15263811664497812
RT_ICON	0x52c73c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600			0.2765560165975104
RT_ICON	0x52ece4	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224			0.33606941838649157
RT_ICON	0x52fd8c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088			0.4698581560283688
RT_MENU	0x5301f4	0xc	data	Chinese	China	1.5
RT_MENU	0x530200	0x284	data	Chinese	China	0.5
RT_DIALOG	0x530484	0x20	data	Chinese	China	0.84375
RT_DIALOG	0x5304a4	0x102	data	Chinese	China	0.751937984496124
RT_DIALOG	0x5305a8	0x1aa	data	Chinese	China	0.4859154929577465
RT_DIALOG	0x530754	0x41e	data	Chinese	China	0.349146110056926
RT_DIALOG	0x530b74	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0x530c0c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0x530d88	0xfa	data	Chinese	China	0.696
RT_DIALOG	0x530e84	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0x530f70	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0x531820	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0x5318d4	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0x5319a0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0x531a54	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0x531b38	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0x531cc4	0x70	data	Chinese	China	0.45535714285714285
RT_STRING	0x531d34	0x50	data	Chinese	China	0.85
RT_STRING	0x531d84	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0x531db0	0x78	data	Chinese	China	0.925
RT_STRING	0x531e28	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0x531fec	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0x532118	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0x532260	0x40	data	Chinese	China	0.65625
RT_STRING	0x5322a0	0x64	data	Chinese	China	0.73
RT_STRING	0x532304	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0x5324dc	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0x5325f0	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0x532614	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x532628	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0x53263c	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0x532660	0xa0	data			0.6375
RT_GROUP_ICON	0x532700	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0x532714	0x14	data	Chinese	China	1.25
RT_VERSION	0x532728	0x240	data	Chinese	China	0.5746527777777778
RT_MANIFEST	0x532968	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
RASAPI32.dll	RasHangUpA, RasGetConnectStatusA
WINMM.dll	midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutRestart, waveOutUnprepareHeader, waveOutPrepareHeader, waveOutWrite, waveOutPause, waveOutReset, waveOutClose, midiStreamStop, midiOutReset, midiStreamClose, midiStreamRestart, waveOutGetNumDevs
WS2_32.dll	select, recv, connect, ioctlsocket, recvfrom, send, closesocket, WSAAsyncSelect, htons, ntohl, accept, getpeername, WSACleanup, socket, WSAStartup, gethostbyname, inet_ntoa, inet_addr
KERNEL32.dll	GetWindowsDirectoryA, GetSystemDirectoryA, GetVersion, OpenProcess, CreateMutexA, ReleaseMutex, SuspendThread, GetStringTypeW, GetStringTypeA, SetUnhandledExceptionFilter, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetFileType, SetStdHandle, GetACP, HeapSize, RaiseException, GetLocalTime, GetSystemTime, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GetProfileIntA, GlobalFlags, GetCurrentThread, GetFileTime, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, TlsAlloc, LocalAlloc, lstrcmpA, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, DuplicateHandle, lstrcpynA, FileTimeToLocalFileTime, FormatMessageA, LocalFree, InterlockedDecrement, InterlockedIncrement, TerminateProcess, GetCurrentProcess, GetFileSize, SetFilePointer, CreateToolhelp32Snapshot, Process32First, Process32Next, FileTimeToSystemTime, SetLastError, GetTimeZoneInformation, TerminateThread, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, lstrlenW, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, GetUserDefaultLCID, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, GetTempPathA, FindFirstFileA, FindClose, SetFileAttributesA, GetFileAttributesA, DeleteFileA, CopyFileA, CreateDirectoryA, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, MulDiv, GetCommandLineA, GetTickCount, CreateProcessA, WaitForSingleObject, CloseHandle, CompareStringA, CompareStringW, IsBadReadPtr, IsBadCodePtr, InterlockedExchange
USER32.dll	FindWindowA, GetWindowThreadProcessId, GetClassNameA, GetDesktopWindow, FrameRect, GetDoubleClickTime, GetCursor, ClipCursor, GrayStringA, DrawTextA, TabbedTextOutA, SetWindowTextA, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSysColorBrush, LoadStringA, wvsprintfA, GetMenuCheckMarkDimensions, GetMenuState, SetMenuItemBitmaps, CheckMenuItem, MoveWindow, IsDialogMessageA, ScrollWindowEx, GetDlgItem, SendDlgItemMessageA, MapWindowPoints, AdjustWindowRectEx, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture, SetCapture, GetScrollRange, SetScrollRange, SetScrollPos, SetRect, InflateRect, IntersectRect, DestroyIcon, PtInRect, OffsetRect, IsWindowVisible, EnableWindow, RedrawWindow, GetWindowLongA, SetWindowLongA, GetSysColor, SetActiveWindow, SetCursorPos, LoadCursorA, SetCursor, GetDC, FillRect, InvertRect, IsRectEmpty, ScrollDC, ReleaseDC, IsChild, DestroyMenu, SetForegroundWindow, GetWindowRect, EqualRect, UpdateWindow, ValidateRect, InvalidateRect, GetClientRect, GetFocus, GetParent, GetTopWindow, PostMessageA, IsWindow, SetParent, DestroyCursor, SendMessageA, SetWindowPos, MessageBeep, MessageBoxA, GetCursorPos, GetSystemMetrics, IsClipboardFormatAvailable, EmptyClipboard, SetClipboardData, OpenClipboard, GetClipboardData, CloseClipboard, wsprintfA, WaitForInputIdle, GetWindowTextA, UnregisterClassA, GetForegroundWindow, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, RegisterClassA, GetScrollPos, ShowScrollBar, SetScrollInfo, GetScrollInfo, ScrollWindow
GDI32.dll	ExtSelectClipRgn, EndPath, PathToRegion, CreateEllipticRgn, CopyMetaFileA, GetViewportExtEx, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBrushIndirect, CreateHatchBrush, CreateBitmap, CreatePatternBrush, SelectObject, CreatePen, PatBlt, CombineRgn, CreateRectRgn, FillRgn, CreateSolidBrush, CreateFontIndirectA, GetStockObject, GetObjectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, SetPixelV, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, Pie, Chord, Arc, Polygon, GetTextExtentPoint32A, GetDeviceCaps, SelectPalette, StretchBlt, CreatePalette, GetSystemPaletteEntries, CreateDIBitmap, DeleteObject, SelectClipRgn, CreatePolygonRgn, GetClipRgn, SetStretchBltMode, CreateRectRgnIndirect, SetBkColor, PtVisible, RectVisible, TextOutA, ExtTextOutA, GetTextMetricsA, Escape, AbortDoc, CreateFontA, SetBrushOrgEx, BeginPath, GetWindowOrgEx, GetViewportOrgEx, GetWindowExtEx, GetDIBits, ExcludeClipRect, MoveToEx, GetStretchBltMode, LineTo, GetClipBox, ScaleWindowExtEx, SetWindowExtEx, OffsetWindowOrgEx, SetWindowOrgEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SetMapMode, SetTextColor, SetROP2, SetPolyFillMode, SetBkMode, RestoreDC, SaveDC, RealizePalette
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	RegCloseKey, RegQueryValueExA, RegOpenKeyExA, RegSetValueExA, RegCreateKeyA, RegQueryValueA, RegCreateKeyExA
SHELL32.dll	SHGetSpecialFolderPathA, Shell_NotifyIconA, ShellExecuteA
ole32.dll	CoTaskMemAlloc, OleDuplicateData, RevokeDragDrop, CoLockObjectExternal, DoDragDrop, OleGetClipboard, OleFlushClipboard, OleRun, CoCreateInstance, CreateStreamOnHGlobal, CLSIDFromString, OleUninitialize, OleInitialize, OleSetClipboard, CoTaskMemFree, ReleaseStgMedium, CLSIDFromProgID, OleIsCurrentClipboard
OLEAUT32.dll	SafeArrayGetElement, SysFreeString, SysStringLen, VarDateFromStr, UnRegisterTypeLib, GetActiveObject, LoadTypeLib, LHashValOfNameSys, RegisterTypeLib, SafeArrayPutElement, SafeArrayCreate, SafeArrayDestroy, SysAllocString, VariantInit, SafeArrayAccessData, SafeArrayUnaccessData, SafeArrayGetDim, SafeArrayGetLBound, SafeArrayGetUBound, VariantChangeType, VariantClear, VariantCopy, VariantCopyInd
ODBC32.dll
COMCTL32.dll	ImageList_AddMasked, ImageList_Draw, ImageList_Destroy, ImageList_Create, ImageList_Read, ImageList_SetBkColor, ImageList_GetImageCount, ImageList_GetImageInfo, ImageList_Duplicate
WININET.dll	InternetCloseHandle
comdlg32.dll	GetOpenFileNameA, ChooseColorA, ChooseFontA, GetFileTitleA, GetSaveFileNameA, PrintDlgA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 27, 2024 11:29:49.011063099 CEST	49704	8099	192.168.2.8	112.74.185.5
Sep 27, 2024 11:29:49.016021013 CEST	8099	49704	112.74.185.5	192.168.2.8
Sep 27, 2024 11:29:49.016109943 CEST	49704	8099	192.168.2.8	112.74.185.5
Sep 27, 2024 11:29:49.016779900 CEST	49704	8099	192.168.2.8	112.74.185.5
Sep 27, 2024 11:29:49.021960974 CEST	8099	49704	112.74.185.5	192.168.2.8
Sep 27, 2024 11:29:49.934381962 CEST	8099	49704	112.74.185.5	192.168.2.8
Sep 27, 2024 11:29:49.983678102 CEST	49704	8099	192.168.2.8	112.74.185.5

Target ID:	0
Start time:	05:29:46
Start date:	27/09/2024
Path:	C:\Users\user\Desktop\d3r1KVj317.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\d3r1KVj317.exe"
Imagebase:	0x400000
File size:	5'066'752 bytes
MD5 hash:	D5062F9D7DCB69516A2D2AF3FB5A0C8D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.9%
Total number of Nodes:	1848
Total number of Limit Nodes:	102

Executed Functions

Function 10004E30 Relevance: 33.6, APIs: 22, Instructions: 562
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowRect.USER32(?,?), ref: 10004E5F
SelectObject.GDI32(00000000,?), ref: 10004FDD
SetBkMode.GDI32(00000000,00000001), ref: 10004FE6

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Part of subcall function 100055A0: GetWindowRect.USER32(?,?), ref: 100055C2
Part of subcall function 100055A0: SetRect.USER32(?,00000000,00000000,?,0000001D), ref: 100055E3
Part of subcall function 100055A0: GetWindowLongA.USER32(?,000000F0), ref: 100055EF

SelectObject.GDI32(00000000,?), ref: 10005076
SetTextColor.GDI32(00000000,00FFFFFF), ref: 1000507F
DrawIconEx.USER32(00000000,?,?,?,?,?,00000000,00000000,00000003), ref: 100050B7
GetWindowTextA.USER32(?,?,00000400), ref: 10005127
DrawTextA.USER32(00000000,?,?,?,00040024), ref: 10005150
IsRectEmpty.USER32(?), ref: 10005179
IsIconic.USER32(?), ref: 1000518B
IsRectEmpty.USER32(?), ref: 1000525E
IsZoomed.USER32(?), ref: 10005270
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10005398
GetMenuState.USER32(00000000), ref: 1000539F
IsRectEmpty.USER32(?), ref: 1000543D
SetBkMode.GDI32(00000000,00000001), ref: 1000544A
SelectObject.GDI32(00000000,?), ref: 100054D5
DeleteDC.GDI32(00000000), ref: 100054DC
SelectObject.GDI32(00000000,?), ref: 100054F5
DeleteObject.GDI32(00000000), ref: 10005557

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Object$SelectWindow$EmptyText$DeleteDrawMenuMode$74001530ColorIconIconicLongStateSystemZoomed
String ID:
API String ID: 1340932111-0
Opcode ID: 74803d5d351751038353616b3efeb5d9278749a19af42b1450ece1d2114deb8e
Instruction ID: 250533d8752f0109e71349a667642d75282f207753a39658d14e2e8158d14daf
Opcode Fuzzy Hash: 74803d5d351751038353616b3efeb5d9278749a19af42b1450ece1d2114deb8e
Instruction Fuzzy Hash: DF227B79240205AFF324CB64CC89FAB77A9FF84745F20491CF95A87295EA71B906CB60

Function 10017540 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

??2@YAPAXI@Z.MSVCRT(00000000,00000000), ref: 100175E4
??3@YAXPAX@Z.MSVCRT(00000000,?,?,?,?,?,00000000), ref: 10017607
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10017695
??3@YAXPAX@Z.MSVCRT(00000000,?,-00000001,00000000), ref: 100176E6

Strings

s, xrefs: 10017B4B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$??2@
String ID: s
API String ID: 4113381792-453955339
Opcode ID: bf304b2523dd7e7a9fcd96391148d76558a07603fedb0a44f7bae8e4334ac867
Instruction ID: 33afa64b527c78f8bd4c2c7d176e8c765b8c94169a76a89671ef6ae364567c8b
Opcode Fuzzy Hash: bf304b2523dd7e7a9fcd96391148d76558a07603fedb0a44f7bae8e4334ac867
Instruction Fuzzy Hash: 8502D0756002488FDB28CF14D890BEA77E2FB88310F59857DED0A5F381DB75AA45CB91

Function 10003970 Relevance: 20.3, APIs: 13, Instructions: 806COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000008,?,1002CDA8,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020), ref: 100039AB
??2@YAPAXI@Z.MSVCRT(?,00000008,?,1002CDA8,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020), ref: 100039BD
PtInRegion.GDI32(?,00000000,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020), ref: 10003A4F
PtInRegion.GDI32(?,?,00000000,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020), ref: 10003AB3
??2@YAPAXI@Z.MSVCRT(00000008,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020,00000008), ref: 10003B14
??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020,00000008), ref: 10003C36
_ftol.MSVCRT ref: 10003D2F
OffsetRgn.GDI32(?,00000008,00000008), ref: 10004038
PtInRegion.GDI32(?,-00000001,00000009,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000), ref: 100041D4
??3@YAXPAX@Z.MSVCRT(?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020,00000008), ref: 1000428E
??3@YAXPAX@Z.MSVCRT(?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020,00000020), ref: 10004298
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000,00000020), ref: 100042A2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00000000,1002CDC8,?,?,?,?,?,?,100032B1,02820000,00000000), ref: 100042AC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@??3@$Region$Offset_ftol
String ID:
API String ID: 2490806229-0
Opcode ID: 5ee772813303892243ec62a05ff9d7b80bfa317d3e0f66a58c869604295b2c38
Instruction ID: 98ed0c605d52677ada83a984198e756a1aca9b3409a824ef284006b387393d3d
Opcode Fuzzy Hash: 5ee772813303892243ec62a05ff9d7b80bfa317d3e0f66a58c869604295b2c38
Instruction Fuzzy Hash: F3626975A086468FD709CF19C88051AB7E6FFC8384F15C92DE899DB359EB30E946CB81

Function 005DF2B0 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(00000000,008AC7CC), ref: 005DF317
LoadLibraryA.KERNEL32(?,?,008BD238), ref: 005DF409
LoadLibraryA.KERNEL32(?,?), ref: 005DF44F
LoadLibraryA.KERNEL32(?,?,008BD140,00000001), ref: 005DF497
LoadLibraryA.KERNEL32(00000001), ref: 005DF4AD
GetProcAddress.KERNEL32(00000000,?), ref: 005DF4BF
FreeLibrary.KERNEL32(00000000), ref: 005DF552

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID:
API String ID: 3120990465-0
Opcode ID: d3e44936ee72fe73960de709d645e2c4300a4880ae86c5046db1bd3c7078d3f4
Instruction ID: 91a5f07175987a1e1c18ca2140ad0b01eec33d3e6c4a362a14abdb73cb8d51f4
Opcode Fuzzy Hash: d3e44936ee72fe73960de709d645e2c4300a4880ae86c5046db1bd3c7078d3f4
Instruction Fuzzy Hash: B0A1B0B1600702ABDB24EF68D885B6BB7E9FF95310F044A2EF85697341DB34E905CB91

Function 10021370 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134nativewindowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE_F), ref: 1002137E
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1002139A
IsWindowVisible.USER32(?), ref: 100213D9
ShowWindow.USER32(?,00000000), ref: 100213E6

Strings

SHE_F, xrefs: 10021378

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$NtdllProc_PropShowVisible
String ID: SHE_F
API String ID: 2900772547-872208577
Opcode ID: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
Instruction ID: bd9fa984eed261b426f55b418d79167bb0f56a7a5cd861e89bf77d4c9bc891ea
Opcode Fuzzy Hash: 1dd075973b18bd4a155f3fa5b72aa87e198f8b617cdb39295f7a88e0023e63e6
Instruction Fuzzy Hash: 9531E97B301659ABE211DA95ECC4DBFB7ADEBD53D6F01841AF24187100C722AD06C775

Function 00695CBB Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00695CC0
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00695CDE
lstrcpynA.KERNEL32(?,?,00000104), ref: 00695CED
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00695D21
CharUpperA.USER32(?), ref: 00695D32
FindFirstFileA.KERNEL32(?,?), ref: 00695D48
FindClose.KERNEL32(00000000), ref: 00695D54
lstrcpyA.KERNEL32(?,?), ref: 00695D64

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: 840fa8a9e5f2fab8aff3dda57d2966f193118ebfa50041f5a8033bff99f5d509
Instruction ID: 41fcf5fdae77b6e1528d323db8b0152a093489533f47baa2aad45619b4f70e9f
Opcode Fuzzy Hash: 840fa8a9e5f2fab8aff3dda57d2966f193118ebfa50041f5a8033bff99f5d509
Instruction Fuzzy Hash: 06219A31901518ABDF21AFA4DC48EEF7FBEEF46760F004125F91AE2160D7309A49CBA0

Function 1001D8E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 150nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001D8EC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D908

Strings

SHE, xrefs: 1001D8E6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
Instruction ID: 3dd76a049db869770da15870645d9af25493a0817101984a39104c73db85ad87
Opcode Fuzzy Hash: e4a0d490164f6d9069ce7e86964c5195bdc24712ecee0d29021a28e2da7046a5
Instruction Fuzzy Hash: D741447A7082119BD640FE58E880E6F77A9EBD4750F108C1BF5818B256C270DCC697B2

Function 0068F4DC Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0068AAE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00684C68,00000009,00000000,00000000,00000001,00688265,00000001,00000074,?,?,00000000,00000001), ref: 0068AB21
Part of subcall function 0068AAE4: EnterCriticalSection.KERNEL32(?,?,?,00684C68,00000009,00000000,00000000,00000001,00688265,00000001,00000074,?,?,00000000,00000001), ref: 0068AB3C

Part of subcall function 0068AB45: LeaveCriticalSection.KERNEL32(?,00683B02,00000009,00683AEE,00000000,?,00000000,00000000,00000000), ref: 0068AB52

GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,0068F4CD,0068F19E,?,?,?,?,006858EE,?,?), ref: 0068F52A
WideCharToMultiByte.KERNEL32(00000220,Eastern Standard Time,000000FF,0000003F,00000000,?,?,0068F4CD,0068F19E,?,?,?,?,006858EE,?,?), ref: 0068F5C0
WideCharToMultiByte.KERNEL32(00000220,Eastern Summer Time,000000FF,0000003F,00000000,?,?,0068F4CD,0068F19E,?,?,?,?,006858EE,?,?), ref: 0068F5F9

Strings

Eastern Standard Time, xrefs: 0068F5B4
Eastern Summer Time, xrefs: 0068F5ED

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: Eastern Standard Time$Eastern Summer Time
API String ID: 3442286286-239921721
Opcode ID: 4092b80a3a7e0834d3197a5ab0d869d58d70eb4fd1ba7c7f6bb7c36a093ef760
Instruction ID: 6d37b88354831b3375eb8af3045f3c0f2f159536a5e963eb4d9b999f2e559e68
Opcode Fuzzy Hash: 4092b80a3a7e0834d3197a5ab0d869d58d70eb4fd1ba7c7f6bb7c36a093ef760
Instruction Fuzzy Hash: 5361F4715042659FEB31BF28EC41B6A7BAAFB05310F24173EF485972E2E7708982DB15

Function 10007A30 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 157nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10007A3D
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,100065A9,?,?,?,?), ref: 10007A59

Strings

SHE, xrefs: 10007A37

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
Instruction ID: 97ae2f1b3464a4c4e6a23b637a735b9b026802ad9d4f48c1e8d21a1d89c5b290
Opcode Fuzzy Hash: cb2a118e651b28c30f67082bd4fe69c13c495138cac0e45b77bb26f8af636f3a
Instruction Fuzzy Hash: BA415F767041019BE204DB58E8D4DBFB3A9EBD83A1F10882FF585C3256CB74AC5697B2

Function 1000D330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 94nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000D33D
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000D359

Strings

SHE, xrefs: 1000D337

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 7c525df14ed70a4f11c4a69d41a52e97dcc25fc77dcc8a51e8dfaffd4d0c7820
Instruction ID: 3cad35e25735ce33caab85577b29180f6f89a3b7f1056cd299d0b253d523294e
Opcode Fuzzy Hash: 7c525df14ed70a4f11c4a69d41a52e97dcc25fc77dcc8a51e8dfaffd4d0c7820
Instruction Fuzzy Hash: 9C21B5B7700111ABE200EA58D8D8DAFF7ADEBD42A1F10852BF54187286C770DC46D7B2

Function 00685820 Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0068582D
GetSystemTime.KERNEL32(?), ref: 00685837
GetTimeZoneInformation.KERNEL32(?), ref: 0068588C

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: e4eedb9b7f1ac0439ec66852dedb341c0b2eafb578c227029171888a539acae8
Instruction ID: dda69a8002394cfccac9fe21bc7792bccba5153a249c43cd0477cf672116a4a4
Opcode Fuzzy Hash: e4eedb9b7f1ac0439ec66852dedb341c0b2eafb578c227029171888a539acae8
Instruction Fuzzy Hash: 722144A9804529E9DF25BF98DC046FE73BAEF09711F500612F916E62D0E3348DC2DB65

Function 00697B51 Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00697B56
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 00697D09

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 86fa2655353d4863f7ef8e9d5c2729b4fb36d9c2edf4015af410956e13206e59
Instruction ID: 79994b65bd1808b2590f2d8b1c58f2f5b11ab06879147e89de4fd7dd5f3a510c
Opcode Fuzzy Hash: 86fa2655353d4863f7ef8e9d5c2729b4fb36d9c2edf4015af410956e13206e59
Instruction Fuzzy Hash: 74E13970618219EFDF14DF64C881EBE77AEEF04310F108559F816AAA91DB35EE01DB68

Function 005C4160 Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42ba949ed5f13f7a13048d0cd2647f30b782fffce83c0990f55e93fa41166377
Instruction ID: 870b280583b2247d15a19da4ad626146278f649596d15c5dcdf4736055d4b433
Opcode Fuzzy Hash: 42ba949ed5f13f7a13048d0cd2647f30b782fffce83c0990f55e93fa41166377
Instruction Fuzzy Hash: 5D21F4B6600B019FE720DFA9E884F56BBE8FBA4365B14C92EE195C7210E371E845CB50

Function 1000D410 Relevance: 75.8, APIs: 40, Strings: 3, Instructions: 517
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowRect.USER32(?,?), ref: 1000D43B
OffsetRect.USER32(?,?,?), ref: 1000D454
SelectClipRgn.GDI32(?,00000000), ref: 1000D46A
DeleteObject.GDI32(00000000), ref: 1000D471
GetPropA.USER32(?,SHE_H), ref: 1000D495
SelectObject.GDI32(?,?), ref: 1000D4C7
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1000D4E1
GetWindowTextA.USER32(?,?,00000400), ref: 1000D4F5
SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 1000D540
GetIconInfo.USER32(00000000,?), ref: 1000D556
GetObjectA.GDI32(?,00000018,?), ref: 1000D568
OffsetRect.USER32(?,0000000A,00000000), ref: 1000D5D3
IsWindowEnabled.USER32(?), ref: 1000D5F3
DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1000D643
DeleteObject.GDI32(?), ref: 1000D654
DeleteObject.GDI32(?), ref: 1000D65B
BeginPath.GDI32(?), ref: 1000D671
Rectangle.GDI32(?,?,?,?,?), ref: 1000D690
EndPath.GDI32(?), ref: 1000D697
SelectClipPath.GDI32(?,00000004), ref: 1000D6A0
SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 1000D6C3
GetObjectA.GDI32(00000000,00000018,?), ref: 1000D6DD
SelectObject.GDI32(00000000,?), ref: 1000D6F2
SetRect.USER32(?,00000000,00000000,?,?), ref: 1000D70B
OffsetRect.USER32(?,0000000A,00000000), ref: 1000D75F
IsWindowEnabled.USER32(?), ref: 1000D77F
73F84D40.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 1000D7D2
DeleteDC.GDI32(00000000), ref: 1000D7D9
BeginPath.GDI32(?), ref: 1000D7F3

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 1000D834
SetBkMode.GDI32(?,00000001), ref: 1000D83D
DrawTextA.USER32(?,?,?), ref: 1000D87C
IsWindowEnabled.USER32(?), ref: 1000D8BC
GetPropA.USER32(?,SHE_G), ref: 1000D8E1
SetTextColor.GDI32(?,?), ref: 1000D8FF
OffsetRect.USER32(?,0000000A,00000000), ref: 1000D955
IsWindowEnabled.USER32(?), ref: 1000D975
DrawTextA.USER32(?,?,000000FF,?,00000025), ref: 1000D9D3
BeginPath.GDI32(?), ref: 1000D9D6
IsWindowEnabled.USER32(?), ref: 1000DA04

Strings

SHE_G, xrefs: 1000D8DB
s, xrefs: 1000D7D2
SHE_H, xrefs: 1000D48F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Window$Rect$EnabledPathSelect$DeleteOffsetText$BeginDrawMessagePropSend$ClipIcon$ColorInfoModeRectangle
String ID: SHE_G$SHE_H$s
API String ID: 2187885752-296884359
Opcode ID: 6fddeaad0acca133993aa1c44a543fc9cad7247503c1493824e52e6b78b187c0
Instruction ID: 50004852f72fae0a29118b72576feac184e73b219f1c45ddea06c1ed47f32cb6
Opcode Fuzzy Hash: 6fddeaad0acca133993aa1c44a543fc9cad7247503c1493824e52e6b78b187c0
Instruction Fuzzy Hash: 88026A79205301AFE344DF64CC88F6FB7E9EBC8744F108A1DF94597294DA74EA058B62

Function 1001DD00 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 639
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 1001DD15
SelectObject.GDI32(00000000,00000000), ref: 1001DD48
SetBkMode.GDI32(00000000,00000001), ref: 1001DD57
SelectObject.GDI32(00000000,?), ref: 1001DD67
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001DD7D
GetStockObject.GDI32(00000005), ref: 1001DD85
SelectObject.GDI32(00000000,00000000), ref: 1001DD8D
SetBkMode.GDI32(00000000,00000001), ref: 1001DD92
SetTextColor.GDI32(00000000,?), ref: 1001DDA8
IsWindowEnabled.USER32(?), ref: 1001DDB2
SendMessageA.USER32(?,00001328,00000000,?), ref: 1001DE08
SendMessageA.USER32(?,00001302,00000000,00000000), ref: 1001DE17

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

GetObjectA.GDI32(00000000), ref: 1001DE4A
CreateFontIndirectA.GDI32(?), ref: 1001DE91
SelectObject.GDI32(00000000,00000000), ref: 1001DE9D
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 1001DEB0
SendMessageA.USER32(?,00001304,00000000,00000000), ref: 1001DEC7
SetRectEmpty.USER32(?), ref: 1001DEEF
SendMessageA.USER32(?,0000130A,00000000,?), ref: 1001DF00
SetRectEmpty.USER32(?), ref: 1001E032
SendMessageA.USER32(?,0000130A,00000000,?), ref: 1001E047
IsRectEmpty.USER32(?), ref: 1001E18A
InflateRect.USER32(?,00000002,00000002), ref: 1001E1A1
73F84D40.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 1001E4C4
SelectObject.GDI32(00000000,?), ref: 1001E4D0
DeleteDC.GDI32(00000000), ref: 1001E4D7
DeleteObject.GDI32(?), ref: 1001E4E8
DeleteObject.GDI32(?), ref: 1001E4EF

Strings

s, xrefs: 1001E4C4

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$MessageSend$RectSelect$DeleteEmpty$Mode$ClientColorCreateEnabledFontIndirectInflatePropStockTextWindow
String ID: s
API String ID: 2090088722-453955339
Opcode ID: 97f9f2643606517d4a72aba39ad4632b4258dedb9dc8ca265b39ff01b36e7c9f
Instruction ID: be54d6abef2699d98cadc2507b809e01c9902be56bffb49cbb06b1a11f8f3968
Opcode Fuzzy Hash: 97f9f2643606517d4a72aba39ad4632b4258dedb9dc8ca265b39ff01b36e7c9f
Instruction Fuzzy Hash: 6D4224B4609341AFE304DF58C885E6ABBE9FF88744F10892DF5898B391D770E985CB52

Function 10013170 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 429
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 1001319A

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 100131E3
IsWindowEnabled.USER32(?), ref: 100131FE
InflateRect.USER32(?,000000FE,000000FE), ref: 100132E2
GetWindowTextA.USER32(?,?,00000400), ref: 10013319
SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 1001334D
GetIconInfo.USER32(00000000,?), ref: 10013369
GetObjectA.GDI32(?,00000018,?), ref: 1001337B
GetTextExtentPointA.GDI32(?,?,?,?), ref: 100133A5
DeleteObject.GDI32(?), ref: 100133E7
DeleteObject.GDI32(?), ref: 100133EE
SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 10013420
GetObjectA.GDI32(00000000,00000018,?), ref: 10013436
GetTextExtentPointA.GDI32(?,?,?,?), ref: 10013460
DrawTextA.USER32(?,?,-00000001,?,00000000), ref: 1001352A
GetPropA.USER32(?,SHE_G), ref: 100135C0
IsWindowEnabled.USER32(?), ref: 100135D1
SetTextColor.GDI32(?,?), ref: 10013607
OffsetRect.USER32(?,?,?), ref: 1001362B
SetBkMode.GDI32(?,00000001), ref: 10013638
DrawTextA.USER32(?,?,?,?,00000000), ref: 10013663
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001368D

Strings

SHE_G, xrefs: 100135BA
s, xrefs: 1001368D

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Text$Rect$DeleteMessageSelectSendWindow$ClipDrawEnabledExtentPointProp$ClientColorCreateIconInflateInfoModeOffset
String ID: SHE_G$s
API String ID: 884910163-571881213
Opcode ID: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
Instruction ID: 0720dea72c005f8db2774b89525498d56df710bbe5d87d96d133ef9dad5b9a48
Opcode Fuzzy Hash: caf21a1c7cf1fe260952df342b86851fbddba4b749565e73e7d7b216ba7894aa
Instruction Fuzzy Hash: 7FF14AB42087419FE324CF64C885E6BB7E9FBC8710F108A1CF69987290DB74E949CB52

Function 10005A40 Relevance: 39.3, APIs: 26, Instructions: 255
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

IsWindowEnabled.USER32(?), ref: 10005A4C
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10005A62
GetWindowRect.USER32(?,?), ref: 10005A7B
IsRectEmpty.USER32(?), ref: 10005AA1
PtInRect.USER32(?), ref: 10005AB8
SetTimer.USER32 ref: 10005BAC
GetWindowLongA.USER32(?,000000F0), ref: 10005BC6
SetRect.USER32(?,00000000,00000000,00000005,0000001D), ref: 10005BF3
OffsetRect.USER32(?,?,?), ref: 10005C08
SetRect.USER32(?,?,00000000,?,0000001D), ref: 10005C2A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendTimer
String ID:
API String ID: 70592305-0
Opcode ID: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
Instruction ID: d42ccc5a3b2781513f2fd8ff1ff6268cf5ee92936f68469feebf928f78cc2080
Opcode Fuzzy Hash: 9b1bcf4309ba79a44affa8d35e3d6eb1101dc492926530dc94eed6df942145db
Instruction Fuzzy Hash: CA819C75204706AFF320DBA4CC89FAB77E8EB88B81F104909F656C6294E771F905CB25

Function 1000C930 Relevance: 31.7, APIs: 21, Instructions: 208
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowLongA.USER32(?,000000F0), ref: 1000C945
GetWindowLongA.USER32(?,000000EC), ref: 1000C968
IsWindowEnabled.USER32(?), ref: 1000C982
SendMessageA.USER32(?,00000138,00000000,?), ref: 1000C9A3
GetClientRect.USER32(?,?), ref: 1000C9B4
GetWindowRect.USER32(?,?), ref: 1000C9C3
ClientToScreen.USER32(?,?), ref: 1000C9D8
ClientToScreen.USER32(?,?), ref: 1000C9E3
OffsetRect.USER32(?,?,?), ref: 1000C9FE
OffsetRect.USER32(?,?,?), ref: 1000CA13
SelectObject.GDI32(00000000,00000000), ref: 1000CA17
CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA39
CreateRectRgn.GDI32(?,?,?,?), ref: 1000CA51
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000CA5A
SelectClipRgn.GDI32(00000000,00000000), ref: 1000CA62
DeleteObject.GDI32(00000000), ref: 1000CA6F
DeleteObject.GDI32(00000000), ref: 1000CA72
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1000CA88
InflateRect.USER32(?,000000FE,000000FE), ref: 1000CACF
IsWindowEnabled.USER32(?), ref: 1000CAD9
GetFocus.USER32 ref: 1000CAE7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$ClientObject$CreateDeleteEnabledLongOffsetScreenSelect$ClipCombineFocusInflateMessageSend
String ID:
API String ID: 1428229788-0
Opcode ID: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
Instruction ID: f3ce32309e44c4e53b58f03bab4cd10378bf4dbb7bac6551a4584a97cbcaf063
Opcode Fuzzy Hash: d4372ce6a2278cce0392c1b9f9947206522c49e50afc0a6178835e897f4a38ff
Instruction Fuzzy Hash: 26714DB8204305AFE304DF65CC84E2BB7E8EFC9754F108A1DF99993260D675E946CB62

Function 00696F83 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0069FB7D: TlsGetValue.KERNEL32(00908F44,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000,?,00691BBF,00000000,00000000,00000000,00000000), ref: 0069FBBC

CallNextHookEx.USER32(?,00000003,?,?), ref: 00696FAD
GetClassLongA.USER32(?,000000E6), ref: 00696FF4
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_0029EEF7), ref: 00697020
lstrcmpiA.KERNEL32(?,ime), ref: 0069702F
GetWindowLongA.USER32(?,000000FC), ref: 006970A2
SetWindowLongA.USER32(?,000000FC,00000000), ref: 006970C3

Strings

AfxOldWndProc423, xrefs: 00697104, 00697109, 00697114, 0069711C, 00697125
ime, xrefs: 00697029

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: 8b5d24c515c9403b2287001c3f195bd9e8ab5ba2e81872aba901ad8c0f484400
Instruction ID: e62b3f7afbff1f17f9d5a08954ab68a3074954f61a3640821bb7b8e89461b46a
Opcode Fuzzy Hash: 8b5d24c515c9403b2287001c3f195bd9e8ab5ba2e81872aba901ad8c0f484400
Instruction Fuzzy Hash: A951CE71518225AFCF21AF65DC08BAA7BBEFF05361F145618F815A7AA0D731D900CFA0

Function 10013810 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 363
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32(?,?), ref: 1001383A

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 10013889
InflateRect.USER32(?,000000FF,000000FF), ref: 100138F0
InflateRect.USER32(00000000,000000FF,000000FF), ref: 100138FB
IsWindowEnabled.USER32(?), ref: 10013912
GetWindowTextA.USER32(?,?,00000400), ref: 10013AA2
DrawTextA.USER32(?,?,?,?,00000001), ref: 10013B3E
GetPropA.USER32(?,SHE_G), ref: 10013BD4
SetTextColor.GDI32(?,00000000), ref: 10013BFA
SetBkMode.GDI32(?,00000001), ref: 10013C07
DrawTextA.USER32(?,?,?,?,00000001), ref: 10013C2C
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10013C56

Strings

SHE_G, xrefs: 10013BCE
s, xrefs: 10013C56

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: RectText$ObjectSelect$ClipDrawInflatePropWindow$ClientColorCreateDeleteEnabledMessageModeSend
String ID: SHE_G$s
API String ID: 1435283344-571881213
Opcode ID: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
Instruction ID: 6eeb226ef1bb0de1b614e7657a0c8b189afcc3c0ce88ba382625342e3441b8cf
Opcode Fuzzy Hash: bf8b04a64fc7e9720845d1a8b633114ab653b3764a86c28c23747f38c52eb1d7
Instruction Fuzzy Hash: 5DE137B52083019FD354CF68C884A6AB7E5FFC8714F108A1DFAA987391D774E945CB92

Function 1001A4F0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetPropA.USER32(?,SHE_B,00000000), ref: 1001A559
SetPropA.USER32(?,SHE_B,00000000), ref: 1001A5AC
CallNextHookEx.USER32(?,?,?,?), ref: 1001A66D

Strings

SHE_C, xrefs: 1001A5FE, 1001A60D
SHE_B, xrefs: 1001A553, 1001A5A6
SHE, xrefs: 1001A5EF
SHE_A, xrefs: 1001A5E0, 1001A651

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop$CallHookNext
String ID: SHE$SHE_A$SHE_B$SHE_C
API String ID: 3868478265-22028169
Opcode ID: 3ad3b6f22818cb3d5e03a360cef7d00c705002ca51ab2797111fcf47ea3a9929
Instruction ID: 7811e094c1e109cc8e8b8a1a0b8848a8eb1566d8d7a83a7f68ba57272ffb72e5
Opcode Fuzzy Hash: 3ad3b6f22818cb3d5e03a360cef7d00c705002ca51ab2797111fcf47ea3a9929
Instruction Fuzzy Hash: 0D415479600611EFD614DB94CC80D2773E9EF966A07158A18F66ACB690D734FC85CB20

Function 10024520 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00080000,ComboLBox ,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024562
CreateWindowExA.USER32(00080000,ComboLBox ,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 10024594
CreateWindowExA.USER32(00080000,ComboLBox ,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245C6
CreateWindowExA.USER32(00080000,ComboLBox ,00000000,80000000,00000000,00000000,00000000,00000000,?,00000000,?,00000000), ref: 100245F8
SetPropA.USER32(?,SHE_F,?), ref: 10024613
SetPropA.USER32(?,SHE_F,?), ref: 10024622
SetPropA.USER32(?,SHE_F,?), ref: 10024631
SetPropA.USER32(?,SHE_F,?), ref: 10024640

Strings

SHE_F, xrefs: 1002460D, 1002461C, 1002462B, 1002463A
ComboLBox , xrefs: 10024558, 1002458A, 100245BC, 100245EE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CreatePropWindow
String ID: ComboLBox $SHE_F
API String ID: 661344865-4007208376
Opcode ID: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
Instruction ID: 9f628f48033890d7f24c30de2fa77ca5103cf21e47ce77eaf880fe3b7e00f918
Opcode Fuzzy Hash: 1089ebc232d11df68c40f06de5aeeb89f545c28512acefa0cdbd24b27eb5c3d6
Instruction Fuzzy Hash: F931B9753C0704BAE270DBA5DC86F93B7A8EF98B11F314519F749AB2D0C6A0B8418B58

Function 0060A2E0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 0060A309
OleInitialize.OLE32(00000000), ref: 0060A345
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0060A363
SetCurrentDirectoryA.KERNEL32(027256C8,?), ref: 0060A3BD
LoadCursorA.USER32(00000000,00007F00), ref: 0060A418
GetStockObject.GDI32(00000005), ref: 0060A439
GetCurrentThreadId.KERNEL32 ref: 0060A461

Strings

$j, xrefs: 0060A4F0
_EL_HideOwner, xrefs: 0060A443

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: $j$_EL_HideOwner
API String ID: 3783217854-3981174878
Opcode ID: 29583d984f0f1c8d4b8cf058cdd5e2c44807888f13fa5609fe9fc5642538a643
Instruction ID: 3e4eaca1cd0e317e5337d0f1a186104cbe070bbf7a941e73e2e02cf2405c834b
Opcode Fuzzy Hash: 29583d984f0f1c8d4b8cf058cdd5e2c44807888f13fa5609fe9fc5642538a643
Instruction Fuzzy Hash: 57E1CF70A402059FCB58EF94DC95FEE77BABF85300F14416CE905A7282DB74AA41CF65

Function 00696DA8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00696DAD
GetPropA.USER32(?,AfxOldWndProc423), ref: 00696DC5
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 00696E23

Part of subcall function 00696990: GetWindowRect.USER32(?,?), ref: 006969B5
Part of subcall function 00696990: GetWindow.USER32(?,00000004), ref: 006969D2

SetWindowLongA.USER32(?,000000FC,?), ref: 00696E53
RemovePropA.USER32(?,AfxOldWndProc423), ref: 00696E5B
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 00696E62
GlobalDeleteAtom.KERNEL32(00000000), ref: 00696E69

Part of subcall function 0069696D: GetWindowRect.USER32(?,?), ref: 00696979

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 00696EBD

Strings

AfxOldWndProc423, xrefs: 00696DBB, 00696DC3, 00696E59, 00696E61

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 965783a533c0af0edb4d62252c24bf4971197fb4c0c42de68888b1150666e4e3
Instruction ID: 68351df452b1a90b6df5bfa96f8933d637632f62b7aed728ecc0bc214a11d7b7
Opcode Fuzzy Hash: 965783a533c0af0edb4d62252c24bf4971197fb4c0c42de68888b1150666e4e3
Instruction Fuzzy Hash: D4315A3280020AAFCF01AFA5DD49EFF7ABEEF46310F000519F602A2560D7359A11DBA5

Function 1001C450 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetPropA.USER32(?,SHE), ref: 1001C463
RemovePropA.USER32(?,SHE_A), ref: 1001C471
SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1001C47F
GetPropA.USER32(?,SHE), ref: 1001C48B
IsWindowVisible.USER32(?), ref: 1001C4AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?,1001C40B,?), ref: 1001C4BD
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,?,1001C40B,?), ref: 1001C4CE

Strings

SHE, xrefs: 1001C45D, 1001C485
SHE_A, xrefs: 1001C46B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop$Window$InvalidateMessageRectRemoveSendVisible
String ID: SHE$SHE_A
API String ID: 2510188223-3055163332
Opcode ID: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
Instruction ID: 11fdaa9114d1614bf2f695c029d4fea50ea2cb84254ba2801cf49c8279bf9916
Opcode Fuzzy Hash: 51a537452bd44370889b0a1f1f194821304f9a483811099fd7e9da286f0db7f1
Instruction Fuzzy Hash: B0016D75202A29EFE780AF954CC8DFB76ACEF45285B1280B9F20596011C7708A428BA5

Function 0069F816 Relevance: 15.1, APIs: 10, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00908F60,00908F34,00000000,?,00908F44,00908F44,0069FBB1,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000), ref: 0069F825
GlobalAlloc.KERNEL32(00002002,00000000,?,?,00908F44,00908F44,0069FBB1,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000), ref: 0069F87A
GlobalHandle.KERNEL32(00C02DC0), ref: 0069F883
GlobalUnlock.KERNEL32(00000000), ref: 0069F88C
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 0069F89E
GlobalHandle.KERNEL32(00C02DC0), ref: 0069F8B5
GlobalLock.KERNEL32(00000000), ref: 0069F8BC
LeaveCriticalSection.KERNEL32(006821F4,?,?,00908F44,00908F44,0069FBB1,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000), ref: 0069F8C2
GlobalLock.KERNEL32(00000000), ref: 0069F8D1
LeaveCriticalSection.KERNEL32(?), ref: 0069F91A

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 14a26840fa2a78f0605485d7b02b3a4015b96797ea69572b6435855661975171
Instruction ID: 3d653e622268a67838405aa4448a793a036817c86004630de7619ddcfc1a366f
Opcode Fuzzy Hash: 14a26840fa2a78f0605485d7b02b3a4015b96797ea69572b6435855661975171
Instruction Fuzzy Hash: 98315E716007059FDB64AF28DD89A6AB7FEFB45301B010A2DF492C7A61E771F8048F20

Function 1000C1C0 Relevance: 15.1, APIs: 10, Instructions: 88windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000C1D7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
IsWindowVisible.USER32(00000000), ref: 1000C211
GetWindowRect.USER32(00000000,?), ref: 1000C22D
OffsetRect.USER32(?,?,?), ref: 1000C242
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
DeleteObject.GDI32(00000000), ref: 1000C270
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: RectWindow$CreateFind$CombineDeleteObjectOffsetVisible
String ID:
API String ID: 1313402854-0
Opcode ID: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
Instruction ID: 0129f1f143ae883f5581523c8020f595d90fc1c3a02a3f94cc4d99a36711fcdf
Opcode Fuzzy Hash: 8629bedc85b525c95f566e4f9ec39ac268af53675b713f40d67e7f6029a4d90e
Instruction Fuzzy Hash: AD210C75205325AFE2109B65CC85F3BB7ECEBC9B55F104619FA45A3240DA20ED068B66

Function 10022200 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10022268
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 1002229B
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 100222D3
SetWindowPos.USER32(?,?,?,?,00000000,00000000,00002719), ref: 10022313
SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,0000271B), ref: 100223B8

Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765

CallWindowProcA.USER32(?,?,00000047,?,?), ref: 100223DC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Show$CallProcRect
String ID:
API String ID: 3118190714-0
Opcode ID: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
Instruction ID: 8dc1deb737b558b6c714bf112c7838984d22b05039a9ca3c04896061e2edaa8e
Opcode Fuzzy Hash: 0dca7d29e93af85ade0fce1f98af7d168de262e2d7b920e1a23795d0ee674c28
Instruction Fuzzy Hash: 3651FF75344701AFE224DA68DC96FABB3E9EB88B10F10890DF65A973D5CA74BC018B54

Function 10022A20 Relevance: 12.1, APIs: 8, Instructions: 120windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10022A2C
CallWindowProcA.USER32(?,?,?,?,?), ref: 10022A87
GetMenu.USER32(?), ref: 10022AB2
SetMenu.USER32(?,00000000), ref: 10022AC4
GetWindowRect.USER32(?,00400000), ref: 10022AEB
SendMessageA.USER32(?,00000083,00000000,?), ref: 10022B01
CallWindowProcA.USER32(?,?,?,?,?), ref: 10022B1E
SetMenu.USER32(?,00000000), ref: 10022B43

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Menu$CallProc$MessageRectSendVisible
String ID:
API String ID: 3332730756-0
Opcode ID: be17ffcd072d127f7334e16dffc81dd63c0512f848037c73dbf9b586abf24c7e
Instruction ID: 9276f38f3cf173ca9a812d88aef6df53489b9eb25c2b5bf1bf9ebad47c79e053
Opcode Fuzzy Hash: be17ffcd072d127f7334e16dffc81dd63c0512f848037c73dbf9b586abf24c7e
Instruction Fuzzy Hash: 5F416A79204701AFD260DBA9DC84E67B3E9EB88754F208A1DF55AC3661C634E942CB60

Function 100220A0 Relevance: 9.1, APIs: 6, Instructions: 114windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 100220B8
GetWindowRect.USER32 ref: 100220E3
IsRectEmpty.USER32(?), ref: 1002216B
IsRectEmpty.USER32(?), ref: 1002218E
IsRectEmpty.USER32(?), ref: 100221A5
SendMessageA.USER32(?,00007401,?,?), ref: 100221DA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Empty$Window$MessageSendVisible
String ID:
API String ID: 1963373104-0
Opcode ID: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
Instruction ID: 15d01376b549b43e06bef1ecdf41231e929ad262f4cddba4413b2d284a982563
Opcode Fuzzy Hash: e9bd8bf3015e0fc931efd3356353d720a6aee9b169a9c962a95d430c27da7b1e
Instruction Fuzzy Hash: A131AD38300B02ABD654DA75DC95FABB3E9EF94740F41890CFA5AC3250DB70E951CB90

Function 1000B4C0 Relevance: 7.6, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538
SelectObject.GDI32(00000000,00000000), ref: 1000B55F
74001530.MSIMG32(?,?,00BD2B74,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
DeleteObject.GDI32(?), ref: 1000B5C5
DeleteDC.GDI32(00000000), ref: 1000B5CC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: 74001530DeleteObject$Select
String ID:
API String ID: 905560827-0
Opcode ID: cea02a7140ad39d7cb010459c9ee0d1b607245b3b0f0fafe053c611a6cff785f
Instruction ID: a2bec2eff1570f1e033dcbeedc9227712d92de05b5e2e1092a7d92024c81a4dd
Opcode Fuzzy Hash: cea02a7140ad39d7cb010459c9ee0d1b607245b3b0f0fafe053c611a6cff785f
Instruction Fuzzy Hash: 083114B6206611BFE254DF59CC88F6BB7EDEBC8B91F10495CF64987250D630EC028B61

Function 1001E500 Relevance: 6.2, APIs: 4, Instructions: 200windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 1001E552
InflateRect.USER32(?,000000FE,000000FE), ref: 1001E599
6FA9CFD0.COMCTL32(?,?,?,00000000,?,00000001), ref: 1001E727

Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E942
Part of subcall function 1000E930: SetRectEmpty.USER32(?), ref: 1000E949

6FA9CFD0.COMCTL32(?,?,?,?,?,00000001), ref: 1001E685

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Empty$InflateMessageSend
String ID:
API String ID: 2147231653-0
Opcode ID: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
Instruction ID: 714f37e124b3561914c789874ae4d57327775486736af5f1980e57804d13f8a5
Opcode Fuzzy Hash: c1d657de1969eec40a7d2c4ceaca19b3ee4d01ccf90aa8a5cb8032dc9250f240
Instruction Fuzzy Hash: 8E81D0B56183409FD354CF58C880A6BFBE9FBC9700F108A2DFA9887351E771E9458B96

Function 10025C70 Relevance: 6.0, APIs: 4, Instructions: 31windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000007F,00000002,00000000), ref: 10025C83
SendMessageA.USER32(?,0000007F,00000000,00000000), ref: 10025C8E
GetClassLongA.USER32(?,000000F2), ref: 10025C97
SendMessageA.USER32(?,0000007F,00000001,00000000), ref: 10025CA7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$ClassLong
String ID:
API String ID: 1264571673-0
Opcode ID: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
Instruction ID: 947a8f3f8a0cea30fb6e839a99a16b54cd066c6a9c51171dd670646b1ab2be3e
Opcode Fuzzy Hash: 370d63bef3b9863a2f2e968b8f2886904922ea484c8d1e949867ab0d5a59f7f0
Instruction Fuzzy Hash: AEE0DF6A3453277DF11066269C02FAB328C8F91B91F224120FB04F50C4E2A6AD0306B8

Function 10024730 Relevance: 6.0, APIs: 4, Instructions: 26COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
ShowWindow.USER32(?,?), ref: 10024751
ShowWindow.USER32(?,?), ref: 1002475B
ShowWindow.USER32(?,?), ref: 10024765

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
Instruction ID: fbebdeaf8877d8e39abbbfefd4f084f7c7d7f891781dffc730fc7a01b7582861
Opcode Fuzzy Hash: 3295a3fcf0ae12c1fcbb8f7e5f53fbdeca41f72dae6878fcabe25103e68869c8
Instruction Fuzzy Hash: 28E092B6201750ABD224DAAACCC8D97F7ECFBCE711B50491EB259832008A75E801C774

Function 0069A229 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0069A23C
SetWindowsHookExA.USER32(000000FF,VnP,00000000,00000000), ref: 0069A24C

Part of subcall function 0069FC12: __EH_prolog.LIBCMT ref: 0069FC17

Strings

VnP, xrefs: 0069A245

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID: VnP
API String ID: 2183259885-3641916949
Opcode ID: 7953e8031589f70d2764d3e9a64a37643e37deefb840e4b5d9e347ad8de269c7
Instruction ID: a8bbeb9541754cab277bd53c70a096f9f9d346213d99f6b13e0c95a0c4717ae6
Opcode Fuzzy Hash: 7953e8031589f70d2764d3e9a64a37643e37deefb840e4b5d9e347ad8de269c7
Instruction Fuzzy Hash: E8F0A7315003105EDFA03FB0A80DB5936EB9B05310F070678F551DBDE1CA25AE408796

Function 10012060 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE_I), ref: 1001206C
SendMessageA.USER32(?,00000031,?,?), ref: 10012090

Strings

SHE_I, xrefs: 10012063

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessagePropSend
String ID: SHE_I
API String ID: 25370605-2739127632
Opcode ID: 7d5e3bc90b47571d82ce137a822031f71c38e63c62c9b70d0aa0c542d69259e0
Instruction ID: b8d12084a5fb27a2b02e8c7b5d46552afd1830b42c17ef8beebdc7801db986c6
Opcode Fuzzy Hash: 7d5e3bc90b47571d82ce137a822031f71c38e63c62c9b70d0aa0c542d69259e0
Instruction Fuzzy Hash: E4E06DB93003139BE360CB98CC84E5273ECEF88694B114518F509CB211D7B0EC91CB50

Function 10015400 Relevance: 4.6, APIs: 3, Instructions: 65COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000001,?,?), ref: 10015429
CallWindowProcA.USER32(?,?,00000001,?,?), ref: 100154AD
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,0000263F), ref: 100154C6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$CallProc
String ID:
API String ID: 883168683-0
Opcode ID: 049282dc8febc6ffcff643e693e9be518f14e6765984f4641e482d5a9bc57cbd
Instruction ID: 2f0a6d1fae90f1da847d9558e590aaa30e7de1fb8e63c55613dd495823e97c50
Opcode Fuzzy Hash: 049282dc8febc6ffcff643e693e9be518f14e6765984f4641e482d5a9bc57cbd
Instruction Fuzzy Hash: 4621E8B4204701EFE360CF24C884F97B7E9EB88314F10891DF5AA8B690D771E885CB60

Function 10026440 Relevance: 4.5, APIs: 3, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,10026677,00000000,00000020), ref: 10026463
FlushInstructionCache.KERNEL32(10026677,00000000,10026677,?,10026677,00000000,00000020), ref: 1002648E
VirtualProtect.KERNEL32(00000000,10026677,00000040,00000014,?,10026677,00000000,00000020), ref: 100264AB

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CacheCurrentFlushInstructionProcessProtectVirtual
String ID:
API String ID: 3733156554-0
Opcode ID: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
Instruction ID: 63f23e8b59d19312b92c29cae95ac7a559587f2e0b5583b49ef3a248e102aaa7
Opcode Fuzzy Hash: 6ab28333a214872ef38e7cec3ea03a05ced2cd15625bfb15ed58538e5cadbd30
Instruction Fuzzy Hash: 0E11A278A00208EFDB44DF98D984A9AB7F5FB48304F20C199F9099B350C735EE41DB90

Function 006968EA Relevance: 4.5, APIs: 3, Instructions: 34COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,?), ref: 006968F3
SetWindowLongA.USER32(?,?,?), ref: 00696912
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0069692C

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$Long
String ID:
API String ID: 847901565-0
Opcode ID: eb16f128ed70f18cf87e9200b8257269430a047657a6106005709ea66cf25e99
Instruction ID: 8d72f42764536bdc00601f433bdf8c74f1abe473a9dcb46b6d04dcbff35f4343
Opcode Fuzzy Hash: eb16f128ed70f18cf87e9200b8257269430a047657a6106005709ea66cf25e99
Instruction Fuzzy Hash: 90F0303515010ABFDF089F50DC5ACAE3F6AEB19351B005429F90AC5160D732E861EE60

Function 1002616D Relevance: 3.8, APIs: 3, Instructions: 54COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 1002619B
_initterm.MSVCRT ref: 100261C6
free.MSVCRT ref: 10026203

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: _inittermfreemalloc
String ID:
API String ID: 1678931842-0
Opcode ID: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
Instruction ID: c3025327f4686e2d82251761483d94adc5640adac6d06395e623d3ba54a4f38f
Opcode Fuzzy Hash: 28efe3b135363df1d26e65f438198e95a9e2b0e57acad8b9d4fda251abc1b172
Instruction Fuzzy Hash: 07115E316452A1CFF784CBA4EEC4B1A37A4FB09391B650479FC05CB2A5D721AC42CB00

Function 0069AF2B Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069AF30

Part of subcall function 0069AC93: __EH_prolog.LIBCMT ref: 0069AC98

Strings

V"', xrefs: 0069AF86

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prolog
String ID: V"'
API String ID: 3519838083-1270798979
Opcode ID: 7c6d6b7227b7a7d9f92a285add359ba065695b78e6d83d28da7e62b1aca38c12
Instruction ID: 5bc4cf665504d5215e2d19bcf93d4d761aff09db64cafc03b33906f978bab8d4
Opcode Fuzzy Hash: 7c6d6b7227b7a7d9f92a285add359ba065695b78e6d83d28da7e62b1aca38c12
Instruction Fuzzy Hash: 8211D3B1600701DFCF24AF68C985AAAB7FEBF91354B10456DF04687A41EB70E801CB91

Function 10012140 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,SHE,00000000), ref: 10012151

Strings

SHE, xrefs: 10012148

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop
String ID: SHE
API String ID: 257714900-2947365353
Opcode ID: a6d25bf58fb53c56b6b5107b1a26f9500140b162eb96946241964c681cb2208e
Instruction ID: 35157bf594c235461d53df282a2f192a396ed101a5a2d3219a77b9f403ebd6a7
Opcode Fuzzy Hash: a6d25bf58fb53c56b6b5107b1a26f9500140b162eb96946241964c681cb2208e
Instruction Fuzzy Hash: 91E01A79504720EFC760DF69C888C47FBE8EF582203108B1EB499C3252D630E880CB90

Function 10014F80 Relevance: 3.2, APIs: 2, Instructions: 168COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000000,?,?), ref: 10015010
CallWindowProcA.USER32(?,?,?,?,?), ref: 10015136

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3a34cf9c1cf895b50e1ffedf62062b269e6f1887e1c20b20102255bf11944071
Instruction ID: 3a9bc6d7e016e4f588f7fcbb5cad357005f6a59b672cc3281e17a6244433939f
Opcode Fuzzy Hash: 3a34cf9c1cf895b50e1ffedf62062b269e6f1887e1c20b20102255bf11944071
Instruction Fuzzy Hash: 815151BA208610EFD249DB54D851E7FB3AAEBD8711F14C90DF2568F245CA31EC8287A5

Function 0069598F Relevance: 3.1, APIs: 2, Instructions: 107fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00695CBB: __EH_prolog.LIBCMT ref: 00695CC0
Part of subcall function 00695CBB: GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 00695CDE
Part of subcall function 00695CBB: lstrcpynA.KERNEL32(?,?,00000104), ref: 00695CED

CreateFileA.KERNEL32(00000000,80000000,00000000,0000000C,00000003,00000080,00000000,?,?,?,?), ref: 00695A6A
GetLastError.KERNEL32 ref: 00695A7C

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CreateErrorFileFullH_prologLastNamePathlstrcpyn
String ID:
API String ID: 1034715445-0
Opcode ID: ba801cb3a1b3cef24f2dc5ccfc612d830dfd16565ae23cf5b05676967b1ed21a
Instruction ID: 4a8178564a24b26fc69db01f72aef00f517f741132bcc6815bb8f80f1835894b
Opcode Fuzzy Hash: ba801cb3a1b3cef24f2dc5ccfc612d830dfd16565ae23cf5b05676967b1ed21a
Instruction Fuzzy Hash: 16313D32A10E05AFEF228F55CC86BEA739FAB84324F10861DF517CBAD0C6749D458744

Function 100264C0 Relevance: 3.0, APIs: 2, Instructions: 42memoryCOMMON

Download Yara Rule

APIs

FlushInstructionCache.KERNEL32(?,00000000,00000000), ref: 100264FF
VirtualProtect.KERNEL32(00000000,00000000,00000000,00000000), ref: 10026524

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CacheFlushInstructionProtectVirtual
String ID:
API String ID: 403598440-0
Opcode ID: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
Instruction ID: 4cf98e0dcf6dfc27f34e277785f8542e4947d89007de13e16ffdbbdb6af82732
Opcode Fuzzy Hash: c3da033d4900e79327e44b0a828f40d223d41c1a4726ae3b7a942c81a8011169
Instruction Fuzzy Hash: 5E01D778A00208EFD740CF94D894A9DFBB9FB48314F50C298E80997355D731EE86CB50

Function 100155D0 Relevance: 3.0, APIs: 2, Instructions: 39windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 100155D7
SendMessageA.USER32(?,00007401,?,?), ref: 10015622

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSendVisibleWindow
String ID:
API String ID: 3984873885-0
Opcode ID: e425412bac2dd5609632b791c03201e7e4bc2a645a05717b380cfd499959cf61
Instruction ID: 0f9f9009dd7f2be491e8c3b5c0e3d0049e76c27d9775cccff0fff9ef78c6cd96
Opcode Fuzzy Hash: e425412bac2dd5609632b791c03201e7e4bc2a645a05717b380cfd499959cf61
Instruction Fuzzy Hash: 04F06239314611ABE214DB65DC45E5BF7ADEBD8710B00890DF545CB250CA71FC42C7A0

Function 006A04DF Relevance: 3.0, APIs: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000000,00000000,0069B4E0,00000000,00000000,00000000,00000000,?,00000000,?,00691BBF,00000000,00000000,00000000,00000000,006821F4), ref: 006A04E8
SetErrorMode.KERNEL32(00000000,?,00000000,?,00691BBF,00000000,00000000,00000000,00000000,006821F4,00000000), ref: 006A04EF

Part of subcall function 006A0542: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 006A0573
Part of subcall function 006A0542: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 006A0614
Part of subcall function 006A0542: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 006A0641

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 4c325d04a5f0d6e4267e33b216cf9a87f0f65cdbc345125136d542c27478d317
Instruction ID: bac4e00a4e70e1717ff80ceb1c31de0e78ddff4d0a823e1d6ca1d2927017d611
Opcode Fuzzy Hash: 4c325d04a5f0d6e4267e33b216cf9a87f0f65cdbc345125136d542c27478d317
Instruction Fuzzy Hash: 99F090B49143118FDB94FF24D545B497BEAAF49710F06849EF4488B3A2CB70D840CF9A

Function 00695AE6 Relevance: 3.0, APIs: 2, Instructions: 31fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,?,00000001,?,005BDA3F,-00000010,?,?,00001011,00000000), ref: 00695B01
GetLastError.KERNEL32(?,?,005BDA3F,-00000010,?,?,00001011,00000000), ref: 00695B0E

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: b402cc0d89dcfbb95b312ef96cc12808fc3cbcc453e2601e4e810a9defec9065
Instruction ID: 925454e8fcc1a4d38e548afaf749c8041cbe5f9dad22e53178857bbba6d351a5
Opcode Fuzzy Hash: b402cc0d89dcfbb95b312ef96cc12808fc3cbcc453e2601e4e810a9defec9065
Instruction Fuzzy Hash: 6AF0A7361006047BCF216F95DC14E87BBAEFF55730F10C11AF92946564CB31A8008B60

Function 10019482 Relevance: 3.0, APIs: 2, Instructions: 30threadCOMMON

Download Yara Rule

APIs

Part of subcall function 100031A0: LoadCursorA.USER32 ref: 100031E6
Part of subcall function 100031A0: RegisterClassExA.USER32 ref: 1000320D

GetCurrentThreadId.KERNEL32 ref: 1001949E
SetWindowsHookExA.USER32(00000004,1001A4F0,?,00000000), ref: 100194AD

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ClassCurrentCursorHookLoadRegisterThreadWindows
String ID:
API String ID: 1908744831-0
Opcode ID: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
Instruction ID: 1960aa195ee1fe07530ea21f1dd313f19c5464d8ba1e979a915d34b59bad2663
Opcode Fuzzy Hash: 19cee74c161a8a1ef3f8c2fedae50ded263d7b6a45f83f2ca4177339b9e5c586
Instruction Fuzzy Hash: 40F082B9A001049FE314CF58E885B9A7BE8EB88711F00812AFA0BC7340EB31A451C751

Function 0068841C Relevance: 3.0, APIs: 2, Instructions: 30memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNEL32(00000000,00001000,00000000,00682172,00000001), ref: 0068842D

Part of subcall function 006882D4: GetVersionExA.KERNEL32 ref: 006882F3

HeapDestroy.KERNEL32 ref: 0068846C

Part of subcall function 0068BCE5: HeapAlloc.KERNEL32(00000000,00000140,00688455,000003F8), ref: 0068BCF2

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 93f11a5263b1ead9cc4c07324470462bcb4dc204936f8bc92a7023c5c43020e4
Instruction ID: b9f3a94b30038e2f7ad65cdff3eee61adefe3ee7c9e871b1add84bff456c4b70
Opcode Fuzzy Hash: 93f11a5263b1ead9cc4c07324470462bcb4dc204936f8bc92a7023c5c43020e4
Instruction Fuzzy Hash: BFF09B72596303AFEFA07B745C0A76936E79B40742F504929F551C91A0EF70C681A711

Function 00697543 Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 0069756A
CallWindowProcA.USER32(?,?,?,?,?), ref: 0069757F

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: f8e4541b742bda9d92195fa78d70fc4c29f7c3e90b2dac658db62484c40cfd57
Instruction ID: b515b80a5225269020c5a7c77219b58737aa9ddb9477968b974273d1b5fa36a7
Opcode Fuzzy Hash: f8e4541b742bda9d92195fa78d70fc4c29f7c3e90b2dac658db62484c40cfd57
Instruction Fuzzy Hash: B0F01536204208EFCF219F94DC08DDA7BBAFF09350B048428FA4686530DB32E920EF40

Function 00697179 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0069FB7D: TlsGetValue.KERNEL32(00908F44,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000,?,00691BBF,00000000,00000000,00000000,00000000), ref: 0069FBBC

GetCurrentThreadId.KERNEL32 ref: 0069719B
SetWindowsHookExA.USER32(00000005,00696F83,00000000,00000000), ref: 006971AB

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 43ed2762dd9d71883a69cf09b9963ceef8c4ce086f953f255cba19afeca53325
Instruction ID: 3822131800f7875805c81dd21fcdabd6c19520735c469869122a1f686f915608
Opcode Fuzzy Hash: 43ed2762dd9d71883a69cf09b9963ceef8c4ce086f953f255cba19afeca53325
Instruction Fuzzy Hash: 29E06D31204710AFDB70AF65A805B5777EFEB94B52F05052DE28686E94D631A804CF76

Function 00697675 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

GetWindowTextLengthA.USER32(?), ref: 00697682
GetWindowTextA.USER32(?,00000000,00000000), ref: 0069769A

Part of subcall function 00695636: lstrlenA.KERNEL32(?,00000104,00695E2E,000000FF), ref: 00695649

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: TextWindow$Lengthlstrlen
String ID:
API String ID: 288803333-0
Opcode ID: f0a3ff4b6dd44f6c2cba358cde508f914b892b07ec901295d7d215c18f8181d2
Instruction ID: 6cc3c7f18a0ee07f873131c05964c75bfd57a60328afb95a31a9da2e35d3b8c6
Opcode Fuzzy Hash: f0a3ff4b6dd44f6c2cba358cde508f914b892b07ec901295d7d215c18f8181d2
Instruction Fuzzy Hash: B4E03931108611EFCF58AF54E858CAA7BAAEF49320B148A6DB05B825B1CB31A846DB15

Function 1001C3E0 Relevance: 3.0, APIs: 2, Instructions: 6threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 1001C3E7
EnumThreadWindows.USER32(00000000), ref: 1001C3EE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Thread$CurrentEnumWindows
String ID:
API String ID: 2396873506-0
Opcode ID: d622cf26246987ff9e9421572da9bcdcb2b88d34bd5217939b00bcf58dbb3ef1
Instruction ID: 12c5552e0a4cb50a56c7161035d2123e8fa57657582dde7ac2283fab1c990b87
Opcode Fuzzy Hash: d622cf26246987ff9e9421572da9bcdcb2b88d34bd5217939b00bcf58dbb3ef1
Instruction Fuzzy Hash: BFB0027554511457ED1057A04D5DF95361C9744706F214440F305D50D0C67491A38755

Function 10019818 Relevance: 2.5, APIs: 2, Instructions: 45COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(00000054), ref: 1001981A
??2@YAPAXI@Z.MSVCRT(0000000C,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?,0000040C,?,?,10007AE0,?), ref: 10019EFD

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: e6a2a5606f05a9fb0a88c1fa756239c54736bf1f5f6895791adda2d0db9c1b8c
Instruction ID: c51b944b100109a9c67305362f38693a89095834d3b2e72ca071cf47241c3be2
Opcode Fuzzy Hash: e6a2a5606f05a9fb0a88c1fa756239c54736bf1f5f6895791adda2d0db9c1b8c
Instruction Fuzzy Hash: 87019EF1A047419FD758CF28945175ABBD0FB88710F00863EE91ACB381EB34E985CB86

Function 10024770 Relevance: 1.8, APIs: 1, Instructions: 266COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 10024A36

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ccc98896fe80d5754182099f52a7d0c2ef5bca29cf5af2a5b87928f1901503f8
Instruction ID: 0276685cddaf8491d1b69849fc3bfca2be8f4e4163da7e6ce67b870ed928455b
Opcode Fuzzy Hash: ccc98896fe80d5754182099f52a7d0c2ef5bca29cf5af2a5b87928f1901503f8
Instruction Fuzzy Hash: 358163BA308350AF9144DB58E491E7FB3E9EBD8710F51CD0DF55687244CB30AC8287AA

Function 100227C0 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000083,?,?), ref: 100227DD

Part of subcall function 10024E80: GetWindowInfo.USER32(?), ref: 10024E99
Part of subcall function 10024E80: IsWindowVisible.USER32(?), ref: 10024F00
Part of subcall function 10024E80: OffsetRect.USER32(?,?,?), ref: 10024F39
Part of subcall function 10024E80: OffsetRect.USER32(?,?,?), ref: 10024F4E
Part of subcall function 10024E80: EqualRect.USER32(?,?), ref: 10024F66
Part of subcall function 10024E80: EqualRect.USER32(?,?), ref: 10024F78

Part of subcall function 10022FD0: GetMenuItemCount.USER32(?), ref: 10022FE9
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 1002300D
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 10023021

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ItemMenuWindow$EqualOffset$CallCountInfoProcVisible
String ID:
API String ID: 2682827658-0
Opcode ID: ba77e99849152b532a34ce5233054817b3643cd4816e7d9f4adc947aa763c3b2
Instruction ID: e8be41dcc1f79ff3f90e0d34badb2271f0da0451bde1e7ce2bf7accdd2581f9d
Opcode Fuzzy Hash: ba77e99849152b532a34ce5233054817b3643cd4816e7d9f4adc947aa763c3b2
Instruction Fuzzy Hash: 9B711374601A029FC348CF69D994A56F7E2FF88314F65862DD85E8B755DB30F892CB80

Function 00683A35 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 00683B1C

Part of subcall function 0068AAE4: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00684C68,00000009,00000000,00000000,00000001,00688265,00000001,00000074,?,?,00000000,00000001), ref: 0068AB21
Part of subcall function 0068AAE4: EnterCriticalSection.KERNEL32(?,?,?,00684C68,00000009,00000000,00000000,00000001,00688265,00000001,00000074,?,?,00000000,00000001), ref: 0068AB3C

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 586d5748ee8e24fa5cc483c405fd088bb83d12e4d0b5ec590fbc4a704499f297
Instruction ID: 6c665b126fb14f320860abff7593f12e93e482e7211c28a30169482aab3696b9
Opcode Fuzzy Hash: 586d5748ee8e24fa5cc483c405fd088bb83d12e4d0b5ec590fbc4a704499f297
Instruction Fuzzy Hash: 0921B072A00225ABDB14FFA8DD42BDEB7A6EB00B30F144319F420EB3C0C774AA418B54

Function 00696AE0 Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00696AE5

Part of subcall function 0069FB7D: TlsGetValue.KERNEL32(00908F44,?,00000000,0069F604,0069EEF7,0069F620,0069A219,0069B4C1,?,00000000,?,00691BBF,00000000,00000000,00000000,00000000), ref: 0069FBBC

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: 2cb5c287767a0e3608d9660cf429e3d9915ae955f5357fda776e4040163ea94f
Instruction ID: c62af3ee0b618bdf6d11b39acff12718bb41d2216f75670dd16b8ee6f4e7a70a
Opcode Fuzzy Hash: 2cb5c287767a0e3608d9660cf429e3d9915ae955f5357fda776e4040163ea94f
Instruction Fuzzy Hash: A0215972A00209EFCF45DF54C581AEE7BBAFF48354F00406AF915ABA91D770AE55CBA0

Function 100154E0 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000083,?,?), ref: 100155BB

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 5d0bdd36328f84d96af1c0e60120005e76f9a7083c5701b91d0d2ef7dfa2a6cb
Instruction ID: 664da86f57333d2594dda9d77ea2a9eee9da370e28bc646d6d5ed37cb1cf24e2
Opcode Fuzzy Hash: 5d0bdd36328f84d96af1c0e60120005e76f9a7083c5701b91d0d2ef7dfa2a6cb
Instruction Fuzzy Hash: E2212674600B02DFD354CF29C890E96BBE6EF88324F14866DA55E8B365CB31F881CB50

Function 00697207 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,0060A461,?,?,?,?,?,?,?,?,?), ref: 006972A5

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 3431e973c6ee7721b4726d6cf38ae1044cfe4435cf00153356f36042c0829640
Instruction ID: 89b795add26894a9a9cc3edbdcf594ddb98d6ad83e90d0c26161cd7053433791
Opcode Fuzzy Hash: 3431e973c6ee7721b4726d6cf38ae1044cfe4435cf00153356f36042c0829640
Instruction Fuzzy Hash: 3631AA79A10219AFCF41DFA8C944ADEBBF6BF4C310F158069F908E7210E7359A519FA4

Function 00696A09 Relevance: 1.5, APIs: 1, Instructions: 39windowCOMMON

Download Yara Rule

APIs

Part of subcall function 006996FF: GetWindowLongA.USER32(?,000000F0), ref: 0069970B

SendMessageA.USER32(?,0000036E,?,00000000), ref: 00696A5D

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: LongMessageSendWindow
String ID:
API String ID: 3360111000-0
Opcode ID: 16f2af22e700e3e9cb0fc44b016c969f493ad38729b7b8db8a91875172171e29
Instruction ID: f1b778f8f65b0f0b60b2b4c42a9185d79cee7c4226f8cac84d1819fbea3a0eaa
Opcode Fuzzy Hash: 16f2af22e700e3e9cb0fc44b016c969f493ad38729b7b8db8a91875172171e29
Instruction Fuzzy Hash: ABF06876600708AFDF019F99D8819AEB7BEFF45750F10802AF501E7650EAB0EE0187A0

Function 00698788 Relevance: 1.5, APIs: 1, Instructions: 33windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000202B,?,?), ref: 006987A5

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 00c7de477d3c68e90cb7b1dbdf6a4cdb4cb5811a03eb2769e98c861548ffb91e
Instruction ID: b4cb42c3387a29388778933fdc4b61f1a876bb22acaba86aa71a6f70fc5c2975
Opcode Fuzzy Hash: 00c7de477d3c68e90cb7b1dbdf6a4cdb4cb5811a03eb2769e98c861548ffb91e
Instruction Fuzzy Hash: C6F01D36500209AFDF115E90D880BEE7B6FBF05714F244829F9196FA61CB32DD61DB50

Function 00696D57 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a49c624c6404d3334b761d3254c05257aca3161a464cc373ff50f96c7b8dcdf
Instruction ID: f5859adbba6beb3fb76db035690d017d7b937ef73763d21c178bc570cefd90d7
Opcode Fuzzy Hash: 3a49c624c6404d3334b761d3254c05257aca3161a464cc373ff50f96c7b8dcdf
Instruction Fuzzy Hash: 58F01C36141719FBCF125E80DC04DEA3B2EAF04361F008415FA2555860C776D565EFA5

Function 0069AC93 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069AC98

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f3095d2028c6c01cfb68bf7f09824238d1ba4f5b30ddeb6af8f3666f464e442a
Instruction ID: 762f1f5ca4550a258250baace070c3874b74125991cfb67ea41c62d4a86239b7
Opcode Fuzzy Hash: f3095d2028c6c01cfb68bf7f09824238d1ba4f5b30ddeb6af8f3666f464e442a
Instruction Fuzzy Hash: A0E01A75D01208DFCB40EFA8D5056AEBBF5FB48314F20857EE405E2601E3318E02CBA1

Function 005E7D20 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00BF0000,00000000,00000008,?,?,005C0141,00000008,?), ref: 005E7D31

Part of subcall function 005DF650: wsprintfA.USER32 ref: 005DF662

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: AllocateHeapwsprintf
String ID:
API String ID: 1352872168-0
Opcode ID: 7ca36ae2c40924570e04c368218e41a2f7c2790ce34f741881c13e587d36e006
Instruction ID: 7d00a5bff9c455e5b5f60c6ff01099db412f908ef0e8c879ce949926f11e2e9b
Opcode Fuzzy Hash: 7ca36ae2c40924570e04c368218e41a2f7c2790ce34f741881c13e587d36e006
Instruction Fuzzy Hash: A5E0ECB590420CFBDB14DFA4ED59AAA7BB8FB48300F104659F9099B341E632EE40DB95

Function 100223F0 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000046,?,?), ref: 1002241D

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: e3bc2e746433023f95ead78f46c0119a23b9cb0d4e988137bf02804617c1a965
Instruction ID: 7a9d2a18568fca2f1777ed7b6681e46c759f9dce21c5a15a22889261b2edb605
Opcode Fuzzy Hash: e3bc2e746433023f95ead78f46c0119a23b9cb0d4e988137bf02804617c1a965
Instruction Fuzzy Hash: 41E092B6A00201ABD644DE98D885E52B3E9EBA8784B248058F64CCB255D236ED87DB91

Function 0069AD9C Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 0069ADB3

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: cffe3ade15676af77ec8942256eb73c44084609f6a31a2ebb3800ea6fa43bc10
Instruction ID: caf159088dd21b6a3b54e98a9e356fe637f40e26df3717ee8465cb37cf63b4ea
Opcode Fuzzy Hash: cffe3ade15676af77ec8942256eb73c44084609f6a31a2ebb3800ea6fa43bc10
Instruction Fuzzy Hash: CAD0A7724083629BCB41DF609808D8FBBE9BF55320B054C4DF48083112E321D404CB62

Function 1001C400 Relevance: 1.5, APIs: 1, Instructions: 13COMMON

Download Yara Rule

APIs

Part of subcall function 1001C450: GetPropA.USER32(?,SHE), ref: 1001C463
Part of subcall function 1001C450: RemovePropA.USER32(?,SHE_A), ref: 1001C471
Part of subcall function 1001C450: SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1001C47F
Part of subcall function 1001C450: GetPropA.USER32(?,SHE), ref: 1001C48B
Part of subcall function 1001C450: IsWindowVisible.USER32(?), ref: 1001C4AF
Part of subcall function 1001C450: InvalidateRect.USER32(?,00000000,00000001,?,?,?,1001C40B,?), ref: 1001C4BD
Part of subcall function 1001C450: SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,?,1001C40B,?), ref: 1001C4CE

EnumChildWindows.USER32(?,1001C430,?), ref: 1001C419

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop$Window$ChildEnumInvalidateMessageRectRemoveSendVisibleWindows
String ID:
API String ID: 3749985120-0
Opcode ID: b9a06091cf27c0a1cdba5cc864607ad6be3b95ef9907f11268cd4fc7a1c9827e
Instruction ID: 9d20c7b3d0f7a05e384f27410cf9e7c35a197a4ef50129b58ecd41070bc00b86
Opcode Fuzzy Hash: b9a06091cf27c0a1cdba5cc864607ad6be3b95ef9907f11268cd4fc7a1c9827e
Instruction Fuzzy Hash: 1AC0127901913067E100D7089C50DDB725CEF55218F004411F94497200C334F99647E6

Function 00699795 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(?,005EB2CA), ref: 006997A3

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: TextWindow
String ID:
API String ID: 530164218-0
Opcode ID: 976511ab485e600d6d9ec136b3e4be0f1cb1690e7570aea46be81987ee12290f
Instruction ID: 6efa054a5ba9f4a54e824537c5c81f017226aece51b0503c478fc3040fa1ca35
Opcode Fuzzy Hash: 976511ab485e600d6d9ec136b3e4be0f1cb1690e7570aea46be81987ee12290f
Instruction Fuzzy Hash: 7ED09E34604100DFCF459FA4D958A15B7B6BF94705B249968F046CA565DB32DC12EB50

Function 00699882 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,00000004,006990B3,00000001), ref: 00699890

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: a036a09e40000de4e15da71341883008812acae4f1ff4ffb96d59ef028c14d17
Instruction ID: d7e6f0df9a370c56d337c1aaf4c80bdc3c00e24676ce88f278fcb13491eb4f8e
Opcode Fuzzy Hash: a036a09e40000de4e15da71341883008812acae4f1ff4ffb96d59ef028c14d17
Instruction Fuzzy Hash: ACD05E306002009FCF048F20CA04A0577A2BF91304B20586CE00586561E332CC12EB00

Function 10013720 Relevance: 1.5, APIs: 1, Instructions: 7windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F2,00000000,00000000), ref: 1001372D

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: d102f5a994199ecbae38a8bf162942365c1c1ec884b4c8760e8e85280e29fec2
Instruction ID: 7f6d1ec73a62ab110425be29495af5b6e635f02e2435d0823e1a95cbb802a244
Opcode Fuzzy Hash: d102f5a994199ecbae38a8bf162942365c1c1ec884b4c8760e8e85280e29fec2
Instruction Fuzzy Hash: 23B012747C0313B7FD308750CD4AF0036246700B00F30C040B308AD4C1C9E1A802CB08

Function 10025D00 Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(0000045C,10025D96,?,10026268,?,?,?,?,?,?), ref: 10025D0F

Part of subcall function 10019250: 6E8E4BC0.MSVFW32 ref: 10019374
Part of subcall function 10019250: GetVersion.KERNEL32 ref: 10019392

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@Version
String ID:
API String ID: 2373634075-0
Opcode ID: f27efdd1245afede06008fc464cf577d34035a28804bbbb13cb8f8ca7a3b9afa
Instruction ID: 7e419e08a8c89389e48617f3b5b6180ff5c9c39a8ef321e5e2b9f2201d5a6f9d
Opcode Fuzzy Hash: f27efdd1245afede06008fc464cf577d34035a28804bbbb13cb8f8ca7a3b9afa
Instruction Fuzzy Hash: 29E09A787001098FE728CB78ECD4E2637E1EBD8600B21853DE90AC3292FA31E862D604

Non-executed Functions

Function 005413CE Relevance: 36.3, Strings: 23, Instructions: 7548COMMON

Download Yara Rule

Strings

U8k, xrefs: 0054155D
U8k, xrefs: 00541404
U8k, xrefs: 005413E9
U8k, xrefs: 005414F1
U8k, xrefs: 00541527
U8k, xrefs: 005415C9
U8k, xrefs: 0054163C
U8k, xrefs: 0054161A
U8k, xrefs: 0054147E
U8k, xrefs: 005415E4
U8k, xrefs: 00541657
U8k, xrefs: 00541542
U8k, xrefs: 005414B4
U8k, xrefs: 00541499
U8k, xrefs: 005414D6
U8k, xrefs: 0054143A
U8k, xrefs: 0054141F
U8k, xrefs: 0054150C
U8k, xrefs: 005415AE
U8k, xrefs: 00541593
U8k, xrefs: 005415FF
U8k, xrefs: 00541578
U8k, xrefs: 00541463

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k$U8k
API String ID: 0-1719796224
Opcode ID: bce7397dd8c5b39671c52a64c45bbba76e5e1e4383b3256d8ff8765c5af3f054
Instruction ID: d09725406e9cb0a6d87388c560619c9d746f6ba3909d78aca6dc0c9debc3c95e
Opcode Fuzzy Hash: bce7397dd8c5b39671c52a64c45bbba76e5e1e4383b3256d8ff8765c5af3f054
Instruction Fuzzy Hash: A0C3C5B1E44215E7FB209A64DC86FE97B75FB04310F104198F648BA2C1EBF5AEA4CB15

Function 10023070 Relevance: 25.9, APIs: 17, Instructions: 358windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10023094
IsRectEmpty.USER32(?), ref: 10023107
IsIconic.USER32(?), ref: 10023115
IsRectEmpty.USER32(?), ref: 100231E6
IsZoomed.USER32(?), ref: 100231F4
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
GetMenuState.USER32(00000000), ref: 1002331E
IsRectEmpty.USER32(?), ref: 100233BD
SetBkMode.GDI32(?,00000001), ref: 100233CA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: EmptyRect$Menu$IconicModeStateSystemVisibleWindowZoomed
String ID:
API String ID: 549281773-0
Opcode ID: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
Instruction ID: d06e77375d5cb7ab1f1ac25b83a2b383d651d1881662a64e5f1b630b1572dc97
Opcode Fuzzy Hash: 0859ee2c90a4b87bb8b63a2d08eab5df806f4869aada2a1f22d7c7a97dd138e1
Instruction Fuzzy Hash: 1DD16CB9241B06AFE324CB64DCC4FAB73A9FF84744F60891CE55A87241E634FD468B60

Function 10006010 Relevance: 25.7, APIs: 17, Instructions: 164windownativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 1000601C
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10006032
SendMessageA.USER32(?,000000A2,00000000,?), ref: 10006052
GetWindowRect.USER32(?,?), ref: 10006062
IsRectEmpty.USER32(?), ref: 1000608D
PtInRect.USER32(?,?,?), ref: 100060A0
GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 100060BF
GetMenuState.USER32(00000000), ref: 100060C6
SendMessageA.USER32(?,00000112,0000F180,?), ref: 100060F9
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,10004C8B), ref: 10006113

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageRectSendWindow$Menu$EmptyEnabledNtdllProc_StateSystem
String ID:
API String ID: 2671586774-0
Opcode ID: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
Instruction ID: db1f306a8784ca8736970017476ad2195cdbaa505f3b9dba42231a781a1f9d91
Opcode Fuzzy Hash: f247dd20f8a3ef77669b665c33eb62aa311374e3ee6afc9b99d1d99878e1aa7b
Instruction Fuzzy Hash: 1551AE75240716AFF320DBA5CC89FAB77EDEB88780F20492CF55683695DA34E945CB20

Function 10021800 Relevance: 19.7, APIs: 13, Instructions: 170windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 1002198A
GetMenuItemID.USER32(?,?), ref: 100219E3
SendMessageA.USER32(?,00000111,00000000), ref: 100219F3
CallWindowProcA.USER32(?,?,000000A2,?,?), ref: 10021A38

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallItemKillMenuMessageProcSendTimerWindow
String ID:
API String ID: 2515994771-0
Opcode ID: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
Instruction ID: 89b724dc2ca4cdc55add286efa33b9077fff919ea1f62498a6f78f4254ff7468
Opcode Fuzzy Hash: 3b3b23c477d770ed4f7aa771234f3d45869d44fa6d65c12bb79bc5aa267ef81e
Instruction Fuzzy Hash: 64518179304702AFE354DB64D895FEBB3E9FB98740F50891DF696C6190CB70A886CB50

Function 10009340 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10009350
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000936C

Strings

SHE, xrefs: 1000934A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
Instruction ID: 66a860390867b69e52e3412568fee3c891a1f5c98dd500308f81789add6bf3bd
Opcode Fuzzy Hash: 9ead5d21b62799828bb9cc85ce7bf4125b4fa391575515c34ce0a3c6fe3e6a79
Instruction Fuzzy Hash: E941907A205600ABE200DB58DC84DABB3E8FBC4751F50491DF98683251C774ED0ACBB2

Function 1000C3F0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000C400
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000C41C

Strings

SHE, xrefs: 1000C3FA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
Instruction ID: e4712fcc12151d2cebdf1b72559aff8232ef5eb8468fa4595113e4497e6478ba
Opcode Fuzzy Hash: d5b8f05a9e68d77798507910b0dc128c9ddebfdd8b18848f9afa2fd6e5e951aa
Instruction Fuzzy Hash: 7F419F7A205704ABE250EB58DC88D6BB7E8FBC8751F50491DF94283252C774ED0A8BB2

Function 005E0030 Relevance: 18.3, APIs: 12, Instructions: 273windowthreadnetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005E0055
IsWindow.USER32(00020400), ref: 005E0071
SendMessageA.USER32(00020400,000083E7,?,00000000), ref: 005E008A
ExitProcess.KERNEL32 ref: 005E009F
FreeLibrary.KERNEL32(?), ref: 005E0183
FreeLibrary.KERNEL32 ref: 005E01D7
DestroyIcon.USER32(0012023F), ref: 005E0227
DestroyIcon.USER32(00010403), ref: 005E023E
IsWindow.USER32(00020400), ref: 005E0255
DestroyIcon.USER32(?,00000001,00000000,000000FF), ref: 005E0304
WSACleanup.WS2_32 ref: 005E034F

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: DestroyIcon$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 3816745216-0
Opcode ID: 42ebcb66921771243638a6dda88637871bea3cb5f899dff8711f44241657d514
Instruction ID: ffdcbe38da6ef9eaa8f6335396674c6655c4650148593162a15abbc592053156
Opcode Fuzzy Hash: 42ebcb66921771243638a6dda88637871bea3cb5f899dff8711f44241657d514
Instruction Fuzzy Hash: 01B17D706007429FCB28DF75C8D9BAABBE5BF88300F50592DE59AC7291DB70B981CB51

Function 00696385 Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0069638A
FindResourceA.KERNEL32(?,00000000,00000005), ref: 006963C2
LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006963CA

Part of subcall function 006971C5: UnhookWindowsHookEx.USER32(?), ref: 006971EA

LockResource.KERNEL32(?,?,?,?), ref: 006963D7
IsWindowEnabled.USER32(00000000), ref: 0069640A
EnableWindow.USER32(00000000,00000000), ref: 00696418
EnableWindow.USER32(00000000,00000001), ref: 006964A6
GetActiveWindow.USER32 ref: 006964B1
SetActiveWindow.USER32(00000000,?,?,?,?), ref: 006964BF

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: 63b5d490bdeaf0c745d7095f4b5e123635102f37d1a1efd775dc635f507866d9
Instruction ID: e2f66decd2cd6e44b34c0ef669e47e255909020688fddda79adb10b0c7e61f93
Opcode Fuzzy Hash: 63b5d490bdeaf0c745d7095f4b5e123635102f37d1a1efd775dc635f507866d9
Instruction Fuzzy Hash: BA418030900715DFDF21AFA8C949AAEBBFBAF44B11F10451DF102A2A91DB769D01CFA5

Function 10017BA0 Relevance: 12.9, APIs: 6, Strings: 1, Instructions: 613COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 10017FBB

Strings

d, xrefs: 10017CB8

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ObjectSelect
String ID: d
API String ID: 1517587568-2564639436
Opcode ID: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
Instruction ID: 4b82767d9c842e9e08e3940738fc6923ca1a8521680a6cc2111a8d75eee5b889
Opcode Fuzzy Hash: bde552e54f32443e204c6f3d8f074d9ca5ab16db1e7efedaa453502c1c712233
Instruction Fuzzy Hash: 4A32E571A047128FD319CF14D8907AAB3E5FFC8340F558A7DE8969B291D734EA89CB42

Function 100098B0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 85nativetimeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 100098BE
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100098DA
KillTimer.USER32(?,?,00000000), ref: 10009914

Strings

SHE, xrefs: 100098B8

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: KillNtdllProc_PropTimerWindow
String ID: SHE
API String ID: 3733616403-2947365353
Opcode ID: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
Instruction ID: adc7337034f0b9ec4e7ed3ed95778db363d18d8614baef39ea8ea303d17308f6
Opcode Fuzzy Hash: 3c55ececde0a7ee3e163387940c24b6939577072ee2d8cbbac78a905ef7d04e5
Instruction Fuzzy Hash: EF21F336305215ABE210DA54ECC4E7F77ACEBC5BE1F10451EF68293241C726AC069761

Function 10005940 Relevance: 12.1, APIs: 8, Instructions: 83nativetimeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 10005959
GetWindowRect.USER32(?,?), ref: 1000596C
PtInRect.USER32(?,?,?), ref: 1000599D
PtInRect.USER32(?,?,?), ref: 100059B4
PtInRect.USER32(?,?,?), ref: 100059CB
PtInRect.USER32(?,?,?), ref: 100059E2
KillTimer.USER32(?,00006625,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 100059F2

Part of subcall function 10004E30: GetWindowRect.USER32(?,?), ref: 10004E5F

NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,?,?,?,?,10004CEB,?,?,00000000,?,?), ref: 10005A27

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$CursorKillNtdllProc_Timer
String ID:
API String ID: 1632373092-0
Opcode ID: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
Instruction ID: 9a3ddf00fd3851daef2864d54b78be332d389b06acf702b9600ba59b9845d60c
Opcode Fuzzy Hash: b8796e62a7e9f8a1269d68023e98339359b7a28a012fa2bbc78eefee34ee6aa6
Instruction Fuzzy Hash: 51212CB6614302AFE314DB64CC88C6BB7E9FFC8794F008A1DF49AD3214D631E9058B62

Function 1000B6E0 Relevance: 11.6, APIs: 5, Strings: 1, Instructions: 1050COMMON

Download Yara Rule

APIs

73F84D40.GDI32(?,00000000,?,?,?,?,?,?,00CC0020,75756BA0,00000000,00000000,?,?,1002CDA8), ref: 1000BB67
73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 1000BE29
73F84D40.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BEF2
OffsetRect.USER32(?,1000329E,000000FF), ref: 1000BFA9
73F84D40.GDI32(?,?,?,00000020,?,?,?,?,00CC0020), ref: 1000BC0B

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Part of subcall function 1000B4C0: SelectObject.GDI32(00000000,00000000), ref: 1000B55F
Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,00BD2B74,?,?,00000000,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?), ref: 1000B5BA
Part of subcall function 1000B4C0: DeleteObject.GDI32(?), ref: 1000B5C5
Part of subcall function 1000B4C0: DeleteDC.GDI32(00000000), ref: 1000B5CC

Part of subcall function 1000B5F0: 73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,1000BBE1,?,?,?,?,?), ref: 1000B646

Part of subcall function 1000B120: 73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B1A0
Part of subcall function 1000B120: 73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B216

Part of subcall function 1000B120: 73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B273
Part of subcall function 1000B120: 73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B2C9

Strings

s, xrefs: 1000BB67, 1000BC0B, 1000BE29, 1000BEF2

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: 74001530DeleteObject$OffsetRectSelect
String ID: s
API String ID: 3996303290-453955339
Opcode ID: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
Instruction ID: b631010fc7c61f0dbc485572ac6f53e1cb0354f72aed0dfdbd8fa92e86ef0b76
Opcode Fuzzy Hash: cac2739ba0984c5b844557e8b4f5d791b105f7fe2c822b0771468b378f7f900f
Instruction Fuzzy Hash: F872B6B5700901AFD358CE6ECE95D27F7EAEFC8610314CA1CA55EC3A5CEA30F8558A64

Function 005FE680 Relevance: 11.2, Strings: 8, Instructions: 1189COMMON

Download Yara Rule

Strings

WEDT, xrefs: 005FEC1D
WCDB, xrefs: 005FE8A1
EDT, xrefs: 005FEB78
ENX, xrefs: 005FEE42
EDB, xrefs: 005FE71A
WEDB, xrefs: 005FE852, 005FE858
WEDB, xrefs: 005FE870
WENX, xrefs: 005FEFAB, 005FEFB6

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: EDB$EDT$ENX$WCDB$WEDB$WEDB$WEDT$WENX
API String ID: 0-3140496049
Opcode ID: 3db61376f8749df3261f3da93820f35f83081bfffd94b8dbca1a61c97b93d166
Instruction ID: 0c5594e3ecda07ccc3b87f6a6f1b92ad5fd27dafe0c89e3b2ca7c5e71a14d704
Opcode Fuzzy Hash: 3db61376f8749df3261f3da93820f35f83081bfffd94b8dbca1a61c97b93d166
Instruction Fuzzy Hash: F5A2E270A0021EDBDF14DF68C885BFDBBB5BF54310F208569EA16AB281D7349E45CB91

Function 10008310 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 99nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000831C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008338

Strings

SHE, xrefs: 10008316

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
Instruction ID: d5cf22ff5653e0c4365a76e3bc0a6f530f10b9ff97d098438d5549bdcf248cbb
Opcode Fuzzy Hash: 76ff8970db67151db0b6f6ec3473056875dcff3a0f31a7fb73f1cb6230d5cb84
Instruction Fuzzy Hash: 0E216476308612ABE204DB18EC84EAF77A9EBD8760F104919F181D7295C770ED9687B1

Function 1001FD50 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 90nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001FD66
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FD7E
FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1001FDBE
GetPropA.USER32(00000000,SHE), ref: 1001FDD0
GetWindowRect.USER32(00000000,?), ref: 1001FDED

Strings

SHE, xrefs: 1001FD60, 1001FDCA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Prop$FindNtdllProc_Rect
String ID: SHE
API String ID: 1621342347-2947365353
Opcode ID: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
Instruction ID: 6b8d0221fe97fab34533167ca4c9a37e3e90209f2d168c5ada330748bbe964d0
Opcode Fuzzy Hash: e209e126209f789dd80fe51a7b19f8c596f70caf1b5d236961e23ecb73bb45dc
Instruction Fuzzy Hash: F83187356042009FD304DF18C888E7BB3E9FBD8654F55895DF9459B352C730EE468B66

Function 10006210 Relevance: 9.1, APIs: 6, Instructions: 56windownativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10006219
SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 1000622F
SendMessageA.USER32(?,000000A3,00000000,?), ref: 10006251
IsZoomed.USER32(?), ref: 10006263
SendMessageA.USER32(?,00000112,0000F120,?), ref: 1000628C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000629E

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Window$EnabledNtdllProc_Zoomed
String ID:
API String ID: 1736178447-0
Opcode ID: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
Instruction ID: 53ad444b2308a7bebedf1b38f9ffedf2fa5899a07a2aa37d5df76109a97d8af9
Opcode Fuzzy Hash: 31b90f1f2f4758470e2ea2747ea2563a49cebe7bfef6ce3f53ee5ca3d1f04934
Instruction Fuzzy Hash: E1118E35305B12EFE220CB95DC84E9BB3EDEB8CB40F20880CF68597594C670E841C764

Function 10008710 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 176nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000871D
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008739

Strings

SHE, xrefs: 10008717

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
Instruction ID: 4fac22d2b0eaef5fff40d3138b4cbdac12c866ca4beaf184c634f33bf18d14c9
Opcode Fuzzy Hash: 826a2f52f7e6cf888468cf574442a5b1d842237e04ebc0d74020836fc4713a4a
Instruction Fuzzy Hash: 055164763041119BE204DA48D8D4DBFB3AEEBD4392F14842BF68187296CB71EC5697B2

Function 1001FEA0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001FEAD
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001FEC9

Strings

SHE, xrefs: 1001FEA7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
Instruction ID: 62426f1cfc6e2e8613ee12b2a616a1d9dd04dd25ff66616f45cf830b1ca35ad5
Opcode Fuzzy Hash: 5716e03bdd05c131fa1711044e4bacf8af709cbf5cb97f13cea4ef0443b835b5
Instruction Fuzzy Hash: 6341A6B77042115BE100DA58E8C4EBFB39ADBD83A1F50842FF68587252C770DC9697B5

Function 10011630 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 133nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001163C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10011658

Strings

SHE, xrefs: 10011636

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
Instruction ID: e71c5dea82c0fa7fedd5e34c1b30a37f09bcbf9f8200f5aed356c99c4536bfaa
Opcode Fuzzy Hash: 526c9ef3a2a92265fd59938002838eeed9a0dafe04fa7b4cf744bce3a05f278e
Instruction Fuzzy Hash: DB41767A7082119BD248DA08E894DAF73E9DBD8750F10491DF142CB396C770EC8A87B2

Function 10008D40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE_B), ref: 10008D4C
RemovePropA.USER32(?,SHE_B), ref: 10008D5E
CallWindowProcA.USER32(00000000,?,?,?,?), ref: 10008D88
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008DD0

Strings

SHE_B, xrefs: 10008D46, 10008D58

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PropWindow$CallNtdllProcProc_Remove
String ID: SHE_B
API String ID: 167436498-881925336
Opcode ID: 4fde51698650941a6b19f69bd186d707d8d7f3a0b8f26816a8294531b4babb50
Instruction ID: 7f1ce935ea723094267178f469a7703aac22c69bbb9d6f32e347a6d7df6c448d
Opcode Fuzzy Hash: 4fde51698650941a6b19f69bd186d707d8d7f3a0b8f26816a8294531b4babb50
Instruction Fuzzy Hash: 6D11697A105511ABA241DB18DC84CBF7BADEFD5790F10491DF58183296C720AD4AC7F6

Function 1000F750 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 165nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000F75C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000F778

Strings

SHE, xrefs: 1000F756

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: d06918abb0d3f2a99f0b8790ebeffd6e64b80bf03755ea9d7ece643dea9d183d
Instruction ID: 2528abf51e870a12b61f462225b441024f09dc823bf7e01d6d69a58c881fcfe4
Opcode Fuzzy Hash: d06918abb0d3f2a99f0b8790ebeffd6e64b80bf03755ea9d7ece643dea9d183d
Instruction Fuzzy Hash: A74177B63086119FE248DE08E865D7F73AADBD4750F10891DF14287296CB30AC8A97B6

Function 10014790 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 140nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001479C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100147B8

Strings

SHE, xrefs: 10014796

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: aabdaddb52ba19fe15e07398bace0ccf46ff83178fe0b4999134df6da741ce6e
Instruction ID: 5cef6116b7980ede2fc3cff8751f03a03dbdccd6a3174d1e1b5d14adc9a2bdd3
Opcode Fuzzy Hash: aabdaddb52ba19fe15e07398bace0ccf46ff83178fe0b4999134df6da741ce6e
Instruction Fuzzy Hash: 134153B67086119BD244DA18E8A5D7F73A9EBD4750F01481DF1428B3A6CF70EC8687B6

Function 1000FD50 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 131nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000FD5B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000FD77

Strings

SHE, xrefs: 1000FD55

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 44a9cc59f4e6ab64c4beb2c156f6846ce86c779df6cdf7289ec6719d91925d85
Instruction ID: 4488ee033ce5568a6e9b86f628f37d529af62b25991ac58fd4dce584937037cd
Opcode Fuzzy Hash: 44a9cc59f4e6ab64c4beb2c156f6846ce86c779df6cdf7289ec6719d91925d85
Instruction Fuzzy Hash: D9414AB63082459BE240DE54D980D7F73E9EBC4790F118C0EF5818765AC770EC8697B6

Function 1001C800 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001C80C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001C828

Strings

SHE, xrefs: 1001C806

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: f8d477e5692cdd5ca17986cf2d97dfdfc446317701b126a3d5f38e338d641d94
Instruction ID: 1e50225a5a76dfa976e6c4c56d3e30440892ed78c8c68004a9b13c076068a0f2
Opcode Fuzzy Hash: f8d477e5692cdd5ca17986cf2d97dfdfc446317701b126a3d5f38e338d641d94
Instruction Fuzzy Hash: A13155BB7083159BD240DE58E884D6F73A9EBD4760F108C1AF5819B256C770ECCA97B2

Function 1000DA90 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 117nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000DA9C
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000DAB8

Strings

SHE, xrefs: 1000DA96

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
Instruction ID: 228e3ab525f591684e137e6fd99d1f9435fde28c84332add3aa5917434ab564e
Opcode Fuzzy Hash: 6840023b0d9f93a644c901cc63a780c081a2c5d3ad5d97a37642cacfd9b32677
Instruction Fuzzy Hash: 6E31397A7042019BE100EE58E880D6F77E9DBD47A0F118C1BF6819725AC770DC8697B2

Function 1001E7F0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 102nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001E7FC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001E818

Strings

SHE, xrefs: 1001E7F6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 2bb6b4c9f7c8451d55efabac318bb80ec691770c947b02e026458401ab56470f
Instruction ID: 8b1d6d09460b07866bb12f6193a6cd946900c67d8b00bd84724c958df11b5175
Opcode Fuzzy Hash: 2bb6b4c9f7c8451d55efabac318bb80ec691770c947b02e026458401ab56470f
Instruction Fuzzy Hash: 063152BA6082519BD240DE58E880DAFB7E9EBD8751F108C19F281C7252C730ECCAD7B1

Function 10013DA0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10013DAC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10013DC8

Strings

SHE, xrefs: 10013DA6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 8ce96701103211df28a60adab9aab3bd328910b0f052636790040f0ca7b46eaf
Instruction ID: 4bf817b2858c0e7a759d776878d335dbdc853776b506ffad1926632038d3614c
Opcode Fuzzy Hash: 8ce96701103211df28a60adab9aab3bd328910b0f052636790040f0ca7b46eaf
Instruction Fuzzy Hash: 992133BB704211ABD240DA58E884D6F77E9DBD4760F11C919F541CB296C270DCCA97B1

Function 10012AD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 73nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10012ADB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012AF7

Strings

SHE, xrefs: 10012AD5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: f859cb2866e1b746edcdcea0132dc8f0da540a57dcf5b24eda86e99f76fe94e6
Instruction ID: d284b80dbbabb1398f9d2070992cac2ce438575b69408aea9e9a94da9e131599
Opcode Fuzzy Hash: f859cb2866e1b746edcdcea0132dc8f0da540a57dcf5b24eda86e99f76fe94e6
Instruction Fuzzy Hash: 5E111FFA208212AFD244DF58E984DAB73E9EBC8750F108D09F5819B245C734EC96C7B6

Function 10012BF0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10012BFC
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10012C18

Strings

SHE, xrefs: 10012BF6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 185552ad6ea6ac270079b2802cbaebd668f86dd486cc4b8468dc4ddae3fa65e1
Instruction ID: 2331f883b3d6d46fcb743b651009c8baabaccb07b2ddfb5f76acc19c2e81c812
Opcode Fuzzy Hash: 185552ad6ea6ac270079b2802cbaebd668f86dd486cc4b8468dc4ddae3fa65e1
Instruction Fuzzy Hash: 231154BA2082129BD204DF59E880DAFB7A9EBD4721F118C1AF641C7211C770EC96C7B1

Function 006A3073 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000017,0087C110,00000000,0000004C,0000004C), ref: 006A309F
CoCreateInstance.OLE32(?,00000000,00000007,0087C110,00000000), ref: 006A30B7
OleRun.OLE32(00000000), ref: 006A30C5

Strings

ac, xrefs: 006A3073

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CreateInstance
String ID: ac
API String ID: 542301482-1282211480
Opcode ID: 4eb9fc12876df7ef5c22458a726a79e014bad4e3e1c2fb8edac87ec5f4b1576b
Instruction ID: 19af0a409033f78ac907b999797ad0ad5aec2972d0558bc35d1fb840a9967572
Opcode Fuzzy Hash: 4eb9fc12876df7ef5c22458a726a79e014bad4e3e1c2fb8edac87ec5f4b1576b
Instruction Fuzzy Hash: D4112E71A00218FFDB10DF90CC89F9E7BB9EB06750F208069F504EA251D6759E409F54

Function 1001D330 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 52nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001D33B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1001D357
CallWindowProcA.USER32(?,?,?,?,?), ref: 1001D386

Strings

SHE, xrefs: 1001D335

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID: SHE
API String ID: 1641805499-2947365353
Opcode ID: 46341e93d8e58ef3595aaf0da966454599506139a11b45700178d658ee10fc8e
Instruction ID: 45f5a508404fa7b349f84285f489640ca45463347baf7dd885cba52e9e31337c
Opcode Fuzzy Hash: 46341e93d8e58ef3595aaf0da966454599506139a11b45700178d658ee10fc8e
Instruction Fuzzy Hash: 83017576205211AFD641EE68D894D9B77E9EBC8700F10CD0AF5819B209C370ED86C7B2

Function 10006350 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 49nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000635B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006377
CallWindowProcA.USER32(?,?,?,?,?), ref: 100063A3

Strings

SHE, xrefs: 10006355

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID: SHE
API String ID: 1641805499-2947365353
Opcode ID: b2e07a47a1426d67f7f142ce626aa22bb2d9af6c5e67b1305e8dc8a19f5800c8
Instruction ID: b12fdf80a4ee98a0669d910f96ba9de27c494e6b3a9d2ac390c97d8e35b7d40b
Opcode Fuzzy Hash: b2e07a47a1426d67f7f142ce626aa22bb2d9af6c5e67b1305e8dc8a19f5800c8
Instruction Fuzzy Hash: 2A010CB6205212AFE604DE54D844CAB77E9EBC8750F10890DF58597245C730ED4687B6

Function 1000E440 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 43nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000E44B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000E465
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E48F

Strings

SHE, xrefs: 1000E445

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID: SHE
API String ID: 1641805499-2947365353
Opcode ID: 84638921357078577de142535a6b59ebe40062ceaa83d5b013f43905e33e93f3
Instruction ID: 3a83241c110d65d65373b22bd99f22be1f6ecbda2895f89fe6f1498726ca76d1
Opcode Fuzzy Hash: 84638921357078577de142535a6b59ebe40062ceaa83d5b013f43905e33e93f3
Instruction Fuzzy Hash: A5F01DB6205611EFA204DF54ED44CAB77E9EBC8740F10C90DF545A7259D730EC0A87B2

Function 10006560 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 40nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000656B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10006585

Strings

SHE, xrefs: 10006565

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 49e39e83e9a89f6ca4b8d7cd12482889b2ec6db643a0077634f122c1e9a6dbe2
Instruction ID: 5dbf9fbb83ff20062e3ed168ee9e718ee031d4db6b7bc6fcd510bc647bf1e31e
Opcode Fuzzy Hash: 49e39e83e9a89f6ca4b8d7cd12482889b2ec6db643a0077634f122c1e9a6dbe2
Instruction Fuzzy Hash: A8F014B5209621AFE204DF40DC84DAB73A9EFC8740F208908F58697249C770ED46CBB2

Function 10020B70 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10020B7B
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10020B95
CallWindowProcA.USER32(?,?,?,?,?), ref: 10020BB8

Strings

SHE, xrefs: 10020B75

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$CallNtdllProcProc_Prop
String ID: SHE
API String ID: 1641805499-2947365353
Opcode ID: c3d1fd1e4d7f990324f643c9a0f4cf6b2b597ee975d3aeca719244d55fd90ff2
Instruction ID: 8febcc7cfdc6d2d48d38ff73ec199bb7e5977764db5be9c515e8769bbb7d267c
Opcode Fuzzy Hash: c3d1fd1e4d7f990324f643c9a0f4cf6b2b597ee975d3aeca719244d55fd90ff2
Instruction Fuzzy Hash: BFF03CB5209611AFE204DF54E898CAB73EAEFC8610F108D0DF58583252D770EC46CBB2

Function 10025780 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 10025794
IsZoomed.USER32(?), ref: 100257A2

Part of subcall function 10024730: ShowWindow.USER32(?,?,00000000,?,76C15440,1002584E,00000000), ref: 10024747
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024751
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 1002475B
Part of subcall function 10024730: ShowWindow.USER32(?,?), ref: 10024765

IsRectEmpty.USER32(?), ref: 10025808
IsWindowVisible.USER32(?), ref: 10025816

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Show$EmptyIconicRectVisibleZoomed
String ID:
API String ID: 3753707372-0
Opcode ID: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
Instruction ID: f748418fd072593a3d66f39f517992ca0597f05378dce08ab7b824f94379abf5
Opcode Fuzzy Hash: c1c3f4868670907c5ce2aaa56f8e4901cd67358b1a5e343eccb99875e79ee5f4
Instruction Fuzzy Hash: 6B213D34305B52CBE760CB35F888B9B73E8EF44786F82446DE45BDA240EB75E8418B48

Function 10008CB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10008CBB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10008CD7

Strings

SHE, xrefs: 10008CB5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: feaf19fdce81d9a1ca190ef1869b546541239fbc762c3de87076e7c699cb6eff
Instruction ID: ba7b9a7e75b5fd1a47e67aed631709819a18bd4e2cca9f68860d5bab8b638427
Opcode Fuzzy Hash: feaf19fdce81d9a1ca190ef1869b546541239fbc762c3de87076e7c699cb6eff
Instruction Fuzzy Hash: CA01FFB6209212AFE640DB54E880DAF73E9EFD4740F118D0DF58197255C770ED868BB6

Function 1000CBC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000CBCB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 1000CBE7

Strings

SHE, xrefs: 1000CBC5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: a25ab68950917d6236ee748f622a9537c84212b176b5efc6b59e8fcbf1fbc87d
Instruction ID: 539b395f2d12ac3cc3f2cd791ecb8ee3aacd8a81aa599b83fb95c9963a22f77c
Opcode Fuzzy Hash: a25ab68950917d6236ee748f622a9537c84212b176b5efc6b59e8fcbf1fbc87d
Instruction Fuzzy Hash: A0F04F76108655ABE200DB48E890DAF73E8EBC5740F11CC0DF485D7216C770EC8687B2

Function 100214B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 100214BB
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100214D5

Strings

SHE, xrefs: 100214B5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: c35ed24f15a732a2fb9719cd40208895b9e4687b4f23d394dfac90f4a6c104ed
Instruction ID: 2e47a34acdab9f8ecda0e86b8cba3aa85b6d9dc765e54781da42e49aa2a1b60d
Opcode Fuzzy Hash: c35ed24f15a732a2fb9719cd40208895b9e4687b4f23d394dfac90f4a6c104ed
Instruction Fuzzy Hash: 0CE0C075219651AB9204DF54E894CAB73E9EBC8700F118D0DF55593241C730AC458BB6

Function 10014EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10014EAB
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,1000C929,?,?,?,?), ref: 10014EC5

Strings

SHE, xrefs: 10014EA5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_PropWindow
String ID: SHE
API String ID: 2172124074-2947365353
Opcode ID: 783af7ae8caf7b65d366def2194d219bf0924809f2022b0113ac818fb61e7c82
Instruction ID: 23f51dd478920679ccafe8476a3c24c847d47fdfb480d2aa289d71b137eb8eb9
Opcode Fuzzy Hash: 783af7ae8caf7b65d366def2194d219bf0924809f2022b0113ac818fb61e7c82
Instruction Fuzzy Hash: 15E0C9B6219652AFA204DF54EC94CAB73EDEBC8700F118D0DF58597255CB30EC468BB6

Function 0067D2A3 Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f229e0f7b1bc2b716cd21636abe0148fcee8658066fa46abd7199e9c9d2f973e
Instruction ID: 62d2a9dd47cfb5093e42ca0ad35283ce74ac17248ff4886bd7e32a2dcd1cbad8
Opcode Fuzzy Hash: f229e0f7b1bc2b716cd21636abe0148fcee8658066fa46abd7199e9c9d2f973e
Instruction Fuzzy Hash: 9EF03731500109ABDF01AF71DD48AAE3BBBAF11390B08C820F92AD4121DB31EA56EF61

Function 0069A5D9 Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0069A600
GetKeyState.USER32(00000011), ref: 0069A609
GetKeyState.USER32(00000012), ref: 0069A612

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: 7a1ba59a3d844e92cac9f2af2f84325acdade6743dc56ebdc55f36aad4a5a123
Instruction ID: 4f08c5510088e2ac304b660a43776a300b92f2cf2f3ecf8e42765f45c81fca63
Opcode Fuzzy Hash: 7a1ba59a3d844e92cac9f2af2f84325acdade6743dc56ebdc55f36aad4a5a123
Instruction Fuzzy Hash: DBE09B3558025D9DEF5056C08A00FF46ED65B00794F0D4455EAC4AB495DEE0D8439BFB

Function 100062B0 Relevance: 4.5, APIs: 3, Instructions: 28nativewindowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 100062CA
SendMessageA.USER32(?,00000313,00000000,?), ref: 100062E0
NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 100062F6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 29ef5c36759909998ca288fb9ceec95f70c955037747a1ce61ac65453ab41c58
Instruction ID: b518878becbef3456e94c07293a0586dd5aa6203277d98abda6802a90051a15b
Opcode Fuzzy Hash: 29ef5c36759909998ca288fb9ceec95f70c955037747a1ce61ac65453ab41c58
Instruction Fuzzy Hash: 4FF0F879204712ABE250CF65DD48E97B7FDEBD8740F20480CB58193260C770E949CB65

Function 10005900 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10005906
EnableWindow.USER32(?,00000001), ref: 10005913
NtdllDefWindowProc_A.NTDLL(?,?,?,?,?,10004C2B,?,?,?,?,?), ref: 10005929

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnableEnabledNtdllProc_
String ID:
API String ID: 1897713328-0
Opcode ID: d8f3d101fd2ff192c26bcb8c68b95ec9de1c7bd83f65ef2fc7084ca5d7d2d836
Instruction ID: 33976d3887a1ec7a0cf96d3802eee5120e501a190f8f2c604677c3bb47bb1761
Opcode Fuzzy Hash: d8f3d101fd2ff192c26bcb8c68b95ec9de1c7bd83f65ef2fc7084ca5d7d2d836
Instruction Fuzzy Hash: C5E0EC79116A22EFE201DF10DC88DAB77ACEF89751F108408F94193211C770AE068BAA

Function 006655A0 Relevance: 3.3, APIs: 2, Instructions: 278COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 006657EF
GlobalUnlock.KERNEL32(?), ref: 00665834

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Global$LockUnlock
String ID:
API String ID: 2502338518-0
Opcode ID: a40856b629597babf818bcb987f58b3f716b85793390287df95e45dd76726979
Instruction ID: 64df8c32f91eb9e734651812ab90013813c80175cdbc5348d2c06feefd775e77
Opcode Fuzzy Hash: a40856b629597babf818bcb987f58b3f716b85793390287df95e45dd76726979
Instruction Fuzzy Hash: 6591B6762001058BDB08DF14D8855BAF7E6FF88320B58C1ADED4E8B355EB36D885C7A0

Function 00609480 Relevance: 2.5, APIs: 1, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8603e78bcaa07ca77d24e34a73a2884c637ac09073518441a4a987bfb82c6653
Instruction ID: 3e7f669c6039e60feda3537b35516c30f6de88b362bc946a56c18776fdd0bc6f
Opcode Fuzzy Hash: 8603e78bcaa07ca77d24e34a73a2884c637ac09073518441a4a987bfb82c6653
Instruction Fuzzy Hash: AD925571648B418FD329CF29C0906A7FBE2EF99304F24892DD5DB87BA2D631B845CB51

Function 005EB300 Relevance: 2.1, APIs: 1, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e85d96860ab1808ee8419e1598777b976ece19128c461c69847cd3e0e381b656
Instruction ID: fba948c506b9dbbeee5f4350aa95cc812496134bb883b3df89a807fab9c4e44c
Opcode Fuzzy Hash: e85d96860ab1808ee8419e1598777b976ece19128c461c69847cd3e0e381b656
Instruction Fuzzy Hash: 0832C571E00246DFDF18DFA5C891BAEBBB6BF48311F244669E546A7381D730AD40CB91

Function 10004BD0 Relevance: 1.6, APIs: 1, Instructions: 111nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004D01

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: NtdllProc_Window
String ID:
API String ID: 4255912815-0
Opcode ID: 31a8e49bf0f8921b0a2aa4cc36cf9ef07e022d74f52cb5b04577164ebb7e90d0
Instruction ID: 0b222c3024169f657697f4807f45d8ba6cc9b1c5df0fdb5bc05cb1375a895788
Opcode Fuzzy Hash: 31a8e49bf0f8921b0a2aa4cc36cf9ef07e022d74f52cb5b04577164ebb7e90d0
Instruction Fuzzy Hash: 4431A9FA618241AFD248DF58D891C2BB3E9EBD8700F54890CB69587256D731EC19CB72

Function 100048E0 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004929

Part of subcall function 10004800: IsWindowEnabled.USER32(?), ref: 10004809
Part of subcall function 10004800: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction ID: 225bf36e4a0812ad4753787a01e5a8dd77c9d750d7cfa771ec93f23d9b1118eb
Opcode Fuzzy Hash: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction Fuzzy Hash: CCF0B6F9618242AFE204DB54D890D2BB3E9EBC8780F118D1DB685C3265DA30ED04CB36

Function 10004510 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10004559

Part of subcall function 10004430: IsWindowEnabled.USER32(?), ref: 10004439
Part of subcall function 10004430: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction ID: 426c8d43d59635654131c640abf00cd082b32ef771906314d33d0ca2d6834fbf
Opcode Fuzzy Hash: 85290e7a88c611dc07aaac6370783e7bcb03fd41bf1290a2f333ba97cf3b24a8
Instruction Fuzzy Hash: B2F0B6F9618642AFE204DA54D881D2BB3E9EBC8780F518D0DB68583256DA30EC44CB36

Function 10002E40 Relevance: 1.5, APIs: 1, Instructions: 39nativeCOMMON

Download Yara Rule

APIs

NtdllDefWindowProc_A.NTDLL(?,?,?,?), ref: 10002E89

Part of subcall function 10002C90: IsWindowEnabled.USER32(?), ref: 10002C9C
Part of subcall function 10002C90: SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnabledMessageNtdllProc_Send
String ID:
API String ID: 2494340020-0
Opcode ID: eafbc55fe3c2f1772681b34cb3290cd541762abe2b2c9e9570eb85c6031177f9
Instruction ID: 6bebc549723526bab81e68595eedc138839718632c5911c4ede022b626121a3a
Opcode Fuzzy Hash: eafbc55fe3c2f1772681b34cb3290cd541762abe2b2c9e9570eb85c6031177f9
Instruction Fuzzy Hash: E8F0B6B9608242AFE604DA54D885D2BB3E9EBC8780F108D0DB685C3266D730EC44CB32

Function 100293A1 Relevance: 1.4, Strings: 1, Instructions: 174COMMON

Download Yara Rule

Strings

R, xrefs: 10029508

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: R
API String ID: 0-1466425173
Opcode ID: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
Instruction ID: 8be94b6153ab9119319510401fc8330cfa8a6dc569db2486da79333d3fcb569b
Opcode Fuzzy Hash: cd3b73b7348ff081589cfac0100b05dc96f159948ea6ee02f68d477cfa1a48d5
Instruction Fuzzy Hash: E1519E5804D7C11FC3278B3888659A7BF216F57528B0F8AEBD4D08F963C249994AD7A2

Function 00670510 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d82c935249b4d991eb2b1483091393da92c1c778db3535f608811f0d9819b57
Instruction ID: 81db38a1700c373166eba62f60e211c33046af845de5b0cb69a5da3c99e5e768
Opcode Fuzzy Hash: 6d82c935249b4d991eb2b1483091393da92c1c778db3535f608811f0d9819b57
Instruction Fuzzy Hash: 0352B8767447095BD308CE9ACC9159EF3E3ABC8304F498A3CE955C3346EEB8E90AC655

Function 1000EDA0 Relevance: .9, Instructions: 855COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
Instruction ID: 983c4fcd37887a59a0cb9d3b85b446299f8e70ed709c6495451e70af00230a31
Opcode Fuzzy Hash: a339960ffb5a704b000e7367763248f18282941ed323104f3f76a1d61ee49cb0
Instruction Fuzzy Hash: 1142A2377406154BEB0CCD5EC8B16BDB3D3ABC835474D463D9A5BD3782EDB8A80A8684

Function 005C1450 Relevance: .7, Instructions: 739COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Value
String ID:
API String ID: 3702945584-0
Opcode ID: d82b6c8e176aa3948a3db742e7bced8d3c5ab277da8d1fa0aa27e7199d2c7306
Instruction ID: b0691ee313e6a361c0430cd779e12b2b730a0485db04e4a6dee7a0902d6943e3
Opcode Fuzzy Hash: d82b6c8e176aa3948a3db742e7bced8d3c5ab277da8d1fa0aa27e7199d2c7306
Instruction Fuzzy Hash: 6D626B70E006199FDB14CF98C895FAEBBB5BF89310F24815DE806AB382D730AD45CB95

Function 10002250 Relevance: .6, Instructions: 617COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
Instruction ID: 93596e6502c76a15187eaa282ea5bd3d0e08f7ebc6713d694ddc07016d6b6326
Opcode Fuzzy Hash: 07396eee454c85584817cf15b8c0d006d29891ab31e0bab80244d1fd90dbd4d6
Instruction Fuzzy Hash: 19124A32B086154FE71CCE28C49426EB7E2EBC8394F16463EE95AD7748DA30D945CBC1

Function 006905EA Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b7103bbff9bb46e8b1c699a3fd87319a9224fc46cc9d04f049bd417a7061a11
Instruction ID: 157b9e4211eebc0b11849ab779b197fa045a1ad80d6481328339103e49d09ed3
Opcode Fuzzy Hash: 8b7103bbff9bb46e8b1c699a3fd87319a9224fc46cc9d04f049bd417a7061a11
Instruction Fuzzy Hash: 90E1CC31E55219DEFF248FA8C9157FDBBBFBB44310F28501AD441EAA82D3748992DB90

Function 0068C536 Relevance: .3, Instructions: 259COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: f50d382940d8a071dac74b7dcc8aa6f29507da1d888404485ea76d337f176c83
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 0DB15E7590020ADFDB15DF04C5D0AA8BBA2FF58324F24C2ADD81A5B346D731EE56CBA0

Function 10028B99 Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
Instruction ID: 428467e42f7f86c7821e8e1e21e6f22a2fc9309eb635c514b15cab7e2e214c89
Opcode Fuzzy Hash: a01781256ee79fcf471860e977b16b7ce8c920ade3d6f3453a41c6b7b0ce33b4
Instruction Fuzzy Hash: 3C61C82914D3C15FC7874B7444661A27FB1AE1B22870E85DAC9C18F173D299AC4FEFA1

Function 006843A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: ac8fe5352a1e1d9cbaeca4538297fd12cb43e28c55d5f6a293b95013ae7dd433
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: 921104B7206053839614AA2FD4F03FBA3D7EBC9321B2C436AD0828B748DE6299458700

Function 1001A030 Relevance: 102.0, APIs: 29, Strings: 29, Instructions: 463COMMON

Download Yara Rule

APIs

Part of subcall function 1001A9C0: _mbscmp.MSVCRT ref: 1001A9D3

_mbscmp.MSVCRT ref: 1001A065

Strings

AfxFrameOrView, xrefs: 1001A390
msctls_statusbar32, xrefs: 1001A2F4
Button, xrefs: 1001A0AD
ReBarWindow32, xrefs: 1001A2CD
Afx:, xrefs: 1001A4AE
msctls_hotkey32, xrefs: 1001A3ED
ToolbarWindow32, xrefs: 1001A279
SysTabControl32, xrefs: 1001A1DD
ComboBox, xrefs: 1001A1B6
msctls_progress32, xrefs: 1001A31B
#32768, xrefs: 1001A086
msctls_updown32, xrefs: 1001A22B
SysTreeView32, xrefs: 1001A168
ScrollBar, xrefs: 1001A3C6
SysHeader32, xrefs: 1001A204
ComboLBox, xrefs: 1001A18F
AfxControlBar, xrefs: 1001A2A6
Edit, xrefs: 1001A0CC
SysAnimate32, xrefs: 1001A43B
SysDateTimePick32, xrefs: 1001A342
#32770, xrefs: 1001A05F
msctls_trackbar32, xrefs: 1001A252
ListBox, xrefs: 1001A11A
SysIPAddress32, xrefs: 1001A414
MDIClient, xrefs: 1001A39F
SysMonthCal32, xrefs: 1001A369
RICHEDIT, xrefs: 1001A0F3
TravelBand, xrefs: 1001A462
SysListView32, xrefs: 1001A141

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: _mbscmp
String ID: #32768$#32770$Afx:$AfxControlBar$AfxFrameOrView$Button$ComboBox$ComboLBox$Edit$ListBox$MDIClient$RICHEDIT$ReBarWindow32$ScrollBar$SysAnimate32$SysDateTimePick32$SysHeader32$SysIPAddress32$SysListView32$SysMonthCal32$SysTabControl32$SysTreeView32$ToolbarWindow32$TravelBand$msctls_hotkey32$msctls_progress32$msctls_statusbar32$msctls_trackbar32$msctls_updown32
API String ID: 2888065108-1725761304
Opcode ID: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
Instruction ID: 3c9746c1fec8770da351958914ea95a60552062d740270c3ce570340641db563
Opcode Fuzzy Hash: 2db2da2f1ae1e61f1de84b9da0cee3094acc3992bba78dd0357555a99ed89133
Instruction Fuzzy Hash: A6B1902739152923D101F2E5BCC1EEE634CDFE22A7F118032F705ED081DA36EA9682B5

Function 10005D40 Relevance: 51.0, APIs: 28, Strings: 1, Instructions: 254windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10005D4C
SendMessageA.USER32(?,00000020,?,0201FFFE), ref: 10005D62
GetWindowRect.USER32(?,?), ref: 10005D7B
IsRectEmpty.USER32(?), ref: 10005DA1
PtInRect.USER32(?), ref: 10005DB8
IsZoomed.USER32(?), ref: 10005E71
GetWindowLongA.USER32(?,000000F0), ref: 10005E8E
SetRect.USER32(?,00000000,00000000,00000005,0000001D), ref: 10005EBB
OffsetRect.USER32(?,?,?), ref: 10005ED0
SetRect.USER32(?,?,00000000,?,0000001D), ref: 10005EF1
SetRect.USER32(?,00000005,00000000,?,00000004), ref: 10005F0F
PtInRect.USER32(?), ref: 10005F1E

Strings

SHE_J, xrefs: 10005F9E

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$EmptyEnabledLongMessageOffsetSendZoomed
String ID: SHE_J
API String ID: 3721721508-977966314
Opcode ID: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
Instruction ID: b63b4231ee4676df5d12ce30ad5422ad18bad84e1520a447d21eb9a6881f90ac
Opcode Fuzzy Hash: 1c55317af7e18a16ab680dc0c89327f4a8ef3d22245125a4e3fe7293c6f417bf
Instruction Fuzzy Hash: 5781A375204316AFF320DBA4DCC9F6B77ECEB84B81F10491DF64682194EA75EA05C761

Function 1001CC00 Relevance: 45.9, APIs: 23, Strings: 3, Instructions: 431windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001CC0F
ScreenToClient.USER32(?,?), ref: 1001CC1E
GetClientRect.USER32(?,?), ref: 1001CC57
GetParent.USER32(?), ref: 1001CC61
GetClassNameA.USER32(00000000,?,00000040), ref: 1001CC73
_mbscmp.MSVCRT ref: 1001CC89
_mbscmp.MSVCRT ref: 1001CC9C
SelectObject.GDI32(00000000,00000000), ref: 1001CCDD
SelectObject.GDI32(00000000,?), ref: 1001CCEC
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CD02
SetRect.USER32(?,?,?,?,?), ref: 1001CD41
SetRect.USER32(?,?,?,?,?), ref: 1001CD64
IsWindowEnabled.USER32(?), ref: 1001CD6A
PtInRect.USER32(?,?,?), ref: 1001CD8D
PtInRect.USER32(?,?,?), ref: 1001CE0C
PtInRect.USER32(?,?,?), ref: 1001CFDF
73F84D40.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 1001D0F1
DeleteDC.GDI32(00000000), ref: 1001D0F8
DeleteObject.GDI32(?), ref: 1001D103

Strings

DTPicker20WndClass, xrefs: 1001CC96
SysDateTimePick32, xrefs: 1001CC83
s, xrefs: 1001D0F1

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Object$ClientDeleteSelect_mbscmp$ClassCursorEnabledNameParentScreenWindow
String ID: DTPicker20WndClass$SysDateTimePick32$s
API String ID: 1246724160-92371016
Opcode ID: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
Instruction ID: 3e656c1c5e6747a07933068c804b643b2a797f552276aae395ead9c06b7a3bed
Opcode Fuzzy Hash: c2ef48b3f6ec4ec22484b2a45e11998c80fbc2def04bd750a7d1df5ab2a244b6
Instruction Fuzzy Hash: 20F159B9204204AFE304DB54CC85EABB3ADFFC8744F148A69F95887355D634EE46CB61

Function 10021CA0 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 355COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10021CB2
PtInRect.USER32(?,?,?), ref: 10021CE2
PtInRect.USER32(?,?,?), ref: 10021D00

Strings

SHE_J, xrefs: 10021E05

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window
String ID: SHE_J
API String ID: 924285169-977966314
Opcode ID: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
Instruction ID: 9d0981d9d4456fe75954a96ff124bc768ed38601b0fc248c18501ffb98e7e012
Opcode Fuzzy Hash: 10a71a3ec35c7868adf77ffbb036b0aa99efc379083cf3b09a92fc681535840c
Instruction Fuzzy Hash: BDB1B276600305ABE360CBA9ECC4EE7B7ECEBD8790F51492EF859C6240D635E949C760

Function 1001D420 Relevance: 44.1, APIs: 24, Strings: 1, Instructions: 336windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001D44A

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 1001D4A3

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 1001D4B8
SendMessageA.USER32(?,00000406,00000000,00000000), ref: 1001D4E1
IsRectEmpty.USER32(?), ref: 1001D4FA
SendMessageA.USER32(?,0000040A,00000000,?), ref: 1001D55E
SendMessageA.USER32(?,00000414,00000000,00000000), ref: 1001D56B
GetIconInfo.USER32(00000000,?), ref: 1001D580
GetObjectA.GDI32(?,00000018,?), ref: 1001D598
DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1001D5D1
DeleteObject.GDI32(?), ref: 1001D5E5
DeleteObject.GDI32(?), ref: 1001D5EF
SendMessageA.USER32(?,00000403,00000000,00000000), ref: 1001D60E
??2@YAPAXI@Z.MSVCRT(00000001,?,?,?,?,?,?,?,00000000), ref: 1001D622
SendMessageA.USER32(?,00000402,00000001,00000000), ref: 1001D64B
SetTextColor.GDI32(?,?), ref: 1001D674
DrawTextA.USER32(?,00000000,?,?,00000024), ref: 1001D694
??3@YAXPAX@Z.MSVCRT(00000000,?,?,00000024,?,?,?,?,?,?,?,?,00000000), ref: 1001D69B
SendMessageA.USER32(?,00000402,00000000,00000000), ref: 1001D6EB
GetParent.USER32(?), ref: 1001D726
IsWindowEnabled.USER32(?), ref: 1001D732
SendMessageA.USER32(00000000,0000002B,00000000,?), ref: 1001D775
SelectClipRgn.GDI32(?,00000000), ref: 1001D7BC
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,000000F0,?,00000000), ref: 1001D83D

Strings

s, xrefs: 1001D83D

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Object$Select$ClipDeleteRect$DrawIconText$??2@??3@ClientColorCreateEmptyEnabledInfoModeParentPropWindow
String ID: s
API String ID: 332510004-453955339
Opcode ID: 81f81083b6e7c4d168103e5f7740c43e00f37b7134bee56763b3c919f4d90482
Instruction ID: 90df3fa2a803067d4cdad2171947ebf974ab48cb4e9fe13901dbc3d04bca41ca
Opcode Fuzzy Hash: 81f81083b6e7c4d168103e5f7740c43e00f37b7134bee56763b3c919f4d90482
Instruction Fuzzy Hash: D1D10675604341AFE354DF68C884E6BB7E9FBC8700F148A2DF68987291DB70E945CB62

Function 10014B40 Relevance: 40.8, APIs: 27, Instructions: 270windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?), ref: 10014BF2
CallWindowProcA.USER32(?,?,00000001,?,?), ref: 10014C13
CallWindowProcA.USER32(?,?,00000001,00000000,?), ref: 10014C38
IsWindowVisible.USER32(?), ref: 10014C42
InvalidateRect.USER32(?,00000000,00000001), ref: 10014C54
GetWindowRect.USER32(?,000000F0), ref: 10014C87
GetParent.USER32(?), ref: 10014C9D
ScreenToClient.USER32(00000000), ref: 10014CA6
GetParent.USER32(?), ref: 10014CB1
ScreenToClient.USER32(00000000), ref: 10014CB4
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014CE7
GetWindowRect.USER32(?,000000F0), ref: 10014CF6
GetParent.USER32(?), ref: 10014D1C
ScreenToClient.USER32(00000000), ref: 10014D25
GetParent.USER32(?), ref: 10014D30
ScreenToClient.USER32(00000000), ref: 10014D33
GetWindowRect.USER32(?,000000F0), ref: 10014D72
GetParent.USER32(?), ref: 10014D88
ScreenToClient.USER32(00000000), ref: 10014D91
GetParent.USER32(?), ref: 10014D9C
ScreenToClient.USER32(00000000), ref: 10014D9F
GetParent.USER32(?), ref: 10014DE5
ScreenToClient.USER32(00000000), ref: 10014DEE
GetParent.USER32(?), ref: 10014DF9
ScreenToClient.USER32(00000000), ref: 10014DFC
MoveWindow.USER32(?,?,?,?,?,00000001), ref: 10014E2F
GetWindowRect.USER32(?,000000F0), ref: 10014E3E

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$ClientParentScreen$Rect$CallMoveProc$InvalidateMessageSendVisible
String ID:
API String ID: 1330197011-0
Opcode ID: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
Instruction ID: c47097b4e2208499dd9ef6fa9ca82aafd1a7c7d366bf9be39b5b8423eecfa7f7
Opcode Fuzzy Hash: 27cd31995633851774bee205df8a30004b9258d202a727f50e8ef6ab539021a8
Instruction Fuzzy Hash: 67A139B52047069FE314CF65C884F6BB7E9EBC8704F11891CF599972A0DA74F98ACB60

Function 100250C0 Relevance: 39.4, APIs: 26, Instructions: 416windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10022FD0: GetMenuItemCount.USER32(?), ref: 10022FE9
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 1002300D
Part of subcall function 10022FD0: GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,100250E4,00040024,?,00000000,?), ref: 10023021

SetRectEmpty.USER32(?), ref: 100252A5
SetRectEmpty.USER32(?), ref: 100252AE
SetRectEmpty.USER32(?), ref: 100252B7
SetRectEmpty.USER32(?), ref: 100252C0
SetRectEmpty.USER32(?), ref: 100253EE
SetRectEmpty.USER32(?), ref: 100253F7
IsRectEmpty.USER32(?), ref: 10025400
IsRectEmpty.USER32(?), ref: 1002540B
SetRectEmpty.USER32(?), ref: 100254E0
SetRectEmpty.USER32(?), ref: 1002552F
SetRectEmpty.USER32(?), ref: 10025538
SetRectEmpty.USER32(?), ref: 10025541
SetRectEmpty.USER32(?), ref: 1002554A
SetRectEmpty.USER32(?), ref: 10025553
IsRectEmpty.USER32(?), ref: 1002556E
IsRectEmpty.USER32(?), ref: 100255B6
IsRectEmpty.USER32(?), ref: 100255C3
SetRectEmpty.USER32(?), ref: 1002561A
SetRectEmpty.USER32(?), ref: 10025623
SetRectEmpty.USER32(?), ref: 1002562C
SetRectEmpty.USER32(?), ref: 10025635
SetRectEmpty.USER32(?), ref: 1002563E
SetRectEmpty.USER32(?), ref: 10025647
GetMenuItemCount.USER32(?), ref: 100256E8
GetMenuItemRect.USER32(?,?,00000000,?,?,?,?,?,?,?,1002388F,?), ref: 10025708
GetMenuItemRect.USER32(?,?,-00000001,?,?,?,?,?,?,?,1002388F,?), ref: 1002571C

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Empty$ItemMenu$Count
String ID:
API String ID: 3556175780-0
Opcode ID: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
Instruction ID: 3580b85264a0b11b2af6f932b74e5bb24bd1c90a80f22c94ed852e82d06a07f9
Opcode Fuzzy Hash: 51b63d87aa26e79ce635bc53da4e79dd0ac5e2a0a2ba4a142e7e1ecfd1e9703b
Instruction Fuzzy Hash: 4D12CF75605B058FC368CB28D888AE6B7E5FF88305F65896ED8AF87315DB31B841CB44

Function 10011B50 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 404windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10011B62
SendMessageA.USER32(?,00001009,00000000,?), ref: 10011B78
InflateRect.USER32(?,00000000,00000005), ref: 10011BE9
SetRect.USER32(00000060,?,?,?,?), ref: 10011CC0
SetRect.USER32(00000050,?,?,?,?), ref: 10011CDE
InflateRect.USER32(00000050,00000004,00000004), ref: 10011CEB
InflateRect.USER32(00000060,00000004,00000004), ref: 10011CF2
SetRectEmpty.USER32(00000050), ref: 10011D0E
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D49
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011D8D
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011DE0
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E17
IsRectEmpty.USER32(00000050), ref: 10011E2F
InflateRect.USER32(00000050,00000001,00000001), ref: 10011E3E
SetRectEmpty.USER32(?), ref: 10011E62
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011E95
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011EC9
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F14
SendMessageA.USER32(?,0000100E,00000000,00000020), ref: 10011F45
IsRectEmpty.USER32(?), ref: 10011F61
InflateRect.USER32(?,00000001,00000001), ref: 10011F78

Strings

, xrefs: 10011D18

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$MessageSend$Inflate$Empty$Client
String ID:
API String ID: 1339602669-3916222277
Opcode ID: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
Instruction ID: a0f7648be8e36038d2b16f179121c650e50f05b29048d1dfe480584c03a9469a
Opcode Fuzzy Hash: c0bd68143ee354b4ca45915280152967c7e5e1a2a28bd3c8534a58b4e74df048
Instruction Fuzzy Hash: 21E17D752087069FD318CF29C9C1A9AB7E6FBC8344F144A2DF585DB251D7B0E886CB52

Function 10023960 Relevance: 37.2, APIs: 19, Strings: 2, Instructions: 425windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002399F
IsRectEmpty.USER32(?), ref: 100239B4
SetBkMode.GDI32 ref: 10023A30
SelectObject.GDI32(?,?), ref: 10023A4D
SelectObject.GDI32(?,?), ref: 10023A5D
SetTextColor.GDI32(?,?), ref: 10023AAD
73F84D40.GDI32(?,00000000,00000000,?,00000001,00000000,?,?,00CC0020), ref: 10023AE3
GetMenuItemCount.USER32(00000000), ref: 10023B2A
GetMenuItemInfoA.USER32(00000000,00000000,00000400,?), ref: 10023B88

Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,75756D90,00000000,10023B9B,00000000,?), ref: 10024DCB
Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9

InflateRect.USER32(?,000000FF,000000FF), ref: 10023BC7
SetTextColor.GDI32(?,?), ref: 10023BEF
SetTextColor.GDI32(?,?), ref: 10023C25
SetTextColor.GDI32(?,?), ref: 10023C69
DrawTextA.USER32(?,?,?,?,00000025), ref: 10023C8B
SetTextColor.GDI32(?,?), ref: 10023C9B
DrawIconEx.USER32(?,?,?,00000000,00000010,00000010,00000000,00000000,00000003), ref: 10023CE9
GetSystemMetrics.USER32(00000020), ref: 10023CFE
OffsetRect.USER32(?,00000000), ref: 10023D19
73F84D40.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 10023E64

Strings

s, xrefs: 10023AE3, 10023E64
0, xrefs: 10023B6C

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Text$ColorRect$ItemMenu$DrawObjectOffsetSelect$CountEmptyIconInflateInfoMetricsModeSystemVisibleWindow
String ID: 0$s
API String ID: 2055320636-3821993378
Opcode ID: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
Instruction ID: a9acdb67b72450ec93636fc2c6a84ac6b9940729399217752d96d5b5a37b2c08
Opcode Fuzzy Hash: 37e9a5e0e2e580665de7cd9a3032d2bb2df789812bb621c82e55d9ffef3a9a1e
Instruction Fuzzy Hash: 5DF14975204741AFE354CF28D885FABB3E9FB88704F608A2DF95997290DB30E906CB51

Function 100101C0 Relevance: 37.1, APIs: 19, Strings: 2, Instructions: 378windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000000), ref: 10010213
GetClientRect.USER32(?,?), ref: 10010222
ClientToScreen.USER32(?,?), ref: 10010237
ClientToScreen.USER32(?,?), ref: 10010242
SetBkMode.GDI32(?,00000001), ref: 10010281
SelectObject.GDI32(?,?), ref: 10010299
ClientToScreen.USER32(?,?), ref: 100102EA
MenuItemFromPoint.USER32(00000000,?,?,?), ref: 100102FB
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010325
GetMenuItemRect.USER32(?,?,00000000,?), ref: 1001033D
GetMenuItemCount.USER32(?), ref: 10010357
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10010389
OffsetRect.USER32(?,?,?), ref: 100103AC
GetMenuItemInfoA.USER32 ref: 10010419
SetRect.USER32(?,?,?,?,?), ref: 1001053E
SetRect.USER32(?,?,?,?,?), ref: 10010564
OffsetRect.USER32(?,?,?), ref: 10010579
OffsetRect.USER32(?,?,?), ref: 10010591
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1001060C

Strings

s, xrefs: 1001060C
0, xrefs: 100103F7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ItemMenu$Client$OffsetScreen$CountFromInfoModeObjectPointSelectWindow
String ID: 0$s
API String ID: 303195050-3821993378
Opcode ID: 89fcb85ae9aa16eb442b25c4fe38410ef75d27222e2efcb4e3de1833d90adcb3
Instruction ID: 6d8a838f2cf942f80ceea1e64f1f331affabfdd12ad0cf7db43c7e0335608dc7
Opcode Fuzzy Hash: 89fcb85ae9aa16eb442b25c4fe38410ef75d27222e2efcb4e3de1833d90adcb3
Instruction Fuzzy Hash: 56E113B5208345AFE354CF68C884E6BB7E9FBC8744F108A1DF58A83254DB74E945CB62

Function 100034F0 Relevance: 33.3, APIs: 22, Instructions: 321COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(00000000,00000000,1002CDA8,?), ref: 10003521
SelectObject.GDI32(?,?), ref: 10003586
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 100035F1
SelectObject.GDI32(?,?), ref: 10003791
OffsetRgn.GDI32(00000000,?,0000001D), ref: 1000380A
CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003819
DeleteObject.GDI32(?), ref: 10003824
SetRect.USER32(?,00000000,00000000,00000000,00000005), ref: 1000385B
SelectObject.GDI32(?,?), ref: 100038A2
SelectObject.GDI32(?,?), ref: 100038EF
SelectObject.GDI32(?,?), ref: 100037DD

Part of subcall function 1001C210: ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C3BC
Part of subcall function 1001C210: GlobalFree.KERNEL32(00000000), ref: 1001C3C3

OffsetRgn.GDI32(00000000,00000000,?), ref: 10003918
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10003923
DeleteObject.GDI32(00000000), ref: 1000392A
DeleteObject.GDI32(?), ref: 100035FC

Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E

SelectObject.GDI32(?,?), ref: 100035D2

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,00000000,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

SelectObject.GDI32(?,?), ref: 10003683
SelectObject.GDI32(?,?), ref: 100036CF
OffsetRgn.GDI32(00000000,00000000,0000001D), ref: 100036F2
CombineRgn.GDI32(00000000,00000000,?,00000003), ref: 10003701
DeleteObject.GDI32(?), ref: 1000370C
SetRect.USER32(?,00000000,00000000,00000005,?), ref: 10003753

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$Global$DeleteRect$Combine$Offset$AllocCreateLockUnlock$FreeRegion
String ID:
API String ID: 3906817788-0
Opcode ID: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
Instruction ID: 7ad6e692fdaee63a5d88ca3bc9fb50060419e0f4e25ce673a8ec1ac2766f1ee5
Opcode Fuzzy Hash: 28d03ff82f9fef2848c515fd377fc677e97226a5aac8fcd684cd577ae0ea30f7
Instruction Fuzzy Hash: B8D107B9504318AFE354CFA4CD84D6BBBE9FB88740F204A1DF55987264D770E906CBA2

Function 1000AF00 Relevance: 33.2, APIs: 22, Instructions: 151COMMON

Download Yara Rule

APIs

EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
IsRectEmpty.USER32(?), ref: 1000AF21
CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
DeleteObject.GDI32(00000000), ref: 1000AF7F
DeleteObject.GDI32(00000000), ref: 1000AF82
CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
CreatePen.GDI32(00000000,00000001,?), ref: 1000AFD6
CreatePen.GDI32(00000000,00000001,?), ref: 1000B008
CreateSolidBrush.GDI32(?), ref: 1000B041
SelectObject.GDI32(?,00000000), ref: 1000B051
SelectObject.GDI32(?,00000000), ref: 1000B059
Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
SelectObject.GDI32(?,?), ref: 1000B080
SelectObject.GDI32(?,?), ref: 1000B088
IsRectEmpty.USER32(?), ref: 1000B08F
SelectClipRgn.GDI32(?,00000000), ref: 1000B09B
DeleteObject.GDI32(00000000), ref: 1000B0A8
DeleteObject.GDI32(00000000), ref: 1000B0AB

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$CreateSelect$Rect$Delete$ClipEmpty$BrushCombineEqualRectangleSolid
String ID:
API String ID: 1312918531-0
Opcode ID: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
Instruction ID: ed92dcb72f46cb93286c5d67c269e6d90022c8bc6c11db7440066506c94aadbf
Opcode Fuzzy Hash: 37fa40e2efc1a56c945f34d09480b679d3446cfe2338074c795da41fd2fd06c2
Instruction Fuzzy Hash: 2D515779205215AFE244DBA4CCC4E6BB7E9FFC8744F208A19FA0597260D770ED46CBA1

Function 10013F20 Relevance: 32.0, APIs: 16, Strings: 2, Instructions: 493windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10013F4E
OffsetRect.USER32(?,?,?), ref: 10013F67

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 10013F9A

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 10013FB5
SelectObject.GDI32(?,?), ref: 10013FC9
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10013FED
SendMessageA.USER32(?,0000040C,00000000,00000000), ref: 1001400F
??2@YAPAXI@Z.MSVCRT(00000000), ref: 10014027
SetRectEmpty.USER32(00000000), ref: 10014046
SendMessageA.USER32(?,00000409,00000000,00000000), ref: 1001405B
SendMessageA.USER32 ref: 10014247
SetRect.USER32(?,?,?,?,?), ref: 1001431F
DrawTextA.USER32(?,?,?,?,00000025), ref: 10014469
??3@YAXPAX@Z.MSVCRT(00000000), ref: 10014484
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 100144FE

Strings

P, xrefs: 10014226
s, xrefs: 100144FE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$MessageObjectSelectSend$Clip$??2@??3@CreateDeleteDrawEmptyModeOffsetPropTextWindow
String ID: P$s
API String ID: 2997811249-2870556290
Opcode ID: 6bf5f1eede09a990148878d6f040693836f70d3ed6ccbac3a398924fc484e971
Instruction ID: 667f0b52e11a95e24b10ca477dcf0e066d8db5c2e0f9aabd908416b331fe757d
Opcode Fuzzy Hash: 6bf5f1eede09a990148878d6f040693836f70d3ed6ccbac3a398924fc484e971
Instruction Fuzzy Hash: 831269756043019FD314CF58C880A6AB7E6FFC8704F258A1DF6998B361DA71EC86CB52

Function 100201A0 Relevance: 31.9, APIs: 17, Strings: 1, Instructions: 351windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000020), ref: 100201C0
OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
SelectObject.GDI32(00000000,00000000), ref: 100201FC
SelectObject.GDI32(00000000,?), ref: 1002020B
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F

Part of subcall function 10020700: SendMessageA.USER32(?,0000041A,00000000,00000044), ref: 1002071E
Part of subcall function 10020700: SendMessageA.USER32(?,00000419,00000000,00000034), ref: 1002072F
Part of subcall function 10020700: GetClientRect.USER32(?,?), ref: 10020749

IsWindowEnabled.USER32(?), ref: 1002024C
IsWindowEnabled.USER32(?), ref: 1002028A
GetFocus.USER32 ref: 100202CF
IsWindowEnabled.USER32(?), ref: 10020411
IsWindowEnabled.USER32(?), ref: 1002044B
73F84D40.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 100205BD
DeleteObject.GDI32(?), ref: 100205C8
DeleteDC.GDI32(00000000), ref: 100205CF

Strings

s, xrefs: 100205BD

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Enabled$ObjectRect$DeleteMessageSelectSend$ClientFocusOffset
String ID: s
API String ID: 750652982-453955339
Opcode ID: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
Instruction ID: 94777b03be6e9f1ae59e0413948786f371ff679d45ed1d23647022047fdc10e1
Opcode Fuzzy Hash: 5b169589681542832a6b021b38e202f014957ac69c21412b49005b06810db579
Instruction Fuzzy Hash: 91C138B9200715DFE364CB54DCC1EAB73AAFF88740F618969FA0587762D634ED418B60

Function 1000DEF0 Relevance: 28.3, APIs: 14, Strings: 2, Instructions: 269windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000DF29
OffsetRect.USER32(?,?,?), ref: 1000DF42

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SetBkMode.GDI32(?,00000001), ref: 1000DF94

Part of subcall function 10012060: GetPropA.USER32(?,SHE_I), ref: 1001206C
Part of subcall function 10012060: SendMessageA.USER32(?,00000031,?,?), ref: 10012090

SelectObject.GDI32(?,00000000), ref: 1000DFA9
IsWindowEnabled.USER32(?), ref: 1000DFB3
SendMessageA.USER32(?,00001209,00000000,00000000), ref: 1000DFCE
SendMessageA.USER32 ref: 1000DFFA
SendMessageA.USER32(?,0000120F,?,00000000), ref: 1000E02B
SendMessageA.USER32(?,00001203,00000000,?), ref: 1000E03E
SendMessageA.USER32(?,00001207,00000000,?), ref: 1000E04F
6FA9CFD0.COMCTL32(?,?,?,?,?,00000001,?,?,?,00001200,00000000,00000000), ref: 1000E156
SetTextColor.GDI32(?,?), ref: 1000E1A9
DrawTextA.USER32(?,?,?,?,00000024), ref: 1000E1D4
73F84D40.GDI32(00000000,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 1000E210

Strings

7, xrefs: 1000DFE6
s, xrefs: 1000E210

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$ObjectRectSelect$ClipTextWindow$ColorCreateDeleteDrawEnabledModeOffsetProp
String ID: 7$s
API String ID: 2257661393-3867274023
Opcode ID: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
Instruction ID: d6cd2112b19415e89498b4abe21e6ca38dab58f18fec7e0c69950289425e1392
Opcode Fuzzy Hash: 209c6b230ae2945e32d27e986554ab5b0cf3fdf4ca1b30fa4d1875b4f07b6efb
Instruction Fuzzy Hash: 58A14A75208341AFE314CF24C884F6BB7E9EBC8744F108A1CF599973A1DA75E945CB62

Function 10009550 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10009562
GetWindowRect.USER32(?,?), ref: 10009571
ClientToScreen.USER32(?,?), ref: 10009586
ClientToScreen.USER32(?,?), ref: 10009591
OffsetRect.USER32(?,?,?), ref: 100095AC
OffsetRect.USER32(?,?,?), ref: 100095C1
IsWindowEnabled.USER32(?), ref: 100095D2
GetFocus.USER32 ref: 100095E0
FindWindowExA.USER32(?,00000000,msvb_lib_updown,00000000), ref: 1000964D
FindWindowExA.USER32(?,00000000,msctls_updown32,00000000), ref: 10009662
SelectObject.GDI32(00000000,?), ref: 100096C6
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100096E8
IsWindowEnabled.USER32(?), ref: 100096F2

Strings

msvb_lib_updown, xrefs: 10009645
msctls_updown32, xrefs: 1000965B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Rect$Client$EnabledFindOffsetScreen$FocusObjectSelect
String ID: msctls_updown32$msvb_lib_updown
API String ID: 995514740-3795123653
Opcode ID: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
Instruction ID: 219e8067712f3e67318549e0e7e2ffd899cab36933d0d05de9bc9511727c2731
Opcode Fuzzy Hash: 82dd0a023d1e9244c0f8f06e9f0e271506f95df6bee9012c3d74dd2b6a11903f
Instruction Fuzzy Hash: BB6115B8204702AFE314DF69C880E6BB7E8FF88744B208A5DF94987355D735E946CB61

Function 1000CE20 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 199windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000CE96
OffsetRect.USER32(?,?,?), ref: 1000CEAF
GetClientRect.USER32(?,?), ref: 1000CEC1
SelectObject.GDI32(?,?), ref: 1000CEFA
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1000CF18
SetMapMode.GDI32(?,00000001), ref: 1000CF24
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF34
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF44
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000CF54
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000CF64
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,?,?,?), ref: 1000CFB5

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1

??3@YAXPAX@Z.MSVCRT(?), ref: 1000D017
InvalidateRect.USER32(?,00000000,00000001), ref: 1000D031

Strings

s, xrefs: 1000CFB5

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$DeleteRect$SelectWindow$Viewport$??3@ClientInvalidateModeOffset
String ID: s
API String ID: 648218233-453955339
Opcode ID: 47ef9256d5867152c693d037c591e560f0a365e510b02cba8d0e83b7b33722bb
Instruction ID: 2f10df49a190d83ca2c48d706accd39583ccff9776fc3dcd98fdd01acb908c43
Opcode Fuzzy Hash: 47ef9256d5867152c693d037c591e560f0a365e510b02cba8d0e83b7b33722bb
Instruction Fuzzy Hash: 6A615C79244342AFE224DF14CC85F2BB7A8FB88B40F20891DFA5997295C771FD428B61

Function 0067D175 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0067D2AE), ref: 0067D197
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0067D1AF
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0067D1C0
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0067D1D1
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0067D1E2
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0067D1F3
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0067D204

Strings

USER32, xrefs: 0067D192
GetMonitorInfoA, xrefs: 0067D1FE
MonitorFromWindow, xrefs: 0067D1BA
MonitorFromPoint, xrefs: 0067D1DC
GetSystemMetrics, xrefs: 0067D1A9
MonitorFromRect, xrefs: 0067D1CB
EnumDisplayMonitors, xrefs: 0067D1ED

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: d01309fa5d5a575f7f39e1bb2a05b19fde93f82e1a25986844c3a971ef9b82ec
Instruction ID: 129a75ab767a628a095725c062761a841f20a0d2c653bac7baaec40ef93c0852
Opcode Fuzzy Hash: d01309fa5d5a575f7f39e1bb2a05b19fde93f82e1a25986844c3a971ef9b82ec
Instruction Fuzzy Hash: 30116071B682129EC7019F75ACC042BBBBBB749740360C83ED268D2251CF758542AFD0

Function 10018F60 Relevance: 24.2, APIs: 16, Instructions: 171COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 10018F91
DeleteObject.GDI32(?), ref: 10018FA7
DeleteObject.GDI32(?), ref: 10018FC1
DeleteObject.GDI32(?), ref: 10018FCE
CreateFontIndirectA.GDI32(00000000), ref: 1001900A
CreateFontIndirectA.GDI32(00000000), ref: 1001902C
SystemParametersInfoA.USER32(0000001F,0000003C,?,00000000), ref: 10019057
CreateFontIndirectA.GDI32(?), ref: 1001905E
CreateFontIndirectA.GDI32 ref: 10019076
SystemParametersInfoA.USER32 ref: 100190A3
CreateFontIndirectA.GDI32(?), ref: 100190BA
CreateFontIndirectA.GDI32(?), ref: 100190CD
CreateFontIndirectA.GDI32(?), ref: 10019102
CreateFontIndirectA.GDI32(?), ref: 10019116
CreateFontIndirectA.GDI32(?), ref: 10019131
CreateFontIndirectA.GDI32(?), ref: 10019145

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CreateFontIndirect$DeleteObject$InfoParametersSystem
String ID:
API String ID: 3387422844-0
Opcode ID: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
Instruction ID: 711df5a203e8b563da40807aa8fc905527dfc6b6a225bd5e8f361db8bcb87da6
Opcode Fuzzy Hash: 830815c587014a26e3a7e992bde17b6236e9c72615f67e54c72626ec8243f3db
Instruction Fuzzy Hash: DD6116B06007468FE720CF69C880A9BF7E5FF88744F504A2EE98A87640E774FA45CB55

Function 10015C70 Relevance: 22.8, APIs: 15, Instructions: 254windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10015C7C
GetClientRect.USER32(?,?), ref: 10015CA1
GetWindowRect.USER32(?,?), ref: 10015CB0
ClientToScreen.USER32(?,?), ref: 10015CC5
ClientToScreen.USER32(?,?), ref: 10015CD0
OffsetRect.USER32(?,?,?), ref: 10015CEB
OffsetRect.USER32(?,?,?), ref: 10015D00
EqualRect.USER32(?,?), ref: 10015D0C
IsWindowEnabled.USER32(?), ref: 10015D96
GetFocus.USER32 ref: 10015DF8

Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Object$Select$Create$ClientWindow$DeleteEmptyEqualOffsetScreen$BrushClipCombineEnabledFocusRectangleSolidVisible
String ID:
API String ID: 2232225062-0
Opcode ID: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
Instruction ID: 8293882ae8f60722bbcd7dca41eebeae144ae381a56dea18b72fd41b6b61f364
Opcode Fuzzy Hash: 6fd00cd0d9cef5d93f091ee120e2f42cff278c3d6447bc84d75fe32b91aeaa54
Instruction Fuzzy Hash: 6291F4B96043019FD304DF69C88592BB7E9EBC8310F14CA1DF9998B355DA31E946CB92

Function 100055A0 Relevance: 22.7, APIs: 15, Instructions: 222COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100055C2
SetRect.USER32(?,00000000,00000000,?,0000001D), ref: 100055E3
GetWindowLongA.USER32(?,000000F0), ref: 100055EF
SetRectEmpty.USER32(?), ref: 100056EC
SetRectEmpty.USER32(?), ref: 100056F5
SetRectEmpty.USER32(?), ref: 1000578A
SetRectEmpty.USER32(?), ref: 100057BC
SetRectEmpty.USER32(?), ref: 10005815
SetRectEmpty.USER32(?), ref: 1000581E
SetRectEmpty.USER32(?), ref: 10005827
SetRectEmpty.USER32(?), ref: 10005830
SetRectEmpty.USER32(?), ref: 10005839
IsRectEmpty.USER32(?), ref: 10005854
IsRectEmpty.USER32(?), ref: 1000589C
IsRectEmpty.USER32(?), ref: 100058A9

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Empty$Window$Long
String ID:
API String ID: 1594619121-0
Opcode ID: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
Instruction ID: d0c9926444baea1fe4ebff3a720e05cc6beccc75dc12de5c1cc4c6843b7c2cf1
Opcode Fuzzy Hash: bb4e3b14c8995c92c39710eed11583c245718b1c2e8e577bdaf230dd83820362
Instruction Fuzzy Hash: FFA11375605B058FE364CF28C888BA7B7E5FF88345F25896DD89E87215DB32A806CF50

Function 100240D0 Relevance: 22.7, APIs: 15, Instructions: 199timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006626), ref: 1002412C
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 1002413C

Part of subcall function 10024CF0: GetMenuItemInfoA.USER32 ref: 10024D26

Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3

KillTimer.USER32(?,?), ref: 10024176
TrackPopupMenu.USER32(?,00000000,00000000,00000000,00000000,?), ref: 100241DA

Part of subcall function 10023F00: GetCursorPos.USER32(?), ref: 10023F0E
Part of subcall function 10023F00: GetWindowRect.USER32(?,?), ref: 10023F1D
Part of subcall function 10023F00: PtInRect.USER32(?,?,?), ref: 10023F38
Part of subcall function 10023F00: PtInRect.USER32(00000168,?,?), ref: 10023F67
Part of subcall function 10023F00: GetMenuItemCount.USER32(?), ref: 10023F94
Part of subcall function 10023F00: GetMenuItemInfoA.USER32 ref: 10023FE3
Part of subcall function 10023F00: OffsetRect.USER32(?,?,00000000), ref: 1002401B
Part of subcall function 10023F00: PtInRect.USER32(?,00000400,00000000), ref: 10024030

Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024082
Part of subcall function 10024060: GetMenuItemRect.USER32(?,?,?,?), ref: 10024099

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Menu$Item$Timer$InfoKill$CountCursorMessageOffsetPopupSendTrackWindow
String ID:
API String ID: 2948288781-0
Opcode ID: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
Instruction ID: 37a8328168521e0b11368bf9a4f74ca38fbc0c8ce550388fabf89b9119d921f0
Opcode Fuzzy Hash: 51ee28288f19f70f4e95dd3a8ef5f6a57d4dcf2b95c017293d7a3d885d298ca3
Instruction Fuzzy Hash: 0F71EF79200702ABE310DB28DC84FABB7F9EF98754F11891DF55A87290DB31E945CB51

Function 10002C90 Relevance: 22.6, APIs: 15, Instructions: 150windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10002C9C
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 10002CBD
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10002CDD
GetCursorPos.USER32(?), ref: 10002D06
GetWindowRect.USER32(?,?), ref: 10002D1C
GetWindowRect.USER32(?,?), ref: 10002D2A
GetWindowRect.USER32(?,?), ref: 10002D38
PtInRect.USER32(?,?,?), ref: 10002D87
LoadCursorA.USER32(00000000,00007F85), ref: 10002DC6
SetCursor.USER32(00000000), ref: 10002DCD
SendMessageA.USER32(?,?,0000000F,?), ref: 10002DE9

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: RectWindow$CursorMessageSend$EnabledLoad
String ID:
API String ID: 4229092383-0
Opcode ID: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
Instruction ID: dc413347daec2f70c86c06c67fd336eb8edfad542e32f7a3e4721b36555a0e72
Opcode Fuzzy Hash: f0ec41966ff8e8fd90f7b837bfef7e6c1f3a3dc11e14d87aa70b65b93e45b5b6
Instruction Fuzzy Hash: 66517975608742AFE310DB65CC88E9BB7E9FFC8B50F60891DF58983250D674E905CB62

Function 10017350 Relevance: 22.6, APIs: 15, Instructions: 88COMMON

Download Yara Rule

APIs

DeleteDC.GDI32(?), ref: 10017387
DeleteDC.GDI32(?), ref: 10017394
DeleteObject.GDI32(?), ref: 100173A1
??3@YAXPAX@Z.MSVCRT(?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173D4
??3@YAXPAX@Z.MSVCRT(?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173E0
??3@YAXPAX@Z.MSVCRT(?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173EC
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718,?,?,?), ref: 100173F8
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718,?,?,?), ref: 10017404
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718), ref: 10017410
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718), ref: 10017424
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF,10019718), ref: 10017430
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A,000000FF), ref: 1001743C
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000,1002781A), ref: 10017448
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C,00000000), ref: 10017454
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,00BD2830,00000000,00BD283C), ref: 10017460

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$Delete$Object
String ID:
API String ID: 1805807598-0
Opcode ID: 7dfc8e9b76ec8d4358b16a62e95c70112af35dfd5ff9e327eec210a0c710efcf
Instruction ID: 8eb2a162a59bfd02bb3efb1085eef2ff5d2453cd59b241f8ea59b29271d371ff
Opcode Fuzzy Hash: 7dfc8e9b76ec8d4358b16a62e95c70112af35dfd5ff9e327eec210a0c710efcf
Instruction Fuzzy Hash: 0D3105B9500B519BC720DFB8D8C5A9BB7E8FB4C210FA08D1DB5AA87241C676F9449B60

Function 100169C0 Relevance: 21.4, APIs: 14, Instructions: 408COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10016A9B
SetRect.USER32(?,00000000,?,?,?), ref: 10016C24
MulDiv.KERNEL32(?,?,?), ref: 10016C3D
OffsetRect.USER32(?,00000000,00000000), ref: 10016C51
OffsetRect.USER32(?,00000000,?), ref: 10016C7F
IsRectEmpty.USER32(?), ref: 10016C85
MulDiv.KERNEL32(?,76C22370,?), ref: 10016CDB
MulDiv.KERNEL32(-00000001,?,?), ref: 10016CFA
MulDiv.KERNEL32(?,?,?), ref: 10016D1F
SetRect.USER32(?,?,00000000,?,?), ref: 10016DB7
SetRectEmpty.USER32(?), ref: 10016DC3
EqualRect.USER32(?,?), ref: 10016DED
EqualRect.USER32(?,?), ref: 10016DFD
SetRectEmpty.USER32(?), ref: 10016E30

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Empty$EqualOffset$EnabledWindow
String ID:
API String ID: 1250441839-0
Opcode ID: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
Instruction ID: b6d8e02c079bcafa56aa8081014225c04d9d0cf20a220bfdce263d8fab6bfb8f
Opcode Fuzzy Hash: 488337cf230d6d23f37ee5c869d15c7c6214d7048653378568f50572e3e0747a
Instruction Fuzzy Hash: 3302E4746047019FC718CF69C98491AFBF6FF88304F248A2DE98A8B755D731E985CB91

Function 006A317F Relevance: 21.4, APIs: 14, Instructions: 385stringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006A3184
lstrlenA.KERNEL32(?,00000000,00000000,0000004C), ref: 006A31B5
VariantClear.OLEAUT32(?), ref: 006A3458
VariantClear.OLEAUT32(?), ref: 006A347F
SysFreeString.OLEAUT32(00000000), ref: 006A34E3
SysFreeString.OLEAUT32(0000004C), ref: 006A34F8
SysFreeString.OLEAUT32(?), ref: 006A350D
VariantChangeType.OLEAUT32(?,?,00000000,80020004), ref: 006A3548
VariantClear.OLEAUT32(?), ref: 006A3558

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Variant$ClearFreeString$ChangeH_prologTypelstrlen
String ID:
API String ID: 344392101-0
Opcode ID: e18b0969c3f4faf47e2834b8430c4c2c74f152685def922f4c522012ce3ac46a
Instruction ID: 2ef561572cde8e91d010b2cd62ed5e0b977e12e3273426c55b1ca52f971fde96
Opcode Fuzzy Hash: e18b0969c3f4faf47e2834b8430c4c2c74f152685def922f4c522012ce3ac46a
Instruction Fuzzy Hash: DAE1587190422ADFDF11EFA8D885AAEBBB6EF06310F144129F911AB350D774AE51CF60

Function 10012D70 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 272windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10012DA6
OffsetRect.USER32(?,?,?), ref: 10012DBF

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

SelectObject.GDI32(?,?), ref: 10012DF5
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 10012E0F
SendMessageA.USER32(?,00000408,00000000,00000000), ref: 10012E28
SendMessageA.USER32(?,00000407,00000001,00000000), ref: 10012E3C
IsWindowEnabled.USER32(?), ref: 10012E7B
IsWindowEnabled.USER32(?), ref: 10012F5A
IsWindowEnabled.USER32(?), ref: 10012F95
IsWindowEnabled.USER32(?), ref: 1001306D
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,00000000), ref: 100130BE

Strings

s, xrefs: 100130BE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Enabled$ObjectRectSelect$ClipMessageSend$CreateDeleteOffset
String ID: s
API String ID: 1340192756-453955339
Opcode ID: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
Instruction ID: 4c5c30fd0665583f47b77be65c20ac278036d55bad62e296687f2ec44f63bcda
Opcode Fuzzy Hash: 6133fc0ec921e100b3f7b777ce710fdf6920ba7fd51a58843914a26640d38602
Instruction Fuzzy Hash: A9B148B9204301AFE348CF68C885E6AB7EAFBC8714F148A2DF95997351DB30E941CB51

Function 100065F0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 232windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000669B
SelectObject.GDI32(?,?), ref: 100066CF
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100066E7
GetPropA.USER32(?,SHE), ref: 100066F3
IsWindowEnabled.USER32(?), ref: 10006700
GetFocus.USER32 ref: 10006745
InflateRect.USER32(?,000000FB,000000FB), ref: 100067AA
InflateRect.USER32(?,00000005,00000005), ref: 100067F1
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10006813
??3@YAXPAX@Z.MSVCRT(?), ref: 10006877

Strings

SHE, xrefs: 100066ED
s, xrefs: 10006813

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Inflate$??3@ClientEnabledFocusObjectPropSelectWindow
String ID: SHE$s
API String ID: 24168671-2844048607
Opcode ID: 56a6494f06aac4152130a0ded8c5564aef69c26dddad691a5dc4789beaeebca9
Instruction ID: 808e24e67ffa3fdcadfbf8160937d97e86c192aaa0f854ceeccdbcc12e2f0151
Opcode Fuzzy Hash: 56a6494f06aac4152130a0ded8c5564aef69c26dddad691a5dc4789beaeebca9
Instruction Fuzzy Hash: 3A8159B96043419FE314CF54CC84E6BB3EAFB88794F218A2CF95987355DA30ED458B61

Function 10007550 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F6,00000001,00000000), ref: 10007570
GetIconInfo.USER32(00000000,?), ref: 10007586
GetObjectA.GDI32(?,00000018,?), ref: 10007598
DrawIconEx.USER32(?,?,?,00000000,?,?,00000000,00000000,00000003), ref: 1000761E
DeleteObject.GDI32(?), ref: 1000762F
DeleteObject.GDI32(?), ref: 10007636
SendMessageA.USER32(?,000000F6,00000000,00000000), ref: 1000764D
GetObjectA.GDI32(00000000,00000018,?), ref: 10007665
SelectObject.GDI32(00000000,00000000), ref: 1000767A
73F84D40.GDI32(?,?,?,?,?,00000000,00000000,00000000,00CC0020), ref: 10007701
DeleteDC.GDI32(00000000), ref: 10007708

Strings

s, xrefs: 10007701

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Delete$IconMessageSend$DrawInfoSelect
String ID: s
API String ID: 2392992781-453955339
Opcode ID: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
Instruction ID: 5ad2fc0d9cfef1da6667f6bfad95baaf5387ec86fbaa1d7a00321d89c8de7b88
Opcode Fuzzy Hash: 122180a6be51cacf192691a891b99cc1150dfe11f8c774a4c476940fe2165945
Instruction Fuzzy Hash: BD516075300611AFD344CA7CCD85F6BB7EAEFC8244F198628FA49C7255D671EC068790

Function 10011460 Relevance: 21.0, APIs: 14, Instructions: 49COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 10011466
GetSystemMetrics.USER32(0000000F), ref: 10011476
GetSystemMetrics.USER32(00000000), ref: 1001147D
GetSystemMetrics.USER32(00000001), ref: 10011484
GetSystemMetrics.USER32(0000000B), ref: 1001148B
GetSystemMetrics.USER32(0000000C), ref: 10011492
GetSystemMetrics.USER32(00000002), ref: 10011499
GetSystemMetrics.USER32(00000003), ref: 100114A0
GetSystemMetrics.USER32(00000020), ref: 100114A7
GetSystemMetrics.USER32(00000021), ref: 100114AE
GetSystemMetrics.USER32(00000007), ref: 100114B5
GetSystemMetrics.USER32(00000008), ref: 100114BC
GetSystemMetrics.USER32(00000004), ref: 100114C3
GetSystemMetrics.USER32(00000033), ref: 100114CA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MetricsSystem$Color
String ID:
API String ID: 3740768223-0
Opcode ID: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
Instruction ID: b415c9ff06fc4772aef4a92c67fdb6d16b11039c2eda6f13e71a1828a8f5e86c
Opcode Fuzzy Hash: 4821abbd3c922a8ad17e9c27865194d4b68152617fa17cc4b81dc97e02bf1303
Instruction Fuzzy Hash: F00187B0D417449AE7306FB29D4EF07BEE0EFC0B00F11492EE2858BA81D6B5A141CF40

Function 0063B5B0 Relevance: 19.8, APIs: 13, Instructions: 287COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0063B628
VariantClear.OLEAUT32(?), ref: 0063B62E
VariantCopyInd.OLEAUT32(?,00000000), ref: 0063B72E
VariantCopyInd.OLEAUT32(?,00000000), ref: 0063B7C3
VariantClear.OLEAUT32(?), ref: 0063B814
VariantClear.OLEAUT32(?), ref: 0063B81A
VariantClear.OLEAUT32(?), ref: 0063B843
VariantClear.OLEAUT32(?), ref: 0063B849
VariantClear.OLEAUT32(?), ref: 0063B889
VariantClear.OLEAUT32(?), ref: 0063B88F
VariantClear.OLEAUT32(?), ref: 0063B8AC
VariantClear.OLEAUT32(?), ref: 0063B8B2

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Variant$Clear$Copy
String ID:
API String ID: 1429811287-0
Opcode ID: a5448d8d053f8b978c1a218a2f5ffe5b98ef813420d81f71033a96ed32c29006
Instruction ID: 58719d0aa31a377f7f2f9b611a392a35fd08803ff3731b1aacd54b2a1e1553dc
Opcode Fuzzy Hash: a5448d8d053f8b978c1a218a2f5ffe5b98ef813420d81f71033a96ed32c29006
Instruction Fuzzy Hash: 04B14C70A002069FDB18CF58D890EAAB3BAFF88310B14C95DEA5ACB355D735ED51CB90

Function 1001CA30 Relevance: 19.6, APIs: 13, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1001CA4C
GetWindowRect.USER32(?,?), ref: 1001CA5B
ClientToScreen.USER32(?,?), ref: 1001CA70
ClientToScreen.USER32(?,?), ref: 1001CA7B
OffsetRect.USER32(?,?,?), ref: 1001CA96
OffsetRect.USER32(?,?,?), ref: 1001CAAB
EqualRect.USER32(?,?), ref: 1001CAB7
BeginPath.GDI32(00000000), ref: 1001CAC2
Rectangle.GDI32(00000000,?,?,?,?), ref: 1001CADD
EndPath.GDI32(00000000), ref: 1001CAE4
SelectClipPath.GDI32(00000000,00000004), ref: 1001CAED
SelectObject.GDI32(00000000,?), ref: 1001CB00
PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1001CB1A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ClientPath$OffsetScreenSelect$BeginClipEqualObjectRectangleWindow
String ID:
API String ID: 2221267872-0
Opcode ID: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
Instruction ID: 2ba2e5f7c95da289b8c11f671d4d77d81127840f5cb8de534027a22f72d25923
Opcode Fuzzy Hash: 219697da08de77e07886dc8c6d20df574dcbbf54c4940b152de1776a259c56e3
Instruction Fuzzy Hash: B231C879204316AFE714DB65CCC9D7BB3F9FBC8614F108A0CF55683250DA74E94A8B61

Function 100084B0 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 173windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100084C9
GetComboBoxInfo.USER32 ref: 100084DC
GetWindowRect.USER32(?,?), ref: 100084FD
OffsetRect.USER32(?,?,?), ref: 1000851B
CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 10008566
IsWindowEnabled.USER32(?), ref: 10008599
GetFocus.USER32 ref: 100085A7
IsRectEmpty.USER32(?), ref: 10008606
SelectObject.GDI32(00000000,?), ref: 10008646
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000866A

Strings

4, xrefs: 100084D4

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: RectWindow$CallComboEmptyEnabledFocusInfoObjectOffsetProcSelect
String ID: 4
API String ID: 3620934650-4088798008
Opcode ID: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
Instruction ID: 5cea887d1a42687cc65618457859d6ae2faca28e616dd28a7858be6a4daf13f9
Opcode Fuzzy Hash: ff69685712dfb7541cd1ad91b48a2aaedd911cbe40dfa843f3ff19d120081c87
Instruction Fuzzy Hash: 275127B9208701AFE314DF68C880E6BB7E9FBC8750F108A1DF99987355DA30E945CB52

Function 1001A9C0 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 70COMMON

Download Yara Rule

APIs

_mbscmp.MSVCRT ref: 1001A9D3
_mbscmp.MSVCRT ref: 1001A9FD
GetParent.USER32(?), ref: 1001AA0B
FindWindowExA.USER32(00000000,00000000,DiDaSG,00000000), ref: 1001AA23
FindWindowExA.USER32(00000000,00000000,DiDaGrid,00000000), ref: 1001AA31
FindWindowExA.USER32(00000000,00000000,DiDaViewCtrl,00000000), ref: 1001AA3F

Strings

DiDaGrid, xrefs: 1001AA2A
DiDaViewCtrl, xrefs: 1001AA38
Edit, xrefs: 1001A9CD
DiDaSG, xrefs: 1001AA1B
ScrollBar, xrefs: 1001A9F7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: FindWindow$_mbscmp$Parent
String ID: DiDaGrid$DiDaSG$DiDaViewCtrl$Edit$ScrollBar
API String ID: 3521712903-213082921
Opcode ID: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
Instruction ID: 07a90f14033cc30d1d35d2e0eeef8570c81e30e2f87793286d4a341ae43e1c20
Opcode Fuzzy Hash: 5e0b855fcac5159f367e03da2c711da51616acd7177871d874b9811b27d61f41
Instruction Fuzzy Hash: D111C8773516252BE200F6A8AC90FAB63CCDFD5666F514022FB00EA140D334ED8687B5

Function 1000C6F0 Relevance: 18.2, APIs: 12, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000C702
GetWindowRect.USER32(?,?), ref: 1000C711
ClientToScreen.USER32(?,?), ref: 1000C726
ClientToScreen.USER32(?,?), ref: 1000C731
OffsetRect.USER32(?,?,?), ref: 1000C74C
OffsetRect.USER32(?,?,?), ref: 1000C761
IsWindowEnabled.USER32(?), ref: 1000C778
GetFocus.USER32 ref: 1000C782
InflateRect.USER32(00000020,000000FE,000000FE), ref: 1000C81C
SelectObject.GDI32(00000000,?), ref: 1000C830
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 1000C84F
IsWindowEnabled.USER32(?), ref: 1000C859

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ClientWindow$EnabledOffsetScreen$FocusInflateObjectSelect
String ID:
API String ID: 3408369734-0
Opcode ID: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
Instruction ID: d3539a25c7ff0506e7ee7ab9e9479a1055ac5ff067c866c20199165bfa3bfce7
Opcode Fuzzy Hash: 3be52d9941539292c299830c6e9bf5df74aa8ccb6bf1b58d779688aaf5952ba0
Instruction Fuzzy Hash: C25119B8204706AFE314DF69C884D2BB7E9FFC8354B208A1DF85987365D631ED468B61

Function 10016060 Relevance: 18.2, APIs: 12, Instructions: 157windowCOMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 1001608F
CallWindowProcA.USER32(?,?,?,?,?), ref: 100160C2
GetParent.USER32(?), ref: 1001611B
SendMessageA.USER32(00000000), ref: 10016122

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow$MessageParentSend
String ID:
API String ID: 482362837-0
Opcode ID: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
Instruction ID: 0d51841f0734fbb8e4940dc07b8de3669c789b49538fb586d0ae161ad6d6c563
Opcode Fuzzy Hash: 916f991154467816be997b105c9d4eb4c11a9125e158527fd240b7089936db19
Instruction Fuzzy Hash: 4E519E76200611AFE310DB68CC85FAB73E8EB8C750F144918F95ACB292D670E985CBA1

Function 1000C030 Relevance: 18.1, APIs: 12, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?), ref: 1000C03F
GetClientRect.USER32(?,?), ref: 1000C04B
ClientToScreen.USER32(?,?), ref: 1000C05D
ClientToScreen.USER32(?,?), ref: 1000C065
OffsetRect.USER32(?,?,?), ref: 1000C080
OffsetRect.USER32(?,?,?), ref: 1000C095
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0B1
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C0C9
CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C0D2
SelectClipRgn.GDI32(?,00000000), ref: 1000C0DE
DeleteObject.GDI32(00000000), ref: 1000C0EB
DeleteObject.GDI32(00000000), ref: 1000C0EE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Client$CreateDeleteObjectOffsetScreen$ClipCombineSelectWindow
String ID:
API String ID: 2240990249-0
Opcode ID: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
Instruction ID: 6da254da4a0019f5656eed989aa654683ae0a7bab9e4da9d351570924b964c57
Opcode Fuzzy Hash: 4b3a124ec8f7523d0d551fb504430074e69b4b5c7f317864df0b48e49119c4e9
Instruction Fuzzy Hash: C021D8B9115225BFE304DB55CC84CABB7EDEFC9710F158A0DF98593210D674EA0A8BA2

Function 006902F2 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 221COMMONLIBRARYCODE

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0087FA3C,00000001,0087FA3C,00000001,00000000,027211AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00682862), ref: 00690330
CompareStringA.KERNEL32(00000000,00000000,0087FA38,00000001,0087FA38,00000001), ref: 0069034D
CompareStringA.KERNEL32(00624130,006241D0,00624280,00000000,b(h,00000000,00000000,027211AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00682862), ref: 006903AB
GetCPInfo.KERNEL32(00000000,00000000,00000000,027211AC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,00682862,00000000), ref: 006903FC
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0069047B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 006904DC
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 006904EF
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0069053B
CompareStringW.KERNEL32(00623EF6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00690553

Strings

b(h, xrefs: 0069039E, 00690384

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID: b(h
API String ID: 1651298574-2854650268
Opcode ID: 5c0e6266643f555dc37cd1e75106d56ceb446345be79ce9ef079dd057871ce94
Instruction ID: dd9611b21c42eb4b76ce4865cadc7a6560537f93cdb66e3775e4d525e5b97130
Opcode Fuzzy Hash: 5c0e6266643f555dc37cd1e75106d56ceb446345be79ce9ef079dd057871ce94
Instruction Fuzzy Hash: 2A71AB7290024AEFEF219F548D859EE7BBFFB09704F11412AF951A2661D3328D51DFA0

Function 10012750 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 187windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,?), ref: 10012809
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 1001281F
SetMapMode.GDI32(?,00000001), ref: 1001282B
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001283B
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001284B
SetViewportOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1001285B
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1001286B
73F84D40.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 100128B8

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Part of subcall function 1000E340: SelectObject.GDI32(?,?), ref: 1000E3AA
Part of subcall function 1000E340: DeleteDC.GDI32(?), ref: 1000E3B4
Part of subcall function 1000E340: DeleteObject.GDI32(?), ref: 1000E3D1

??3@YAXPAX@Z.MSVCRT(?), ref: 1001292B

Strings

s, xrefs: 100128B8

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Delete$Select$ViewportWindow$??3@Mode
String ID: s
API String ID: 2611903862-453955339
Opcode ID: 2c7208d9f9cc6fae1fbc982cd13d60a7d2cd2e901e4ab997d711d0d3189936f4
Instruction ID: 5a2126a295ea02ada3bf3e3be973f49605dcc2c156f47a887c0508dc2def5236
Opcode Fuzzy Hash: 2c7208d9f9cc6fae1fbc982cd13d60a7d2cd2e901e4ab997d711d0d3189936f4
Instruction Fuzzy Hash: FA614BB9640301AFE724CF18CC85F5B77A9FB88B50F20891CF9599B391C671E881CBA5

Function 0069605F Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00696064
GetSystemMetrics.USER32(0000002A), ref: 00696115
GlobalLock.KERNEL32(00000000), ref: 0069619F
CreateDialogIndirectParamA.USER32(?,FFFFFFB2,?,00695EA7,00000000), ref: 006961D1

Strings

MS Sans Serif, xrefs: 00696136
MS Shell Dlg, xrefs: 00696123
Helv, xrefs: 00696149

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2364537584-2894235370
Opcode ID: 897c0adc9d3ac681d4ccfe0feedc56f3ad4b8be52cd44cbb38c191b2e127cbba
Instruction ID: 8069f3ef6fd83b2afe12f2f2e8a58fa7cee0eb94e1e521f12d89f9e8fda503ef
Opcode Fuzzy Hash: 897c0adc9d3ac681d4ccfe0feedc56f3ad4b8be52cd44cbb38c191b2e127cbba
Instruction Fuzzy Hash: 2C617A7190030AEFCF14EFA8D9859EEBBBAFF14304F24402EF506A2691DB359A44CB55

Function 0067E132 Relevance: 16.7, APIs: 11, Instructions: 185stringCOMMON

Download Yara Rule

APIs

#45.ODBC32 ref: 0067E14E
#45.ODBC32(?,00000050,?,00000004,?), ref: 0067E185
#45.ODBC32(?,0000002E,?,00000002,?), ref: 0067E1B5
#45.ODBC32(?,00000017,?,00000002,?), ref: 0067E1E3
#45.ODBC32(?,00000018,?,00000002,?), ref: 0067E206
#45.ODBC32(?,00000052,?,00000004,?), ref: 0067E22A
#45.ODBC32(?,00000051,?,00000004,?), ref: 0067E246
#45.ODBC32(?,00000019,?,0000000A,?), ref: 0067E27A
lstrcmpA.KERNEL32(?,0087EDB4), ref: 0067E29B
#50.ODBC32(?,00000065,00000001), ref: 0067E2B9
#45.ODBC32(?,0000001D,?,00000002,?,?,00000065,00000001), ref: 0067E2CC

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: lstrcmp
String ID:
API String ID: 1534048567-0
Opcode ID: ba11b6ed57c480dbfbca8db65cb9cafc69c1171ccff2d6492b7698edc1827bff
Instruction ID: 13585e91537854cccdfa895dc737c36a24caf1dc77576364f2328888c8ff658c
Opcode Fuzzy Hash: ba11b6ed57c480dbfbca8db65cb9cafc69c1171ccff2d6492b7698edc1827bff
Instruction Fuzzy Hash: 79619171600609BFEB21CBA0CC4AFEBB7FEAF08704F108499E546D6681E775DA49CB54

Function 1001BBF0 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 1001BC14
DeleteObject.GDI32(?), ref: 1001BC2F
DeleteObject.GDI32(?), ref: 1001BC5B
DeleteObject.GDI32(?), ref: 1001BC7F
DeleteObject.GDI32(?), ref: 1001BCA2
DeleteObject.GDI32(?), ref: 1001BCBB
SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BD28
IsWindowVisible.USER32(?), ref: 1001BD38

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: DeleteObject$MessageSendVisibleWindow
String ID:
API String ID: 2663172341-0
Opcode ID: 9eaa5807c86f827a565e6f2b3feca2c72fbca985b45077f70f87822426f3090f
Instruction ID: 69cb3e28c512f8bc434b60400197b4956680df1e75d225c41875b39bfed14100
Opcode Fuzzy Hash: 9eaa5807c86f827a565e6f2b3feca2c72fbca985b45077f70f87822426f3090f
Instruction Fuzzy Hash: C15149B96006198FD744DF65D8C4D19BBE6EF84754B66806DE4098F261CB32ECC2CF54

Function 10023530 Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 308windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 1002356E
SetTextColor.GDI32(?,?), ref: 1002374A

Part of subcall function 10023070: IsWindowVisible.USER32(?), ref: 10023094
Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 10023107
Part of subcall function 10023070: IsIconic.USER32(?), ref: 10023115
Part of subcall function 10023070: IsRectEmpty.USER32(?), ref: 100231E6
Part of subcall function 10023070: IsZoomed.USER32(?), ref: 100231F4
Part of subcall function 10023070: GetSystemMenu.USER32(?,00000000,0000F060,00000000), ref: 10023317
Part of subcall function 10023070: GetMenuState.USER32(00000000), ref: 1002331E

GetWindowTextA.USER32(?,?,00000400), ref: 100237DD
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 1002381F
SetBkMode.GDI32(?,00000001), ref: 100238A2
SelectObject.GDI32(?,00000000), ref: 100238B7
DrawTextA.USER32(?,?,?,?,00040024), ref: 100238DE
73F84D40.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 1002390B

Strings

s, xrefs: 1002390B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: TextWindow$DrawEmptyMenuRectVisible$ColorIconIconicModeObjectSelectStateSystemZoomed
String ID: s
API String ID: 3608014746-453955339
Opcode ID: f2973cb4028198a9a51bb3a7a6b7762885dc349face6f824e9808d953d14431b
Instruction ID: 3263a162000869abdaed50fa1a63b18b52f79a3c691ea1695c1955725f713e6b
Opcode Fuzzy Hash: f2973cb4028198a9a51bb3a7a6b7762885dc349face6f824e9808d953d14431b
Instruction Fuzzy Hash: 20C108B9240705AFE354CB64CC85FA7B3E9EB88740F208A1DF55A87255DA75FC068BA0

Function 1000FF70 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 198windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 1000FF8B
GetMenuItemInfoA.USER32 ref: 1000FFCB
??3@YAXPAX@Z.MSVCRT(?), ref: 10010083
??2@YAPAXI@Z.MSVCRT(00000014), ref: 1001008D
??2@YAPAXI@Z.MSVCRT(0000000C,00000014), ref: 100100B2
SetMenuItemInfoA.USER32 ref: 10010127
??2@YAPAXI@Z.MSVCRT(0000000C), ref: 10010174

Strings

0, xrefs: 1000FFBB

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@ItemMenu$Info$??3@Count
String ID: 0
API String ID: 1280313425-4108050209
Opcode ID: cc8c67f2bd9abdc1bcf278f41cf6078ea078a8eb8a740d13d7db29cf79bdf8f8
Instruction ID: 9c73eb5ddcbb23b1021a2a30c8f8144f940f888cd30e2e31c2a3417c855ec077
Opcode Fuzzy Hash: cc8c67f2bd9abdc1bcf278f41cf6078ea078a8eb8a740d13d7db29cf79bdf8f8
Instruction Fuzzy Hash: 117128B1B042429FD304CF14C880A5ABBE5FF88754F25C56DF8899B361D7B6E886CB91

Function 10023F00 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 10023F0E
GetWindowRect.USER32(?,?), ref: 10023F1D
PtInRect.USER32(?,?,?), ref: 10023F38
PtInRect.USER32(00000168,?,?), ref: 10023F67
GetMenuItemCount.USER32(?), ref: 10023F94

Part of subcall function 10024DB0: GetMenuItemRect.USER32(?,00000000,?,?,?,?,75756D90,00000000,10023B9B,00000000,?), ref: 10024DCB
Part of subcall function 10024DB0: OffsetRect.USER32(?,?,?), ref: 10024DF9

GetMenuItemInfoA.USER32 ref: 10023FE3
OffsetRect.USER32(?,?,00000000), ref: 1002401B
PtInRect.USER32(?,00000400,00000000), ref: 10024030

Strings

0, xrefs: 10023FD3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ItemMenu$Offset$CountCursorInfoWindow
String ID: 0
API String ID: 1145675194-4108050209
Opcode ID: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
Instruction ID: 31d5a28eec6a1afefc3e1dee2d447974a65d6f43cb3d9e79273529089ad59d0b
Opcode Fuzzy Hash: 175602bbc668ff8853d7943d656a5cc7ce6d6184f3f0c48b566ecbe4b546db37
Instruction Fuzzy Hash: BE415B752087019FD304DF68DC88A6BB7F9FBC8650F11891DFA5583250DB71E94ACBA2

Function 10006A30 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 100069F0: DeleteObject.GDI32(?), ref: 100069FE

SelectObject.GDI32(00000000,?), ref: 10006A8A
GetObjectA.GDI32(?,00000018,?), ref: 10006AA2
SelectObject.GDI32(00000000,000000FF), ref: 10006AD1
73F84D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 10006AEE
SelectObject.GDI32(00000000,00000000), ref: 10006AF6
SelectObject.GDI32(00000000,00000000), ref: 10006AFE
DeleteDC.GDI32(00000000), ref: 10006B07
DeleteDC.GDI32(00000000), ref: 10006B0A

Strings

s, xrefs: 10006AEE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$Delete
String ID: s
API String ID: 4028988585-453955339
Opcode ID: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
Instruction ID: 18bf3757976541dfd00de2af7b288375a6f254a0424e89b954cf1b644370f741
Opcode Fuzzy Hash: 9590772b2381df981e00ce1ca602ee8b7f492eed31d7fb91fb646ce7ea8e8a2e
Instruction Fuzzy Hash: A221A0762043196BF250EB59CCC0F2BB7EDEBC9790F60442DFA4097244DA64EC068BA2

Function 005C0180 Relevance: 15.3, APIs: 10, Instructions: 324COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005C01AB
VariantInit.OLEAUT32(00000000), ref: 005C01DA
VariantCopyInd.OLEAUT32(00000000), ref: 005C01E2
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 005C0285

Part of subcall function 005E7D20: RtlAllocateHeap.NTDLL(00BF0000,00000000,00000008,?,?,005C0141,00000008,?), ref: 005E7D31

VariantCopyInd.OLEAUT32(?), ref: 005C0465
VariantChangeType.OLEAUT32(00000000,?,00000000,?), ref: 005C0480

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Variant$CopyInit$AllocateArrayChangeElementHeapSafeType
String ID:
API String ID: 2026756349-0
Opcode ID: c22d80ca2c7c2f4310e5297dfb7347758e71b3a9863db011d946845882f9f18c
Instruction ID: a6569ae457fa3fba65bfbf70b49f45d83d197d2b03c3cf3f78df96e546bfc027
Opcode Fuzzy Hash: c22d80ca2c7c2f4310e5297dfb7347758e71b3a9863db011d946845882f9f18c
Instruction Fuzzy Hash: ECD14374509382CFC714DF94C884B6ABBE5FF89714F10992DE889873A0E735E945CB92

Function 10017090 Relevance: 15.2, APIs: 12, Instructions: 162COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT ref: 100170FF
??2@YAPAXI@Z.MSVCRT(00000100), ref: 1001710F
??2@YAPAXI@Z.MSVCRT(00000078,00000100), ref: 1001711C
??2@YAPAXI@Z.MSVCRT(00000010,00000078,00000100), ref: 10017129
??2@YAPAXI@Z.MSVCRT(000054F0,00000010,00000078,00000100), ref: 10017139
??2@YAPAXI@Z.MSVCRT(000003DC,000054F0,00000010,00000078,00000100), ref: 10017149
??2@YAPAXI@Z.MSVCRT ref: 100171FB
??2@YAPAXI@Z.MSVCRT(00000100), ref: 1001720B
??2@YAPAXI@Z.MSVCRT(00000078,00000100), ref: 10017218
??2@YAPAXI@Z.MSVCRT(00000010,00000078,00000100), ref: 10017225
??2@YAPAXI@Z.MSVCRT(000054F0,00000010,00000078,00000100), ref: 10017235
??2@YAPAXI@Z.MSVCRT(000003DC,000054F0,00000010,00000078,00000100), ref: 10017245

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 410dd1f96e3f1d1cea1fdd0126b62a2689596ec5cbd5351870bc8534d49ce999
Instruction ID: 0f10bd593ae600cb38cbaaa22fec1f499e913940d81218a79a1784d92bf44df9
Opcode Fuzzy Hash: 410dd1f96e3f1d1cea1fdd0126b62a2689596ec5cbd5351870bc8534d49ce999
Instruction Fuzzy Hash: FF7118B45007889BEB30CF29C8A17DABBE1FF4C310F90442E9A4D9B791DB7666558B81

Function 1001C210 Relevance: 15.2, APIs: 10, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,00000000,?,1002CDA8,?,1002CDC8), ref: 1001C227
GlobalLock.KERNEL32(00000000), ref: 1001C230
SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
GlobalLock.KERNEL32(00000000), ref: 1001C316
SetRect.USER32(?,?,?,?,?), ref: 1001C339
ExtCreateRegion.GDI32(00000000,00000062,00000000), ref: 1001C3B3
GlobalUnlock.KERNEL32(00000000), ref: 1001C3BC
GlobalFree.KERNEL32(00000000), ref: 1001C3C3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Global$AllocLockRectUnlock$CreateFreeRegion
String ID:
API String ID: 2388356299-0
Opcode ID: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
Instruction ID: 800a03afdf74d798d33c9bbd273a6215fc8d6eee2ba7c904765c8bbc0eaa987e
Opcode Fuzzy Hash: 6ba06d16079189b5735e3eb41b3e1a1aff45cf1b4ebc31a8399078287940a643
Instruction Fuzzy Hash: 165179752047058FD314CF19C8C4E1ABBE6FBC8354F158A2DF8969B252D730E98ACBA1

Function 1000C100 Relevance: 15.1, APIs: 10, Instructions: 75COMMON

Download Yara Rule

APIs

GetUpdateRect.USER32(?,?,00000000), ref: 1000C110
GetWindowRect.USER32(?,?), ref: 1000C126
ClientToScreen.USER32(?,?), ref: 1000C138
ClientToScreen.USER32(?,?), ref: 1000C140
OffsetRect.USER32(?,?,?), ref: 1000C155
CreateRectRgn.GDI32(?,?,?,?), ref: 1000C16F
CombineRgn.GDI32(00000000,00000000,00000000,00000001), ref: 1000C195
DeleteObject.GDI32(00000000), ref: 1000C19C
SelectClipRgn.GDI32(?,00000000), ref: 1000C1A4
DeleteObject.GDI32(00000000), ref: 1000C1AB

Part of subcall function 1000C1C0: GetWindowRect.USER32(?,?), ref: 1000C1D7
Part of subcall function 1000C1C0: CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 1000C1F5
Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C204
Part of subcall function 1000C1C0: IsWindowVisible.USER32(00000000), ref: 1000C211
Part of subcall function 1000C1C0: GetWindowRect.USER32(00000000,?), ref: 1000C22D
Part of subcall function 1000C1C0: OffsetRect.USER32(?,?,?), ref: 1000C242
Part of subcall function 1000C1C0: CreateRectRgn.GDI32(?,?,?,?), ref: 1000C25C
Part of subcall function 1000C1C0: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000C269
Part of subcall function 1000C1C0: DeleteObject.GDI32(00000000), ref: 1000C270
Part of subcall function 1000C1C0: FindWindowExA.USER32(?,00000000,00000000,00000000), ref: 1000C280

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$CreateDeleteObject$ClientCombineFindOffsetScreen$ClipSelectUpdateVisible
String ID:
API String ID: 3337848875-0
Opcode ID: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
Instruction ID: 74d7dfbfc758c62a16206c90bb991d6bb96e2836b961c83879c6e1e08fceeccd
Opcode Fuzzy Hash: ab81bbd6e475fd5f65db4c67aaa5c7c4afadf060e7e249b2e30564a5a9679415
Instruction Fuzzy Hash: 4611477A105221AFF300DB65CCC4DABB7ACEFC9740F14490DF94582200E734EA0A8BB2

Function 00680407 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 155COMMON

Download Yara Rule

APIs

#17.ODBC32(00000012,?,00000013,?, WHERE CURRENT OF ,?,DELETE FROM ), ref: 0068054C
#19.ODBC32(?,00000000,000000FD,000000FF,00000000,00000000,?, WHERE CURRENT OF ,?,DELETE FROM ), ref: 006805B1

Part of subcall function 00695593: lstrlenA.KERNEL32(?,005DF680,?,005DF6FB,?), ref: 006955A4

Strings

INSERT INTO , xrefs: 00680431
SET , xrefs: 006804B4
WHERE CURRENT OF , xrefs: 0068051A
UPDATE , xrefs: 0068049A
DELETE FROM , xrefs: 006804EB
VALUES (, xrefs: 00680475

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: lstrlen
String ID: SET $ VALUES ($ WHERE CURRENT OF $DELETE FROM $INSERT INTO $UPDATE
API String ID: 1659193697-2930128812
Opcode ID: 37acb3997bf981464d4e33f933918fdaba8ff65eb3109a94853adbbf9a89c15b
Instruction ID: e641faeee4bc492aed8caf570aee0304f2f4deb3aee004d13c62be14de23bd4f
Opcode Fuzzy Hash: 37acb3997bf981464d4e33f933918fdaba8ff65eb3109a94853adbbf9a89c15b
Instruction Fuzzy Hash: FD51B130300704ABEE65AA64C855FBEB7AFEF88700F404D1DF45B9B292DB74AC048B64

Function 1000AAE0 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000AAED

Strings

SHE, xrefs: 1000AAE7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop
String ID: SHE
API String ID: 257714900-2947365353
Opcode ID: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
Instruction ID: 2e390604217a2b3f58ee7591da4aaa58580bf2b8c483784fb10c7b559247f76a
Opcode Fuzzy Hash: 2c6010a68df39a012fe3cfaaf114c4777e7ed861bf3d100bc81ecca3e0610d64
Instruction Fuzzy Hash: 6741BF72600705DFE720DF59D8C0FABB7D9EB853A1F41852EF14A86102C731A8C5CB25

Function 10018E00 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 10018E2A
DeleteObject.GDI32(?), ref: 10018E3E
SelectObject.GDI32(?,?), ref: 10018E89
73F84D40.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 10018EC1
SelectObject.GDI32(?,?), ref: 10018ECF
CreateSolidBrush.GDI32(?), ref: 10018F16
CreatePatternBrush.GDI32(?), ref: 10018F23

Strings

s, xrefs: 10018EC1

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$BrushCreateDeleteSelect$PatternSolid
String ID: s
API String ID: 22681066-453955339
Opcode ID: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
Instruction ID: 23f9e4fe7887b74c245d57b0e501ed812031919aed004f8028d95dad6bed7b15
Opcode Fuzzy Hash: 493c7b64c06f7fda6f307e4e9a9fb4371a82727674913205bff5ba11ea4a1bec
Instruction Fuzzy Hash: E03148B52007019FE214DF64C895FA7B7E9EB88750F11892DF69A872A1DB30F945CB60

Function 10012370 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,?,?,?), ref: 1001238D
GetPropA.USER32(?,SHE), ref: 100123B4
SetBkColor.GDI32(?,?), ref: 100123D2
SetTextColor.GDI32(?,?), ref: 100123EC

Strings

SHE, xrefs: 100123AE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Color$CallProcPropTextWindow
String ID: SHE
API String ID: 1567449379-2947365353
Opcode ID: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
Instruction ID: 4c3276a66a0a9f635cfbb79f7bd4f3ded52351a7d3631d5cad51002f68e975b9
Opcode Fuzzy Hash: fd243b49dd2b70934088a78486ed71f3f6b1e30930e2a5d8f73f0faa35da5f50
Instruction Fuzzy Hash: 32213C7A200215DFE214CF55DCC8EA7B7A9FF88711F258579FA0987612C731AC86CB60

Function 0069B389 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 0069B3A5
GetStockObject.GDI32(0000000D), ref: 0069B3AD
GetObjectA.GDI32(00000000,0000003C,?), ref: 0069B3BA
GetDC.USER32(00000000), ref: 0069B3C9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 0069B3E0
MulDiv.KERNEL32(?,00000048,00000000), ref: 0069B3EC
ReleaseDC.USER32(00000000,00000000), ref: 0069B3F7

Strings

System, xrefs: 0069B39E, 0069B40D

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 4715cfa00b7778b07bb3170876234c21c8a5a33a8063199f8de7cf325c60b32e
Instruction ID: b4bfe99713a1d882ea69c467723e22ed7429d683e1cd9431b57c588431e0bf27
Opcode Fuzzy Hash: 4715cfa00b7778b07bb3170876234c21c8a5a33a8063199f8de7cf325c60b32e
Instruction Fuzzy Hash: 26118271A00218ABEF00AFA1ED49FAE3BBEEB15740F005015F605E71D0D7B1AD01CBA1

Function 1001BB00 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 1001BB16

Strings

SHE_C, xrefs: 1001BB35
SHE_A, xrefs: 1001BB41

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window
String ID: SHE_A$SHE_C
API String ID: 2353593579-3829401601
Opcode ID: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
Instruction ID: 61a02fd3fe343e1cbdaa3c21f8ae578eda2fb75fcd6781e2b5076b330a8b8943
Opcode Fuzzy Hash: f539908fe5b4ee91853859bd00b7215825581461b09397d3a58328f8b06297f0
Instruction Fuzzy Hash: EEF03035346A31B7FA91ABA4BC8AFDB3658DF05741F214010F701AA0D4D7A4AB8747EA

Function 00699208 Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00699502,00000000,00020000,?,?,00000000), ref: 00699211
LoadLibraryA.KERNEL32(COMCTL32.DLL,?,00000000,?,?,?,?,?,?,?,?,006960A7,00000010,00000000), ref: 0069921A
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 0069922E
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,006960A7,00000010,00000000), ref: 00699249
#17.COMCTL32(?,00000000,?,?,?,?,?,?,?,?,006960A7,00000010,00000000), ref: 00699265
FreeLibrary.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,006960A7,00000010,00000000), ref: 00699271

Strings

InitCommonControlsEx, xrefs: 00699226
COMCTL32.DLL, xrefs: 0069920A, 00699210, 00699217

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: 37a4bdbc32809743f3fffd6b1049c67fb2f92ccc3d4172ace63338cc51eb861e
Instruction ID: 0fcf378e3cd2df81f391a590d18020e8c41003aebe46182a16113da8587b8c0e
Opcode Fuzzy Hash: 37a4bdbc32809743f3fffd6b1049c67fb2f92ccc3d4172ace63338cc51eb861e
Instruction Fuzzy Hash: B9F02836654212A79F11AFA89C4894B76EFEF957617051428F505F3310CB60FD088FB1

Function 00663130 Relevance: 13.7, APIs: 9, Instructions: 183COMMON

Download Yara Rule

APIs

#3.ODBC32(?,?), ref: 0066315E
#19.ODBC32(?,?,000000FD,?,00000000,?,?,?), ref: 006631A7
#72.ODBC32(?,?,00000001,00000001,000000FF,00000000,00000000,?,00000000,FFFFFFFD,?,?,00000001,000000FE,000000FC,00000001), ref: 0066320E
#72.ODBC32(?,?,00000001,000000FE,000000FC,00000001,00000000,?,00000001,00000001,?,00000000,?,?,?,000000FD), ref: 0066322F
#12.ODBC32(?,?,00000000,?,?,?,000000FD,?,00000000,?,?,?), ref: 0066323E

Part of subcall function 0067D5CF: __EH_prolog.LIBCMT ref: 0067D5D4

#18.ODBC32(?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?,?), ref: 0066326F
#13.ODBC32(?,?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?), ref: 00663285
#61.ODBC32(?,?,?,?,00000000,?,?,?,00000000,?,?,?,000000FD,?,00000000,?), ref: 006632AB
#16.ODBC32(?,00000001,?,00000000,?,?,?,?,?,00000000,?,?,?,00000000,?,?), ref: 006632DF

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: b2aea5b424d7e622b0eec6a75990a3fe05cacb132fec0d69f9b6b7183e70dc8a
Instruction ID: e9eb0688e3759070c83910bcee0c4d8fb5021b5fff6c1b2442ddd03bac30b3ac
Opcode Fuzzy Hash: b2aea5b424d7e622b0eec6a75990a3fe05cacb132fec0d69f9b6b7183e70dc8a
Instruction Fuzzy Hash: 11518171900125ABDB54EBA8CD85EFFB77EEF85720F20821CB819A7381D6349E4187B5

Function 100194E0 Relevance: 13.7, APIs: 9, Instructions: 156COMMON

Download Yara Rule

APIs

UnhookWindowsHookEx.USER32(?), ref: 1001950B
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019534
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001956D
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100195A6
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100195DF
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019618
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 10019651
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001968A
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 100196C3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$HookUnhookWindows
String ID:
API String ID: 4067003578-0
Opcode ID: ccb9e22b7223a151e8cdee0c69a935e96b33eb5907197e5facc0244b726fac03
Instruction ID: 68d6bc10badb6e31eff8a5ceec3b68c03d71041423b9f4d656f5879cd019a15e
Opcode Fuzzy Hash: ccb9e22b7223a151e8cdee0c69a935e96b33eb5907197e5facc0244b726fac03
Instruction Fuzzy Hash: 45613DB5900B418BC721CF6DC8C068AFBE5FB58250F95482EE1AE87352D735F984CB96

Function 10012180 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 100121A6
SelectObject.GDI32(?,?), ref: 100121CC
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100121E4
SelectObject.GDI32(?,00000000), ref: 100121EC
73F84D40.GDI32 ref: 1001224C
CallWindowProcA.USER32(?,?,00000014,00000000,?), ref: 10012262
SelectObject.GDI32(00000000,?), ref: 100122A0
PatBlt.GDI32(00000000,00000000,00000000,?,00CC0020,00F00021), ref: 100122BE
73F84D40.GDI32(?,00000000,00000000,?,?,00000001,00000000,00000000,00CC0020,00000000,?,?,?,00000000,00000000,00CC0020), ref: 10012316

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ObjectSelect$CallClientProcRectWindow
String ID:
API String ID: 1176863719-0
Opcode ID: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
Instruction ID: 521344e5b0112258a1cfddc808acbd5a461835463cd1efe4b2e01d7775b1bad5
Opcode Fuzzy Hash: 8d9555288dfa4cb6b9910587152f2368e31d67d4d9cfedcddf4c0e453304757e
Instruction Fuzzy Hash: BB51F9B9254300AFE214DB54CC86F6BB7A8EBC8B50F20491CFA4597391C6B5FC458BA6

Function 1000D060 Relevance: 13.6, APIs: 9, Instructions: 119COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1000D08E
OffsetRect.USER32(?,?,?), ref: 1000D0A7
GetClientRect.USER32(?,?), ref: 1000D0B9
SetRectEmpty.USER32(?), ref: 1000D11A
BeginPath.GDI32(?), ref: 1000D147
Rectangle.GDI32(?,?,?,?,?), ref: 1000D164
EndPath.GDI32(?), ref: 1000D16B
SelectClipPath.GDI32(?,00000005), ref: 1000D179
SelectClipPath.GDI32(?,00000004), ref: 1000D18B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PathRect$ClipSelect$BeginClientEmptyOffsetRectangleWindow
String ID:
API String ID: 926769777-0
Opcode ID: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
Instruction ID: ba60728ec9fc36432d1322e881ef709b7ac6645eae2937ea16e8d96f42463b8c
Opcode Fuzzy Hash: 0826a6cac50ff6d8cc9cb84acf4d3d3ae261592e089b67d3ff386e635de06544
Instruction Fuzzy Hash: 4B413979609211AFE744EF04C884D9FB7E9EFC8761F50881DF94A87214D730E94ACBA2

Function 10016650 Relevance: 13.6, APIs: 9, Instructions: 89windowtimeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006622,76C03760,00000000,100161F8,?,?), ref: 10016663
KillTimer.USER32(?,00006623,?,?), ref: 1001666E
KillTimer.USER32(?,00006624,?,?), ref: 10016679
GetParent.USER32(?), ref: 100166B6
SendMessageA.USER32(00000000,?,?), ref: 100166BF
GetParent.USER32(?), ref: 100166CF
SendMessageA.USER32(00000000,?,?), ref: 100166D2
SendMessageA.USER32(?,?,?,00000000), ref: 100166FA
SendMessageA.USER32(?,?,00000008,00000000), ref: 1001670B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$KillTimer$Parent
String ID:
API String ID: 639473585-0
Opcode ID: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
Instruction ID: 23e64ce1f8e016dc164ffd5e7c53ec1364c03778283d0123c89ade336ad14168
Opcode Fuzzy Hash: 43e7f77cbceff515ad615a55a00688c3b258852cb15ecafe0dc3e5f4f77e3c47
Instruction Fuzzy Hash: 1F212175200B01ABE664DB65CC51FA7B3EDEF88714F11481DF6569B290CAB1F841CB60

Function 10004800 Relevance: 13.6, APIs: 9, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10004809
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000482A
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004847
LoadCursorA.USER32(00000000,00007F84), ref: 1000486B
SetCursor.USER32(00000000), ref: 10004872
SendMessageA.USER32(?,?,0000000B,?), ref: 1000488F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Cursor$EnabledLoadWindow
String ID:
API String ID: 952789742-0
Opcode ID: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
Instruction ID: a48a6881d2a0336a3b2bb6231070b8bc95643f1d678b29964c15dfe4c6f22d82
Opcode Fuzzy Hash: 32ed43d69171fde928c40ca07546bdfc92c8bcd283c9c7b1e6585add4f52f139
Instruction Fuzzy Hash: 0521BE75609763AFF250CB64EC88F8B37E8EF58750F128C14F241D6990CBA0E8458795

Function 10004430 Relevance: 13.6, APIs: 9, Instructions: 80windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 10004439
SendMessageA.USER32(?,00000020,?,0200FFFE), ref: 1000445A
SendMessageA.USER32(?,00000020,?,0202FFFE), ref: 10004477
LoadCursorA.USER32(00000000,00007F84), ref: 1000449B
SetCursor.USER32(00000000), ref: 100044A2
SendMessageA.USER32(?,?,0000000A,?), ref: 100044BF

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Cursor$EnabledLoadWindow
String ID:
API String ID: 952789742-0
Opcode ID: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
Instruction ID: 4b1eefcfb1eff533e0469eb4f3c20f4418bd10dfbad317feed312d8172fc31b6
Opcode Fuzzy Hash: e8c35d7865301e7346ea7a2614379b4a33c7a3f3bf2c79482a3e40d957fdedee
Instruction Fuzzy Hash: 5D21D175709723AFF650CB64EC88F8B37E8EF59750F128804F242D7890C6A0E846C795

Function 10015840 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 287windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 10015860
SelectObject.GDI32(?,?), ref: 10015903
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F
SelectObject.GDI32(?,?), ref: 100159B3
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 100159C9
73F84D40.GDI32(?,?,76C22370,?,?,?,00000000,00000000,00CC0020), ref: 10015B86

Part of subcall function 1000FC70: SelectObject.GDI32(?,?), ref: 1000FC7A
Part of subcall function 1000FC70: DeleteDC.GDI32 ref: 1000FC83
Part of subcall function 1000FC70: DeleteObject.GDI32(?), ref: 1000FC8D

Strings

s, xrefs: 10015B86

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$Delete$VisibleWindow
String ID: s
API String ID: 2338221860-453955339
Opcode ID: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
Instruction ID: f04d0c149d7934839a0fbc71b930f3873cc576cb42b8e8f7a274e06dc9e73843
Opcode Fuzzy Hash: 421cafb401685e9174eb1292b169dd592b5d176713f7d8995dcaaaaccdaf3922
Instruction Fuzzy Hash: 79B104B8200205AFE714CF54C8C5EAB77A8FF88B44F14496CF8498B256DB75ED46CBA1

Function 10022B70 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 192windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 10022B92
GetMenuItemInfoA.USER32 ref: 10022BD3
??2@YAPAXI@Z.MSVCRT(0000000C), ref: 10022D74

Strings

0, xrefs: 10022BC3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ItemMenu$??2@CountInfo
String ID: 0
API String ID: 343086914-4108050209
Opcode ID: 7604f01f02f115ee7be7c09a562ee55d0e31972dcad4367c5aef172024b37c1e
Instruction ID: eeaf9257602ae2fb2291704959b8afc54feedf824bc9d131a5182b5c0530c076
Opcode Fuzzy Hash: 7604f01f02f115ee7be7c09a562ee55d0e31972dcad4367c5aef172024b37c1e
Instruction Fuzzy Hash: 97717EB0604246AFE754CF64E880A5ABBE5FF84744FA5C52EE809CB751E731EC42CB81

Function 0067F43C Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 157COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0067F441
#11.ODBC32(000000FF,?,000000FD,?,?,?,?,?,?,?,State:S1C00), ref: 0067F467
#19.ODBC32(00000001,?,000000FD,?,?,00000000,?,?,00664A46,000000FF,00000000,00000000,?), ref: 0067F47D
#51.ODBC32(000000FF,00000007,00000001,?,?,?,?,?,?,?,State:S1C00), ref: 0067F535
#12.ODBC32(00000001,?,00000000,?,?,00664A46,000000FF,00000000,00000000,?), ref: 0067F575
#46.ODBC32(00000001,00000007,?,?,00000000,?,?,00664A46,000000FF,00000000,00000000,?), ref: 0067F5B3

Strings

State:S1C00, xrefs: 0067F4DA

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: H_prolog
String ID: State:S1C00
API String ID: 3519838083-3597892918
Opcode ID: dc3f0704b099b72b5fe1eebc55fc5ff765f4eb3156c1dc0626ebc221ebf720de
Instruction ID: 96e462b3294693508971a56b9d159ad17172f2236cc2fe8d4cfadf3e77a848d9
Opcode Fuzzy Hash: dc3f0704b099b72b5fe1eebc55fc5ff765f4eb3156c1dc0626ebc221ebf720de
Instruction Fuzzy Hash: 71519C312006019FEB25DF68C849FAAB7E7BF54714F14892EE1AAD72A1DB70AD41DB10

Function 10024B50 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 138windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 10024BB5
GetMenuItemCount.USER32(?), ref: 10024BC4
GetMenuItemInfoA.USER32 ref: 10024C09
SetMenuItemInfoA.USER32(?,00000000,00000400,?), ref: 10024C73
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,10024A51,?,?,00000000), ref: 10024CC7
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,10024A51,?,?,00000000), ref: 10024CD0

Strings

0, xrefs: 10024BF9

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@ItemMenu$Info$Count
String ID: 0
API String ID: 1300621985-4108050209
Opcode ID: db8b0735270c628eb056c6a9a50a2a714bdc7e32e5f6497291ea89124fa9fdc6
Instruction ID: ba23ef1283d543214e51f6240621ccfcbfd39c9ee9b7c6bd65e8a0915674a4ed
Opcode Fuzzy Hash: db8b0735270c628eb056c6a9a50a2a714bdc7e32e5f6497291ea89124fa9fdc6
Instruction Fuzzy Hash: 1D519E746012028FD754CF18E8C4A56B7F9EF88754F66C669E809CB350EB31EC42CB91

Function 0068F280 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0087FA3C,00000001,?,7556E860,0090D264,?,?,0068403D,?,?,?,00000000,00000001), ref: 0068F2BF
GetStringTypeA.KERNEL32(00000000,00000001,0087FA38,00000001,?,?,0068403D,?,?,?,00000000,00000001), ref: 0068F2D9
GetStringTypeA.KERNEL32(?,?,?,?,=@h,7556E860,0090D264,?,?,0068403D,?,?,?,00000000,00000001), ref: 0068F30D
MultiByteToWideChar.KERNEL32(?,0090D265,?,?,00000000,00000000,7556E860,0090D264,?,?,0068403D,?,?,?,00000000,00000001), ref: 0068F345
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0068403D,?), ref: 0068F39B
GetStringTypeW.KERNEL32(?,?,00000000,=@h,?,?,?,?,?,?,0068403D,?), ref: 0068F3AD

Strings

=@h, xrefs: 0068F3A5, 0068F300

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: =@h
API String ID: 3852931651-1625426366
Opcode ID: 823584412d834f5e73764d503d097cd02297b398649b21cfc71e2f8c9839f7c1
Instruction ID: aee5b141489bfa8e13c30a0d60d480a468f2d7fbc3131b24c3085c104f363943
Opcode Fuzzy Hash: 823584412d834f5e73764d503d097cd02297b398649b21cfc71e2f8c9839f7c1
Instruction Fuzzy Hash: 1441AB72A00219AFCF21AF95DC86DEE7F7AFB09710F100629F915E2261D331DA519BE0

Function 10024E80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

GetWindowInfo.USER32(?), ref: 10024E99
IsWindowVisible.USER32(?), ref: 10024F00
OffsetRect.USER32(?,?,?), ref: 10024F39
OffsetRect.USER32(?,?,?), ref: 10024F4E
EqualRect.USER32(?,?), ref: 10024F66
EqualRect.USER32(?,?), ref: 10024F78

Strings

<, xrefs: 10024E90

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$EqualOffsetWindow$InfoVisible
String ID: <
API String ID: 2641278648-4251816714
Opcode ID: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
Instruction ID: 43e9ea39151c7cd5d2d9fc7f3b5f0f6f8eba1aada2934db523e61a0316c8f1e6
Opcode Fuzzy Hash: 43b4f7e995c0a357d226bfec25f4c2e0ace47f82f58a39247d552d2796c55144
Instruction Fuzzy Hash: 294128756047029FD354CF28D484A9BB7E8FFC8304F518A2EF89987250DB31E946CB62

Function 006884B2 Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0068851F
GetStdHandle.KERNEL32(000000F4,0087F7BC,00000000,00000000,00000000,?), ref: 006885F5
WriteFile.KERNEL32(00000000), ref: 006885FC

Strings

..., xrefs: 00688571
Runtime Error!Program: , xrefs: 00688585
Microsoft Visual C++ Runtime Library, xrefs: 006885CB
<program name unknown>, xrefs: 0068852F

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 07970004debe172317d1dd19b29694db1808d9fdb62bffb4da9847a9c0160a7b
Instruction ID: 77fe0ad8d2f4b9c1575a17b3bd318a33be00da713a1af6846af1789f498af10c
Opcode Fuzzy Hash: 07970004debe172317d1dd19b29694db1808d9fdb62bffb4da9847a9c0160a7b
Instruction Fuzzy Hash: 3C31D8726002185EEF20B7A0CC45FDA736EFF46300F504A7AF645E7241EA74E9818B56

Function 005E91F0 Relevance: 12.3, APIs: 8, Instructions: 299COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d6de7a768be5ead32382cdc21de427f2c4f9e8752da9d0d89bdfa833a855e63
Instruction ID: 8537e0ab13999d065024f23fa1a23548df020667e1ac877825fc5b978c423c7b
Opcode Fuzzy Hash: 6d6de7a768be5ead32382cdc21de427f2c4f9e8752da9d0d89bdfa833a855e63
Instruction Fuzzy Hash: CAC1B5741497829FDB1ACF25C0A442EBBE1BFCA314F24888DE8998B764C776D855CB42

Function 1001A700 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 23libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(User32,UpdateLayeredWindow,00000000,?,?,1001928B), ref: 1001A715
GetProcAddress.KERNEL32(00000000), ref: 1001A71E
GetModuleHandleA.KERNEL32(User32,SetLayeredWindowAttributes,?,?,1001928B), ref: 1001A72C
GetProcAddress.KERNEL32(00000000), ref: 1001A72F

Strings

User32, xrefs: 1001A710, 1001A725
SetLayeredWindowAttributes, xrefs: 1001A720
UpdateLayeredWindow, xrefs: 1001A709

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: SetLayeredWindowAttributes$UpdateLayeredWindow$User32
API String ID: 1646373207-1189491841
Opcode ID: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
Instruction ID: e5961c9c5a536ee549249fec62f5ee9ffd92b965adf733a9a8c24a5aa6594063
Opcode Fuzzy Hash: b978585602eefc31c83160de33f8556ed3312a0566cad042a39d1910bad30d93
Instruction Fuzzy Hash: 58D05B766012186FD610FBF9AC98CA7F79CDD95551391452AF344D3111C7709C018BB0

Function 006553E0 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 006553FA
GetDeviceCaps.GDI32(?,0000005A), ref: 00655403
GetDeviceCaps.GDI32(?,0000006E), ref: 00655414
GetDeviceCaps.GDI32(?,0000006F), ref: 00655431
GetDeviceCaps.GDI32(?,00000070), ref: 00655446
GetDeviceCaps.GDI32(?,00000071), ref: 0065545B
GetDeviceCaps.GDI32(?,00000008), ref: 00655470
GetDeviceCaps.GDI32(?,0000000A), ref: 00655485

Part of subcall function 006555E0: __ftol.LIBCMT ref: 006555E5

Part of subcall function 00655610: __ftol.LIBCMT ref: 00655615

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: f188b425a3b516e5a2545e5bec3b397a633301c569b18d536f9cd7cccb7f84fe
Instruction ID: 9dea135849bb40a06dcdcad671280fe9c915c9dcab27dd08f9e58671573cdb5c
Opcode Fuzzy Hash: f188b425a3b516e5a2545e5bec3b397a633301c569b18d536f9cd7cccb7f84fe
Instruction Fuzzy Hash: DA517A70208B40ABD300AF35C899A6FFBF5FFC9B01F81491CF5D956290DA71A9188B96

Function 006133A0 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 006133B8
GetDeviceCaps.GDI32(?,0000005A), ref: 006133C1
GetDeviceCaps.GDI32(?,0000006E), ref: 006133D2
GetDeviceCaps.GDI32(?,0000006F), ref: 006133EF
GetDeviceCaps.GDI32(?,00000070), ref: 00613404
GetDeviceCaps.GDI32(?,00000071), ref: 00613419
GetDeviceCaps.GDI32(?,00000008), ref: 0061342E
GetDeviceCaps.GDI32(?,0000000A), ref: 00613443

Part of subcall function 00613180: __ftol.LIBCMT ref: 00613185

Part of subcall function 006131B0: __ftol.LIBCMT ref: 006131B5

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: d7a10d4b0c9e1f62fb4caba7312571e537f11e1ef69fc4e0563845951c3b9785
Instruction ID: 72b8e2cecdea49ebb0fb2c4e2fb836379c3ee27e5434308fcceaf1b6f3d5db4f
Opcode Fuzzy Hash: d7a10d4b0c9e1f62fb4caba7312571e537f11e1ef69fc4e0563845951c3b9785
Instruction Fuzzy Hash: 05514670508701AFD340EF6ACC86A6BBBF5FFC9700F05495CF68456290DB729A648B96

Function 100106C0 Relevance: 12.1, APIs: 8, Instructions: 119COMMON

Download Yara Rule

APIs

CallWindowProcA.USER32(?,?,00000005,?,?), ref: 100106F0
GetWindowRect.USER32(?,?), ref: 10010725
OffsetRect.USER32(?,?,?), ref: 1001073E
SelectObject.GDI32(?,?), ref: 10010782
SelectObject.GDI32(?,00000000), ref: 100107C7
CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 100107D7

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,00000000,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 100107F7
DeleteObject.GDI32(00000000), ref: 100107FE

Part of subcall function 10006920: DeleteObject.GDI32(?), ref: 1000692E

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: GlobalRect$Object$AllocDeleteLockSelectWindow$CallCombineCreateOffsetProcUnlock
String ID:
API String ID: 4094057805-0
Opcode ID: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
Instruction ID: 73ca99926bc02046f123c486a2af454b80d39e45caa77a60c923b30de1dd379e
Opcode Fuzzy Hash: 8d9b0bf1d7519ee72f556b295753cef8cb64391f53ae4860d5cb9819d170f47e
Instruction Fuzzy Hash: 4041FA79204740AFE354CF64CC85E6BB7A9FBC8710F108A1CF65987251DB74E905CBA1

Function 10017480 Relevance: 12.1, APIs: 8, Instructions: 76fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?), ref: 1001749D
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174B9
CloseHandle.KERNEL32(00000000,?,?,?,?,1001B7C8,?,?,10025DCF,?,?), ref: 100174C6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: File$CloseCreateHandleSize
String ID:
API String ID: 1378416451-0
Opcode ID: 2c01451aa05b8898809a72a0113405d7757f3eea56a2802639cca7eb58879ac2
Instruction ID: 8b3d300d7cd505047f5b36438d5475ead2230649a77d8796dbb5cbe265e0d923
Opcode Fuzzy Hash: 2c01451aa05b8898809a72a0113405d7757f3eea56a2802639cca7eb58879ac2
Instruction Fuzzy Hash: 8411EB7734122027E220A659EC8DF6BB79CE7D9BB2F208136FA45D62C0D661EC568371

Function 005C31D0 Relevance: 10.8, APIs: 7, Instructions: 319COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005C322A
VariantCopyInd.OLEAUT32(?,?), ref: 005C323B
VariantClear.OLEAUT32(?), ref: 005C35DB

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Variant$ClearCopyInit
String ID:
API String ID: 1785138364-0
Opcode ID: 9074d391dfd86444f1f3bc5a5f3f0fd26283b8a04de94400acadd5622b1bc764
Instruction ID: 020b578692ec818d9be715ebca06b9396c519d359d6703a3c5666381a5a234e0
Opcode Fuzzy Hash: 9074d391dfd86444f1f3bc5a5f3f0fd26283b8a04de94400acadd5622b1bc764
Instruction Fuzzy Hash: 3EC17F75608246CFD714DF98C584F6ABFE4FB89B00F14882DE9818B390DA7ADE41CB52

Function 10011880 Relevance: 10.6, APIs: 7, Instructions: 148windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,?), ref: 1001189F
IsRectEmpty.USER32(00000050), ref: 100118A9
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 100118D6
IsWindowEnabled.USER32(?), ref: 100118DC
IsRectEmpty.USER32(00000060), ref: 1001196A
PatBlt.GDI32(00000000,?,?,?,?,00F00021), ref: 10011991
IsWindowEnabled.USER32(?), ref: 10011997

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: EmptyEnabledRectWindow$ObjectSelect
String ID:
API String ID: 2275352032-0
Opcode ID: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
Instruction ID: a48e8d2156bf71d1f245c115769e0258ac4b106f3870a774a9d1c5f789da5c24
Opcode Fuzzy Hash: 61536b1bc63d1b18624d50eafd3497a21945634e6b3a74052bb211d21fc59686
Instruction Fuzzy Hash: 7B5159B82016019FE318CB55CCD4EAB73EAEF88754B118968E9598B715DB35FC82CB20

Function 10022DD0 Relevance: 10.6, APIs: 7, Instructions: 144windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,?), ref: 10022E00
GetWindowRect.USER32(?,?), ref: 10022E22
GetMenuItemCount.USER32(?), ref: 10022E2F
GetMenuItemRect.USER32(?,?,00000000,?), ref: 10022E5E
OffsetRect.USER32(?,?,?), ref: 10022E8B
GetSubMenu.USER32(?,?), ref: 10022F11
??2@YAPAXI@Z.MSVCRT(00000010), ref: 10022F29

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MenuRect$Item$??2@??3@CountOffsetWindow
String ID:
API String ID: 386475264-0
Opcode ID: 8089e1a617a6e8cc98d1eeacfd2fb3d6702982595fa214f7e2881a2ea1b30c89
Instruction ID: b4e87db7927906467f26b41a9e75fc39679a568fb5d8f31fe5ea3c43946c0583
Opcode Fuzzy Hash: 8089e1a617a6e8cc98d1eeacfd2fb3d6702982595fa214f7e2881a2ea1b30c89
Instruction Fuzzy Hash: 415153B4A083069FC708CF69D88095AFBE5FB88710F558A6DF85A8B311DB30E945CB81

Function 0069903D Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 00699071
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 0069909A
UpdateWindow.USER32(?), ref: 006990B6
SendMessageA.USER32(?,00000121,00000000,?), ref: 006990DC
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 006990FB
UpdateWindow.USER32(?), ref: 0069913E
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 00699171

Part of subcall function 006996FF: GetWindowLongA.USER32(?,000000F0), ref: 0069970B

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: f73c5ca41b3606affe9eaa7ad40c3c0ef4a441165c47baf3a41bc6554e482f2a
Instruction ID: 5bc482d4f1a06a7329a34d5ef219eae9f06bec7e7fb06cfcf84be54289db93af
Opcode Fuzzy Hash: f73c5ca41b3606affe9eaa7ad40c3c0ef4a441165c47baf3a41bc6554e482f2a
Instruction Fuzzy Hash: 9C41A1306043419BDF20EF6A8848A6BBAEEFFD5B00F140A1DF49586691C772D945CBB2

Function 100125E0 Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 10012615
SetRectEmpty.USER32(?), ref: 10012682
BeginPath.GDI32(?), ref: 100126AB
Rectangle.GDI32(?,?,?,?,?), ref: 100126C8
EndPath.GDI32(?), ref: 100126CF
SelectClipPath.GDI32(?,00000004), ref: 100126E2
IsWindowEnabled.USER32(?), ref: 100126F0

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Path$Rect$BeginClientClipEmptyEnabledRectangleSelectWindow
String ID:
API String ID: 1084965025-0
Opcode ID: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
Instruction ID: b8edb3d788cc78fff0226b0fdbf1bf844b5db10293aac1c63da7d3a1532afda8
Opcode Fuzzy Hash: c99acffac70395a903fcda901865948252828067514702023488eea6cbb16816
Instruction Fuzzy Hash: 1A4146B8205201AFD308DF14C884E6BB7E8EF89750F15856DF9458B265D730ED89CBA2

Function 10011300 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(?), ref: 10011314
GetMenuItemInfoA.USER32 ref: 10011357
SetMenuItemInfoA.USER32(?,00000000,00000400,00000400), ref: 100113C7
??3@YAXPAX@Z.MSVCRT ref: 1001141C
??3@YAXPAX@Z.MSVCRT(?), ref: 10011425

Strings

0, xrefs: 10011347

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ItemMenu$??3@Info$Count
String ID: 0
API String ID: 736798657-4108050209
Opcode ID: d3c2b47d8225addc68ad56b22471a1853af76f7ec8e84051da2f3aa790ca5467
Instruction ID: 6d719e0a32b6bda592360f4ae478a4486d40816c5b56cfaf3c9dbc286bc1d952
Opcode Fuzzy Hash: d3c2b47d8225addc68ad56b22471a1853af76f7ec8e84051da2f3aa790ca5467
Instruction Fuzzy Hash: 39316D746043129FD708CF18C880A9AB3E9FF88B58F258529F959DB351E731EC82CB52

Function 1000C5D0 Relevance: 10.6, APIs: 7, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,00000000), ref: 1000C5E8
InflateRect.USER32(000000FE,000000FE,000000FE), ref: 1000C5F9
CallWindowProcA.USER32(?,?,0000000F,?,?), ref: 1000C61A
GetClientRect.USER32(?,?), ref: 1000C62B
InflateRect.USER32(?,000000FE,000000FE), ref: 1000C661
IsWindowEnabled.USER32(?), ref: 1000C667
GetFocus.USER32 ref: 1000C675

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$ClientInflateWindow$CallEnabledFocusProc
String ID:
API String ID: 3997489093-0
Opcode ID: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
Instruction ID: 0210b2d985ab851d087a4ba75c5b64220f905e20614fa079e217abae1528d616
Opcode Fuzzy Hash: 81175768eda5f638bfd17fee8b037c0f1c98ebf9303a901b092cef3987487af0
Instruction Fuzzy Hash: FD314A75604301AFD314DF6AC880D1BF7E9EFC9254F208A1DF59983365DA32E846CB92

Function 0069E36E Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069FC12: __EH_prolog.LIBCMT ref: 0069FC17

Part of subcall function 006996FF: GetWindowLongA.USER32(?,000000F0), ref: 0069970B

SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 0069E3B7
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0069E3C6
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 0069E3DF
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 0069E407
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 0069E416
SendMessageA.USER32(?,00000198,?,?), ref: 0069E42C
PtInRect.USER32(?,000000FF,?), ref: 0069E438

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$H_prologLongRectWindow
String ID:
API String ID: 2846605207-0
Opcode ID: 243a27d41d8f7b95d7d9ecae46e929af30624eb6a9ae17f641d5c39d4ed95de7
Instruction ID: 06c8cd39e9662d91f343a77c1861e5b3e6a95a3c310dd1b99d7e80caa355bca5
Opcode Fuzzy Hash: 243a27d41d8f7b95d7d9ecae46e929af30624eb6a9ae17f641d5c39d4ed95de7
Instruction Fuzzy Hash: 42310470A00209FFDF10DFA8DC81DAEB7FAEB44748B218469E511A72A1D671AE12DB10

Function 1000AE20 Relevance: 10.6, APIs: 7, Instructions: 81COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 1000AE2F
GetWindowRect.USER32(?,?), ref: 1000AE3B
ClientToScreen.USER32(?,?), ref: 1000AE4D
ClientToScreen.USER32(?,?), ref: 1000AE55
OffsetRect.USER32(?,?,?), ref: 1000AE70
OffsetRect.USER32(?,?,?), ref: 1000AE85
EqualRect.USER32(?,?), ref: 1000AE91

Part of subcall function 1000AF00: EqualRect.USER32(1000AEEB,?), ref: 1000AF0A
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000AF21
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF49
Part of subcall function 1000AF00: CreateRectRgn.GDI32(?,?,?,?), ref: 1000AF61
Part of subcall function 1000AF00: CombineRgn.GDI32(00000000,00000000,00000000,00000004), ref: 1000AF6A
Part of subcall function 1000AF00: SelectClipRgn.GDI32(?,00000000), ref: 1000AF72
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF7F
Part of subcall function 1000AF00: DeleteObject.GDI32(00000000), ref: 1000AF82
Part of subcall function 1000AF00: CreatePen.GDI32(00000000,00000001,?), ref: 1000AFA1
Part of subcall function 1000AF00: CreateSolidBrush.GDI32(?), ref: 1000B041
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B051
Part of subcall function 1000AF00: SelectObject.GDI32(?,00000000), ref: 1000B059
Part of subcall function 1000AF00: Rectangle.GDI32(?,?,?,?,?), ref: 1000B074
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B080
Part of subcall function 1000AF00: SelectObject.GDI32(?,?), ref: 1000B088
Part of subcall function 1000AF00: IsRectEmpty.USER32(?), ref: 1000B08F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Object$Select$Create$Client$DeleteEmptyEqualOffsetScreen$BrushClipCombineRectangleSolidWindow
String ID:
API String ID: 1135996890-0
Opcode ID: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
Instruction ID: bacedecaa7b5975dfe14453393d98d9b711d5753841d023854cdc35a831728b0
Opcode Fuzzy Hash: b217bab60f10c5aea6f42e71060e513870f453460a2ff76ab6cc9e0435775f34
Instruction Fuzzy Hash: 59211979109201AFE304DF19C885C6BBBF9EFC9350F11CA1DF44987225D634EA46CBA2

Function 10008B70 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10008BBA

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,SHE_E), ref: 10008BD2
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027404,000000FF,10008B58), ref: 10008BE6
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027404,000000FF,10008B58), ref: 10008C10

Strings

SHE_D, xrefs: 10008BB4
SHE_E, xrefs: 10008BCC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D$SHE_E
API String ID: 1378348335-1595638419
Opcode ID: 9ad5bbbc9b323f0afc41a5c25cbfbc6780b7d4b2a62ad30eccf9ebe4d4521583
Instruction ID: 4856fc888e7d091422dc3a361147995440e5673d3ac1890a2cd9819baa295a63
Opcode Fuzzy Hash: 9ad5bbbc9b323f0afc41a5c25cbfbc6780b7d4b2a62ad30eccf9ebe4d4521583
Instruction Fuzzy Hash: A621AFB56007829FD710CF5AD8C0A8AF7E4FB48210F804A2DF16987341C778E9498B91

Function 0067D30E Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0067D34C
GetSystemMetrics.USER32(00000000), ref: 0067D364
GetSystemMetrics.USER32(00000001), ref: 0067D36B
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0067D38F

Strings

DISPLAY, xrefs: 0067D389
B, xrefs: 0067D32D

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 3d92a58d67bb663b2e4d8419ad9019150ed779fce1fc04dc508102e35c295a81
Instruction ID: 6a86821031a40c2b99232af106885397d875c055cdff39831733ca0adffed11b
Opcode Fuzzy Hash: 3d92a58d67bb663b2e4d8419ad9019150ed779fce1fc04dc508102e35c295a81
Instruction Fuzzy Hash: EF117371A00324ABDF119F64DC8499B7FBEEF0A765B008856FD099E145D6B1E940CBE1

Function 00642200 Relevance: 9.2, APIs: 6, Instructions: 214COMMON

Download Yara Rule

APIs

Part of subcall function 0069C22C: __EH_prolog.LIBCMT ref: 0069C231
Part of subcall function 0069C22C: CreateSolidBrush.GDI32(?), ref: 0069C24E

FillRect.USER32(?,?,?), ref: 00642322
FillRect.USER32(?,?,?), ref: 00642372
IntersectRect.USER32(?,?,?), ref: 00642383
FillRect.USER32(?,?,?), ref: 006423D1

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Fill$BrushCreateH_prologIntersectSolid
String ID:
API String ID: 3792315602-0
Opcode ID: 5a1ffae9df2e947c2d9c3b506d17f5b799254f19d2cb56efe7694d94ce037142
Instruction ID: 0e7d785861f6ffc4850de074db242c5bcd1e98cb8e169134b9d54229329a54dd
Opcode Fuzzy Hash: 5a1ffae9df2e947c2d9c3b506d17f5b799254f19d2cb56efe7694d94ce037142
Instruction Fuzzy Hash: C38114B16087818FC705CF68C490A5FFBE6BBD9700F508A2DF59983250EB74E909CB56

Function 10016760 Relevance: 9.2, APIs: 6, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B

OffsetRect.USER32(?,00000000,?), ref: 1001683C
OffsetRect.USER32(?,00000000,?), ref: 10016852
OffsetRect.USER32(?,00000000,?), ref: 1001686D
MulDiv.KERNEL32(?,?,?), ref: 100168B4
GetParent.USER32(?), ref: 100168F6
SendMessageA.USER32(?,?,00000000,00000000), ref: 10016918

Part of subcall function 10015840: IsWindowVisible.USER32(?), ref: 10015860
Part of subcall function 10015840: SelectObject.GDI32(?,?), ref: 10015903
Part of subcall function 10015840: PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 1001592F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Offset$Window$CursorMessageObjectParentSelectSendVisible
String ID:
API String ID: 410164804-0
Opcode ID: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
Instruction ID: 5b3f42e8751718efe35102d26408225ceaa88a89c417ccc3e437b77936ff3ce4
Opcode Fuzzy Hash: e54e0525136698f0fd5e31759bfa30945750bee2bbb6fc76e0388ad5adbd1f6c
Instruction Fuzzy Hash: 6D611774204606AFD708DF39CD94A6AB7E9FB88704F108A1DF85A9B344DB30FA45CB95

Function 10010C70 Relevance: 9.1, APIs: 6, Instructions: 143COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(00000000,?), ref: 10010CEA
SelectObject.GDI32(?,?), ref: 10010D3A
_mbsstr.MSVCRT ref: 10010D4A
DrawTextA.USER32(?,?,00000000,?,00000024), ref: 10010D6C
DrawTextA.USER32(00000000,00000001,?,?,00000026), ref: 10010D9F
DrawTextA.USER32(?,?,?,?,00000024), ref: 10010DC7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Text$Draw$ColorObjectSelect_mbsstr
String ID:
API String ID: 2554462136-0
Opcode ID: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
Instruction ID: caa0527cdf57b14729ef594e8188670eae6bffac27ed0865ed6a9a4dbb4e9640
Opcode Fuzzy Hash: 167540bd5a1515ecb06707f3ebbd2082f6ec1e01a77e5fac4a1d7c74e16ee5d3
Instruction Fuzzy Hash: E4515C792042009FD308CF68C884E67B7E9FF88354F108A6DF9598B355DB70E946CBA1

Function 1000E680 Relevance: 9.1, APIs: 6, Instructions: 135COMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,00000000), ref: 1000E6C6
OffsetRect.USER32(?,?,?), ref: 1000E76A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
Instruction ID: 55dceb283fd2939f53b1af87dd3abf76b527e98de1fc72b27c0b69958cadab38
Opcode Fuzzy Hash: aaa94e786c78679375264d08a80620499181ed88b43f71d2a266caf68266feef
Instruction Fuzzy Hash: 70314B763029559FF3049E7C9E8CABEBBCAD7C82A2F29573DF606D1048D661FC094250

Function 006806A2 Relevance: 9.1, APIs: 6, Instructions: 125COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 006806A7
#48.ODBC32(?,?,00000000), ref: 006806BB
GlobalLock.KERNEL32(?), ref: 00680735
#49.ODBC32(?,?,?), ref: 00680747
GlobalUnlock.KERNEL32(?), ref: 00680757
#48.ODBC32(?,?), ref: 00680772

Part of subcall function 006858FC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,006821F4,00000000), ref: 0068592A

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Global$ExceptionH_prologLockRaiseUnlock
String ID:
API String ID: 1299615377-0
Opcode ID: f216b533cf29f951813062e89956d41cd7d69c7d789d2bd50da68a0e77e6902a
Instruction ID: 90245e2c23bcce400738da4a55848418ff0d8a6b6aac229dd886ea8835982fc9
Opcode Fuzzy Hash: f216b533cf29f951813062e89956d41cd7d69c7d789d2bd50da68a0e77e6902a
Instruction Fuzzy Hash: D141BF31A00116AFDF51AF64C889DEDBBB7EF48340F104529F906E7261DB709D95DB90

Function 10015630 Relevance: 9.1, APIs: 6, Instructions: 114COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 10015671
GetClientRect.USER32(?,?), ref: 10015680
ClientToScreen.USER32(?,?), ref: 10015695
ClientToScreen.USER32(?,?), ref: 100156A0
OffsetRect.USER32(?,?,?), ref: 100156BB
OffsetRect.USER32(?,?,?), ref: 100156D0

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Client$OffsetScreen$Window
String ID:
API String ID: 3447441489-0
Opcode ID: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
Instruction ID: c2827e8d9cd10a597387bf157e688e7552e1f46be816908af53a9ee1b8aa0ec2
Opcode Fuzzy Hash: 7cd20ebc07aa8017c6d87fa62e7aa96f440e11c1cf49f979fd91717a38e00a84
Instruction Fuzzy Hash: E241F578204706DFD714CF29C881EA7B7E9EF88754F14891DE89ACB250E731F9858BA1

Function 100259E0 Relevance: 9.1, APIs: 6, Instructions: 102COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 10025A15
SelectObject.GDI32(?,?), ref: 10025A7D
SelectObject.GDI32(?,00000000), ref: 10025AC2

Part of subcall function 1001C210: GlobalAlloc.KERNEL32(00000002,00000660,75756BA0,00000000,00000000,?,?,?,10003905,?,00000000,?,1002CDA8,?,1002CDC8), ref: 1001C227
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C230
Part of subcall function 1001C210: SetRect.USER32(00000010,7FFFFFFF,7FFFFFFF,00000000,00000000), ref: 1001C25D
Part of subcall function 1001C210: GlobalUnlock.KERNEL32(00000000), ref: 1001C2EB
Part of subcall function 1001C210: GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 1001C30D
Part of subcall function 1001C210: GlobalLock.KERNEL32(00000000), ref: 1001C316
Part of subcall function 1001C210: SetRect.USER32(?,?,?,?,?), ref: 1001C339

OffsetRgn.GDI32(00000000,00000000,?), ref: 10025AE4
CombineRgn.GDI32(00000000,00000000,00000000,00000003), ref: 10025AF8
DeleteObject.GDI32(00000000), ref: 10025AFF

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Global$ObjectRect$AllocLockSelect$CombineDeleteEmptyOffsetUnlock
String ID:
API String ID: 505361263-0
Opcode ID: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
Instruction ID: cf9c318b9d579a266dc806ebc7a0d6f04a146a731b116f9e3c9b73cee362de29
Opcode Fuzzy Hash: 29ebdb5e4d99459ae6c459a07793ccd64b701410539c83b757910fb199093e9e
Instruction Fuzzy Hash: 7F41FB79604751AFD314CF64C880E6BB7E8FF88650F208A1DF55587641DB34E909CBA1

Function 005EB1A0 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 005EB22D
wsprintfA.USER32 ref: 005EB249

Strings

- [, xrefs: 005EB1C8
%d / %d], xrefs: 005EB227
?? / %d], xrefs: 005EB243
- , xrefs: 005EB274

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]
API String ID: 2111968516-3107364983
Opcode ID: 219ab6e0df89051af13f074660a22bd435b658978a66fc154ae35f5129cb4a73
Instruction ID: cd0626cc5af77019f62b0781bd9c40f17dba7fbce7b4c9aa1ad790ef79927aa4
Opcode Fuzzy Hash: 219ab6e0df89051af13f074660a22bd435b658978a66fc154ae35f5129cb4a73
Instruction Fuzzy Hash: D4319574104741AFD714EB25C851BAF7BEAFF84710F044A1CF5AA87691DB74E804CB52

Function 1001DC40 Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 1001DC52
GetCursorPos.USER32(?), ref: 1001DC5D
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1001DC92
SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1001DCB0
SendMessageA.USER32(?,00001207,00000000,?), ref: 1001DCC1
PtInRect.USER32(?,?,?), ref: 1001DCD2

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Rect$CursorWindow
String ID:
API String ID: 1680679697-0
Opcode ID: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
Instruction ID: b91518a891387c981cce0504226fb2a498f6544864ac186356a6de0c8c4ec29a
Opcode Fuzzy Hash: fc3e80be71d03c64dc65eb24677b2ab1e78b96a8fe08b6872ed11463f4ba74dc
Instruction Fuzzy Hash: 102181762043069FD304DF69CCC0E5BB7E8EBC8660F104A1EF551D7250D6B0E9498BA1

Function 1000DE30 Relevance: 9.1, APIs: 6, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1000DE3E
GetWindowRect.USER32(?,?), ref: 1000DE4D
SendMessageA.USER32(?,00001200,00000000,00000000), ref: 1000DE82
SendMessageA.USER32(?,0000120F,00000000,00000000), ref: 1000DEA5
SendMessageA.USER32(?,00001207,00000000), ref: 1000DEB1
PtInRect.USER32(?,?,?), ref: 1000DEC2

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$Rect$CursorWindow
String ID:
API String ID: 1680679697-0
Opcode ID: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
Instruction ID: 25e19ebef5cfb3a3824964290d61ec62e8227a99a9e9e0869e33b01463ce3919
Opcode Fuzzy Hash: 93dd26b5b11665f8d53c80fd854311e6abff328d32208a84f31c42ea47ed69d3
Instruction Fuzzy Hash: B02181752043069FE304DF65CCC0E6BB7E9EBC8660F104A1EF950C7250D670E9498B61

Function 1001EBC0 Relevance: 9.1, APIs: 6, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001EBD4
GetWindowRect.USER32(?,?), ref: 1001EBE3
GetClientRect.USER32(?,?), ref: 1001EBF2
ClientToScreen.USER32(?,?), ref: 1001EC07
ClientToScreen.USER32(?,?), ref: 1001EC12
SendMessageA.USER32(?,00000445,00000000,?), ref: 1001EC54

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Client$RectScreen$CursorMessageSendWindow
String ID:
API String ID: 1353371867-0
Opcode ID: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
Instruction ID: c36cae17ecde68ff4f981e12f48877b9c68e936cd5b1928b6e4795760c61fe65
Opcode Fuzzy Hash: 7e52564109b9bdb87fea7c149928c1ee72434fd62f985c6adbb850f7f3630d07
Instruction Fuzzy Hash: 2B110479108746EFD708DF29C888D6BB7E8EBD8604F10C91DF58983220E670E94ACB52

Function 1001B8F0 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,?,?,10025E63,?,?,?,?,?,?), ref: 1001B8F4
FindResourceA.KERNEL32(00000000,?,?), ref: 1001B913

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: FindHandleModuleResource
String ID:
API String ID: 3537982541-0
Opcode ID: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
Instruction ID: 5268aa00fc51c7ef6193ce43b0a0328cd4925fc10cfa97f1260c64665a9d4d10
Opcode Fuzzy Hash: 20047523e8b2d551bcd9e8a145dcbb2bf7234696f2abbd8170a661a441ae52bd
Instruction Fuzzy Hash: 0501DF7A2056206BE3119728EC88D6F77ECEFC9211F114119FA44C7200DB34CE4387B1

Function 10019170 Relevance: 9.0, APIs: 6, Instructions: 23COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?), ref: 1001917A
??3@YAXPAX@Z.MSVCRT(?,?), ref: 10019186
??3@YAXPAX@Z.MSVCRT(?,?,?), ref: 10019192
??3@YAXPAX@Z.MSVCRT(?,?,?,?), ref: 1001919E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?), ref: 100191AA
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?), ref: 100191B6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 3f9b1faf2624ccd382fc81ce35ce4ef0c2eebfc1694b7b4716764da7c7a510ad
Instruction ID: b30d290d8c7ff241b3e1323c47ca36b58938814fe857fb6cef48acb235ac3c58
Opcode Fuzzy Hash: 3f9b1faf2624ccd382fc81ce35ce4ef0c2eebfc1694b7b4716764da7c7a510ad
Instruction Fuzzy Hash: ADE0757A51062057C224E7B4ACC1DD772A9BB4C210FA08D0CB19A47201C977F940E790

Function 1000B120 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

APIs

73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B1A0
73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B216
73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B273
73F84D40.GDI32(?,?,?,?,?,?,?,?,00CC0020,?,?,?,?,?,?), ref: 1000B2C9

Strings

s, xrefs: 1000B1A0, 1000B216, 1000B273, 1000B2C9

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: s
API String ID: 0-453955339
Opcode ID: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
Instruction ID: 0e05779d305182e8bcc6fd0604af41abdce4d5981c7c16a485e6175e980c0b19
Opcode Fuzzy Hash: bbb36afaebd339171a8ba2a9bff4ae1e802011074496994489dee8731f070884
Instruction Fuzzy Hash: 9451E474209341AFD344CF1AC980A1BFBE9EFCC698F549A1DF99993314D670ED018B66

Function 10008FB0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 10009048
CallWindowProcA.USER32(?,?,0000002B,?,?), ref: 100090CB
CallWindowProcA.USER32(?,?,0000002B,00000000,?), ref: 10009100
DeleteDC.GDI32(?), ref: 1000910C

Strings

SHE, xrefs: 10009042

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow$DeleteProp
String ID: SHE
API String ID: 3390023778-2947365353
Opcode ID: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
Instruction ID: f2b3dcc440dab69ee4fbcbe6af92302eeabc2b2a5026597934c7d9f665362333
Opcode Fuzzy Hash: 088e118dbf137e4194a6ec5c3e0d9fc1955a6b201465a2604efd515ce137b97b
Instruction Fuzzy Hash: AA4134753007129FE310CF6AD884B66B7E8FF847D0F158129F9498B295D732E882CBA1

Function 006882D4 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 006882F3
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 00688328
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00688388

Strings

__GLOBAL_HEAP_SELECTED, xrefs: 00688362
__MSVCRT_HEAP_SELECT, xrefs: 00688323

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: 94af1556f0b245b342947444a34c8bc539cffa10a11576685e282b386ffb88cd
Instruction ID: e711b23e86686f6a9c9ebc6c6c9dd81053b4c16167e615c22803624999706171
Opcode Fuzzy Hash: 94af1556f0b245b342947444a34c8bc539cffa10a11576685e282b386ffb88cd
Instruction Fuzzy Hash: FA316A728402486FEF31B6B09C55BED37AB9B02B04F9806E9E145D7242EE31DEC9CB11

Function 006973D3 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 0069748C
GetWindowLongA.USER32(?,000000FC), ref: 0069749D
GetWindowLongA.USER32(?,000000FC), ref: 006974AD
SetWindowLongA.USER32(?,000000FC,?), ref: 006974C9

Strings

(, xrefs: 00697477

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: db938a0cdbdfb20c5fa51ac76d47f27883471546cccb1947cb868377a9d71ae5
Instruction ID: 37da72bb550271c7f463fab6653052be16214a687a3a4524bcb969ed7483fd9f
Opcode Fuzzy Hash: db938a0cdbdfb20c5fa51ac76d47f27883471546cccb1947cb868377a9d71ae5
Instruction Fuzzy Hash: E231BC716043109FDF20AF64D884AA9BBFABF18B10F15463DE15297A92CB31E804CF94

Function 006A0542 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 006A0573

Part of subcall function 006A065F: lstrlenA.KERNEL32(00000104,00000000,?,006A05A3), ref: 006A0696

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 006A0614
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 006A0641

Strings

.INI, xrefs: 006A063B
.HLP, xrefs: 006A060E

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: 55cd4da48622da9d19cafa80e105268f3ada45c29d76e2ae2ce0f9f2a8426547
Instruction ID: bb5a914b05cc9df30d1cfbb7ff47ca5335c8ba1d54d08bbdb34abafe3e34b1af
Opcode Fuzzy Hash: 55cd4da48622da9d19cafa80e105268f3ada45c29d76e2ae2ce0f9f2a8426547
Instruction Fuzzy Hash: 1C3170B68047189FEB61EF70DC85BC6B7FDAB09300F1049AAE19AD3141DB70AA84CF10

Function 0069D5A9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0069D721: GetParent.USER32(?), ref: 0069D754
Part of subcall function 0069D721: GetLastActivePopup.USER32(?), ref: 0069D763
Part of subcall function 0069D721: IsWindowEnabled.USER32(?), ref: 0069D778
Part of subcall function 0069D721: EnableWindow.USER32(?,00000000), ref: 0069D78B

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 0069D5DF
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 0069D64D
MessageBoxA.USER32(00000000,?,?,00000000), ref: 0069D65B
EnableWindow.USER32(00000000,00000001), ref: 0069D677

Strings

Xi, xrefs: 0069D5A9

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID: Xi
API String ID: 1958756768-2979349729
Opcode ID: 211dc28eeb8111620ac9b32c113debbaa03b7c72cf1509b70453b0c6c827acf2
Instruction ID: 83128d53287917638478b32a671676b343dd92cb446c00c53c3908191ecaebcc
Opcode Fuzzy Hash: 211dc28eeb8111620ac9b32c113debbaa03b7c72cf1509b70453b0c6c827acf2
Instruction Fuzzy Hash: 94219F72A00208AFDF209FA4CCC5AEEB7BEEB04744F650439E618E7690C7719D41CBA0

Function 1000E270 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

SelectObject.GDI32(?,00000000), ref: 1000E2A6
SelectObject.GDI32(?,?), ref: 1000E2C0
73F84D40.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020,?,?,?,?,1000D0ED,?,?), ref: 1000E2DA
??2@YAPAXI@Z.MSVCRT(0000000C,?,?,?,?,1000D0ED,?,?,?,?,?), ref: 1000E2F0

Strings

s, xrefs: 1000E2DA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ObjectSelect$??2@
String ID: s
API String ID: 2738994556-453955339
Opcode ID: 9bd297f74d96eef5bb199b85e09045d6e339c48dbbaf093c3168865b39efbbd7
Instruction ID: 676109a112f91462f0683b0e748601321322578746db1e72dd9edd93884032e7
Opcode Fuzzy Hash: 9bd297f74d96eef5bb199b85e09045d6e339c48dbbaf093c3168865b39efbbd7
Instruction Fuzzy Hash: 6F21F5B9601702AFE314CF59D884E16FBE8FB88751F20C62EFA5987751D730A841CBA0

Function 10009120 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 10009179
SelectObject.GDI32(00000000,?), ref: 100091A7
GetTextExtentPointA.GDI32(00000000,?,?,00000400), ref: 100091C7

Strings

0, xrefs: 10009161
@, xrefs: 10009169

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ExtentInfoItemMenuObjectPointSelectText
String ID: 0$@
API String ID: 1214468274-1545510068
Opcode ID: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
Instruction ID: 3d2f61126256a53cf897c85a85e5fe7bc4fb7c3a9049d66df69f7ce8b741961f
Opcode Fuzzy Hash: 917930f70828090b676f5c8c02eca02738ab7c5eca451f6404b20d046d03fd04
Instruction Fuzzy Hash: 46111F75209300AFE750DB24C955BEFB7E8FBC4350F40491DF69992290DB79AA09CB92

Function 10007720 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 1000772F
GetPropA.USER32(?,SHE_H), ref: 1000773E
SelectObject.GDI32(?,?), ref: 10007783
PatBlt.GDI32(?,00F00021,?,?,?,00F00021), ref: 100077A3

Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106

Strings

SHE_H, xrefs: 10007738

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$BrushClientCreateDeletePropRectSolid
String ID: SHE_H
API String ID: 3435410480-3561289158
Opcode ID: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
Instruction ID: 0ce474bad31ea1b146f6a7476c3485cc4b4618f4c22a3676eee4e6d7add3520a
Opcode Fuzzy Hash: ee39c86b8713ff7bd0879a4eba1016b9c2dcf60cedc71159b2e0360e7d2bf52b
Instruction Fuzzy Hash: 570117BA604211EFE204DB58CC84DABB7ACEFC8250F508A0DFA5983211D630ED45CBA2

Function 1000E4B0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000E4C5
SendMessageA.USER32(?,00006A30,00000000,00000000), ref: 1000E4DB
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E4F5
CallWindowProcA.USER32(?,?,?,?,?), ref: 1000E512

Strings

SHE, xrefs: 1000E4BF

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow$MessagePropSend
String ID: SHE
API String ID: 3197700573-2947365353
Opcode ID: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
Instruction ID: 451063f49a3e527fd8d608dc22c3f8f1e55c4af648b6bbb05c8928ea7c27e05f
Opcode Fuzzy Hash: 16cd9c1c8a4f09862bd2c9aa2b2deed388164335538f6a85cc36725207bd56c1
Instruction Fuzzy Hash: EA014B7A201621EBE204DF54DC88EABB7ADEFD9761F20840DF60593241C721ED06CBB5

Function 10024650 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

RemovePropA.USER32(?,SHE_F), ref: 1002466D
RemovePropA.USER32(?,SHE_F), ref: 1002467B
RemovePropA.USER32(?,SHE_F), ref: 10024689
RemovePropA.USER32(?,SHE_F), ref: 10024697

Strings

SHE_F, xrefs: 10024667, 10024675, 10024683, 10024691

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PropRemove
String ID: SHE_F
API String ID: 3213287156-872208577
Opcode ID: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
Instruction ID: 8634cc0847dbc949a985fe4dc17aacceb001e21e00327079f9f065a41ef256d6
Opcode Fuzzy Hash: 482fe341d6cdaa7da7b42383c716d25f52f4c96051cfc89517db10860ab7a2cb
Instruction Fuzzy Hash: 31019AB2541B489BC620EFBA9C84DD7F7EDAFE9301F514A2EE259D3210CA75A8018B50

Function 1001BDF0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 38windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001BDFC
SendMessageA.USER32(?,00006A31,00000000,00000000), ref: 1001BE12
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE30
InvalidateRect.USER32(?,00000000,00000001,?,?,1001BB2D,?,?,10025F3F,?,?), ref: 1001BE3B

Strings

SHE, xrefs: 1001BDF6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: InvalidateMessagePropRectSendWindow
String ID: SHE
API String ID: 1683571725-2947365353
Opcode ID: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
Instruction ID: 61bc7c0cfe7dd8b66f4080b3c9d4250a00e71bb5cd075d56d4ab3ddb2b0c9d6c
Opcode Fuzzy Hash: f1fa45ef511af30ddd497535aa07129b0897fb5ddec85c8cb697c59cca0d390d
Instruction Fuzzy Hash: FBF0E535342A21FBF6515758AC89FCE37A59F85B10F200001F700EA1D0CBE49A834B55

Function 1001C740 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001C753
LockWindowUpdate.USER32(?,?,10025F1F,?,?), ref: 1001C76F
GetPropA.USER32(?,SHE), ref: 1001C781
LockWindowUpdate.USER32(00000000), ref: 1001C79E

Strings

SHE, xrefs: 1001C74D, 1001C77B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: LockPropUpdateWindow
String ID: SHE
API String ID: 165959620-2947365353
Opcode ID: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
Instruction ID: 7a3979f4e55717f4f8ab17c69277cc3bf6940b2a43d5fdf8dbe088e1ab8e3198
Opcode Fuzzy Hash: 21e405a72cf705807934c4471f6505aaf612a935a217802134ff392a136f5abf
Instruction Fuzzy Hash: 1EF01738206625DBEB98DB21CC88FAA37E8EF40B91F168498F1099B1A1C770D881CF51

Function 10018890 Relevance: 7.9, APIs: 5, Instructions: 413COMMON

Download Yara Rule

APIs

_ftol.MSVCRT ref: 10018A8B
_ftol.MSVCRT ref: 10018AD0
_ftol.MSVCRT ref: 10018D13
_ftol.MSVCRT ref: 10018D49
_ftol.MSVCRT ref: 10018D7A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: _ftol
String ID:
API String ID: 2545261903-0
Opcode ID: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
Instruction ID: 0b0bc44675ec839da114b02f6054aa0f657a73593dc5a8713aae574027d7ad68
Opcode Fuzzy Hash: 54f8a28af38cbc904a6a211d7a6f8c81f12d1385314ea70c361e39c26235b509
Instruction Fuzzy Hash: DBF1CF71909B61EBE351DF10D89428A7BE4FFC5380FA14A5DF4C1961A1EB31CB96CB82

Function 10003220 Relevance: 7.7, APIs: 5, Instructions: 239windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,01050EB8), ref: 100032C0

Part of subcall function 100042C0: PtInRegion.GDI32(?,00000000,?,00000000,00000000,1002CDA8,1002CDC8,1002CDC8,?,00000000), ref: 100042F8

SelectObject.GDI32(00000000,?), ref: 1000342A
DeleteDC.GDI32(00000000), ref: 10003431
DeleteObject.GDI32(00000000), ref: 10003438
IsWindowVisible.USER32(?), ref: 10003491

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$DeleteSelect$RegionVisibleWindow
String ID:
API String ID: 4027411055-0
Opcode ID: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
Instruction ID: b148bc9a0c6a2d913fc867f66123447b75209ee6773f678a23cc705497eb98c2
Opcode Fuzzy Hash: 91ee33ab1b69a359ab367a5ca384a9598f5026615020f2f567bafd236aa3cddf
Instruction Fuzzy Hash: EF915D796006048FE709CF69C8C4C2BB7EAFFC8694B158A2DF85987369DB30E945CB51

Function 10010E00 Relevance: 7.7, APIs: 5, Instructions: 218windowCOMMON

Download Yara Rule

APIs

OffsetRect.USER32(?,?,?), ref: 10010E51

Part of subcall function 1000FBF0: SelectObject.GDI32(00000000,00000000), ref: 1000FC21
Part of subcall function 1000FBF0: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
Part of subcall function 1000FBF0: GetClipRgn.GDI32(?,00000000), ref: 1000FC44
Part of subcall function 1000FBF0: SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
Part of subcall function 1000FBF0: DeleteObject.GDI32(00000000), ref: 1000FC5A

Part of subcall function 1000B0C0: CreateSolidBrush.GDI32(?), ref: 1000B0C9
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B0DD
Part of subcall function 1000B0C0: PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
Part of subcall function 1000B0C0: SelectObject.GDI32(?,00000000), ref: 1000B103
Part of subcall function 1000B0C0: DeleteObject.GDI32(00000000), ref: 1000B106

SetBkMode.GDI32(?,00000001), ref: 10010EA8
SelectObject.GDI32(?,?), ref: 10010EBD
SendMessageA.USER32(?,0000002B,00000000,?), ref: 10010F7B
GetPixel.GDI32(?,?,?), ref: 10011008

Part of subcall function 1000B4C0: 74001530.MSIMG32(?,?,?,?,?,?,1000BFD7,1000BFD7,?,1000BFD7,?,00000000,?,?,1000BFD7,?), ref: 1000B538

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$ClipCreateDeleteRect$74001530BrushMessageModeOffsetPixelSendSolid
String ID:
API String ID: 3401237145-0
Opcode ID: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
Instruction ID: a69ee935151e19899d8c4b44d90f6d6784ea96e440500a2836e4d15a7f76abeb
Opcode Fuzzy Hash: f5c3c6a3893a7df674df041db2b20e0fcbff9e871180a081f6335cb58035cd86
Instruction Fuzzy Hash: 0981E4B4608340AFE314CB58C882F6BB7E9FB88740F108A1DF99997391D670E945CB62

Function 1001A750 Relevance: 7.7, APIs: 6, Instructions: 171COMMON

Download Yara Rule

APIs

??2@YAPAXI@Z.MSVCRT(000002CC,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A7A0
??2@YAPAXI@Z.MSVCRT(00000150,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A7F7
??2@YAPAXI@Z.MSVCRT(000002F4,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A852
??2@YAPAXI@Z.MSVCRT(0000007C,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A8AA
??2@YAPAXI@Z.MSVCRT(00000064,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A902
??2@YAPAXI@Z.MSVCRT(00000020,?,?,10027B52,000000FF,10019EEE,?,?,?,?,00000000,?,10027AF9,000000FF,10007A0D,?), ref: 1001A95A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??2@
String ID:
API String ID: 1033339047-0
Opcode ID: 2fd3899075fec84021d5f9c17f83d9ec05ac7b7a79fa2950404c67290ba10dc0
Instruction ID: 780453279fc9d404bdb8cca2fd0b2e9d713902c348bdb508de38a8486bde4cdd
Opcode Fuzzy Hash: 2fd3899075fec84021d5f9c17f83d9ec05ac7b7a79fa2950404c67290ba10dc0
Instruction Fuzzy Hash: 2951A1B5A083519BD604DF289C91B1A73D0EB98B60F004A2EF196DB381DB34ED848B93

Function 10016480 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

PtInRect.USER32(0000002C,00000000,00000000), ref: 100164CD
PtInRect.USER32(0000006C,?,?), ref: 10016519
PtInRect.USER32(0000003C,?,?), ref: 1001656D
PtInRect.USER32(0000005C,?,?), ref: 1001659C

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect
String ID:
API String ID: 400858303-0
Opcode ID: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
Instruction ID: 88eee75a724b57100442f45c2dc2b334c4b92a05eceda69fcc84a06ca03c096a
Opcode Fuzzy Hash: 8c6a47cf31c48d3af39ec7387fbf4fc412dc478c91933e0ee7674804f5ed87f4
Instruction Fuzzy Hash: 04514C753007069BD714DF69EC84AABB3E9FB88B14F40092DF85A87240DB75F989CB61

Function 1001C570 Relevance: 7.7, APIs: 5, Instructions: 157COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(00BD2830,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C58A
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C5EB
??3@YAXPAX@Z.MSVCRT(?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C64E
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C6AF
??3@YAXPAX@Z.MSVCRT(?,?,?,?,1001B7DB,?,?,10025DCF,?,?), ref: 1001C712

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@
String ID:
API String ID: 613200358-0
Opcode ID: 276115195efb06a48f5fe9cc15f69497a4a6cd0156965c0c902d25048cb0634b
Instruction ID: 207150d8cd520f2c8076046b94b252afd95317543a8e9ea73a38ad0b49929f05
Opcode Fuzzy Hash: 276115195efb06a48f5fe9cc15f69497a4a6cd0156965c0c902d25048cb0634b
Instruction Fuzzy Hash: 305134B6A0025D8FC714CF4AC894C56B7E1EF886507AAC4AED54A5F622CA31FC86CF44

Function 0068801D Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 0068807B
GetFileType.KERNEL32(?,?,00000000), ref: 00688126
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00688189
GetFileType.KERNEL32(00000000,?,00000000), ref: 00688197
SetHandleCount.KERNEL32 ref: 006881CE

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 8dc5551ba8093a0ed0357bd12463a694037aff8ee9fe50151abef27e8e3689e9
Instruction ID: 9f2edb0c32f6772c3b41a4b9a244ab3964fb7e62e7a3c54befdc0443655592b9
Opcode Fuzzy Hash: 8dc5551ba8093a0ed0357bd12463a694037aff8ee9fe50151abef27e8e3689e9
Instruction Fuzzy Hash: 2C5105316046028FD720BB6CCC8876577E6AB12364FA8476CD4A6973E1DF31D90ADB51

Function 1001E9A9 Relevance: 7.6, APIs: 5, Instructions: 149timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1001EA96
GetWindowRect.USER32(?,?), ref: 1001EAA5
PtInRect.USER32(?,?,?), ref: 1001EABA
KillTimer.USER32(?,00007720), ref: 1001EAD3
InvalidateRect.USER32(?,00000000,00000000), ref: 1001EAE7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CursorInvalidateKillTimerWindow
String ID:
API String ID: 1204915734-0
Opcode ID: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
Instruction ID: 1aaf348c908433e104cd2ce18659ca1b4ce5b612a6fc862c77d7acbc4d0a29e2
Opcode Fuzzy Hash: 9ef916551e3afd5be42b82f6000de7f42f9ff66f33c1c6494cbb8683e67b5be9
Instruction Fuzzy Hash: F40113B9504752AFD710DB28C8C886BB7F9EF49744B10894DF58AC7220D630F945CB61

Function 10011160 Relevance: 7.6, APIs: 5, Instructions: 145COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,00000018,?), ref: 10011285
SelectObject.GDI32(00000000,00000000), ref: 1001129D
74001530.MSIMG32(?,?,?,00000010,00000010,00000000,00000000,00000000,?,?,00FF01FF,?,?), ref: 100112DB
SelectObject.GDI32(00000000,00000000), ref: 100112E3
DeleteDC.GDI32(00000000), ref: 100112E6

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$74001530Delete
String ID:
API String ID: 3014387588-0
Opcode ID: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
Instruction ID: fced8d308138b36c133f8264daa482e3f1224d76aacb4f59917f490493d9ace5
Opcode Fuzzy Hash: 30058f95b80ec2afb2eca019207f2575a1dc55e2264cb8df5d5b038a1d08b1d2
Instruction Fuzzy Hash: 954190767402049FD344DB58CC80FAAB3A9EF89360F25855AED04CF351C635EC96CBA1

Function 10021500 Relevance: 7.6, APIs: 5, Instructions: 145windowCOMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?), ref: 10021551
SendMessageA.USER32(?,00000112,0000F093,?), ref: 1002158D
IsZoomed.USER32(?), ref: 1002159F
GetSystemMetrics.USER32(00000004), ref: 100215AF
CallWindowProcA.USER32(?,?,000000A1,?,?), ref: 100216B3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@CallMessageMetricsProcSendSystemWindowZoomed
String ID:
API String ID: 3560867145-0
Opcode ID: b294be7c8ffcdc43dd77355312227d240affd950f5218a8cf851ab3ae9a0d9ef
Instruction ID: 6bec9c70b05b0ba5ee56a74e6e33481ab579d1bccf6329b3e51cbdad3a69271d
Opcode Fuzzy Hash: b294be7c8ffcdc43dd77355312227d240affd950f5218a8cf851ab3ae9a0d9ef
Instruction Fuzzy Hash: B441E27A7002119BE710DF94E8C9FDBB399EBA4750F80803AF9099F282C7719C5487A0

Function 10010840 Relevance: 7.6, APIs: 5, Instructions: 91COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100108A4
OffsetRect.USER32(?,?,?), ref: 100108BD
GetSystemMetrics.USER32(00000000), ref: 100108CB
GetSystemMetrics.USER32(00000001), ref: 100108D1
CallWindowProcA.USER32(?,?,00000046,?,?), ref: 10010933

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MetricsRectSystemWindow$CallOffsetProc
String ID:
API String ID: 3217627387-0
Opcode ID: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
Instruction ID: 23580ca9b0729daaad7b279e8dc62797c40a95a429eab73825f66c9b8e763cb3
Opcode Fuzzy Hash: 8be756d99e248d4b1e801939b3714eb5480deeaa81697c236dc379206ebd8c11
Instruction Fuzzy Hash: 9D314C753092069FE718DF18C8A4E6AB7E6FF88740F24851DF9CA8B252D670E981CB51

Function 10016350 Relevance: 7.6, APIs: 5, Instructions: 75timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,?), ref: 10016363

Part of subcall function 100124D0: SetTimer.USER32(?,?,00000000,10012490), ref: 100124E3

GetParent.USER32(?), ref: 100163A2
SendMessageA.USER32(00000000), ref: 100163A9

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Timer$KillMessageParentSend
String ID:
API String ID: 4215942989-0
Opcode ID: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
Instruction ID: cfa475f0d94ce1742ae4734d9acbaaceee74d3da44fb01cfd7150537f1731013
Opcode Fuzzy Hash: 929a81d9524b9661685c560c274d4be5b9dbd8275d2883391fbb45ab76854343
Instruction Fuzzy Hash: D9216F79301B12ABE624D764CC95FDB72E9EB58B40F404818F656CE280DA76ED82C754

Function 006985A4 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 006985B2
GetWindow.USER32(?,00000005), ref: 006985D1
GetWindowRect.USER32(00000000,?), ref: 006985DE

Part of subcall function 0069BD35: ScreenToClient.USER32(?,006985EF), ref: 0069BD49
Part of subcall function 0069BD35: ScreenToClient.USER32(?,006985F7), ref: 0069BD52

SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015,?), ref: 00698609
ScrollWindow.USER32(?,?,?,?,?), ref: 00698623

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$ClientScreen$RectScrollVisible
String ID:
API String ID: 1714389229-0
Opcode ID: 99213fab644e7527df05bace83950077ffb24524de3416b002adda7d145d196b
Instruction ID: b306e1e7845f5516d6cf043b8b33b066bdcf8c99c6522780bf2666af8ca5c32f
Opcode Fuzzy Hash: 99213fab644e7527df05bace83950077ffb24524de3416b002adda7d145d196b
Instruction Fuzzy Hash: B7213831600209AFDF219F54DC48EAF7BBAEF8A710B004929F90597661EB71AD11DB60

Function 00681287 Relevance: 7.6, APIs: 5, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GlobalUnlock.KERNEL32(00000000), ref: 00681294
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 006812BD
GlobalLock.KERNEL32(00000000), ref: 006812E9
#43.ODBC32(?,?,000000FE,?,?,?,?,?,00665A2E,?,00000000,?,?,?,?,?), ref: 0068130C
GlobalUnlock.KERNEL32(00000000), ref: 00681336

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Global$Unlock$AllocLock
String ID:
API String ID: 2918905081-0
Opcode ID: acd8c322ed648db6743ac70f587849fa94c088596290a053035094b42d7d0736
Instruction ID: ae3c6d18247e20df8c3c37da97d7bb44d7e9fa4e4fe5d0f143b7f310767e4e6d
Opcode Fuzzy Hash: acd8c322ed648db6743ac70f587849fa94c088596290a053035094b42d7d0736
Instruction Fuzzy Hash: CF21293510020AEFCF11EF54D948DAA7BBAFF49310B04C559F9599B661C731E892CF54

Function 100200C0 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(00000000), ref: 100200D7
ScreenToClient.USER32(?,00000000), ref: 100200E6
PtInRect.USER32(00000034,00000000,?), ref: 100200FA
TrackMouseEvent.USER32(?,?,?,?,?,?,?,?,1001FFAC,?,?), ref: 10020142
CallWindowProcA.USER32(?,?,00000200,?,?), ref: 1002015F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallClientCursorEventMouseProcRectScreenTrackWindow
String ID:
API String ID: 246821313-0
Opcode ID: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
Instruction ID: 3019ab15dc7928b1b202b4615dd38406c76b54fbe59730a3b13cec038340f0e3
Opcode Fuzzy Hash: 452f02149016ab57f0be7edff06aaeae5fa3b70f219bffea2e1b92ae58be304f
Instruction Fuzzy Hash: D4113A79204701EFD314DF14C885A5BB7E9FB88700F504A0DF98683621D770E949CB91

Function 1000FBF0 Relevance: 7.5, APIs: 5, Instructions: 49COMMON

Download Yara Rule

APIs

SelectObject.GDI32(00000000,00000000), ref: 1000FC21
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 1000FC3A
GetClipRgn.GDI32(?,00000000), ref: 1000FC44
SelectClipRgn.GDI32(?,00000000), ref: 1000FC53
DeleteObject.GDI32(00000000), ref: 1000FC5A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ClipObjectSelect$CreateDeleteRect
String ID:
API String ID: 4028927186-0
Opcode ID: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
Instruction ID: 8b55c2d16eca8a6de84a41ee3e6a417fb1aae9501b44e532c548ffb84ecac7fc
Opcode Fuzzy Hash: da83c9e4fb198581466429983a14078e16099fff12b7c695a401a7cb8fb48538
Instruction Fuzzy Hash: 5001D379601314AFE3509FA59CC8F26BBECFF48A51F20891EFA86D2250C674A9058B20

Function 10014EF0 Relevance: 7.5, APIs: 5, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 10014F03
GetClassLongA.USER32(00000000), ref: 10014F0A
SendMessageA.USER32(?,00000115,00000000,00000000), ref: 10014F30
SendMessageA.USER32(?,00000115,00000001,00000000), ref: 10014F47
CallWindowProcA.USER32(?,?,0000020A,?,?), ref: 10014F6A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSend$CallClassLongParentProcWindow
String ID:
API String ID: 1353622983-0
Opcode ID: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
Instruction ID: d2383e6da1af4afa3427e5b8932eb01d4800057d420c1cdead8e2e9a0b4738ac
Opcode Fuzzy Hash: cfb1d0e207854fb8dcd69ebbbabeafc674c5207766cd86b1f8a176c5c5f3fc80
Instruction Fuzzy Hash: BE018436214711EFE354DB54CC89FC777A5FB98740F118918F2568B6A4C6B0E882CB50

Function 00688240 Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,006847BE,006856E7,00000000,?,?,00000000,00000001), ref: 00688242
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 00688250
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 0068829C

Part of subcall function 00684BB2: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,00688265,00000001,00000074,?,?,00000000,00000001), ref: 00684CA8

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 00688274
GetCurrentThreadId.KERNEL32 ref: 00688285

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: 4d62f2d06305c769ed8041499cd7e5ec57e17ed5707b0d4609c1b019562bb77b
Instruction ID: e344443b53aef2797988b6e29f632b4ec1885e79cf5261bf9809d15b5b2ff1c7
Opcode Fuzzy Hash: 4d62f2d06305c769ed8041499cd7e5ec57e17ed5707b0d4609c1b019562bb77b
Instruction Fuzzy Hash: 72F09032500B225FE7253B70BC2DA5A3B66EF027727101729FA45972A0CF259A828BD0

Function 1000B0C0 Relevance: 7.5, APIs: 5, Instructions: 36windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 1000B0C9
SelectObject.GDI32(?,00000000), ref: 1000B0DD
PatBlt.GDI32(?,?,00000000,?,10007767,00F00021), ref: 1000B0FB
SelectObject.GDI32(?,00000000), ref: 1000B103
DeleteObject.GDI32(00000000), ref: 1000B106

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Object$Select$BrushCreateDeleteSolid
String ID:
API String ID: 1979645813-0
Opcode ID: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
Instruction ID: 83e1346f7fd50f5c1e27b067344e86bff92973f43accc98672dc9dd08b035da2
Opcode Fuzzy Hash: 8202d082a8d02d7cb35fd4a3e7ed27b63294127b33079cb5fb6f541fec19d876
Instruction Fuzzy Hash: E9F0587A205214AFE200DB65DCC8CBBBBECEBCDA54F10051CF94893200C634AD0A8B72

Function 1000FCA0 Relevance: 7.5, APIs: 5, Instructions: 32COMMON

Download Yara Rule

APIs

SetMapMode.GDI32(00000000,00000001), ref: 1000FCA8
SetWindowOrgEx.GDI32(?,00000000,00000000,00000000), ref: 1000FCB7
SetWindowExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCC6
SetViewportOrgEx.GDI32(00000000,00000000,00000000,00000000), ref: 1000FCD5
SetViewportExtEx.GDI32(?,00000001,00000001,00000000), ref: 1000FCE4

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ViewportWindow$Mode
String ID:
API String ID: 1998588776-0
Opcode ID: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
Instruction ID: 19eb1e7a97a7d17af1ec9957c6ac4774e2def1865d773f4b49123eaa02bc8819
Opcode Fuzzy Hash: d550d996791e68486d74e7e69cc671b827fb91bbe54977dfd5cc9daaae8f4344
Instruction Fuzzy Hash: 94F09878391310BBF6749B60CCCAF957765AB48B11F304809FA81AA2D0C6F5A5859B64

Function 1000A460 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000A46F
ShowScrollBar.USER32(?), ref: 1000A608
IsWindowVisible.USER32(?), ref: 1000A61B

Strings

SHE, xrefs: 1000A469

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PropScrollShowVisibleWindow
String ID: SHE
API String ID: 925533089-2947365353
Opcode ID: 29df2c69f6a12156ba3bd4c419ce6b73a943d47a4a0f7b6e38221999c43efb81
Instruction ID: 5d9c8eb271cc9b0f02aa51a35db3e0294c315e2d033d928ddf3a82af3e440562
Opcode Fuzzy Hash: 29df2c69f6a12156ba3bd4c419ce6b73a943d47a4a0f7b6e38221999c43efb81
Instruction Fuzzy Hash: 36617C75304B029FE724CE24D984B5BB7E5FB86395F20CA2DE846CB648E771E885CB50

Function 10008DE0 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 10008E73
CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F42
CallWindowProcA.USER32(?,?,0000002C,?,?), ref: 10008F98

Strings

0, xrefs: 10008E63

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: CallProcWindow$InfoItemMenu
String ID: 0
API String ID: 1396499677-4108050209
Opcode ID: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
Instruction ID: 3a263b56c78cee0a8e23883c6dc5574ccc9387f68b94d4295bca3dd9a186fa29
Opcode Fuzzy Hash: 4e8d0b03f25231fc6dcbf2cc5d41fcfb2e5006d6da9717ac153e70087d0b34e5
Instruction Fuzzy Hash: EC513B793102018FE704CF18C884AA6B7E9FF88394F18856EED488B355D736ED46CBA1

Function 1000A730 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000A73C

Strings

SHE, xrefs: 1000A736

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop
String ID: SHE
API String ID: 257714900-2947365353
Opcode ID: 70a0cc52a7083c0dc236e42b745e6e3c8ddb7900b31ff5634154d4c4bc5afb41
Instruction ID: 2bfca706224cabb067b43e3ba5804daf98d0a1a007aca9f1d630acb475a629e4
Opcode Fuzzy Hash: 70a0cc52a7083c0dc236e42b745e6e3c8ddb7900b31ff5634154d4c4bc5afb41
Instruction Fuzzy Hash: 75417C716047029BF720CA25C980F5BB3E8EB85BD0F10CA1DF94ADA285D771EC868B61

Function 0069B26F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(FFFFFFB2), ref: 0069B28B
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 0069B2DE
GlobalUnlock.KERNEL32(?), ref: 0069B375

Strings

System, xrefs: 0069B275

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: System
API String ID: 231414890-3470857405
Opcode ID: 2d1cd5e97bdcd2fc6d587ff19535f43d8fade62c8b2e589561c125ea694fa063
Instruction ID: 386c4985cfcff2778f80f4e0675bbf599bb6234c009ee633b014054b4f733e2f
Opcode Fuzzy Hash: 2d1cd5e97bdcd2fc6d587ff19535f43d8fade62c8b2e589561c125ea694fa063
Instruction Fuzzy Hash: BF41C472800219EBCF10DF98D9859FEBBBAFF40714B14C169E815AB684D731AA46CF94

Function 006A00D7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 006A00E3
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 006A0192
LoadBitmapA.USER32(00000000,00007FE3), ref: 006A01AA

Strings

, xrefs: 006A00F2

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: 34aed2f8f9bbffc86a12e5174039c6735d96cbd4248f58fe07ef438c74446221
Instruction ID: 37970da40117683a90b007761dde4365a792decdcdedaf21664d22549f4c7408
Opcode Fuzzy Hash: 34aed2f8f9bbffc86a12e5174039c6735d96cbd4248f58fe07ef438c74446221
Instruction Fuzzy Hash: 48212572E00219AFEB109BB8DC85BEE7BBAEB45704F0541A6E505EB282D6709E04CF50

Function 0067F602 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

#44.ODBC32(?,0000003B,?), ref: 0067F618
#45.ODBC32(?,0000000A,?,0000001E,?), ref: 0067F65D

Strings

2, xrefs: 0067F680
0, xrefs: 0067F67A

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: 0$2
API String ID: 0-3793063076
Opcode ID: 48c24c1751f061434979c89717ab890ea9b6bde46380cab6aee8d0cc97c5e698
Instruction ID: fd32d7eaab3bec0483c8bb60aa0e134b2c857f92d8f85e441c55d83a7c0ee7a3
Opcode Fuzzy Hash: 48c24c1751f061434979c89717ab890ea9b6bde46380cab6aee8d0cc97c5e698
Instruction Fuzzy Hash: 54118E31700604AFDB21DB69C945F9EBBFEAF58B00F10806EF546DB2A1EB60DD418B14

Function 10011FD0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

RemovePropA.USER32(?,SHE), ref: 10011FF2
??3@YAXPAX@Z.MSVCRT(?,?,?,10006328), ref: 10012038
??3@YAXPAX@Z.MSVCRT(?,?,?,10006328), ref: 10012051

Strings

SHE, xrefs: 10011FEC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE
API String ID: 1378348335-2947365353
Opcode ID: ea02168a8f5deea71d01e7a4b0e4aa03e97b304decad5a25f71ffbf8e252d058
Instruction ID: 3aa8719c9e4c45493a9abc554e870e85d9e8a9d78f5f4f171f35c498cd83d2f1
Opcode Fuzzy Hash: ea02168a8f5deea71d01e7a4b0e4aa03e97b304decad5a25f71ffbf8e252d058
Instruction Fuzzy Hash: 521130B96001119FC714DF19E8C0C56B7E5EFDC25032AC66AE508CB222E631ECC7CB90

Function 1001C4E0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32(?), ref: 1001C4EB
GetMenuItemInfoA.USER32 ref: 1001C524
SetMenuItemInfoA.USER32(?,?,00000400,?), ref: 1001C561

Strings

0, xrefs: 1001C514

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Menu$InfoItem
String ID: 0
API String ID: 1040333723-4108050209
Opcode ID: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
Instruction ID: f8b742696180afde77dc344fc1703784ab48d404007203de0ad804771102cd86
Opcode Fuzzy Hash: 243637d71311623db6106a7351d464556d75ae7d0fb0a3426c1bbd7d193cda2a
Instruction Fuzzy Hash: CA115774204311AFE310CF28C884E6BB7E8EF88794F50891DF999D7690E770E982CB56

Function 1001B9A0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SHE_H, xrefs: 1001B9DA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: SHE_H
API String ID: 0-3561289158
Opcode ID: ec69a33f17c807fc65332e5d29f5715ed3d611abf23a5220b33cbc44939167a6
Instruction ID: ed2eb374b2d90629944acc07784bf30b6d56568a33e5823ac3835ed5382d68f0
Opcode Fuzzy Hash: ec69a33f17c807fc65332e5d29f5715ed3d611abf23a5220b33cbc44939167a6
Instruction Fuzzy Hash: 0CF0A031219972ABE7529B28FC84FEB2BD8DF89240F050424F580DA140C324DD8787E5

Function 1001BAA0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 33COMMON

Download Yara Rule

Strings

SHE_G, xrefs: 1001BADA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: SHE_G
API String ID: 0-1157359703
Opcode ID: 4bc4de0adbfbafee8f82ec7b16aaf11f122c791ef9270b2a07ba812af1ae456e
Instruction ID: 717698f055d0c19db96feb0f21cf654685e41ef80d95125d4512f973e7f62a11
Opcode Fuzzy Hash: 4bc4de0adbfbafee8f82ec7b16aaf11f122c791ef9270b2a07ba812af1ae456e
Instruction Fuzzy Hash: 31F0A032219972ABE7529B68EC44BEB2BD8DF89350F0A0424F450CA100C324EE8787A6

Function 100031A0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32registryCOMMON

Download Yara Rule

APIs

LoadCursorA.USER32 ref: 100031E6
RegisterClassExA.USER32 ref: 1000320D

Strings

0, xrefs: 100031BE
ComboLBox , xrefs: 10003201

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ClassCursorLoadRegister
String ID: 0$ComboLBox
API String ID: 1693014935-848744724
Opcode ID: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
Instruction ID: 197b4fdf75a9891b34d05670b40042e82415c0f2dfe413ea69ca17455c6e27b2
Opcode Fuzzy Hash: 28f346c1f4dfbe2856f6f1ab5a9c9bdac0e0dbbb8d7eea49bca441095fb31d7d
Instruction Fuzzy Hash: F501FBB44193619BE300CF18D45464BFFE4EF88754F804A1EF48596260D7B596498BCA

Function 10008C50 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

SetPropA.USER32(?,SHE_D,?), ref: 10008C8A
SetPropA.USER32(?,SHE_E,?), ref: 10008CA7

Strings

SHE_D, xrefs: 10008C84
SHE_E, xrefs: 10008CA1

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop
String ID: SHE_D$SHE_E
API String ID: 257714900-1595638419
Opcode ID: f51451f89e470c2f28b512993583d5a39172c9183de96b87797a79f144c0ae74
Instruction ID: 49cf2e3ec83171f721d29627037efbf36aadcaff1d07842d891325c5e52def58
Opcode Fuzzy Hash: f51451f89e470c2f28b512993583d5a39172c9183de96b87797a79f144c0ae74
Instruction Fuzzy Hash: 5BF03076241B00ABE634C7A5DCD5FD7A36ADBC4700F00090DB355AB181CBB4B84587A4

Function 1001BB90 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE_J), ref: 1001BBB2
RemovePropA.USER32(?,SHE_J), ref: 1001BBC2

Strings

SHE_J, xrefs: 1001BBAC, 1001BBBC, 1001BBD2

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Prop$Remove
String ID: SHE_J
API String ID: 722682530-977966314
Opcode ID: 16df7e44346833617413e8d424880a7d35195720ed8bc54dee9827241916062d
Instruction ID: 698ab00d73aecd855d15cbcb811a8036f5f521c7cdad0f36f2d8e36d79ce0730
Opcode Fuzzy Hash: 16df7e44346833617413e8d424880a7d35195720ed8bc54dee9827241916062d
Instruction Fuzzy Hash: D5E06D3520A522EBEB40DBE4ECC4ECA3BD8DF44684F450850F204DB454D374D88287A0

Function 1001BA50 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

Strings

SHE_I, xrefs: 1001BA75

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID:
String ID: SHE_I
API String ID: 0-2739127632
Opcode ID: 5653f05df02ec0164a37a22cefba73dc40c74f5dbd4fc65037476540090369b8
Instruction ID: f879918b1ab4c0261feb2549141845b8577b79e0b8aeeddf4ae7b2019ef3aec8
Opcode Fuzzy Hash: 5653f05df02ec0164a37a22cefba73dc40c74f5dbd4fc65037476540090369b8
Instruction Fuzzy Hash: 4DE01A36246932ABE65197A4BC84FCB3B98DF48750F164011F904DA120C734AE8647E5

Function 100262D0 Relevance: 6.4, APIs: 5, Instructions: 114COMMON

Download Yara Rule

APIs

SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002630B
SetLastError.KERNEL32(00000006,?,00000000,?,00000001), ref: 1002632C
SetLastError.KERNEL32(00000009,?,00000000,?,00000001), ref: 10026368
SetLastError.KERNEL32(0000000C,?,00000000,?,00000001), ref: 10026395

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
Instruction ID: b3c434b615bc2635f358bc3621d77ed4a3c5ae3a0f0d1fd31a7ebcab961547c0
Opcode Fuzzy Hash: c3616aa7b4a34e8de724524b9adc4ac18453dfc774abf1496d12cb01671f6ebc
Instruction Fuzzy Hash: F941F774E04109EFDB04DFA8D895ADDBBB1EF4C314F608559E94AAB285D730AA41CFA0

Function 00644610 Relevance: 6.3, APIs: 4, Instructions: 288COMMON

Download Yara Rule

APIs

Part of subcall function 00649B70: IsWindow.USER32(?), ref: 00649B7D

GetDC.USER32(?), ref: 00644687
CreatePen.GDI32(00000000,?,?), ref: 00644745
InvalidateRect.USER32(?,?,00000001,00000000), ref: 00644945

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CreateInvalidateRectWindow
String ID:
API String ID: 2485191128-0
Opcode ID: 9b5b18b4901ac8df413971372b05f9f99e2f4ca338df92a83d02a1969497a1b5
Instruction ID: 75905768e5e55d85a24a285b3c98907c9bd93bfc53c840bae6e5ab27e4640767
Opcode Fuzzy Hash: 9b5b18b4901ac8df413971372b05f9f99e2f4ca338df92a83d02a1969497a1b5
Instruction Fuzzy Hash: A5B11775A00249AFDB14DFA9D981EAEB7BAFF89700F10851DF91A97341DB30E901CB64

Function 005F31C0 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(008BCDE0,008BCE08,00000001,005F37F0,008BCDC4,00030000,?,008BCDC4,?,00000000), ref: 005F31EB
midiStreamProperty.WINMM ref: 005F32D2
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,008BCDC4,?,00000000), ref: 005F3420

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: a0eb6731ddef4e90154cd690d5b3cbabf3f3a4d3ca76729cd5ec9d2184433ee1
Instruction ID: 9a276285eb7dbd23e4867f7f0e157f278cab7e4d85f805224848ed64a0fa5b7a
Opcode Fuzzy Hash: a0eb6731ddef4e90154cd690d5b3cbabf3f3a4d3ca76729cd5ec9d2184433ee1
Instruction Fuzzy Hash: 64A17D752006068FD724DF68D894BBABBF6FB84304F10492DE686C7650EB36FA19CB40

Function 0068E2E0 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 0068E35A
GetLastError.KERNEL32 ref: 0068E364
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 0068E42A
GetLastError.KERNEL32 ref: 0068E434

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 6601a189c9f7a88e7064276027c479884e7b3d0c34fcc59ba5dc1447da852841
Instruction ID: 922d4c2c8695dbd805d3528aeb12171666f5d47e3bba4cb00c0fe932ba7cf85f
Opcode Fuzzy Hash: 6601a189c9f7a88e7064276027c479884e7b3d0c34fcc59ba5dc1447da852841
Instruction Fuzzy Hash: 10510430604385DFDF21AF98C884BED7BF2AF02304F544299E8698B392C376D946CB51

Function 0068E0F0 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0068E1B7

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 60ccd19fe1659425e8ba59bbcadc112e00520cc0948df5979c5417522961c2c2
Instruction ID: fdb6103697a23fdaeaa9929c52e46bbae86b198482fcdc398ccc3880574078ac
Opcode Fuzzy Hash: 60ccd19fe1659425e8ba59bbcadc112e00520cc0948df5979c5417522961c2c2
Instruction Fuzzy Hash: 6A51A271900208EFCF11EFA8C898ADD7BF6FF45340F2486AAE8559B261D731DA41CB60

Function 10025870 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 100258B1
OffsetRect.USER32(?,?,?), ref: 100258CA
CreateRoundRectRgn.GDI32(00000005,0000001D,?,?,00000001,00000001), ref: 1002590F

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CreateOffsetRoundWindow
String ID:
API String ID: 3966507845-0
Opcode ID: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
Instruction ID: fd809a4ceb687a9920e0430a40226c629e5b8fbea5758eea80f51bca6e6e67d1
Opcode Fuzzy Hash: cea002b6a8ef21f2cb3a895f42f3fb7a80bcb03468e2dcf9a5a67d2188188a0a
Instruction Fuzzy Hash: EC4161B9214601AFE714DB68D885EABB3E9EBC4700F50C91DF89A87240DA70FD05CBA5

Function 10015F60 Relevance: 6.1, APIs: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 10016440: GetCursorPos.USER32(?), ref: 1001644C
Part of subcall function 10016440: GetWindowRect.USER32(?,?), ref: 1001645B

PtInRect.USER32(0000002C,76C21B80,?), ref: 10015FAA
PtInRect.USER32(0000003C,?,?), ref: 10015FEA
PtInRect.USER32(0000006C,?,?), ref: 10016016

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CursorWindow
String ID:
API String ID: 2067259548-0
Opcode ID: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
Instruction ID: 942b3ee6e408d2d77c3cbed3ca5e98908d906ac42d301ec7afef9c4228c91e15
Opcode Fuzzy Hash: e1af6214a6f7562a9d61b136065f3798b9d7b294db994c50de0c6dc41576ed19
Instruction Fuzzy Hash: EE313C763007029BC714CF65EC809ABF3E8FB84751F45462DE95987600DB36E8498BA1

Function 100080F0 Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 100080F7

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: EnabledWindow
String ID:
API String ID: 1255321416-0
Opcode ID: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
Instruction ID: 37371956b553b68bbaf28cfff257a7f0d6f94ec872bf77a3ed07d6cbcf5e9166
Opcode Fuzzy Hash: 7eca8c281a0b202235e49865d5931ba51e94db6309202c9b20545d352822c802
Instruction Fuzzy Hash: CE11B1772444628BF720D67CE846ACAA3D4FB74390F018D27F59AC7288D628DD878754

Function 00682114 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0068213A

Part of subcall function 0068841C: HeapCreate.KERNEL32(00000000,00001000,00000000,00682172,00000001), ref: 0068842D
Part of subcall function 0068841C: HeapDestroy.KERNEL32 ref: 0068846C

GetCommandLineA.KERNEL32 ref: 0068219A
GetStartupInfoA.KERNEL32(?), ref: 006821C5
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 006821E8

Part of subcall function 00682241: ExitProcess.KERNEL32 ref: 0068225E

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 4a44793649be9073143b84ce9b5a601a1bb7f6f5b9b684ad2e33f39bc5343519
Instruction ID: 983064e108dea127f016b3a154c98fc4a4ae28b1081c9921edd6b1351cbbfbf2
Opcode Fuzzy Hash: 4a44793649be9073143b84ce9b5a601a1bb7f6f5b9b684ad2e33f39bc5343519
Instruction Fuzzy Hash: 3A21B4B19447069EDB48BFB0DC59A6E7BABEF04700F20422DFA019B2A5DF358800CB54

Function 10016220 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,00000001), ref: 10016247
PtInRect.USER32(?,?,?), ref: 10016273
PtInRect.USER32(?,?,?), ref: 1001629F
CallWindowProcA.USER32(?,?,00000084,?,?), ref: 100162BC

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$Window$CallProc
String ID:
API String ID: 2141924492-0
Opcode ID: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
Instruction ID: 6bb5dbdf489e1a6f0cc29fa7beb5d91727bcf99365b1c6db062720247cfdbd6a
Opcode Fuzzy Hash: 42652ddef185d08e1dd2a8195f870a649398aa3ec5a314d83f618bccea3ac0b9
Instruction Fuzzy Hash: 0C218176300B165BE360DAAACCC4E67B3ECFB88A50F40492EF985C7641D635FD598760

Function 1000E340 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

??3@YAXPAX@Z.MSVCRT(?,?,?,?,10012579,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 1000E39A
SelectObject.GDI32(?,?), ref: 1000E3AA
DeleteDC.GDI32(?), ref: 1000E3B4
DeleteObject.GDI32(?), ref: 1000E3D1

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: DeleteObject$??3@Select
String ID:
API String ID: 3433755800-0
Opcode ID: 659a5a91fa5da59b4b2db8e33fef2b4ce9102b4330a9ee2afd06dbb0d76968bb
Instruction ID: eff67cfb01a4d2600c09c765b352805dfe5dc578d0251df350f47da1601aa07e
Opcode Fuzzy Hash: 659a5a91fa5da59b4b2db8e33fef2b4ce9102b4330a9ee2afd06dbb0d76968bb
Instruction Fuzzy Hash: E3113AB4600642AFE714CF15C8C8E16BBE9FF88380B29C56AE808D7325D771ED41CB90

Function 100117B0 Relevance: 6.1, APIs: 4, Instructions: 58COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 100117CF
PtInRect.USER32(00000060,?), ref: 100117DF
PtInRect.USER32(00000050,?), ref: 100117FC
CallWindowProcA.USER32(?,?,00000200,?,?), ref: 10011838

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
Instruction ID: 8c562a3d8ffa91b3488f9b2e3c9223cef3bcf56be9e3598e3ad49312dabcbff5
Opcode Fuzzy Hash: 3ea446e5017dbbd17509b2e94ce09de6277395e8464c5c9cb4b424a2b4c0ace6
Instruction Fuzzy Hash: 17117C75600715AFE328CF16CC88EA777FCEB80B85F10481DF58286651DA31E886CB60

Function 10011AC0 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 10011AD9
PtInRect.USER32(00000060,?), ref: 10011AE9
PtInRect.USER32(00000050,?), ref: 10011AFB
CallWindowProcA.USER32(?,?,00000202,?,?), ref: 10011B37

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
Instruction ID: 8a3aa6fa90d41ed69226067b3e75a7c91dc2c122c79226572cad67fafd763433
Opcode Fuzzy Hash: 59ffc7ff1c5213b1cf39a1a4bbb19d144ce8416fa73da0f37271d160e36c8f56
Instruction Fuzzy Hash: C6014C75605725AFE328CB56DCC8EABBBFCEB84B81B10481EF54286211D731E9858B61

Function 10011A30 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

PtInRect.USER32(00000050,?), ref: 10011A49
PtInRect.USER32(00000060,?), ref: 10011A59
PtInRect.USER32(00000050,?), ref: 10011A6B
CallWindowProcA.USER32(?,?,00000201,?,?), ref: 10011AAA

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Rect$CallProcWindow
String ID:
API String ID: 2854435161-0
Opcode ID: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
Instruction ID: e73e578019d50ab50198203406a73d3f958aba72b0e288fd38bf24a79029c17e
Opcode Fuzzy Hash: 81c6700b62b5b93b1d102745a9a0f424a562618402be3bbb7fec3a059a690f7a
Instruction Fuzzy Hash: B7018CB5201715AFE324CF56CC88EABBBFCEF84B81F10080DF58286111C631E984CB61

Function 0069838A Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00698398
SendMessageA.USER32(00000000,?,?,?), ref: 006983CE
GetTopWindow.USER32(00000000), ref: 006983DB
GetWindow.USER32(00000000,00000002), ref: 006983F9

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 1713fcf902ec59db64e35355d2410e5571df15c4c8a110aa3cf11ded05c3e38a
Instruction ID: 1e4bcbd0d37d51aaac44840a059c4515e77b648c94812a11571ef67a3a5cf059
Opcode Fuzzy Hash: 1713fcf902ec59db64e35355d2410e5571df15c4c8a110aa3cf11ded05c3e38a
Instruction Fuzzy Hash: 8A01D03200122AFBCF126F919C04EDF3A2BAF56B90F058015FA1166560CB36C922EBA5

Function 0067C55A Relevance: 6.0, APIs: 4, Instructions: 49memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0067C567
lstrlenA.KERNEL32(00000000,?,0065FDFE,?,008E4EC8,?), ref: 0067C580
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,0065FDFE,?,008E4EC8,?), ref: 0067C5A4
SysAllocString.OLEAUT32(00000000), ref: 0067C5AE

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: AllocByteCharClearMultiStringVariantWidelstrlen
String ID:
API String ID: 3257503732-0
Opcode ID: f09f0e3b6828a91a86d8e2162a6b563331c787672dd4cbac50e1d99521336906
Instruction ID: 4fb51fb5ddbefaa4c186af4e6a4358799b858e920a613bf70d19ec14a0465ec2
Opcode Fuzzy Hash: f09f0e3b6828a91a86d8e2162a6b563331c787672dd4cbac50e1d99521336906
Instruction Fuzzy Hash: B601ADB2500225AFEB10AF69CC858AB7BADEF4A770310452AF811D3310E771AE408BB0

Function 10015BE0 Relevance: 6.0, APIs: 4, Instructions: 47timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32(?,00006622,00000000,?,10008828,?,?,?), ref: 10015C04
KillTimer.USER32(?,00006623), ref: 10015C0F
KillTimer.USER32(?,00006624), ref: 10015C1A
CallWindowProcA.USER32(?,?,?,?,?), ref: 10015C60

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: KillTimer$CallProcWindow
String ID:
API String ID: 4157066807-0
Opcode ID: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
Instruction ID: 7c6a0bc5b88cb8bece1b2373cc4b17ef2a87975b470b42242de656e3c344c917
Opcode Fuzzy Hash: 73276a6097d022647674bceacd34be44969d3857d0e8de3a6d1c863b984271ce
Instruction Fuzzy Hash: 3901E975204B05EBE224DB6AC890F9BB3E9EF98700F14890DF5599F290C676E8818B50

Function 0067C4EC Relevance: 6.0, APIs: 4, Instructions: 44memorystringCOMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 0067C4F5
lstrlenA.KERNEL32(00000000,?,?,0065F296,?), ref: 0067C50F
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,000000FF,?,00000001,?,?,0065F296,?), ref: 0067C535
SysAllocString.OLEAUT32 ref: 0067C53C

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: AllocByteCharClearMultiStringVariantWidelstrlen
String ID:
API String ID: 3257503732-0
Opcode ID: 59b87241f7efca7e41127c5bf1239c92cbdd1996c97f3ccb83085f28b532e4ab
Instruction ID: ad5c9ae01f8ed1e8e8e0d8254cd4fdce21aabd4dcc4ec231e92c01db8078e903
Opcode Fuzzy Hash: 59b87241f7efca7e41127c5bf1239c92cbdd1996c97f3ccb83085f28b532e4ab
Instruction Fuzzy Hash: 96012D71500205BBDB006F65DC45A6BBBAEFF46371F108125F814C2210D771A964CBA1

Function 10014AB0 Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 10014AE1
SendMessageA.USER32(?,000000E9,00000000), ref: 10014AF1
IsWindowVisible.USER32(?), ref: 10014B15
SendMessageA.USER32(?,000000E9,00000000), ref: 10014B25

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessageSendVisibleWindow
String ID:
API String ID: 3984873885-0
Opcode ID: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
Instruction ID: fc90fe054d96e1b13d9ec6b26fe80a5f78d3395466cc4f4aa367405a843ec8f6
Opcode Fuzzy Hash: 5673385011df388f717717f68ae525e54092af11df8779ffd9ee95a29302be15
Instruction Fuzzy Hash: 0D014F79104A12DFE660DB64CC84FE373E8EB18300F018919F6A6C7660C770E845CB64

Function 100205F0 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 100205FB
ScreenToClient.USER32(?,?), ref: 1002060A
PtInRect.USER32(00000034,?,?), ref: 1002061E
CallWindowProcA.USER32(?,?,00000201,?,?), ref: 1002064D

Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Rect$EnabledObjectSelect$CallClientCursorOffsetProcScreen
String ID:
API String ID: 2879931018-0
Opcode ID: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
Instruction ID: 9c0e68a1bfba51fb30c42bce227b29f8990f29df3688151d92ec8c3378a25188
Opcode Fuzzy Hash: afb86ea5bd93d0f3c5f6897db7f249f6baaa89d0f154500c220c73288da3c33b
Instruction Fuzzy Hash: C8F019B9210311AFE714DB54CD89D67B3E9FB88B00F50890DF58683650DB70F919CBA1

Function 10020690 Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 1002069B
ScreenToClient.USER32(?,?), ref: 100206AA
PtInRect.USER32(00000034,?,?), ref: 100206BE
CallWindowProcA.USER32(?,?,00000203,?,?), ref: 100206ED

Part of subcall function 100201A0: GetWindowRect.USER32(?,00000020), ref: 100201C0
Part of subcall function 100201A0: OffsetRect.USER32(00000020,00000000,?), ref: 100201D2
Part of subcall function 100201A0: SelectObject.GDI32(00000000,00000000), ref: 100201FC
Part of subcall function 100201A0: SelectObject.GDI32(00000000,?), ref: 1002020B
Part of subcall function 100201A0: PatBlt.GDI32(00000000,00000000,00000000,?,?,00F00021), ref: 1002021F
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002024C
Part of subcall function 100201A0: IsWindowEnabled.USER32(?), ref: 1002028A

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: Window$Rect$EnabledObjectSelect$CallClientCursorOffsetProcScreen
String ID:
API String ID: 2879931018-0
Opcode ID: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
Instruction ID: 3f66a2042e15db7492eec8571bc4eccf41e5f2ab532cfb3c276876021694c1e2
Opcode Fuzzy Hash: e5acc8b09ba55b0c849634dbc04fec6fda9d79dfec1a49745e8be55ffeea7e36
Instruction Fuzzy Hash: AAF019B9200311AFE204DB54DD89D67B3EDFB88B00F10890DF58683650DB70F909CBA1

Function 006822E2 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 00682372

Strings

pow, xrefs: 0068234A, 00682367

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 2f75cbe8b21e1639d142b73d8d64b0e0c3e3463033a4ed291806de5cb6226932
Instruction ID: 96c05f36496a213b4f9ed9a3c984c2dbc2fe2473e07b21868e4225fc313c5a77
Opcode Fuzzy Hash: 2f75cbe8b21e1639d142b73d8d64b0e0c3e3463033a4ed291806de5cb6226932
Instruction Fuzzy Hash: 05513A709082038BDB11B718C9213FA27D7EB51750F684F6CE4C9823A9EF388CD5AB56

Function 005DC630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 005E0030: GetCurrentThreadId.KERNEL32 ref: 005E0055
Part of subcall function 005E0030: IsWindow.USER32(00020400), ref: 005E0071
Part of subcall function 005E0030: SendMessageA.USER32(00020400,000083E7,?,00000000), ref: 005E008A
Part of subcall function 005E0030: ExitProcess.KERNEL32 ref: 005E009F

DeleteCriticalSection.KERNEL32(008BDAE8,?,?,?,?,?,?,?,?,005E769D), ref: 005DC66A

Part of subcall function 00697339: __EH_prolog.LIBCMT ref: 0069733E

Strings

#, xrefs: 005DC8E3
!, xrefs: 005DC658

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#
API String ID: 2888814780-2504090897
Opcode ID: 0e7295c10222b9fb5b2a98ea1a6cad0f532a86fbfa65784899c74a6b336cf879
Instruction ID: 8e4e8ad66d78a4b78bdc4ce3aa0b006a6b64ceba9c1bc3e180dc9ba64d47af13
Opcode Fuzzy Hash: 0e7295c10222b9fb5b2a98ea1a6cad0f532a86fbfa65784899c74a6b336cf879
Instruction Fuzzy Hash: A39123301087828ED326DFB4D49579ABFE4FFA5344F14484DE8DA47292DBB4924CCBA2

Function 00687593 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 006875A7

Strings

, xrefs: 006875CC
, xrefs: 006875F0

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: f555937f37e0552fbab8e2882b7d8dff115431614bffffa2461e996c919bb65b
Instruction ID: 4202b4e6766698b9391ca31a7b136cc79e07998ef3771be85f077af4172191a2
Opcode Fuzzy Hash: f555937f37e0552fbab8e2882b7d8dff115431614bffffa2461e996c919bb65b
Instruction Fuzzy Hash: E5419D3110D2985EEB16A798CC59BFB3F9BEB01704F2415E4E549CB193D271C984DBB2

Function 1000A640 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1000A64C
IsWindowVisible.USER32(?), ref: 1000A70B

Strings

SHE, xrefs: 1000A646

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PropVisibleWindow
String ID: SHE
API String ID: 1620322772-2947365353
Opcode ID: bad8104be658c59a684335e1eefddabc784d6684cc733e057d74aa60459c6a08
Instruction ID: 8444408dea7ff7839f6b8436bf1c1fa47ad4da62727e2c49b37074e0dc349d79
Opcode Fuzzy Hash: bad8104be658c59a684335e1eefddabc784d6684cc733e057d74aa60459c6a08
Instruction Fuzzy Hash: 2431B6357046028FE308DE25D984E5BB3E6FFC53D0B158629E445CB259D731EC81C7A1

Function 1001BF60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE), ref: 1001BF6B
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00002237), ref: 1001BFF8

Strings

SHE, xrefs: 1001BF65

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: PropWindow
String ID: SHE
API String ID: 1558329881-2947365353
Opcode ID: 2cdb5b4ba0fe46f17e6190b4a4db435ebc833164ec97df49ba75b8f31de11ba6
Instruction ID: 85ba090588071c15dea8798befb6bd26134b634a8105cef830c30bee5b463931
Opcode Fuzzy Hash: 2cdb5b4ba0fe46f17e6190b4a4db435ebc833164ec97df49ba75b8f31de11ba6
Instruction Fuzzy Hash: 3211F3747066429FE768CF16D859BAA37E2EF85740F1680BCE5498F265D73098828B81

Function 100129F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10012A31
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027683,000000FF,100129D8), ref: 10012A49

Strings

SHE_D, xrefs: 10012A2B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: f3ff36c292f7d38f49ef2197e5346b7988b11e70b60e7cb463876f272c911453
Instruction ID: 0e30da24780e8a31cd8a941f5683c0ca121a3312a339123d0852e3ec0cd51ef7
Opcode Fuzzy Hash: f3ff36c292f7d38f49ef2197e5346b7988b11e70b60e7cb463876f272c911453
Instruction Fuzzy Hash: BB0100B2500B809FC720CF0EC880A4BFBE8FB58220F900A2DF05587751C778E9888BC2

Function 10008250 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10008291
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,100273B3,000000FF,10008238), ref: 100082A9

Strings

SHE_D, xrefs: 1000828B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: ce6b8d6d78edfa3f5972500ae81a72c4b6c8e4efcde3114484507a996ace6328
Instruction ID: 8d0c2f96915b7ab9911d7cedcb7b10105890ee57c753d0c92d78f16e1c7d39c9
Opcode Fuzzy Hash: ce6b8d6d78edfa3f5972500ae81a72c4b6c8e4efcde3114484507a996ace6328
Instruction Fuzzy Hash: D90100B2500B409FC720CF4ECC80A5AFBE8FB58660F900A2DF49583351C778EA488BD1

Function 1001D260 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 1001D2A1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027B93,000000FF,1001D248), ref: 1001D2B9

Strings

SHE_D, xrefs: 1001D29B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: 1833871151e406caf127f19b24a23f9786be65095826091c877ad101a53bada5
Instruction ID: e0b074cf4f92b3f65884162d90763629b618ad9cf82673e82fae43a31723a83f
Opcode Fuzzy Hash: 1833871151e406caf127f19b24a23f9786be65095826091c877ad101a53bada5
Instruction Fuzzy Hash: B701EDB2500B449FC720CF5EC880A5AFBE8FB58220F900A2EF06587351C778E9488BD1

Function 10009270 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,SHE_E), ref: 100092B1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027443,000000FF,10009258), ref: 100092C9

Strings

SHE_E, xrefs: 100092AB

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_E
API String ID: 1378348335-2868218235
Opcode ID: 3eaaf8f3b4fb42674a05c4b62e771ab408c757b91f93078ad7cbc9b3c523134a
Instruction ID: 4a82254dc74f1477473a6a160ec31319b4cd8df32d3868b8b15ac01bce60e4b2
Opcode Fuzzy Hash: 3eaaf8f3b4fb42674a05c4b62e771ab408c757b91f93078ad7cbc9b3c523134a
Instruction Fuzzy Hash: 5A01D2B2500B449FD710CF4EDC80A9AFBE8FB58660F904A2EF05983751C779F9488B91

Function 1000C320 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,SHE_E), ref: 1000C361
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,100274C3,000000FF,1000C308), ref: 1000C379

Strings

SHE_E, xrefs: 1000C35B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_E
API String ID: 1378348335-2868218235
Opcode ID: 9e7e7eb8ea5cca787e46e223241693e1a3cb544618ff71b9b3a46ab16fa6dc53
Instruction ID: 0c26b64d7df9c784b094d09015dba98d2bb46ed3e40cb1f0f5a5ad785079c762
Opcode Fuzzy Hash: 9e7e7eb8ea5cca787e46e223241693e1a3cb544618ff71b9b3a46ab16fa6dc53
Instruction Fuzzy Hash: 6001D2B2500B449FD710CF5ED8C0A5AFBE8FB58660F908A2EF05983751C779F9488B92

Function 10007420 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,SHE_E), ref: 10007461
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027373,000000FF,10007408), ref: 10007479

Strings

SHE_E, xrefs: 1000745B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_E
API String ID: 1378348335-2868218235
Opcode ID: ec716047fd65eb0eccd1595b79ca2fe1785e7679646b1605d2834223fa98ca4e
Instruction ID: e6d9dad6b6dd912bf92acecef5264b8e265586fca7b24c0f8ad47dfeb5240409
Opcode Fuzzy Hash: ec716047fd65eb0eccd1595b79ca2fe1785e7679646b1605d2834223fa98ca4e
Instruction Fuzzy Hash: 840122B2500B449FC710CF0EC880A4AFBE8FB58660F908A2EF45983350C778F9488B91

Function 10006450 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10006491
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027313,000000FF,10006438), ref: 100064A9

Strings

SHE_D, xrefs: 1000648B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: 18bd0f665fc88a98aea10154e4e22eb1fc06547ea1984a2e6176b8e6993260dd
Instruction ID: 05dc49d5b12f37d6491de5426442c1301d529882e0af30903f3f038979945fda
Opcode Fuzzy Hash: 18bd0f665fc88a98aea10154e4e22eb1fc06547ea1984a2e6176b8e6993260dd
Instruction Fuzzy Hash: A601ADB2500B409FD720CF5ECC80A4AFBE8FB58760F904A2DF45587651C779EA488B91

Function 10013D00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10013D41
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027723,000000FF,10013CE8), ref: 10013D59

Strings

SHE_D, xrefs: 10013D3B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: a3b39698868ad8c7d107261a63e3651b997ec77a06157ada41c8f6553e1c346f
Instruction ID: 699a71fb3ecb9e6724347a62b7a2d1e64fb38cbe61c78c588d24fe9252aab333
Opcode Fuzzy Hash: a3b39698868ad8c7d107261a63e3651b997ec77a06157ada41c8f6553e1c346f
Instruction Fuzzy Hash: 060100B2500B409FC720CF0EE880A4AFBF8FB48260F904A2DF05687351C778EA488BC1

Function 10011560 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 100115A1
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027603,000000FF,10011548), ref: 100115B9

Strings

SHE_D, xrefs: 1001159B

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: eba5d9089076f73c4cf66b3081e62dd1230cd1a596af3f71fd889702384bf9b0
Instruction ID: 99b60781cb19179c95cc5a1685a9630f106624611f935e127a3f31f2dea81dd4
Opcode Fuzzy Hash: eba5d9089076f73c4cf66b3081e62dd1230cd1a596af3f71fd889702384bf9b0
Instruction Fuzzy Hash: 2001E1B1500B409FC714CF1EC880A8AFBE8FB48220F900A2DF05687351C778EA488BC1

Function 100146C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 1000CD20: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10007458,?,?,?,?,?,10027373,000000FF,10007408), ref: 1000CD95

RemovePropA.USER32(?,SHE_E), ref: 10014704
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027786,000000FF,100146A8), ref: 1001471C

Strings

SHE_E, xrefs: 100146FE

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_E
API String ID: 1378348335-2868218235
Opcode ID: a1f1971c98501fb8739864ea938d6ac13d53ffdc9c2e9a14246e976696dc74be
Instruction ID: 5b8dc865c417dc958ddeb291251b6182677f2da39e8d14cab1cdba83473914df
Opcode Fuzzy Hash: a1f1971c98501fb8739864ea938d6ac13d53ffdc9c2e9a14246e976696dc74be
Instruction Fuzzy Hash: 3801E1B1500B449FC310CF0DC880A4AFBE8FB48660F904A2DF05987751C779E9488B81

Function 100097D0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 10012540: ??3@YAXPAX@Z.MSVCRT(?,?,?,?,10006488,?,?,?,?,?,10027313,000000FF,10006438), ref: 100125B5

RemovePropA.USER32(?,SHE_D), ref: 10009814
??3@YAXPAX@Z.MSVCRT(?,?,?,?,?,?,?,10027486,000000FF,100097B8), ref: 1000982C

Strings

SHE_D, xrefs: 1000980E

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ??3@$PropRemove
String ID: SHE_D
API String ID: 1378348335-3723672045
Opcode ID: ea3462801c90b1125c2bcb9151d58f5aa8be3e0c25dfc94a5ceebbe1e2969b19
Instruction ID: adf58b0f266f2269a7dbc2d909c93f9f224550e7970bb0ca61c1719deb64407c
Opcode Fuzzy Hash: ea3462801c90b1125c2bcb9151d58f5aa8be3e0c25dfc94a5ceebbe1e2969b19
Instruction Fuzzy Hash: 0601EDB2500B409FC720CF0EC880A4AFBE8FB48620F904A2EF05987351C738FA488BC1

Function 100120B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25windowCOMMON

Download Yara Rule

APIs

GetPropA.USER32(?,SHE_I), ref: 100120BC
SendMessageA.USER32(?,00000031,?,?), ref: 100120E0

Strings

SHE_I, xrefs: 100120B3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: MessagePropSend
String ID: SHE_I
API String ID: 25370605-2739127632
Opcode ID: a8e4bd74622fca06d7cadcd8699fe6d8eadf07913165d6e1e37a9601fa529543
Instruction ID: 60dc968c14120ed847476635f92a0f7727cc0b769e9d2866b2aed8ee30803cda
Opcode Fuzzy Hash: a8e4bd74622fca06d7cadcd8699fe6d8eadf07913165d6e1e37a9601fa529543
Instruction Fuzzy Hash: 3AE06D79344653DBE320CB98CD84E5233ECFF88694B114418F509CB210D770EC91CB90

Function 1001FCD0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 1001FCD9
GetPropA.USER32(00000000), ref: 1001FCE0

Strings

SHE, xrefs: 1001FCD3

Memory Dump Source

Source File: 00000000.00000002.2729993183.0000000010001000.00000040.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2729980808.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.000000001002C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010030000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2729993183.0000000010038000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730060601.000000001003A000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2730072340.000000001003C000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_d3r1KVj317.jbxd

Similarity

API ID: ParentProp
String ID: SHE
API String ID: 919147419-2947365353
Opcode ID: 41bab890e70a3c0de5d20fd45f7fa028098c1cfb9798b3a15b5c4427c667dfa4
Instruction ID: d2b12472386ee0a5c21a37737c778ad982b9e21b2e97661caa3ee413317f26b3
Opcode Fuzzy Hash: 41bab890e70a3c0de5d20fd45f7fa028098c1cfb9798b3a15b5c4427c667dfa4
Instruction Fuzzy Hash: 43D0A730601559CBE754CB60CDD8935769EDB10340B30425CFA07CA071CB34CAC2D780

Function 0068C38A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,0068C152,00000000,00000000,00000000,00683A83,00000000,00000000,?,00000000,00000000,00000000), ref: 0068C3B2
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,0068C152,00000000,00000000,00000000,00683A83,00000000,00000000,?,00000000,00000000,00000000), ref: 0068C3E6
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 0068C400
HeapFree.KERNEL32(00000000,?), ref: 0068C417

Memory Dump Source

Source File: 00000000.00000002.2728816348.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2728796518.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.00000000006AE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000076D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729010169.000000000078B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729188588.0000000000893000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729208683.0000000000895000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729227365.0000000000897000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729247124.00000000008A2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729265197.00000000008A3000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729285190.00000000008A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729297360.00000000008A7000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729309751.00000000008AC000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008B0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.00000000008BD000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.0000000000907000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729321881.000000000090D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000090F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000091D000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2729378821.000000000092C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_d3r1KVj317.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 75a3eedbe90c82c188d6ce8852dd5063cd8c9334635904668378316604a21abc
Instruction ID: f014b9703a8f83c6ca6daeae801c824880adf375dd7510280c22a156d300476c
Opcode Fuzzy Hash: 75a3eedbe90c82c188d6ce8852dd5063cd8c9334635904668378316604a21abc
Instruction Fuzzy Hash: F3112B71215201DFEB31AFADEC45965BBB6FB857607104A19F162C71B0C371A882EF10

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report d3r1KVj317.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\Desktop\Config.ini

C:\Users\user\Desktop\SkinH_EL.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Windows Analysis Report
d3r1KVj317.exe

Function 10004E30 Relevance: 33.6, APIs: 22, Instructions: 562
windowCOMMON

Function 10017540 Relevance: 21.5, APIs: 11, Strings: 1, Instructions: 476
COMMON

Function 005DF2B0 Relevance: 15.3, APIs: 10, Instructions: 287
libraryloaderCOMMON

Function 1000D410 Relevance: 75.8, APIs: 40, Strings: 3, Instructions: 517
windowCOMMON

Function 1001DD00 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 639
windowCOMMON

Function 10013170 Relevance: 44.2, APIs: 23, Strings: 2, Instructions: 429
windowCOMMON

Function 10005A40 Relevance: 39.3, APIs: 26, Instructions: 255
windowtimeCOMMON

Function 1000C930 Relevance: 31.7, APIs: 21, Instructions: 208
windowCOMMON

Function 00696F83 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Function 10013810 Relevance: 24.9, APIs: 12, Strings: 2, Instructions: 363
COMMON

Function 1001A4F0 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 128
COMMON

Function 10024520 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 99
COMMON

Function 0060A2E0 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 370
commemorythreadCOMMON

Function 00696DA8 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Function 1001C450 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 50
windowCOMMON