Edit tour

Windows Analysis Report
Label.exe

Overview

General Information

Sample name:	Label.exe
Analysis ID:	1525466
MD5:	e12f93d462a622f32a4ff1e646549c42
SHA1:	540853beffb0ba9b26cf305bcf92fad82599eb3c
SHA256:	f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
Tags:	exePreftuser-smica83
Infos:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Drops password protected ZIP file

Uses ping.exe to check the status of other devices and networks

Uses ping.exe to sleep

AV process strings found (often used to terminate AV products)

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found large amount of non-executed APIs

Installs a raw input device (often for capturing keystrokes)

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Label.exe (PID: 6396 cmdline: "C:\Users\user\Desktop\Label.exe" MD5: E12F93D462A622F32A4FF1E646549C42)

cmd.exe (PID: 4444 cmdline: "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 4068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

PING.EXE (PID: 1440 cmdline: ping -n 3 127.0.0.1 MD5: 2F46799D79D22AC72C241EC0322B011D)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Label.exe	ReversingLabs: Detection: 42%
Source: Label.exe	Virustotal: Detection: 62%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.4% probability

Source:	Binary string: ntkrnlmp.pdbD! source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdbD!68A17FAF3012B7846079AEECDBE0A5831 source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdb source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdbD!01AB9056EA9380F71644C4339E3FA1AC2 source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdbD! source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdb0 source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdb source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdbl source: c.tmp~.0.dr

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014003E654 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

0_2_000000014003E654

Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior

Networking

Uses ping.exe to check the status of other devices and networks

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140056A50 SrcHashImpl::SrcHashImpl,CreateCompatibleDC,CreateCompatibleBitmap,FillRect,OpenClipboard,EmptyClipboard,CloseClipboard,SetClipboardData,CloseClipboard,

0_2_0000000140056A50

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014002C3A8 GetParent,GetParent,UpdateWindow,SetCursor,GetAsyncKeyState,UpdateWindow,InflateRect,SetCapture,SetCursor,IsWindow,GetCursorPos,ScreenToClient,PtInRect,RedrawWindow,GetParent,GetParent,RedrawWindow,RedrawWindow,GetParent,GetParent,GetParent,InvalidateRect,UpdateWindow,UpdateWindow,NotifyWinEvent,NotifyWinEvent,SetCapture,RedrawWindow,

0_2_000000014002C3A8

Source: c.tmp~.0.dr

Binary or memory string: _WinAPI_RegisterRawInputDevices.au3

memstr_ece8dcda-a

Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140054154 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageW,ScreenToClient,GetCursorPos,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SetWindowPos,SendMessageW,SendMessageW,GetParent,		0_2_0000000140054154
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140014234 GetKeyState,GetKeyState,GetKeyState,SendMessageW,		0_2_0000000140014234

System Summary

Drops password protected ZIP file

Source: c.tmp-.0.dr	Zip Entry: encrypted
Source: ~E52D1ACF.tmp.0.dr	Zip Entry: encrypted

Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140015FF8	0_2_0000000140015FF8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140082020	0_2_0000000140082020
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003404C	0_2_000000014003404C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014001A0EC	0_2_000000014001A0EC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140041118	0_2_0000000140041118
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014004E138	0_2_000000014004E138
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140054154	0_2_0000000140054154
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140020280	0_2_0000000140020280
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014000C33C	0_2_000000014000C33C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014002C3A8	0_2_000000014002C3A8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400373BC	0_2_00000001400373BC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400383C4	0_2_00000001400383C4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400353CC	0_2_00000001400353CC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400A33EC	0_2_00000001400A33EC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400453F4	0_2_00000001400453F4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140022458	0_2_0000000140022458
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014005948C	0_2_000000014005948C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014002649C	0_2_000000014002649C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400304C4	0_2_00000001400304C4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400434F8	0_2_00000001400434F8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140027588	0_2_0000000140027588
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014002D6B0	0_2_000000014002D6B0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003C6D0	0_2_000000014003C6D0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140047788	0_2_0000000140047788
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001401898BC	0_2_00000001401898BC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014002F934	0_2_000000014002F934
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003A9A0	0_2_000000014003A9A0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140056A50	0_2_0000000140056A50
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140089A44	0_2_0000000140089A44
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140047AD0	0_2_0000000140047AD0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400A5B34	0_2_00000001400A5B34
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140197B80	0_2_0000000140197B80
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140038BAC	0_2_0000000140038BAC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014004EBC8	0_2_000000014004EBC8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140029BF8	0_2_0000000140029BF8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140190C40	0_2_0000000140190C40
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140039CE0	0_2_0000000140039CE0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140055D1C	0_2_0000000140055D1C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014000ADB4	0_2_000000014000ADB4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140037DE0	0_2_0000000140037DE0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140096E18	0_2_0000000140096E18
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400E8E28	0_2_00000001400E8E28
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140058E50	0_2_0000000140058E50
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140025E50	0_2_0000000140025E50
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014000BEE4	0_2_000000014000BEE4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140043F6C	0_2_0000000140043F6C
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_00000001400CFFC4	0_2_00000001400CFFC4
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F885F0	0_2_01F885F0
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01FA0494	0_2_01FA0494
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F87410	0_2_01F87410
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01FA27A8	0_2_01FA27A8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F87910	0_2_01F87910
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F9E860	0_2_01F9E860
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F87B70	0_2_01F87B70
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F9ED30	0_2_01F9ED30
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F91C10	0_2_01F91C10
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F95F70	0_2_01F95F70
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F9BF74	0_2_01F9BF74
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01F91E8C	0_2_01F91E8C

Source: Label.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal64.troj.evad.winEXE@6/6@0/1

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140007258 CoInitialize,CoCreateInstance,

0_2_0000000140007258

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014000807C FindResourceW,LoadResource,LockResource,FreeResource,

0_2_000000014000807C

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4068:120:WilError_03

Source: C:\Users\user\Desktop\Label.exe

File created: C:\Users\user\AppData\Local\Temp\temp

Jump to behavior

Source: Label.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Label.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Label.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Label.exe	ReversingLabs: Detection: 42%
Source: Label.exe	Virustotal: Detection: 62%

Source: C:\Users\user\Desktop\Label.exe

File read: C:\Users\user\Desktop\Label.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Label.exe "C:\Users\user\Desktop\Label.exe"
Source: C:\Users\user\Desktop\Label.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Users\user\Desktop\Label.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1	Jump to behavior

Source: C:\Users\user\Desktop\Label.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\PING.EXE	Section loaded: mswsock.dll	Jump to behavior

Source: C:\Users\user\Desktop\Label.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Label.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Label.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: Label.exe

Static file information: File size 2814800 > 1048576

Source: Label.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1ad200

Source: Label.exe

Static PE information: More than 200 imports for USER32.dll

Source: Label.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: ntkrnlmp.pdbD! source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdbD!68A17FAF3012B7846079AEECDBE0A5831 source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdb source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdbD!01AB9056EA9380F71644C4339E3FA1AC2 source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdbD! source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdb0 source: c.tmp~.0.dr
Source:	Binary string: winload_prod.pdb source: c.tmp~.0.dr
Source:	Binary string: ntkrnlmp.pdbl source: c.tmp~.0.dr

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014003E924 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

0_2_000000014003E924

Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003BFF1 push rbp; iretd	0_2_000000014003BFF7
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003BA80 push rbp; iretd	0_2_000000014003BA81
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014003BFCB push rbp; iretd	0_2_000000014003BFCC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01FAA2CD push rcx; retf 003Fh	0_2_01FAA2CE
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_01FA9925 push rsi; ret	0_2_01FA9926

Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140004430 IsIconic,	0_2_0000000140004430
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140046A00 IsWindowVisible,IsIconic,	0_2_0000000140046A00
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014002CBC8 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageW,UpdateWindow,GetParent,SendMessageW,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_000000014002CBC8
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140015FC4 IsIconic,	0_2_0000000140015FC4

Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Uses ping.exe to sleep

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1			Jump to behavior

Source: C:\Users\user\Desktop\Label.exe

API coverage: 0.0 %

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE	Last function: Thread delayed

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014003E654 GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,

0_2_000000014003E654

Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\SOPHIA\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\DC\Cache\	Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	File opened: c:\Documents and Settings\user\AppData\Local\Adobe\Acrobat\	Jump to behavior

Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: F\|Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mumn
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: F]Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: FYHyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: F`HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.catM%t
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.cat
Source: c.tmp~.0.dr	Binary or memory string: FWHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: F_Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumw
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: F\|Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: FWHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: F^HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: F_HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.catg-
Source: c.tmp~.0.dr	Binary or memory string: F_HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumw
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: FXMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: FZMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mumY
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr	Binary or memory string: FaMicrosoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.mume
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.cat
Source: c.tmp~.0.dr	Binary or memory string: F_Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: FsMicrosoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: FNMicrosoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: FXHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mumB
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumn
Source: c.tmp~.0.dr	Binary or memory string: FsMicrosoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: F^Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum\|
Source: c.tmp~.0.dr	Binary or memory string: FPMicrosoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: F]Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mumx
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: FaHyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: F^HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: FxMicrosoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: FUMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: FPMicrosoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mumh
Source: c.tmp~.0.dr	Binary or memory string: FaMicrosoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FaHyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FUMicrosoft-Hyper-V-Online-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr	Binary or memory string: FxMicrosoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mumP
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FVMicrosoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: c.tmp~.0.dr	Binary or memory string: FWHyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum;
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: FXMicrosoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: FYHyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Core-Group-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mum
Source: c.tmp~.0.dr	Binary or memory string: FVMicrosoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F`HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1566.mumk
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: F\Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.cat
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mump
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.mum
Source: c.tmp~.0.dr	Binary or memory string: FXMicrosoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Offline-Common-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Disabled-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.cat
Source: c.tmp~.0.dr	Binary or memory string: FNMicrosoft-Hyper-V-Services-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F^HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1741.mumt
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: F^Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: FWHyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: F\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: FSHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: FYMicrosoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1415.cat
Source: c.tmp~.0.dr	Binary or memory string: FXMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum/
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mum
Source: c.tmp~.0.dr	Binary or memory string: F\HyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.488.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: FSHyperV-Primitive-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.mum
Source: c.tmp~.0.dr	Binary or memory string: FXHyperV-Compute-System-VirtualMachine-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat
Source: c.tmp~.0.dr	Binary or memory string: FYHyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mumP
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FVMicrosoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1.mum,
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.mum
Source: c.tmp~.0.dr	Binary or memory string: FSMicrosoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.cat
Source: c.tmp~.0.dr	Binary or memory string: F^HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1766.mumO
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Windows-HyperV-OptionalFeature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Hypervisor-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FTMicrosoft-Hyper-V-Hypervisor-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat%pH
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: FYHyperV-Feature-VirtualMachinePlatform-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat
Source: c.tmp~.0.dr	Binary or memory string: FRMicrosoft-Hyper-V-Package-base-Package~31bf3856ad364e35~amd64~~10.0.19041.1682.cat
Source: c.tmp~.0.dr	Binary or memory string: Microsoft-Hyper-V-Online-Services-merged-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: F[Microsoft-Hyper-V-ClientEdition-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat$"t
Source: c.tmp~.0.dr	Binary or memory string: FZMicrosoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FSMicrosoft-Hyper-V-ClientEdition-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.mum
Source: c.tmp~.0.dr	Binary or memory string: HyperV-Compute-Host-VirtualMachines-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.mum
Source: c.tmp~.0.dr	Binary or memory string: FVMicrosoft-Hyper-V-Offline-Common-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat'"t

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140185454 GetLastError,IsDebuggerPresent,OutputDebugStringW,

0_2_0000000140185454

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140009FF0 OutputDebugStringA,ActivateActCtx,GetLastError,DeactivateActCtx,SetLastError,

0_2_0000000140009FF0

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_000000014003E924 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

0_2_000000014003E924

Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_000000014018A7FC RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000000014018A7FC
Source: C:\Users\user\Desktop\Label.exe	Code function: 0_2_0000000140184BFC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0000000140184BFC

Source: C:\Users\user\Desktop\Label.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"			Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE ping -n 3 127.0.0.1			Jump to behavior

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_01FA25F0 cpuid

0_2_01FA25F0

Source: C:\Users\user\Desktop\Label.exe

Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,

0_2_000000014001C3CC

Source: C:\Users\user\Desktop\Label.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\Label.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140184E98 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0000000140184E98

Source: C:\Users\user\Desktop\Label.exe

Code function: 0_2_0000000140005240 GetCurrentThread,GetCurrentThreadId,GetVersionExW,

0_2_0000000140005240

Source: c.tmp~.0.dr

Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	11 Process Injection	11 Process Injection	31 Input Capture	1 System Time Discovery	Remote Services	31 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Obfuscated Files or Information	LSASS Memory	31 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	1 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	3 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	33 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Label.exe	42%	ReversingLabs	Win64.Backdoor.Preft
Label.exe	62%	Virustotal		Browse

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525466
Start date and time:	2024-10-04 09:17:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Label.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@6/6@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.

Process:	C:\Users\user\Desktop\Label.exe
File Type:	GIF image data, version 89a, 20545 x 7507
Category:	dropped
Size (bytes):	5209155
Entropy (8bit):	7.999971086114151
Encrypted:	true
SSDEEP:	98304:1nNMt4OEk4QD1LfAVyfaMeTBSgyDVQw31AuQX471A:1NAik4QNfwFMeTBSiiDP
MD5:	97E12642562963839F57295FE4956C4A
SHA1:	CEDB2F227A7F57B4A3C4B3F886647A090FCB2A1B
SHA-256:	EDB96A1DED100A20DBDE74D16E75CAD6FFAADF17E18C8C4E24137AF15D3EEF10
SHA-512:	1BA2FBBDDBBCBA141DEC69E4ABD1AFE5D90306F44BA4F3FC12175BABE6CCFB10C5F9465EC862D6C14280E58841AC10DB683D3B46EA682E9AD0916A1A971E8517
Malicious:	false
Reputation:	low
Preview:	GIF89aAPS.xxgY7u6KE89Q28g4xYQ3P4mybIIlT........V:DY........(#;.....c.datUT.....f..f...f6n.. ....3.....<.%l......K..g.....\g.....0d......9.2R...C.'\Nv.#.....~.....R:.G"..}p.....N..y....,..... ..Ca....l.O.?.C..e\|....W.8#.>.U./6...d1?..s..JU..'..H41........k.M_N....u.H)Y..T...9..)...y.ZC..C......F.]7...9.}....y..L....\|\....}....hDHq7A...Z.R..>.T..\B..BE.k.q..d"..+.... .q.K.K&.%^..B.<.4x>D....w....w.CV.......V.p...ODBo.....U.u..;q.....kx..\|...:..l.K..E...K.Xx..Jd..-B0...hv...$.....%wB.I.(...N'....e..h....o8...R@n.K9r.(.@8#;H..'..x./..nBY.7..Y.U.!..:..@>...].DTt.ev..t.s46.....}.....P.C..6V8.K..f..y.k..a...L....!,...........S.5....^...O..?.v.a%....v.9..f....O...t.]<..:..\..(T...H.r...B...M.m..VP.k.Vd0....."e...z4.t...r.B.r.-R..O..s.....+..U...W,..T.}L...4>.K.9....C.g$=O+}.Ry.R..Y...g.&V.T/.id.3O./>\|NPy.8dR...w.....sSM....a.+.E....#&4...r..;...Z.o....V.............."a..pz....Ar..k...5.x..FI...y9~.>.......6.W.....-.x..#N..*.8d.y..t..`....+.

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp-

Download File

Process:	C:\Users\user\Desktop\Label.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	5208876
Entropy (8bit):	7.999970639752912
Encrypted:	true
SSDEEP:	98304:FnNMt4OEk4QD1LfAVyfaMeTBSgyDVQw31AuQX471AJ:FNAik4QNfwFMeTBSiiDPU
MD5:	1227D1E23D584D086E22B224D124A012
SHA1:	85C906E90E1C954D2708C5BBCA62009C265C1C45
SHA-256:	838FB96586C8AB1947EE23B7BEAD7770023AA1B428016399712F2860C3E538CF
SHA-512:	BBD9BB9F9B7E3E0773C336AC9CF99A9319A54C5B211593F812D9BD8BF3C76E7BBCEB4E820C93D110BBFC0F4B8E5C26E8582A570B6CCDD56F7291880AA3B605FB
Malicious:	false
Reputation:	low
Preview:	PK........V:DY........(#;.....c.datUT.....f..f...f6n.. ....3.....<.%l......K..g.....\g.....0d......9.2R...C.'\Nv.#.....~.....R:.G"..}p.....N..y....,..... ..Ca....l.O.?.C..e\|....W.8#.>.U./6...d1?..s..JU..'..H41........k.M_N....u.H)Y..T...9..)...y.ZC..C......F.]7...9.}....y..L....\|\....}....hDHq7A...Z.R..>.T..\B..BE.k.q..d"..+.... .q.K.K&.%^..B.<.4x>D....w....w.CV.......V.p...ODBo.....U.u..;q.....kx..\|...:..l.K..E...K.Xx..Jd..-B0...hv...$.....%wB.I.(...N'....e..h....o8...R@n.K9r.(.@8#;H..'..x./..nBY.7..Y.U.!..:..@>...].DTt.ev..t.s46.....}.....P.C..6V8.K..f..y.k..a...L....!,...........S.5....^...O..?.v.a%....v.9..f....O...t.]<..:..\..(T...H.r...B...M.m..VP.k.Vd0....."e...z4.t...r.B.r.-R..O..s.....+..U...W,..T.}L...4>.K.9....C.g$=O+}.Ry.R..Y...g.&V.T/.id.3O./>\|NPy.8dR...w.....sSM....a.+.E....#&4...r..;...Z.o....V.............."a..pz....Ar..k...5.x..FI...y9~.>.......6.W.....-.x..#N..*.8d.y..t..`....+..3;."...\.W.....:C.0KU.xi.....k-...

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~

Download File

Process:	C:\Users\user\Desktop\Label.exe
File Type:	data
Category:	dropped
Size (bytes):	20652840
Entropy (8bit):	6.121611638874144
Encrypted:	false
SSDEEP:	393216:S4exspmNOEmwp15YBV6w9NOEmwGQA7L6oQ+oOEmwV3Lx:S4exspmNOEmwp15YBV6w9NOEmwGQA7Lg
MD5:	FB34AB10F355B61BE843A899A334449E
SHA1:	ED4944C873850AE9F8BEDD1D0BE85B3D81B52556
SHA-256:	04ABE2480DC404B9B9214E4800702A196D1B12C4153BABCE55BD1C2E64A52946
SHA-512:	BE4433E53C94F76B0FEDC3567DC9FBD2A5A19F1B4460C57A324A8593965EFF62FE97868738AABB83432319F379E4965D7F89FDFDA0BAD79CC67C7A98D868BEFA
Malicious:	false
Reputation:	low
Preview:	..c:\.D..$Recycle.Bin.D..S-1-5-21-2246122658-3693405117-2476756634-1000.F..desktop.ini.........E.......D..S-1-5-21-2246122658-3693405117-2476756634-1001.F..desktop.ini.........J.0.....D..S-1-5-21-2246122658-3693405117-2476756634-1002.F..desktop.ini.........% ......D..S-1-5-21-2246122658-3693405117-2476756634-1003.F..desktop.ini........=L.......D..$WinREAgent.D..Scratch.D..Documents and Settings.D..user.F...curlrc...........-....D...ms-ad.D..3D Objects.F..desktop.ini.......(Z.......D..AppData.D..Local.F...curlrc........aJ.-....D..Adobe.D..Acrobat.D..DC.F..AdobeCMapFnt23.lst.........&.:.....F..AdobeSysFnt23.lst........M%.M.....D..Cache.F..AcroFnt23.lst........&.:.....F..IconCacheAcro65536.dat.....v...+O.....F..SharedDataEvents.....0....-O.....D..SOPHIA.D..Acrobat.D..Files.F..ACROBAT_READER_MASTER_SURFACEID....'...?..b.....F..DC_FirstMile_Home_View_Surface....&......b.....F..DC_FirstMile_Right_Sec_Surface....&...4..b.....F..DC_Reader_Convert_LHP_Banner...........b.....F..DC_Reader_

C:\Users\user\AppData\Local\Temp\~E52D1ACF.tmp

Download File

Process:	C:\Users\user\Desktop\Label.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=store
Category:	dropped
Size (bytes):	5210232
Entropy (8bit):	7.999963265858713
Encrypted:	true
SSDEEP:	98304:jICnc/LUeqT15hUaIq3CmeEuzEHvlfQ6H4q2w2uvWkVkkVExk:ctmTPeaIq3CuqmvW6H4uHWOOk
MD5:	98F2CC920C7650DB145034B3306FFC0E
SHA1:	E2B97C98C3EDF69DEC0B5E58898987E0B9677E37
SHA-256:	C5FBD968641A6856268EE62F9019DF0687D64D6F8F2297D8B4741BF272DDEDE4
SHA-512:	01F85DE0A27350A8B47133A583919D1CB88BC39BE916CCCBB51840AA1A3AA2A906243E8AF24537987D93A0609809040D470689529C575C4E7778EC4E55449F8D
Malicious:	false
Reputation:	low
Preview:	PK........@.DY................~E52D1ACF.tmp/UT....^.f.^.f.^.fPK........@.DY................~E52D1ACF.tmp/192.168.2.5/UT....^.f.^.f.^.fPK........\:DY........C\|O.....~E52D1ACF.tmp/192.168.2.5/c.tmpUT.....f..f..fG....7a.K.v.8..vX.B-..LR1.k.k.=e.ch..G.P...._s.l.VG..K}'_Q...KUIH&..^.'.....!2P8..(...K..L y..........d..\|.h.. ..Y-..aB.=kz.>....../S.{99%.....+...ytB;.1.xK.S..E>..j..^~..t,Y.:./...p.=.O......:m...'l1.^"e......"...h.\.....Z.D...d...f..^"....W.........M.5O....\|.6...'...!.F...;Tyg...<...c..+.....Q.%.RB$T..w..o>..W...L9z.OK.....3.kj}9.V.S.....M8]..A.K.....Pq..1.[#...^.u..`0m..]...3...L.......S!........I..}....N...@>/z...).....ZP..Q...LE.^..e.>.UA..}A....._.....9..Kc.o.p.Q.....~.^.T.D..'..h.Xm./..%..v...t.... .L..z.W..1.*.....D...`7...4...o....f.].CZR.cU.....H ..?..D....sA.......0..............I0? ..x....S>+...^u......_.:.........l./.Gj.8f....2..nb...bI...o."n.Q}..K.9....u(S..nW.G..s.S...)K......rB...y..._......;.F.Z.\|..:ja.1Oc(?.Pp.[.A.1.0iO

C:\Users\user\Desktop\Label.exe

Download File

Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	1.6644977792004616
Encrypted:	false
SSDEEP:	3:xyn:gn
MD5:	A0D776B42F75469801072FB25BCF8117
SHA1:	E6EA266288CB636D33EA2BA9CED2C123EB7C1077
SHA-256:	7AB3F076E70350F06AD19863FDD9E794648020F621C0B1BD20AD4D80F0745142
SHA-512:	0BCA7A9AEB4A9532B1F24C0EFB1D40836F969CB559CC445FCF422670BB1D16BB9B1EC7E3FC20188189C37B863834555C4F6B7DD116BD6187C12814DB9EE6B04A
Malicious:	true
Reputation:	low
Preview:	EEEE ..

\Device\Null

Download File

Process:	C:\Windows\System32\PING.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	380
Entropy (8bit):	4.937448817509359
Encrypted:	false
SSDEEP:	6:PzLSLzMRfmWxHLThx2LThx2LThx0sW26wGv+wAFeMmvVOIHJFxMVlmJHaVFEG1vv:PKMRJpTeTeT0sKvtAFSkIrxMVlmJHaVz
MD5:	63A3D026F6E4381585F5AEFACE172263
SHA1:	3EA8FDD98AA9F20167008F57DAA6F8ED3ECA9738
SHA-256:	4C31393CE8AE5EA969A049B3FF5DD0EA18E6C29E0E59841BEC1D7AFB7C64DE4C
SHA-512:	FB88787000A6D258A1E3AAB97C46B8D92E68071B8E55C8F98278CB474AE6AFB31256A58BF198132D251F8EC666F28C085A88A103C8DB029B3B188F77163BE793
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	..Pinging 127.0.0.1 with 32 bytes of data:..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128..Reply from 127.0.0.1: bytes=32 time<1ms TTL=128....Ping statistics for 127.0.0.1:.. Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.41578623250506
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Label.exe
File size:	2'814'800 bytes
MD5:	e12f93d462a622f32a4ff1e646549c42
SHA1:	540853beffb0ba9b26cf305bcf92fad82599eb3c
SHA256:	f64dab23c50e3d131abcc1bdbb35ce9d68a34920dd77677730568c24a84411c5
SHA512:	1def378e0ca7d2e861ad2e3443e471fa797b01fa92f9c539850912307546c4deef54e53e13b8bc23dce2b2156d7d8795e8c51c16e9ea03a5525574a497b44999
SSDEEP:	49152:shQu5h/rBAEcMWGPODLKDakFxxQsEnhrAWKu6j112C4WR:shL/rOA2aDVdEnh8WKu6j11sm
TLSH:	CCD58D57A7F860E4E5A6D034CA169A4BD7F2B9B10930C35F1069079E2FB3A634D1F722
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$.........a....@...@...@#r.@...@#r.@0..@#r.@...@...@...@...@...@...@...@...@...@...@...@r..A...@r..A...@r..A...@e..A...@e..@...@...@...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x14018428c
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66206374 [Thu Apr 18 00:04:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	2
File Version Major:	5
File Version Minor:	2
Subsystem Version Major:	5
Subsystem Version Minor:	2
Import Hash:	a534d17950d1f47f4f54eaad221c89b9

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Tableau Software Inc.
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	27/05/2023 20:15:00 01/01/2040 00:59:59
Subject Chain	CN=Tableau Software Inc.
Version:	3
Thumbprint MD5:	1DC7895A0C06936950D50A29047999BE
Thumbprint SHA-1:	6624C7B8FAAC176D1C1CB10B03E7EE58A4853F91
Thumbprint SHA-256:	F76D6AE999702C40C74D2575A2923F571359B90743A80BB5445C442C7C558EF6
Serial:	76CB5D1E6C2B6895428115705D9AC765

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F986D453478h
dec eax
add esp, 28h
jmp 00007F986D4526E7h
int3
int3
int3
int3
int3
int3
int3
int3
nop word ptr [eax+eax+00000000h]
dec eax
cmp ecx, dword ptr [000CC651h]
jne 00007F986D452885h
dec eax
rol ecx, 10h
test cx, FFFFh
jne 00007F986D452875h
ret
dec eax
ror ecx, 10h
jmp 00007F986D4531D4h
int3
int3
int3
dec eax
sub esp, 28h
call 00007F986D4539BCh
test eax, eax
je 00007F986D452893h
dec eax
mov eax, dword ptr [00000030h]
dec eax
mov ecx, dword ptr [eax+08h]
jmp 00007F986D452877h
dec eax
cmp ecx, eax
je 00007F986D452886h
xor eax, eax
dec eax
cmpxchg dword ptr [000DB890h], ecx
jne 00007F986D452860h
xor al, al
dec eax
add esp, 28h
ret
mov al, 01h
jmp 00007F986D452869h
int3
int3
int3
inc eax
push ebx
dec eax
sub esp, 20h
movzx eax, byte ptr [000DB8ABh]
test ecx, ecx
mov ebx, 00000001h
cmove eax, ebx
mov byte ptr [000DB89Bh], al
call 00007F986D4537A3h
call 00007F986D4565EAh
test al, al
jne 00007F986D452876h
xor al, al
jmp 00007F986D452886h
call 00007F986D466499h
test al, al
jne 00007F986D45287Bh
xor ecx, ecx
call 00007F986D45660Ah
jmp 00007F986D45285Ch
mov al, bl

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[C++] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x24ea00	0x168
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x278000	0x4eec	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x262000	0x14c28	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2aee00	0x550
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x27d000	0xe9ac	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x215630	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x215708	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x215670	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1ad150	0x1ad200	4be930738102f846c54a672d99a79a68	False	0.5295966993154675	zlib compressed data	6.4327759160342355	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1af000	0x9f8a8	0x9fe00	5156067d27246d9f4b16f143bc293e13	False	0.27048719702892887	OpenPGP Secret Key	4.447896011976656	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x24f000	0x12230	0x7000	8827661362822a66a4bb9aa6840584de	False	0.19649832589285715	data	4.079716207632309	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x262000	0x14c28	0x14e00	4cfc2f504eb9366845bba5495062b439	False	0.5026197604790419	data	6.147173678052106	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x277000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x278000	0x4eec	0x5000	597e8bdf6e836f5f3e1f9d82e253278e	False	0.249658203125	data	3.790377888275123	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x27d000	0xe9ac	0xea00	ee08a85204b75eb7f518298f70e7edd0	False	0.09328258547008547	Targa image data - RLE 41720 x 41728 x 8 +41696 +41704 - 3-bit alpha - top - four way interleave	5.449872048239219	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x278a60	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x278b94	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x278c48	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x278d7c	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x278eb0	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x278fe4	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x279118	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x27924c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x279380	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x2794b4	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x2795e8	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x27971c	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x279850	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x279984	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x279ab8	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x279bec	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x279d20	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x279dd8	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_DIALOG	0x279f1c	0x1c8	data	English	United States	0.5416666666666666
RT_DIALOG	0x27a0e4	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x27a1cc	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x27a200	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x27a284	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x27a2b0	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x27a434	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x27a924	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x27ab88	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x27ae64	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x27aef0	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x27af9c	0xde	data	English	United States	0.536036036036036
RT_STRING	0x27b07c	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x27b524	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x27b74c	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x27b778	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0x27bcb8	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9705882352941176
RT_GROUP_CURSOR	0x27bcdc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bcf0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd04	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd18	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd2c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd40	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd54	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd68	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd7c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bd90	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bda4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bdb8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bdcc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x27bde0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x27bdf4	0x6ec	data			0.34706546275395034
RT_VERSION	0x27c4e0	0x6ec	data	English	United States	0.34706546275395034
RT_MANIFEST	0x27cbcc	0x31e	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (738), with CRLF line terminators	English	United States	0.5225563909774437

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCPInfo, GetOEMCP, IsValidCodePage, FindNextFileW, FindFirstFileExW, SetFilePointerEx, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetStringTypeW, LCMapStringW, GetACP, ExitProcess, GetStdHandle, GetFileType, SetStdHandle, VirtualQuery, VirtualAlloc, GetSystemInfo, QueryPerformanceFrequency, HeapQueryInformation, FreeLibraryAndExitThread, ExitThread, CreateThread, GetCommandLineW, GetCommandLineA, RtlUnwindEx, RtlPcToFileHeader, OutputDebugStringW, WriteConsoleW, TlsSetValue, LockResource, LoadResource, FindResourceW, MultiByteToWideChar, HeapFree, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, HeapSize, GetLastError, HeapReAlloc, RaiseException, HeapAlloc, DecodePointer, DeleteCriticalSection, GetProcessHeap, GetCurrentThread, GetCurrentThreadId, GetVersionExW, FreeLibrary, GetModuleFileNameW, LoadLibraryExW, GlobalAlloc, GlobalLock, GlobalDeleteAtom, lstrcmpA, lstrcmpW, WideCharToMultiByte, lstrcpyW, GetModuleHandleW, GetProcAddress, GetPrivateProfileIntW, GetPrivateProfileStringW, WritePrivateProfileStringW, OutputDebugStringA, SetLastError, FreeResource, GetModuleHandleExW, GlobalUnlock, GlobalFree, LoadLibraryW, CreateActCtxW, ActivateActCtx, DeactivateActCtx, FindActCtxSectionStringW, QueryActCtxW, GetCurrentProcessId, GlobalSize, LocalFree, MulDiv, FormatMessageW, CopyFileW, CloseHandle, SetEvent, WaitForSingleObject, CreateEventW, SetThreadPriority, ResumeThread, GlobalAddAtomW, EncodePointer, GetSystemDirectoryW, GlobalFindAtomW, InitializeCriticalSection, TlsAlloc, TlsGetValue, SizeofResource, TlsFree, GlobalReAlloc, GlobalHandle, LocalAlloc, LocalReAlloc, GetCurrentDirectoryW, CompareStringW, GetLocaleInfoW, GetSystemDefaultUILanguage, GetUserDefaultUILanguage, GlobalFlags, DeleteFileW, GlobalGetAtomNameW, FileTimeToSystemTime, CreateFileW, FindClose, FindFirstFileW, FlushFileBuffers, GetFileSize, GetFullPathNameW, GetVolumeInformationW, LockFile, ReadFile, SetEndOfFile, SetFilePointer, UnlockFile, WriteFile, DuplicateHandle, GetCurrentProcess, lstrcmpiW, VerSetConditionMask, VerifyVersionInfoW, VirtualProtect, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesW, GetFileAttributesExW, GetFileSizeEx, GetFileTime, SystemTimeToTzSpecificLocalTime, GetWindowsDirectoryW, SearchPathW, GetTickCount, GetProfileIntW, Sleep, GetTempFileNameW, GetTempPathW, FindResourceExW, ResetEvent, WaitForSingleObjectEx, RtlCaptureContext, RtlLookupFunctionEntry, RtlVirtualUnwind, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, IsProcessorFeaturePresent, QueryPerformanceCounter, GetSystemTimeAsFileTime, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW
USER32.dll	EnumDisplayMonitors, SetLayeredWindowAttributes, DestroyIcon, MonitorFromPoint, UnionRect, EnableScrollBar, DestroyMenu, UpdateLayeredWindow, IsRectEmpty, SetMenuDefaultItem, GetMenuDefaultItem, GetMenuItemInfoW, CreatePopupMenu, NotifyWinEvent, MessageBeep, SetWindowRgn, GetSystemMenu, GetAsyncKeyState, CharUpperW, IsZoomed, TrackMouseEvent, GetSysColorBrush, LoadMenuW, IntersectRect, InflateRect, KillTimer, SetTimer, RealChildWindowFromPoint, DeleteMenu, SystemParametersInfoW, CopyImage, LoadCursorW, WindowFromPoint, ReleaseCapture, SetCapture, WaitMessage, OffsetRect, SetRectEmpty, SendDlgItemMessageA, IsDialogMessageW, SetWindowTextW, CheckDlgButton, MoveWindow, ShowWindow, GetMonitorInfoW, MonitorFromWindow, WinHelpW, GetScrollInfo, SetScrollInfo, GetWindow, GetTopWindow, GetClassLongPtrW, SetWindowLongPtrW, GetWindowLongPtrW, SetWindowLongW, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthW, GetWindowTextW, RemovePropW, GetPropW, SetPropW, ShowScrollBar, GetScrollRange, SetScrollRange, GetScrollPos, SetScrollPos, ScrollWindow, RedrawWindow, SetForegroundWindow, GetForegroundWindow, TrackPopupMenu, MapDialogRect, GetMenu, GetCapture, SetFocus, GetDlgCtrlID, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowPos, IsChild, IsMenu, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, CallWindowProcW, LoadImageW, BringWindowToTop, LoadAcceleratorsW, CreateDialogIndirectParamW, EndDialog, GetDlgItem, GetNextDlgTabItem, GetActiveWindow, DefWindowProcW, GetMessageTime, GetMessagePos, GetClassNameW, InvalidateRect, UpdateWindow, DrawStateW, SetCursor, ShowOwnedPopups, ValidateRect, GetKeyState, IsWindowVisible, PeekMessageW, DispatchMessageW, TranslateMessage, TranslateAcceleratorW, InsertMenuItemW, UnpackDDElParam, ReuseDDElParam, OpenClipboard, CloseClipboard, SetClipboardData, EmptyClipboard, DrawIconEx, SetRect, RegisterClipboardFormatW, DrawEdge, DrawFrameControl, GetMessageW, LoadBitmapW, DrawFocusRect, SetClassLongPtrW, SetParent, CharUpperBuffW, LockWindowUpdate, ModifyMenuW, ToUnicodeEx, DestroyAcceleratorTable, IsWindowEnabled, SetActiveWindow, GetWindowLongW, GetDesktopWindow, GetParent, GetKeyNameTextW, MapVirtualKeyW, GetDC, ReleaseDC, CopyRect, MessageBoxW, GetWindowThreadProcessId, GetLastActivePopup, GetMenuStringW, GetMenuState, GetSubMenu, GetMenuItemID, GetMenuItemCount, InsertMenuW, AppendMenuW, RemoveMenu, DrawTextW, DrawTextExW, GrayStringW, TabbedTextOutW, GetWindowDC, BeginPaint, EndPaint, ClientToScreen, ScreenToClient, GetSysColor, FillRect, GetFocus, GetWindowRect, GetCursorPos, PtInRect, SetWindowsHookExW, UnhookWindowsHookEx, CallNextHookEx, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoW, GetKeyboardLayout, GetKeyboardState, CreateAcceleratorTableW, EnableWindow, LoadIconW, SendMessageW, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, UnregisterClassW, PostMessageW, PostQuitMessage, RegisterWindowMessageW, IsWindow, GetWindowRgn, SubtractRect, CreateMenu, GetUpdateRect, GetComboBoxInfo, MapVirtualKeyExW, IsCharLowerW, TranslateMDISysAccel, DefMDIChildProcW, DefFrameProcW, DrawMenuBar, DestroyCursor, GetDoubleClickTime, IsClipboardFormatAvailable, InvertRect, HideCaret, GetIconInfo, GetNextDlgGroupItem, PostThreadMessageW, FrameRect, CopyIcon, SetCursorPos, CopyAcceleratorTableW, SetMenu, DestroyWindow
GDI32.dll	GetTextFaceW, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, PtInRegion, GetBoundsRect, FrameRgn, FillRgn, RoundRect, SetPaletteEntries, ExtFloodFill, LPtoDP, GetSystemPaletteEntries, GetPaletteEntries, GetNearestPaletteIndex, CreatePalette, EnumFontFamiliesExW, Rectangle, Polyline, Polygon, CreatePolygonRgn, GetBkColor, Ellipse, CreateEllipticRgn, OffsetRgn, GetRgnBox, GetTextColor, SetDIBColorTable, StretchBlt, SetPixel, RealizePalette, GetTextCharsetInfo, EnumFontFamiliesW, CreateDIBitmap, CreateDIBSection, CreateCompatibleBitmap, CreateRoundRectRgn, DPtoLP, SetRectRgn, CombineRgn, GetTextMetricsW, GetTextExtentPoint32W, CreateFontIndirectW, ScaleWindowExtEx, ScaleViewportExtEx, OffsetWindowOrgEx, OffsetViewportOrgEx, SetWindowOrgEx, SetWindowExtEx, SetViewportOrgEx, SetViewportExtEx, ExtTextOutW, TextOutW, MoveToEx, GetObjectW, SetTextAlign, SetTextColor, SetROP2, SetPolyFillMode, GetLayout, SetLayout, SetMapMode, SetBkMode, SetBkColor, SelectPalette, SelectObject, ExtSelectClipRgn, SelectClipRgn, SaveDC, RestoreDC, RectVisible, PtVisible, LineTo, IntersectClipRect, GetWindowExtEx, GetViewportExtEx, GetStockObject, GetPixel, GetObjectType, GetClipBox, ExcludeClipRect, Escape, DeleteObject, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateCompatibleDC, CreateBitmap, BitBlt, GetDeviceCaps, CreateDCW, CopyMetaFileW, PatBlt, CreateRectRgnIndirect, DeleteDC
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	DocumentPropertiesW, OpenPrinterW, ClosePrinter
ADVAPI32.dll	SystemFunction036, RegOpenKeyExW, RegQueryValueExW, RegEnumKeyExW, RegEnumValueW, RegQueryValueW, RegEnumKeyW, RegSetValueExW, RegDeleteValueW, RegDeleteKeyW, RegCreateKeyExW, RegCloseKey
SHELL32.dll	SHGetMalloc, SHGetPathFromIDListW, SHGetSpecialFolderLocation, SHBrowseForFolderW, SHAppBarMessage, ShellExecuteW, DragFinish, DragQueryFileW, SHGetFileInfoW, SHGetDesktopFolder
COMCTL32.dll	InitCommonControlsEx
SHLWAPI.dll	PathFindFileNameW, PathIsUNCW, StrFormatKBSizeW, PathRemoveFileSpecW, PathStripToRootW, PathFindExtensionW
UxTheme.dll	GetThemePartSize, GetThemeSysColor, GetWindowTheme, IsThemeBackgroundPartiallyTransparent, IsAppThemed, DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName
ole32.dll	OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, OleLockRunning, RevokeDragDrop, RegisterDragDrop, CoLockObjectExternal, OleGetClipboard, CoInitializeEx, CreateStreamOnHGlobal, DoDragDrop, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CoInitialize, CoCreateInstance, CoCreateGuid, CoUninitialize
OLEAUT32.dll	VariantChangeType, LoadTypeLib, SysStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, VariantClear, VariantCopy, VarBstrFromDate, VariantInit, SysAllocStringLen, SysFreeString, SysAllocString
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdiplusShutdown, GdipAlloc
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
WINMM.dll	PlaySoundW
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
kernel32.dll	LoadLibraryA, GetModuleHandleA, CreateFileA, GetModuleFileNameA, VirtualFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	03:18:00
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\Label.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Label.exe"
Imagebase:	0x140000000
File size:	2'814'800 bytes
MD5 hash:	E12F93D462A622F32A4FF1E646549C42
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	03:18:48
Start date:	04/10/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\cmd.exe" /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "C:\Users\user\Desktop\Label.exe"
Imagebase:	0x7ff6fee60000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	03:18:49
Start date:	04/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	03:18:49
Start date:	04/10/2024
Path:	C:\Windows\System32\PING.EXE
Wow64 process (32bit):	false
Commandline:	ping -n 3 127.0.0.1
Imagebase:	0x7ff7cbe80000
File size:	22'528 bytes
MD5 hash:	2F46799D79D22AC72C241EC0322B011D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	7
Total number of Limit Nodes:	2

Executed Functions

Function 0000000140198110 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapAlloc.KERNEL32(?,?,00000000,0000000140198930,?,?,?,000000014018AB31,?,?,?,?,000000014018B09F), ref: 0000000140198165

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AllocHeap
String ID:
API String ID: 4292702814-0
Opcode ID: d02d087fc921b302a65da7bd80de0645251e4ff7eda4defc3c238aff92228e2b
Instruction ID: 8877fdb0a934c4467cdfa90adbe3f405f422b3044745e17565038edcde974e06
Opcode Fuzzy Hash: d02d087fc921b302a65da7bd80de0645251e4ff7eda4defc3c238aff92228e2b
Instruction Fuzzy Hash: E5F0BE7530220089FF6BABA798403E502815F9DF80F4C14394F0A873F2DE3CC682CA20

Non-executed Functions

Function 0000000140041118 Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 426
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0000000140004D30: UnDecorator::getVbTableType.LIBCMTD ref: 0000000140004D7A

GetMenuItemInfoW.USER32 ref: 00000001400411B6
GetMenuItemInfoW.USER32 ref: 000000014004121B
CopyRect.USER32 ref: 0000000140041276
GetObjectW.GDI32 ref: 00000001400412A9
GetSystemMetrics.USER32 ref: 00000001400412C2
GetSystemMetrics.USER32 ref: 00000001400412D0
GetSysColor.USER32 ref: 0000000140041316
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140041323
CreateCompatibleDC.GDI32 ref: 000000014004132B
GetTextExtentPoint32W.GDI32 ref: 0000000140041362
CopyRect.USER32 ref: 000000014004137A
GetSysColor.USER32 ref: 000000014004138E
GetSysColor.USER32 ref: 00000001400413BF
GetSysColor.USER32 ref: 00000001400413CC
GetSysColor.USER32 ref: 000000014004140B
GetSysColor.USER32 ref: 000000014004142A

Part of subcall function 0000000140022868: SetBkColor.GDI32 ref: 000000014002288E
Part of subcall function 0000000140022868: ExtTextOutW.GDI32 ref: 00000001400228B9

GetSysColor.USER32 ref: 000000014004146B

Part of subcall function 000000014000D1DC: SetBkMode.GDI32 ref: 000000014000D1F7
Part of subcall function 000000014000D1DC: SetBkMode.GDI32 ref: 000000014000D208

ExtTextOutW.GDI32 ref: 00000001400414DE
GetSysColor.USER32 ref: 00000001400414EC
GetSysColor.USER32 ref: 000000014004152F
GetSysColor.USER32 ref: 000000014004153C
GetSysColor.USER32 ref: 0000000140041583
ExtTextOutW.GDI32 ref: 00000001400415DC
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014004163E
CreateCompatibleDC.GDI32 ref: 0000000140041646
InflateRect.USER32 ref: 0000000140041677
BitBlt.GDI32 ref: 00000001400416AE

Strings

, xrefs: 000000014004167D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Color$HashText$Rect$CompatibleCopyCreateImplImpl::InfoItemMenuMetricsModeSystem$Decorator::getExtentInflateObjectPoint32TableType
String ID:
API String ID: 3531063139-3916222277
Opcode ID: dc311eb82743f0f3d62def9571603765b7709d9585935d8966bd3fc396215f29
Instruction ID: 9c8c4a983e89c01f8f8c57a390b62abec0f9e2f324e14f578c46c652d49d38ac
Opcode Fuzzy Hash: dc311eb82743f0f3d62def9571603765b7709d9585935d8966bd3fc396215f29
Instruction Fuzzy Hash: 21129B36310A808BE715CF6AE4447DD77A1F78CB98F154229EB4A83BA8CF78D944CB40

Function 000000014002C3A8 Relevance: 42.5, APIs: 28, Instructions: 491
keyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32 ref: 000000014002C43A
GetParent.USER32 ref: 000000014002C460
UpdateWindow.USER32 ref: 000000014002C4B5
SetCursor.USER32 ref: 000000014002C503
GetAsyncKeyState.USER32 ref: 000000014002C575
UpdateWindow.USER32 ref: 000000014002C684
InflateRect.USER32 ref: 000000014002C6F3
SetCapture.USER32 ref: 000000014002C6FD
SetCursor.USER32 ref: 000000014002C735
IsWindow.USER32 ref: 000000014002C7E6
GetCursorPos.USER32 ref: 000000014002C824
ScreenToClient.USER32 ref: 000000014002C832
PtInRect.USER32 ref: 000000014002C84D
RedrawWindow.USER32 ref: 000000014002C8D2
GetParent.USER32 ref: 000000014002C8EB
GetParent.USER32 ref: 000000014002C908
RedrawWindow.USER32 ref: 000000014002C922
RedrawWindow.USER32 ref: 000000014002C949
GetParent.USER32 ref: 000000014002C953
GetParent.USER32 ref: 000000014002C978
GetParent.USER32 ref: 000000014002C98A
InvalidateRect.USER32 ref: 000000014002C9D1
RedrawWindow.USER32 ref: 000000014002CB9A

Part of subcall function 00000001400298AC: InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,0000000140027535), ref: 000000014002992F
Part of subcall function 00000001400298AC: InflateRect.USER32 ref: 00000001400299BE
Part of subcall function 00000001400298AC: RedrawWindow.USER32 ref: 00000001400299D5

Part of subcall function 0000000140053A14: CopyRect.USER32 ref: 0000000140053A76
Part of subcall function 0000000140053A14: DoDragDrop.OLE32 ref: 0000000140053B48

UpdateWindow.USER32 ref: 000000014002CA6D
UpdateWindow.USER32 ref: 000000014002CAF8
NotifyWinEvent.USER32 ref: 000000014002CB37
NotifyWinEvent.USER32 ref: 000000014002CB4C
SetCapture.USER32 ref: 000000014002CB58

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Parent$Rect$Redraw$Update$Cursor$CaptureEventInflateInvalidateNotify$AsyncClientCopyDragDropScreenState
String ID:
API String ID: 2651609841-0
Opcode ID: 96c3397a0e0ee838c6f01bf7952e9ad23c804b274dca71e2c71f589ed53db4da
Instruction ID: 8768a9af4c42882ed5a54d4e511957fb5b444444f489f7cf99bf7473ec359d3f
Opcode Fuzzy Hash: 96c3397a0e0ee838c6f01bf7952e9ad23c804b274dca71e2c71f589ed53db4da
Instruction Fuzzy Hash: 0632397A311A4082EB1ADB27D954BE923A1F78DFC4F04412AEB1A477B5DF39C865C740

Function 000000014000BEE4 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 276
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateCompatibleDC.GDI32 ref: 000000014000BF72
CreateCompatibleDC.GDI32 ref: 000000014000BF8E
CreateCompatibleDC.GDI32 ref: 000000014000BFAA
GetObjectW.GDI32 ref: 000000014000BFD0
CreateBitmap.GDI32 ref: 000000014000BFFF
CreateBitmap.GDI32 ref: 000000014000C033
CreatePatternBrush.GDI32 ref: 000000014000C04B
CreateBitmap.GDI32 ref: 000000014000C07A
SelectObject.GDI32 ref: 000000014000C095
SelectObject.GDI32 ref: 000000014000C0AF
GetPixel.GDI32 ref: 000000014000C0DB

Part of subcall function 000000014000D19C: SetBkColor.GDI32 ref: 000000014000D1B8
Part of subcall function 000000014000D19C: SetBkColor.GDI32 ref: 000000014000D1C9

BitBlt.GDI32 ref: 000000014000C11D
BitBlt.GDI32 ref: 000000014000C160
SelectObject.GDI32 ref: 000000014000C180
FillRect.USER32 ref: 000000014000C1D4
BitBlt.GDI32 ref: 000000014000C220
BitBlt.GDI32 ref: 000000014000C255
BitBlt.GDI32 ref: 000000014000C286
SelectObject.GDI32 ref: 000000014000C297
SelectObject.GDI32 ref: 000000014000C2AD
SelectObject.GDI32 ref: 000000014000C2C3

Strings

, xrefs: 000000014000C0EE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CreateObject$Select$BitmapCompatible$Color$BrushFillPatternPixelRect
String ID:
API String ID: 1390051538-3916222277
Opcode ID: b08cf20d9be46fc2b9351910645986dcf8855b1ab5ba017183b31e9a2a0a1035
Instruction ID: 5df4ddc113f36066376803f992e0e8059ef95779042e0cf68a16968f83ee682e
Opcode Fuzzy Hash: b08cf20d9be46fc2b9351910645986dcf8855b1ab5ba017183b31e9a2a0a1035
Instruction Fuzzy Hash: 8FD16976B15A508AEB11DBA6E8407DE77B1F78CB94F00412AEF4A93B69DF38C445CB00

Function 000000014004EBC8 Relevance: 37.2, APIs: 20, Strings: 1, Instructions: 471
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetPathFromIDListW.SHELL32 ref: 000000014004ECDF
SHGetPathFromIDListW.SHELL32 ref: 000000014004ED16
SHGetFileInfoW.SHELL32 ref: 000000014004ED9C
SHGetFileInfoW.SHELL32 ref: 000000014004EDBE
lstrcmpiW.KERNEL32 ref: 000000014004EDD7
SendMessageW.USER32 ref: 000000014004EED2
SendMessageW.USER32 ref: 000000014004EF14
ClientToScreen.USER32 ref: 000000014004EF53
ScreenToClient.USER32 ref: 000000014004EF6B
SendMessageW.USER32 ref: 000000014004EF88
SendMessageW.USER32 ref: 000000014004EFF2
SendMessageW.USER32 ref: 000000014004F024
SendMessageW.USER32 ref: 000000014004F045
CreatePopupMenu.USER32 ref: 000000014004F0D5
TrackPopupMenu.USER32 ref: 000000014004F13B
GetMenuDefaultItem.USER32 ref: 000000014004F159
GetParent.USER32 ref: 000000014004F1AC
GetParent.USER32 ref: 000000014004F206
GetParent.USER32 ref: 000000014004F21D
SendMessageW.USER32 ref: 000000014004F23B

Strings

8, xrefs: 000000014004F1A3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$MenuParent$ClientFileFromInfoListPathPopupScreen$CreateDefaultItemTracklstrcmpi
String ID: 8
API String ID: 3998805096-4194326291
Opcode ID: 6ee00febc6805d7b0d93d6604aa376c2037c33790da72b55ed05152649a7837f
Instruction ID: 74f3eb3b87cf0b6cdb1427e148eb244294455e21fe4994238bd52ed0f940576d
Opcode Fuzzy Hash: 6ee00febc6805d7b0d93d6604aa376c2037c33790da72b55ed05152649a7837f
Instruction Fuzzy Hash: A7127A32600A9486EB22CF66E9447ED67A0FB88BC8F154126EF4947BB8DF79C585C704

Function 0000000140047AD0 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 579
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameW.USER32 ref: 0000000140047B94
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140047CB5

Part of subcall function 000000014000BA50: GetDC.USER32 ref: 000000014000BA8F

SendMessageW.USER32 ref: 0000000140047CF5
SendMessageW.USER32 ref: 0000000140047D10
GetClassNameW.USER32 ref: 0000000140047D60
SendMessageW.USER32 ref: 0000000140047E10
SendMessageW.USER32 ref: 0000000140047E36
IntersectRect.USER32 ref: 0000000140047E51
SendMessageW.USER32 ref: 0000000140047E85
CreatePopupMenu.USER32 ref: 0000000140047EC0
CreateCompatibleDC.GDI32 ref: 0000000140047ED6
CopyRect.USER32 ref: 0000000140047FD9
OffsetRect.USER32 ref: 0000000140048004
CreateCompatibleBitmap.GDI32 ref: 0000000140048038
GetSysColor.USER32 ref: 000000014004809E
InsertMenuItemW.USER32 ref: 0000000140048185

Part of subcall function 0000000140022868: SetBkColor.GDI32 ref: 000000014002288E
Part of subcall function 0000000140022868: ExtTextOutW.GDI32 ref: 00000001400228B9

Part of subcall function 000000014004A924: OutputDebugStringA.KERNEL32 ref: 000000014004A970
Part of subcall function 000000014004A924: ActivateActCtx.KERNEL32 ref: 000000014004A995

CopyRect.USER32 ref: 00000001400481C2

Strings

ReBarWindow32, xrefs: 0000000140047B49, 0000000140047BCC
ToolbarWindow32, xrefs: 0000000140047D16, 0000000140047D9C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$Rect$Create$ClassColorCompatibleCopyHashMenuName$ActivateBitmapDebugImplImpl::InsertIntersectItemOffsetOutputPopupStringText
String ID: ReBarWindow32$ToolbarWindow32
API String ID: 4200770845-2283011909
Opcode ID: 65f6a5d4eeba23f3b522d88cd865466af08e00894d6f527c930ecb3ae102d8a1
Instruction ID: 8e83c21de36da96da24615ce6d49c5be81c7e11695a30222c88330553d6dda95
Opcode Fuzzy Hash: 65f6a5d4eeba23f3b522d88cd865466af08e00894d6f527c930ecb3ae102d8a1
Instruction Fuzzy Hash: 78428972301A4086EB22DF66E8547EE63A0FB88B98F014626EF1D47BBADF34C545C744

Function 0000000140055D1C Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 331
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetObjectW.GDI32 ref: 0000000140055DDF
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140055F20
CreateCompatibleDC.GDI32 ref: 0000000140055F28
GetObjectW.GDI32 ref: 0000000140055F48
SelectObject.GDI32 ref: 0000000140055F67
CreateCompatibleBitmap.GDI32 ref: 0000000140055F95
SelectObject.GDI32 ref: 0000000140055FAF
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140055FBE
CreateCompatibleDC.GDI32 ref: 0000000140055FC9
SelectObject.GDI32 ref: 0000000140055FE2
SelectObject.GDI32 ref: 0000000140055FF9
DeleteObject.GDI32 ref: 0000000140056002
BitBlt.GDI32 ref: 000000014005603A
GetPixel.GDI32 ref: 00000001400560AE
SetPixel.GDI32 ref: 0000000140056177
SelectObject.GDI32 ref: 00000001400561A5
SelectObject.GDI32 ref: 00000001400561B3
DeleteObject.GDI32 ref: 00000001400561C0

Strings

, xrefs: 000000014005600D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$Select$Hash$CompatibleCreate$DeleteImplImpl::Pixel$Bitmap
String ID:
API String ID: 158085832-3916222277
Opcode ID: efb5c42627cedbd955019462f6d05fbb9a4aaa42148b74d5df544785b73abe0b
Instruction ID: 99eeaf9b8895d104d218ef974018243be08d9faaa0a8b0a884a57a4064c53aba
Opcode Fuzzy Hash: efb5c42627cedbd955019462f6d05fbb9a4aaa42148b74d5df544785b73abe0b
Instruction Fuzzy Hash: F9E19B32604E8489EB13EB76D8513EAA3A0FB5D7D9F045312EB5A276B5DF35C486C700

Function 0000000140022458 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 233
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateRectRgnIndirect.GDI32 ref: 00000001400224C2
CopyRect.USER32 ref: 00000001400224DB
InflateRect.USER32 ref: 00000001400224F0
IntersectRect.USER32 ref: 0000000140022501
CreateRectRgnIndirect.GDI32 ref: 000000014002250B
CreateRectRgn.GDI32 ref: 0000000140022527
CombineRgn.GDI32 ref: 000000014002254D
CreateRectRgn.GDI32 ref: 00000001400225A5
SetRectRgn.GDI32 ref: 00000001400225D2
CopyRect.USER32 ref: 00000001400225DF
InflateRect.USER32 ref: 00000001400225F5
IntersectRect.USER32 ref: 0000000140022606
SetRectRgn.GDI32 ref: 0000000140022622
CombineRgn.GDI32 ref: 0000000140022637
CreateRectRgn.GDI32 ref: 0000000140022651
CombineRgn.GDI32 ref: 0000000140022672
PatBlt.GDI32 ref: 00000001400226D5

Part of subcall function 00000001400228DC: CreateBitmap.GDI32 ref: 0000000140022944
Part of subcall function 00000001400228DC: CreatePatternBrush.GDI32(?,?,?,?,?,?,?,?,00000003,000000014002255D), ref: 0000000140022955
Part of subcall function 00000001400228DC: DeleteObject.GDI32 ref: 0000000140022965

Part of subcall function 000000014000D0B0: SelectObject.GDI32 ref: 000000014000D0E0
Part of subcall function 000000014000D0B0: SelectObject.GDI32 ref: 000000014000D0FB

Part of subcall function 000000014000CF5C: SelectClipRgn.GDI32 ref: 000000014000CF8C
Part of subcall function 000000014000CF5C: SelectClipRgn.GDI32 ref: 000000014000CFA7

PatBlt.GDI32 ref: 0000000140022741

Strings

I, xrefs: 0000000140022731

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Create$Select$CombineObject$ClipCopyIndirectInflateIntersect$BitmapBrushDeletePattern
String ID: I
API String ID: 1332805902-3707901625
Opcode ID: ef8fb0cda91756c42cfa8309c5ab8f1e6fa52bf173a2abade8255a97459771f3
Instruction ID: fd93339bdc6381e9be9c52a3bc1fae778c8152891c3e626e122623c571ea1298
Opcode Fuzzy Hash: ef8fb0cda91756c42cfa8309c5ab8f1e6fa52bf173a2abade8255a97459771f3
Instruction Fuzzy Hash: D4A12976B05A109AEB11DBB2E8647ED33B1B749B88F404529EF0E67B68DF34C50AC740

Function 0000000140054154 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 330
windowkeyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetKeyState.USER32 ref: 00000001400541BE
GetKeyState.USER32 ref: 00000001400541D2
GetKeyState.USER32 ref: 00000001400541E6
GetParent.USER32 ref: 000000014005421B
GetParent.USER32 ref: 0000000140054274
SendMessageW.USER32 ref: 0000000140054306
ScreenToClient.USER32 ref: 0000000140054336
GetCursorPos.USER32 ref: 00000001400543A9
SendMessageW.USER32 ref: 00000001400543CD
SendMessageW.USER32 ref: 000000014005445E
SendMessageW.USER32 ref: 0000000140054487
SendMessageW.USER32 ref: 00000001400544A6
SetWindowPos.USER32 ref: 00000001400544CA
SendMessageW.USER32 ref: 00000001400544DF
SendMessageW.USER32 ref: 0000000140054519
GetParent.USER32 ref: 00000001400545DE

Strings

@, xrefs: 000000014005434B
H, xrefs: 0000000140054310

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$ParentState$ClientCursorScreenWindow
String ID: @$H
API String ID: 1877249070-104103126
Opcode ID: 440ef4a3d3bf0ff2101bb83e44ddcc2c4d6dbb2aa7ff4181bcfc50e207cda9b9
Instruction ID: 5b75fd50eb17d02226115c2e1bbe668e93884052b1953ff518a82af5c7fdf507
Opcode Fuzzy Hash: 440ef4a3d3bf0ff2101bb83e44ddcc2c4d6dbb2aa7ff4181bcfc50e207cda9b9
Instruction Fuzzy Hash: C1E1C132600AA086FB56DF66E8443ED63A0FB89BE8F044215EF6A477F5EF39C5558700

Function 000000014000C33C Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 230
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32 ref: 000000014000C3AB

Part of subcall function 000000014000BA04: CreateSolidBrush.GDI32 ref: 000000014000BA2B

GetSysColor.USER32 ref: 000000014000C3C2
CreateCompatibleDC.GDI32 ref: 000000014000C3D6
CreateCompatibleDC.GDI32 ref: 000000014000C3F2
GetObjectW.GDI32 ref: 000000014000C419
CreateBitmap.GDI32 ref: 000000014000C43C
CreateBitmap.GDI32 ref: 000000014000C468
SelectObject.GDI32 ref: 000000014000C48A
SelectObject.GDI32 ref: 000000014000C4A3
GetPixel.GDI32 ref: 000000014000C4CF

Part of subcall function 000000014000D19C: SetBkColor.GDI32 ref: 000000014000D1B8
Part of subcall function 000000014000D19C: SetBkColor.GDI32 ref: 000000014000D1C9

BitBlt.GDI32 ref: 000000014000C512
BitBlt.GDI32 ref: 000000014000C555
SelectObject.GDI32 ref: 000000014000C56B
BitBlt.GDI32 ref: 000000014000C5F3
BitBlt.GDI32 ref: 000000014000C632
SelectObject.GDI32 ref: 000000014000C658
SelectObject.GDI32 ref: 000000014000C66E

Strings

, xrefs: 000000014000C4E3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$CreateSelect$Color$BitmapCompatible$BrushPixelSolid
String ID:
API String ID: 3358463585-3916222277
Opcode ID: 2198aa873d2518fe3ff0bef42531d011e94986511fd6c8283cf396c8d376b27b
Instruction ID: ea82424eeb0138a3799dfdb687bff841602ca29b7d329ca7bb0f2a76aa86a2d8
Opcode Fuzzy Hash: 2198aa873d2518fe3ff0bef42531d011e94986511fd6c8283cf396c8d376b27b
Instruction Fuzzy Hash: 28B13776705A408AE711DBA2E454BDD73B1F78DB98F004226AF4A67BA9DF38C905CB40

Function 0000000140058E50 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 260COMMONLIBRARYCODE

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140058EDF
CreateCompatibleDC.GDI32 ref: 0000000140058EE7
GetObjectW.GDI32 ref: 0000000140058F0E
SelectObject.GDI32 ref: 0000000140058F35
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140058F50
CreateCompatibleDC.GDI32 ref: 0000000140058F5B
CreateDIBSection.GDI32 ref: 0000000140058FB5
SelectObject.GDI32 ref: 0000000140058FCB

Strings

, xrefs: 0000000140059008

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Hash$CreateObject$CompatibleImplImpl::Select$Section
String ID:
API String ID: 3132754825-3916222277
Opcode ID: 9adad9477308f0ea49bb8110871884134b4a85d55ea3b7a108f5509707271de5
Instruction ID: a623c9f3b234312bb9267fb468890d3ffea3eebb709374cc70ba855399e4904c
Opcode Fuzzy Hash: 9adad9477308f0ea49bb8110871884134b4a85d55ea3b7a108f5509707271de5
Instruction Fuzzy Hash: 5CC1CE72601A809AEB06DF66E8447DD77A0F78CB98F40422AEF4A57BB4DF39C545CB00

Function 00000001400A5B34 Relevance: 28.8, APIs: 19, Instructions: 278windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 00000001400A5BAB
InvalidateRect.USER32 ref: 00000001400A5BBF
UpdateWindow.USER32 ref: 00000001400A5BC9
GetMessageW.USER32 ref: 00000001400A5C0D
DispatchMessageW.USER32 ref: 00000001400A5C1B
PeekMessageW.USER32 ref: 00000001400A5C32
GetCapture.USER32 ref: 00000001400A5C3C
SetCapture.USER32 ref: 00000001400A5C4B
GetCapture.USER32 ref: 00000001400A5C59
GetWindowRect.USER32 ref: 00000001400A5C83
SetCursorPos.USER32 ref: 00000001400A5CA9
GetCapture.USER32 ref: 00000001400A5CAF
GetMessageW.USER32 ref: 00000001400A5CD2
DispatchMessageW.USER32 ref: 00000001400A5CFA
ReleaseCapture.USER32 ref: 00000001400A5D4B
IsWindow.USER32 ref: 00000001400A5D54
SendMessageW.USER32 ref: 00000001400A5D71
ReleaseCapture.USER32 ref: 00000001400A5ECE
ReleaseCapture.USER32 ref: 00000001400A5F04

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Capture$Message$RectReleaseWindow$Dispatch$CursorInflateInvalidatePeekSendUpdate
String ID:
API String ID: 46364927-0
Opcode ID: d97510085b4eedc005b4885405790316c52be17d2978c9a17015ac6694efa3c2
Instruction ID: 0a1a38dc343bce237dc53d313c16fa463430197bcad9c22bf3bc6b6656d31a97
Opcode Fuzzy Hash: d97510085b4eedc005b4885405790316c52be17d2978c9a17015ac6694efa3c2
Instruction Fuzzy Hash: 0FB1A23171164086FB2AEF67D4547E923A1BBACBC5F084525AF0A0BBB5EF38C585CB40

Function 0000000140043F6C Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140043FAA
GetDlgItem.USER32 ref: 0000000140043FE5
GetWindowRect.USER32 ref: 0000000140043FFD
MapDialogRect.USER32 ref: 0000000140044024
SetWindowPos.USER32 ref: 000000014004405E
GetDlgItem.USER32 ref: 0000000140044070
GetWindowRect.USER32 ref: 0000000140044085
SetWindowPos.USER32 ref: 00000001400440B9
GetWindowRect.USER32 ref: 00000001400440D6
GetWindowRect.USER32 ref: 0000000140044142
GetDlgItem.USER32 ref: 0000000140044159
GetWindowRect.USER32 ref: 000000014004416B
GetDlgItem.USER32 ref: 00000001400441A6
ShowWindow.USER32 ref: 00000001400441B9
EnableWindow.USER32 ref: 00000001400441C4

Strings

, xrefs: 0000000140044122

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-3916222277
Opcode ID: aca1edf9e723c3995af0cf7c133c6e740c3cb8c0b32e3eee46c4cc66b995bcc5
Instruction ID: c12ae9fa98fe6974df5b1e0fb766d38b3a8523942f1976a1cbb18dd410dad488
Opcode Fuzzy Hash: aca1edf9e723c3995af0cf7c133c6e740c3cb8c0b32e3eee46c4cc66b995bcc5
Instruction Fuzzy Hash: D9716A72B206108AFB15CF76E854BAD77A1FB8CB88F455125EE0A17B69DF38D445CB00

Function 00000001400A33EC Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 348windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A3482
GetWindowRect.USER32 ref: 00000001400A34AC
SetRect.USER32 ref: 00000001400A34D5
CreateCompatibleDC.GDI32 ref: 00000001400A34DF
CreateCompatibleBitmap.GDI32 ref: 00000001400A3507
GetWindowRect.USER32 ref: 00000001400A3553
GetClientRect.USER32 ref: 00000001400A3561
OffsetRect.USER32 ref: 00000001400A358F
IsRectEmpty.USER32 ref: 00000001400A35BD
CreateRectRgnIndirect.GDI32 ref: 00000001400A35CA
SetRectEmpty.USER32 ref: 00000001400A3642
InflateRect.USER32 ref: 00000001400A37CD
BitBlt.GDI32 ref: 00000001400A387E

Strings

, xrefs: 00000001400A385C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Create$CompatibleEmptyHashWindow$BitmapClientImplImpl::IndirectInflateOffset
String ID:
API String ID: 908604644-3916222277
Opcode ID: 0e8f1f777a4f7354015892749bcc0ec75c9e2760c74a607c49d26f08d0867d5e
Instruction ID: dc3b60399c2566012df5335b51939818d4bd67b0bfc6c8d4630e19e2f98bba4c
Opcode Fuzzy Hash: 0e8f1f777a4f7354015892749bcc0ec75c9e2760c74a607c49d26f08d0867d5e
Instruction Fuzzy Hash: 7AF18A72610A809AEB11DF66D8447ED77B1F788B98F418216EF5A57BA8DF38C584CB00

Function 00000001400434F8 Relevance: 24.7, APIs: 13, Strings: 1, Instructions: 228memorywindowCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 00000001400435EC
GlobalLock.KERNEL32 ref: 00000001400435F8
GlobalUnlock.KERNEL32 ref: 000000014004360C
SetPropW.USER32 ref: 0000000140043620
GlobalFree.KERNEL32 ref: 000000014004362D
IsWindowEnabled.USER32 ref: 00000001400436ED
EnableWindow.USER32 ref: 00000001400436FC
GetCapture.USER32 ref: 0000000140043708
SendMessageW.USER32 ref: 0000000140043720
EnableWindow.USER32 ref: 0000000140043816
GetActiveWindow.USER32 ref: 0000000140043821
SetActiveWindow.USER32 ref: 0000000140043830
EnableWindow.USER32 ref: 000000014004386F

Strings

, xrefs: 000000014004353C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Global$Enable$Active$AllocCaptureEnabledFreeLockMessagePropSendUnlock
String ID:
API String ID: 2841214920-3916222277
Opcode ID: 8c3ca40c8a242277523197acc9990ac38a067073b2271e4114e9cb9ea99b96d0
Instruction ID: ea92d0495f02a3a80562307eee3233a876197af90ec1d6cb9931815e07c1c077
Opcode Fuzzy Hash: 8c3ca40c8a242277523197acc9990ac38a067073b2271e4114e9cb9ea99b96d0
Instruction Fuzzy Hash: 26A1A13270468086FB5AAF23E5443ED62A0FB88FD4F099138EB5A477B5DF79C4568B04

Function 000000014002CBC8 Relevance: 24.3, APIs: 16, Instructions: 260windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014002CC57
RedrawWindow.USER32 ref: 000000014002CC7A
ReleaseCapture.USER32 ref: 000000014002CC80
SetCapture.USER32 ref: 000000014002CC96
ReleaseCapture.USER32 ref: 000000014002CD10
SetCapture.USER32 ref: 000000014002CD26
GetParent.USER32 ref: 000000014002CDF7
SendMessageW.USER32 ref: 000000014002CE17
UpdateWindow.USER32 ref: 000000014002CE8B
GetParent.USER32 ref: 000000014002CED5
SendMessageW.USER32 ref: 000000014002CEF2
IsWindow.USER32 ref: 000000014002CEFD
IsIconic.USER32 ref: 000000014002CF0A
IsZoomed.USER32 ref: 000000014002CF17
IsWindow.USER32 ref: 000000014002CF2D
UpdateWindow.USER32 ref: 000000014002CF82

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Capture$MessageParentReleaseSendUpdate$EmptyIconicRectRedrawZoomed
String ID:
API String ID: 2018715887-0
Opcode ID: 840b2d57ef783d19045f191a6c50fda9d96da0e9b2c6de4edcd02d6bf6af0697
Instruction ID: 9fd3f791537e7d248473566b2107c5ba605ce09036645352d43beb31acfa37b5
Opcode Fuzzy Hash: 840b2d57ef783d19045f191a6c50fda9d96da0e9b2c6de4edcd02d6bf6af0697
Instruction Fuzzy Hash: 12B14A36211A8086EB56DF67D8547E927A1FB88FD4F14403AEF0A877B5DF39C8468740

Function 01F9ED30 Relevance: 24.1, APIs: 9, Strings: 4, Instructions: 1310COMMONLIBRARYCODE

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 01F9ED79
_invalid_parameter_noinfo.LIBCMT ref: 01F9F3F2
memcpy_s.LIBCMT ref: 01F9FD9F
memcpy_s.LIBCMT ref: 01F9FE46

Part of subcall function 01FA009C: _invalid_parameter_noinfo.LIBCMT ref: 01FA00CE

memcpy_s.LIBCMT ref: 01F9FF0F

Part of subcall function 01F964E0: _invalid_parameter_noinfo.LIBCMT ref: 01F96505

Strings

1#IND, xrefs: 01F9FF8A
1#SNAN, xrefs: 01F9FFA9
1#INF, xrefs: 01F9FFE7
1#QNAN, xrefs: 01F9FFC8

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 281475176-2761157908
Opcode ID: cbd938d453940545fe735cf3892703029be36798bb48348ad821bbe42d93bb3d
Instruction ID: 1cc0e63e58f7e984d31f88b0e537148ba7a69aedc09f1d398c3d5813b11ddaac
Opcode Fuzzy Hash: cbd938d453940545fe735cf3892703029be36798bb48348ad821bbe42d93bb3d
Instruction Fuzzy Hash: 55A2F2B3B102818BEB26EE69D840BED3FA5F78878CF545125DB169BB08DB36C545CB40

Function 0000000140037DE0 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 383windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140037E25
SetRectEmpty.USER32 ref: 0000000140037E76
MapWindowPoints.USER32 ref: 0000000140037ED7
MapWindowPoints.USER32 ref: 0000000140037F73
GetWindowRect.USER32 ref: 0000000140037F95
BitBlt.GDI32 ref: 0000000140037FD3

Part of subcall function 00000001400B2C28: UnionRect.USER32 ref: 00000001400B2CB7
Part of subcall function 00000001400B2C28: EqualRect.USER32 ref: 00000001400B2CC5
Part of subcall function 00000001400B2C28: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400B2CE7
Part of subcall function 00000001400B2C28: CreateCompatibleDC.GDI32 ref: 00000001400B2CFE
Part of subcall function 00000001400B2C28: CreateCompatibleBitmap.GDI32 ref: 00000001400B2D35

OffsetRect.USER32 ref: 000000014003808E
InflateRect.USER32 ref: 00000001400380D9
IsRectEmpty.USER32 ref: 00000001400381E4
IsRectEmpty.USER32 ref: 0000000140038343

Strings

, xrefs: 0000000140037FAD
d, xrefs: 0000000140038052
A, xrefs: 000000014003804A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$EmptyWindow$CompatibleCreateHashPoints$BitmapClientEqualImplImpl::InflateOffsetUnion
String ID: $A$d
API String ID: 2947425956-3806085984
Opcode ID: 86cba7d9890d53ef98223401bce7fbabde46de7a915f6ae31f03c91d13e11f79
Instruction ID: e2a6bb914b6dbca53446dd7b11fd88bfac12d73b5715e4620225f9241256bf53
Opcode Fuzzy Hash: 86cba7d9890d53ef98223401bce7fbabde46de7a915f6ae31f03c91d13e11f79
Instruction Fuzzy Hash: C4027F72B00A818AEB22CF66D4547DD73A5F78DB88F05822AEF4957B68EF34C645C740

Function 00000001400E8E28 Relevance: 22.7, APIs: 15, Instructions: 196windowstringCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400E8E8D
SendMessageW.USER32 ref: 00000001400E8EA4
SendMessageW.USER32 ref: 00000001400E8F68
SendMessageW.USER32 ref: 00000001400E8F83
SendMessageW.USER32 ref: 00000001400E8F9E
SHGetFileInfoW.SHELL32 ref: 00000001400E8FDB
SHGetFileInfoW.SHELL32 ref: 00000001400E8FFD
lstrcmpiW.KERNEL32 ref: 00000001400E9013
SendMessageW.USER32 ref: 00000001400E9036

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$FileInfo$lstrcmpi
String ID:
API String ID: 1078704388-0
Opcode ID: 545ed5be1320c0572bb43a5f9dea9c1754ff8b5e088a5340c35e5ce2ee32e28c
Instruction ID: 1d2029dd6222e4d1e30a87af6bfe81f1e397c0bd846c7a0d063545e453583d3a
Opcode Fuzzy Hash: 545ed5be1320c0572bb43a5f9dea9c1754ff8b5e088a5340c35e5ce2ee32e28c
Instruction Fuzzy Hash: 4D816C72310A9086EB16DB63E8547EA63A1F789FD4F408026EF0957BB4DF39C946CB40

Function 00000001400353CC Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 424keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000000140035449
GetAsyncKeyState.USER32 ref: 00000001400354B7
IsRectEmpty.USER32 ref: 0000000140035596
IsRectEmpty.USER32 ref: 000000014003565C
SendMessageW.USER32 ref: 0000000140035793
GetParent.USER32 ref: 0000000140035880
SendMessageW.USER32 ref: 00000001400358A0
GetClientRect.USER32 ref: 0000000140035908
InvalidateRect.USER32 ref: 0000000140035942
InvalidateRect.USER32 ref: 0000000140035953
UpdateWindow.USER32 ref: 000000014003595D

Strings

(, xrefs: 0000000140035437

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientParentUpdateWindow
String ID: (
API String ID: 85486465-3887548279
Opcode ID: 3df486c60659d65cff9381ee050f859540029e1387fc3c9f861e443fa0b9e36f
Instruction ID: eb02caac13aaa803827fd02787acad702bc565dce28d0df136c09224067e1b72
Opcode Fuzzy Hash: 3df486c60659d65cff9381ee050f859540029e1387fc3c9f861e443fa0b9e36f
Instruction Fuzzy Hash: 3D027D72A01A5186FB67AF27D4543EE23A0B74DFDAF484126EF0A677B4DB34C8818740

Function 000000014003A9A0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 188timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014003A9EF
ScreenToClient.USER32 ref: 000000014003A9FE
PtInRect.USER32 ref: 000000014003AA32
PtInRect.USER32 ref: 000000014003AA58
KillTimer.USER32 ref: 000000014003AA9F
InvalidateRect.USER32 ref: 000000014003AAB8
InvalidateRect.USER32 ref: 000000014003AACB
KillTimer.USER32 ref: 000000014003AC08
ValidateRect.USER32 ref: 000000014003AC3D
RedrawWindow.USER32 ref: 000000014003AC83

Strings

_, xrefs: 000000014003AC1C
d, xrefs: 000000014003ABCF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
String ID: _$d
API String ID: 1459077570-597095544
Opcode ID: 32bc64324c01dfdbacdb9dba35f3749f19567d86dc10af6dc8392a4f90b4524d
Instruction ID: d27cacdcabcff83e76af28bc53cfa0f3110760ee2e45aaf83617e7a4dfb5a7fb
Opcode Fuzzy Hash: 32bc64324c01dfdbacdb9dba35f3749f19567d86dc10af6dc8392a4f90b4524d
Instruction Fuzzy Hash: 68916C7660068486EB56DF36D9553EE77A1F78AFC4F08813AEF0A87669CB39C541CB00

Function 000000014003C6D0 Relevance: 19.7, APIs: 13, Instructions: 243windowCOMMON

Download Yara Rule

APIs

GetMessageW.USER32 ref: 000000014003C725
DispatchMessageW.USER32 ref: 000000014003C737
PeekMessageW.USER32 ref: 000000014003C74D
GetCapture.USER32 ref: 000000014003C757
SetCapture.USER32 ref: 000000014003C76A
GetWindowRect.USER32 ref: 000000014003C78B
GetCapture.USER32 ref: 000000014003C7E9
GetMessageW.USER32 ref: 000000014003C80C
DispatchMessageW.USER32 ref: 000000014003C831
GetScrollPos.USER32 ref: 000000014003C947
RedrawWindow.USER32 ref: 000000014003C96F
ReleaseCapture.USER32 ref: 000000014003CA17
IsWindow.USER32 ref: 000000014003CA20

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$Capture$Window$Dispatch$PeekRectRedrawReleaseScroll
String ID:
API String ID: 1873598099-0
Opcode ID: bd6a7f64ec61b3be084c4304230f870ea6e861f32d06a76e28e03853866592c8
Instruction ID: 3fad9c492560414471fcda514a2627918d7e9857f0a426b58975cc21658da4fe
Opcode Fuzzy Hash: bd6a7f64ec61b3be084c4304230f870ea6e861f32d06a76e28e03853866592c8
Instruction Fuzzy Hash: 4DB14836311A408AEB1ADF76D594BEE63A1FB88BC4F05402AEF1A937A4DF34D5658700

Function 00000001400383C4 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 310windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140038411
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140038439
CreateCompatibleDC.GDI32 ref: 000000014003844C
CreateCompatibleBitmap.GDI32 ref: 00000001400384BA
CreateDIBSection.GDI32 ref: 0000000140038530
CreateDIBSection.GDI32 ref: 0000000140038575
CreateDIBSection.GDI32 ref: 00000001400385B7
BitBlt.GDI32 ref: 0000000140038633
GetWindowRect.USER32 ref: 000000014003869E
BitBlt.GDI32 ref: 0000000140038861

Strings

, xrefs: 0000000140038839

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Create$Section$CompatibleHashRect$BitmapClientImplImpl::Window
String ID:
API String ID: 338417164-3916222277
Opcode ID: 91d5c828a88f246f85c766838bbb24848ea88250a317586885f0cfd740110548
Instruction ID: e713f42b66f4f40f3ab376caf7f030577182eb5be556329c4f1c5d71f887ec8f
Opcode Fuzzy Hash: 91d5c828a88f246f85c766838bbb24848ea88250a317586885f0cfd740110548
Instruction Fuzzy Hash: 40E14476701B808AEB22DB66E4407DE77B1F788BC8F14411AAF4A57B68DF38C545CB40

Function 000000014001A0EC Relevance: 18.1, APIs: 12, Instructions: 140windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001A07C: LoadCursorW.USER32 ref: 000000014001A096
Part of subcall function 000000014001A07C: LoadCursorW.USER32 ref: 000000014001A0B6

PeekMessageW.USER32 ref: 000000014001A135
PostMessageW.USER32 ref: 000000014001A1AA
SendMessageW.USER32 ref: 000000014001A1CA
GetCursorPos.USER32 ref: 000000014001A1F0
PeekMessageW.USER32 ref: 000000014001A22D
WaitMessage.USER32 ref: 000000014001A268
ReleaseCapture.USER32 ref: 000000014001A284
SetCapture.USER32 ref: 000000014001A28E
ReleaseCapture.USER32 ref: 000000014001A29C
SendMessageW.USER32 ref: 000000014001A2B1
SendMessageW.USER32 ref: 000000014001A2E9
PostMessageW.USER32 ref: 000000014001A314

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$CaptureCursorSend$LoadPeekPostRelease$Wait
String ID:
API String ID: 2899155438-0
Opcode ID: 1f21d368ec8e2af2c142ec0b9d6607f6143359d373fd9af3af305c4f6adfda1c
Instruction ID: 394b7d74709b21be59f7dbc8c18816629fd9b17fda5d75144e8947ee4f80576e
Opcode Fuzzy Hash: 1f21d368ec8e2af2c142ec0b9d6607f6143359d373fd9af3af305c4f6adfda1c
Instruction Fuzzy Hash: B2516E3630068086EB628F66D4547ED27A1FB8DF89F158125EF4A4B7A8DF3AC445C700

Function 000000014003404C Relevance: 17.9, APIs: 7, Strings: 3, Instructions: 409windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014003411C
SendMessageW.USER32 ref: 0000000140034182
GetMenuItemCount.USER32 ref: 000000014003418C

Strings

@, xrefs: 00000001400345D7
P, xrefs: 000000014003423D
7, xrefs: 000000014003424E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CountItemMenuMessageParentSend
String ID: 7$@$P
API String ID: 3902472779-275420784
Opcode ID: 37ac9e5bc08877b698ed11050529d543d99855b51fe71f2188a4eeb8a05c2041
Instruction ID: 479ca43c7a6472089dd8b2bb4a83e811beb20ba7cef3ed937b8a3fc6087428ab
Opcode Fuzzy Hash: 37ac9e5bc08877b698ed11050529d543d99855b51fe71f2188a4eeb8a05c2041
Instruction Fuzzy Hash: F8028E32701A418AEB5BDFA6D4503EA63A1FB88BD4F144129EB1A477E5EF38D941CB00

Function 000000014005948C Relevance: 16.7, APIs: 11, Instructions: 240COMMONLIBRARYCODE

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 000000014005952C
wcsstr.LIBVCRUNTIME ref: 000000014005955A
wcsstr.LIBVCRUNTIME ref: 0000000140059588
GetModuleFileNameW.KERNEL32 ref: 00000001400595B5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: wcsstr$FileModuleName
String ID:
API String ID: 4197323741-0
Opcode ID: 43ef2104160db3284588fe98d8f9832c79f6e955c330a127082c5347898bea1d
Instruction ID: bcd367a7d35c0698ad8721c801ff5362737d2900b5d3019841608921fcbb0b73
Opcode Fuzzy Hash: 43ef2104160db3284588fe98d8f9832c79f6e955c330a127082c5347898bea1d
Instruction Fuzzy Hash: B3A1A032300B8086EB26DF26E8507DE73A1F788BE4F540216EB9947BA5DF39C555CB00

Function 00000001400373BC Relevance: 16.1, APIs: 8, Strings: 1, Instructions: 310windowtimeCOMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 0000000140037479
GetClientRect.USER32 ref: 00000001400374C9
GetParent.USER32 ref: 00000001400375D0
GetParent.USER32 ref: 00000001400375F8
IsWindowVisible.USER32 ref: 000000014003774B
SetTimer.USER32 ref: 0000000140037772
InvalidateRect.USER32 ref: 00000001400377EF
UpdateWindow.USER32 ref: 00000001400377F9

Strings

S, xrefs: 00000001400377B5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ParentRectWindow$ClientCursorInvalidateLoadTimerUpdateVisible
String ID: S
API String ID: 3271334996-543223747
Opcode ID: 9573f4f3c24a48d172b3b60fce542401dd25cbb20809ec77bb7c833b67e0e69e
Instruction ID: f7571817cd280b66c9a57d390288b5a3cef7a135f7c25ad2d409533074c1137b
Opcode Fuzzy Hash: 9573f4f3c24a48d172b3b60fce542401dd25cbb20809ec77bb7c833b67e0e69e
Instruction Fuzzy Hash: A2D15E72601A4086EB6ADF67E850BEE77A0F748B94F04462AEF6E537A5DF38C441C700

Function 0000000140020280 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 445windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140020506
SendMessageW.USER32 ref: 00000001400206BE
InvalidateRect.USER32 ref: 00000001400206DF
UpdateWindow.USER32 ref: 00000001400206FB
SendMessageW.USER32 ref: 00000001400207D5
InvalidateRect.USER32 ref: 00000001400207F7
UpdateWindow.USER32 ref: 0000000140020813

Strings

:/\, xrefs: 0000000140020559

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$InvalidateRectUpdateWindow
String ID: :/\
API String ID: 464723990-2793184486
Opcode ID: 5c2fc81c2bcdb5af23a34dfc6a2adbbd963fef3510dc0ff0fb1bb60ce27dfd33
Instruction ID: 92098700e4355b7c98ff330e91a1cb83e6e3b7e60ac9b66f6ea71ff1b2fa83fe
Opcode Fuzzy Hash: 5c2fc81c2bcdb5af23a34dfc6a2adbbd963fef3510dc0ff0fb1bb60ce27dfd33
Instruction Fuzzy Hash: 13124B72301B4582EB05DB2AD4503DE67A0FB89FE4F458226EB5E477A6DF38C989C740

Function 00000001400453F4 Relevance: 14.0, Strings: 11, Instructions: 202COMMON

Download Yara Rule

Strings

MFCEditBrowse, xrefs: 0000000140045495
MFCLink, xrefs: 000000014004550B
MFCPropertyGrid, xrefs: 00000001400455BC
MFCColorButton, xrefs: 000000014004545A
MFCFontComboBox, xrefs: 00000001400454D0
MFCVSListBox, xrefs: 0000000140045667
MFCButton, xrefs: 000000014004541F
MFCMaskedEdit, xrefs: 0000000140045546
MFCShellList, xrefs: 00000001400455F7
MFCMenuButton, xrefs: 0000000140045581
MFCShellTree, xrefs: 000000014004562F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Decorator::getTableType
String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
API String ID: 4116345634-2110171958
Opcode ID: 8ad33ab063794da2fad0ebcee4f886fe2b80bbec5d6f4d27e48d0a6a5192573c
Instruction ID: 48a40ad64c89a4c7de97c4d99d0782f31d8150c30e3e3ade3439990b7eb3db58
Opcode Fuzzy Hash: 8ad33ab063794da2fad0ebcee4f886fe2b80bbec5d6f4d27e48d0a6a5192573c
Instruction Fuzzy Hash: 91810C71202F0185FA57BB6794613E922D19B8DBD9F460539BB1E4B3F7EF38C5408298

Function 000000014002D6B0 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BB88: GetWindowDC.USER32(?,?,?,?,?,0000000140040940), ref: 000000014000BBC7

GetClientRect.USER32 ref: 000000014005F4DB
GetWindowRect.USER32 ref: 000000014005F4F5

Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF1D
Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF2E

OffsetRect.USER32 ref: 000000014005F518

Part of subcall function 000000014000C9C8: ExcludeClipRect.GDI32 ref: 000000014000C9F5
Part of subcall function 000000014000C9C8: ExcludeClipRect.GDI32 ref: 000000014000CA15

GetWindowRect.USER32 ref: 000000014005F579
GetRgnBox.GDI32 ref: 000000014005F594
OffsetRect.USER32 ref: 000000014005F5AE
CreateRectRgnIndirect.GDI32 ref: 000000014005F5C7

Part of subcall function 000000014000CFC0: ExtSelectClipRgn.GDI32 ref: 000000014000CFF8
Part of subcall function 000000014000CFC0: ExtSelectClipRgn.GDI32 ref: 000000014000D016

OffsetRgn.GDI32 ref: 000000014005F612
OffsetRect.USER32 ref: 000000014005F63A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClipOffset$ClientWindow$ExcludeScreenSelect$CreateIndirect
String ID:
API String ID: 3873550030-0
Opcode ID: faa349b0afe143a64bf96fe814c247681ce3e023c90bd03e9fbe8581de177a92
Instruction ID: d4371d1973dd4d747df52c83eda0bf82844ccc95c60bde1135f6b0e1d7f196b6
Opcode Fuzzy Hash: faa349b0afe143a64bf96fe814c247681ce3e023c90bd03e9fbe8581de177a92
Instruction Fuzzy Hash: B4913672710A859AEB01DFB6D4917EC3371F789B8CF508216EB0967AA8EF34C545C380

Function 0000000140056A50 Relevance: 13.7, APIs: 9, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BB88: GetWindowDC.USER32(?,?,?,?,?,0000000140040940), ref: 000000014000BBC7

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140056A98
CreateCompatibleDC.GDI32 ref: 0000000140056AA0
CreateCompatibleBitmap.GDI32 ref: 0000000140056AD4
FillRect.USER32 ref: 0000000140056B94
OpenClipboard.USER32 ref: 0000000140056C3B

Part of subcall function 000000014000BC3C: DeleteDC.GDI32 ref: 000000014000BC63

Part of subcall function 000000014000BCC4: ReleaseDC.USER32 ref: 000000014000BCED

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CompatibleCreateHash$BitmapClipboardDeleteFillImplImpl::OpenRectReleaseWindow
String ID:
API String ID: 260565351-0
Opcode ID: 34038532780f34cd025fe33936e7e63e17e1d28084cf5a86deb84537d3a8e286
Instruction ID: b653e2b17f38186505b667d3b7acad3389e1a284cc89dcfce3fdc11e037db332
Opcode Fuzzy Hash: 34038532780f34cd025fe33936e7e63e17e1d28084cf5a86deb84537d3a8e286
Instruction Fuzzy Hash: B2818F72215A8086E722EB62E4517EE63A1F7897D0F405626EB8D43BFADF39C504CB00

Function 0000000140009FF0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,00000001400095C7), ref: 000000014000A03D
ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,00000001400095C7), ref: 000000014000A062
GetLastError.KERNEL32(?,?,?,?,?,?,?,00000001400095C7), ref: 000000014000A0C7
DeactivateActCtx.KERNEL32(?,?,?,?,?,?,?,00000001400095C7), ref: 000000014000A0DA
SetLastError.KERNEL32(?,?,?,?,?,?,?,00000001400095C7), ref: 000000014000A0E6

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000A036
ImageList_Create, xrefs: 000000014000A07F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_Create$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-362805969
Opcode ID: 2a05923f2dba389d1f7c761849a31054097a31a9e264a6f022cdc543d13f9c8e
Instruction ID: dfcd47bab0834e25570a06be83970d484f7ab850f0cd8368954765151cbdf7bc
Opcode Fuzzy Hash: 2a05923f2dba389d1f7c761849a31054097a31a9e264a6f022cdc543d13f9c8e
Instruction Fuzzy Hash: E2317C72711B5582FB52DB67B84479A62E4BB8CBD0F09412AEF4A837B4DF78C841CB44

Function 000000014001C3CC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,000000014000674E), ref: 000000014001C405
GetProcAddress.KERNEL32(?,000000014000674E), ref: 000000014001C41A
EncodePointer.KERNEL32(?,000000014000674E), ref: 000000014001C426
DecodePointer.KERNEL32(00000000,?,?,000000014000674E), ref: 000000014001C435
GetLocaleInfoW.KERNEL32(?,000000014000674E), ref: 000000014001C486

Strings

kernel32.dll, xrefs: 000000014001C3FE
GetLocaleInfoEx, xrefs: 000000014001C410

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
String ID: GetLocaleInfoEx$kernel32.dll
API String ID: 1461536855-1547310189
Opcode ID: 13dd2e54332ab7c2048426425e52702dff17ed7a23609e0b9d2a6e5e29ce8b67
Instruction ID: 47ed3f158073762e726bfdaea2a4811f3c6e42d971ef3175e31d7cda1f5e2575
Opcode Fuzzy Hash: 13dd2e54332ab7c2048426425e52702dff17ed7a23609e0b9d2a6e5e29ce8b67
Instruction Fuzzy Hash: 6F216D74719B5083EA169F93B854BA9B6A0B78DFD0F444429EF4A07B75EF39C4428604

Function 000000014000ADB4 Relevance: 12.2, APIs: 8, Instructions: 236filecommemoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014000AE4B
CopyMetaFileW.GDI32 ref: 000000014000AE5A
GlobalUnlock.KERNEL32 ref: 000000014000AE6C
GlobalFree.KERNEL32 ref: 000000014000AE75
GlobalUnlock.KERNEL32 ref: 000000014000AE7D
CoTaskMemAlloc.OLE32 ref: 000000014000AF00
OleDuplicateData.OLE32 ref: 000000014000AF6E
CopyFileW.KERNEL32 ref: 000000014000B081

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$CopyFileUnlock$AllocDataDuplicateFreeLockMetaTask
String ID:
API String ID: 2948460001-0
Opcode ID: bc7d56cd94a6043e31c8d858802cdebdae241862db9542c370b83e7de60226a2
Instruction ID: 6fbd846b068c7ded436b0306639c76601c3f5343e4e5ea0fa3182d64fd028905
Opcode Fuzzy Hash: bc7d56cd94a6043e31c8d858802cdebdae241862db9542c370b83e7de60226a2
Instruction Fuzzy Hash: 8DA140B6211A4182EB66DF2BE4557AD73A0F78DFD0F048625AF5A43BA4DF39C494C700

Function 0000000140082020 Relevance: 10.8, APIs: 7, Instructions: 270COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400820A3
EqualRect.USER32 ref: 00000001400820CE
BeginDeferWindowPos.USER32 ref: 00000001400820DB
EndDeferWindowPos.USER32 ref: 0000000140082107

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Part of subcall function 0000000140082778: SetRectEmpty.USER32 ref: 000000014008278B
Part of subcall function 0000000140082778: GetWindowRect.USER32(?,?,00000000,00000001400823FD,?,?,00000000,0000000140026780), ref: 00000001400827A1

GetWindowRect.USER32 ref: 0000000140082392
InflateRect.USER32 ref: 00000001400823BD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Window$Defer$BeginEmptyEqualExceptionInflateThrow
String ID:
API String ID: 2311600727-0
Opcode ID: 30f278f615bfbfe56d196cc95eb49bdd2787b0333af78f887e91e745952819d8
Instruction ID: 57a10aa903bc415909f41d5f8a3ce2bdb7725bb30456b9b950aa53b95de25ccb
Opcode Fuzzy Hash: 30f278f615bfbfe56d196cc95eb49bdd2787b0333af78f887e91e745952819d8
Instruction Fuzzy Hash: 9AB15C33614A4486EB66DB67E8447AE73A0F78CBC4F184225FF9917A69DF38D641CB00

Function 0000000140047788 Relevance: 10.7, APIs: 7, Instructions: 220windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400477FD
SendMessageW.USER32 ref: 000000014004781C
GetDesktopWindow.USER32 ref: 0000000140047822
SendMessageW.USER32 ref: 0000000140047850

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

GetWindow.USER32 ref: 000000014004785E
SendMessageW.USER32 ref: 000000014004791F
PostMessageW.USER32 ref: 0000000140047A6B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$Send$Window$DesktopExceptionPostThrow
String ID:
API String ID: 3673608945-0
Opcode ID: 022d448822308bfca79a089cd32eb266ef2676c8d36c772d008a78b6f8c056e9
Instruction ID: 950831fc7661cf28cd0e235cd58f9a9ba5a2fca497781c2a4f8ccfe46044ac8f
Opcode Fuzzy Hash: 022d448822308bfca79a089cd32eb266ef2676c8d36c772d008a78b6f8c056e9
Instruction Fuzzy Hash: C9818F32704B8482EA669B63E5547ED63A0EB8CFC4F4A8135EF4E07BA9DF39C4458744

Function 0000000140015FF8 Relevance: 10.6, APIs: 7, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140016040
PeekMessageW.USER32 ref: 000000014001606A
UpdateWindow.USER32 ref: 0000000140016087
SendMessageW.USER32 ref: 00000001400160AC
SendMessageW.USER32 ref: 00000001400160C7
UpdateWindow.USER32 ref: 000000014001610F
PeekMessageW.USER32 ref: 0000000140016148

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$PeekSendUpdateWindow$Parent
String ID:
API String ID: 2799049384-0
Opcode ID: 3334fec76029ddf88cb4ab3a0f963083dc55cf43a5c0d0a04d6761ad9d2e27f6
Instruction ID: 9dfd5830ac685575291f5292817f7fa08943f7c5ef1e5a707356792b76139a63
Opcode Fuzzy Hash: 3334fec76029ddf88cb4ab3a0f963083dc55cf43a5c0d0a04d6761ad9d2e27f6
Instruction Fuzzy Hash: B441D43261065082FB679FB7AC457AB6290BB8DFC9F488015BF454B6B5DF3ACC828700

Function 000000014004E138 Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014004E198
SendMessageW.USER32 ref: 000000014004E1C9
SendMessageW.USER32 ref: 000000014004E21B
RedrawWindow.USER32 ref: 000000014004E230
GetParent.USER32 ref: 000000014004E279
GetParent.USER32 ref: 000000014004E290
SendMessageW.USER32 ref: 000000014004E2AE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$Parent$RedrawWindow
String ID:
API String ID: 601679388-0
Opcode ID: 4f4a91adcf430e0970bafca307fd03c057aa2b63c5908815f256f1ac8dd3775e
Instruction ID: dca5f3e95a575802b0ea26771a6722c36ed0b1afdb253114a7b3ad1605e3e147
Opcode Fuzzy Hash: 4f4a91adcf430e0970bafca307fd03c057aa2b63c5908815f256f1ac8dd3775e
Instruction Fuzzy Hash: D2418A36210A9082EB269F67EA547E927A0FB8DFD4F094131EF0A477B9DE79C8418704

Function 0000000140027588 Relevance: 9.6, APIs: 6, Instructions: 606COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140027616

Part of subcall function 000000014003ED04: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014003ED4D
Part of subcall function 000000014003ED04: GetClientRect.USER32 ref: 000000014003ED7B

GetClientRect.USER32 ref: 00000001400276E9
SetRectEmpty.USER32 ref: 0000000140027AED
IntersectRect.USER32 ref: 0000000140027B6A
InflateRect.USER32 ref: 0000000140027E96
IntersectRect.USER32 ref: 0000000140027B24

Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FC04
Part of subcall function 000000014003FB98: VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
Part of subcall function 000000014003FB98: GetSystemMetrics.USER32 ref: 000000014003FC28

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Client$ConditionHashIntersectMask$EmptyImplImpl::InflateInfoMetricsSystemVerifyVersion
String ID:
API String ID: 1165222285-0
Opcode ID: fe59cf1c9e77cf6f0eb68a3c2a80e06b1e145d161998a9269a459efe5df62290
Instruction ID: 8525df5ae14f949d1db6d7a753b25d3a94c8239a1802831817dff6d2ec884044
Opcode Fuzzy Hash: fe59cf1c9e77cf6f0eb68a3c2a80e06b1e145d161998a9269a459efe5df62290
Instruction Fuzzy Hash: 4A529D72611A5496EB56DB26D844BED73B0FB4DBC4F40822AEF0E17AB4DB79C894C700

Function 000000014002649C Relevance: 9.3, APIs: 6, Instructions: 273COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140026525
GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140025DFD), ref: 000000014002653B
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140025DFD), ref: 0000000140026587
GetParent.USER32 ref: 0000000140026591
GetParent.USER32 ref: 000000014002681A
RedrawWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140025DFD), ref: 0000000140026848

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 6e47a9b2fdc5208ac4f7bb5fbe68087d76b8e3e8a7ec3623498a8681cd50910c
Instruction ID: 29384d7d4a60db6f6cd6d73db1d62393d3978f20269690bd32230ea7599aa186
Opcode Fuzzy Hash: 6e47a9b2fdc5208ac4f7bb5fbe68087d76b8e3e8a7ec3623498a8681cd50910c
Instruction Fuzzy Hash: 39C11832B146508AFB65CB76E4947ED67B0E78CB88F144129EF4A57BA8DF38D841CB00

Function 000000014003E654 Relevance: 9.2, APIs: 6, Instructions: 212fileCOMMON

Download Yara Rule

APIs

PathIsUNCW.SHLWAPI ref: 000000014003E79B
GetVolumeInformationW.KERNEL32 ref: 000000014003E7D1
CharUpperW.USER32 ref: 000000014003E815
FindFirstFileW.KERNEL32 ref: 000000014003E82F
FindClose.KERNEL32 ref: 000000014003E842
GetFullPathNameW.KERNEL32 ref: 000000014003E6CB

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: FindPath$CharCloseExceptionFileFirstFullInformationNameThrowUpperVolume
String ID:
API String ID: 2923705660-0
Opcode ID: c00fc559f94535ef126cc0aad242e25ff01d8b91cef09d248d17149595c298a5
Instruction ID: 0790d5a11c85892136c4fc3d24c247606543f7a6bee57b2a99b222406952f12c
Opcode Fuzzy Hash: c00fc559f94535ef126cc0aad242e25ff01d8b91cef09d248d17149595c298a5
Instruction Fuzzy Hash: 2471A17170468042FA67AB6BA8453EE6391BB89BE4F544712FF2987AF5DF38C9418700

Function 0000000140096E18 Relevance: 9.2, APIs: 6, Instructions: 194windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0000000140096EAB
GetMenuItemID.USER32 ref: 0000000140096EC2
GetMenuItemCount.USER32 ref: 0000000140096F02
GetMenuItemID.USER32 ref: 0000000140096F26
SendMessageW.USER32 ref: 0000000140096F85
GetMenuState.USER32 ref: 0000000140096FF7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$Item$Count$MessageSendState
String ID:
API String ID: 1967460588-0
Opcode ID: 2484e6b923619e230d70a39272f2155e785d9204016edbd679025db823ab5a46
Instruction ID: 60ad5f70496ab6e6b6eda37e542d82b7c94433859871b4b11cbdb568bb67c32f
Opcode Fuzzy Hash: 2484e6b923619e230d70a39272f2155e785d9204016edbd679025db823ab5a46
Instruction Fuzzy Hash: 7471D437201A8082FB669B27D850BEA6391F789BE4F045225BF2A477F5DF78C981C740

Function 000000014018A7FC Relevance: 9.1, APIs: 6, Instructions: 83COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlCaptureContext.KERNEL32 ref: 000000014018A875
RtlLookupFunctionEntry.KERNEL32 ref: 000000014018A88D
RtlVirtualUnwind.KERNEL32 ref: 000000014018A8C8
IsDebuggerPresent.KERNEL32 ref: 000000014018A901
SetUnhandledExceptionFilter.KERNEL32 ref: 000000014018A90B
UnhandledExceptionFilter.KERNEL32 ref: 000000014018A916

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
String ID:
API String ID: 1239891234-0
Opcode ID: e301866b8c970f46446eaf796422c3f3e662e7a2f9dd2b584bf9d3e6e7943977
Instruction ID: 7843d5eda403d0103237347a3bd521153c4c8d3e9dc09a1683223f56aeae6fe3
Opcode Fuzzy Hash: e301866b8c970f46446eaf796422c3f3e662e7a2f9dd2b584bf9d3e6e7943977
Instruction Fuzzy Hash: 7E314037214B8086EB61CF66E8443DE73A4FB89B54F50011AEB9D43BA9DF38C655CB00

Function 000000014003E924 Relevance: 7.6, APIs: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008FA8: OutputDebugStringA.KERNEL32 ref: 0000000140008FC6
Part of subcall function 0000000140008FA8: ActivateActCtx.KERNEL32 ref: 0000000140008FE7

LoadLibraryW.KERNEL32(?,?,?,?,?,000000014003EA72,?,00000000), ref: 000000014003E96A
GetProcAddress.KERNEL32(?,?,?,?,?,000000014003EA72,?,00000000), ref: 000000014003E981
GetLastError.KERNEL32(?,?,?,?,?,000000014003EA72,?,00000000), ref: 000000014003E998
DeactivateActCtx.KERNEL32(?,?,?,?,?,000000014003EA72,?,00000000), ref: 000000014003E9AB
SetLastError.KERNEL32(?,?,?,?,?,000000014003EA72,?,00000000), ref: 000000014003E9B8

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateDebugLibraryLoadOutputProcString
String ID:
API String ID: 1219406697-0
Opcode ID: 1d61b7d8a2a2ae118bf4c5d5f2a0fc7321ce9c1dbe2ba0941cf32bcbf749bdb5
Instruction ID: ab1723ca6a0e376a96f96e895a4b8afa63c27fd8304238b0041af3fbb7a11ff3
Opcode Fuzzy Hash: 1d61b7d8a2a2ae118bf4c5d5f2a0fc7321ce9c1dbe2ba0941cf32bcbf749bdb5
Instruction Fuzzy Hash: 93113A32201B4182EB979F17A8443AAA3E5BB8CFD0F19453AEB5D473B4EF38C8418740

Function 0000000140038BAC Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 433windowCOMMON

Download Yara Rule

APIs

IsMenu.USER32 ref: 0000000140038C0D

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Part of subcall function 0000000140184D04: __report_securityfailure.LIBCMT ref: 0000000140184D0D

GetCurrentDirectoryW.KERNEL32 ref: 0000000140038D75

Strings

Recent File, xrefs: 0000000140038D23
&%d %Ts, xrefs: 0000000140038E6E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CurrentDirectoryExceptionMenuThrow__report_securityfailure
String ID: &%d %Ts$Recent File
API String ID: 1610570167-993655659
Opcode ID: 1e37ebec9a009d25bd4fa31625b714174c1fa5eb7ff48d9e86a2bd413de50577
Instruction ID: e3659ecfe2b9af00759359c50d510fd2254fb3c9ba89e1e13bcf13c92bbad107
Opcode Fuzzy Hash: 1e37ebec9a009d25bd4fa31625b714174c1fa5eb7ff48d9e86a2bd413de50577
Instruction Fuzzy Hash: AA02DD76221B8186EB66DB27D8447EE63A0FB8CBC4F445125EF5A47BA5DF39C880C700

Function 0000000140185454 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140004EB0: InitializeCriticalSectionAndSpinCount.KERNEL32(?,?,?,?,0000000140005003,?,?,?,?,0000000140004F23,?,?,?,?,0000000140059411), ref: 0000000140004ECB

GetLastError.KERNEL32 ref: 00000001401854B5
IsDebuggerPresent.KERNEL32 ref: 00000001401854CD
OutputDebugStringW.KERNEL32 ref: 00000001401854DE

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00000001401854D7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CountCriticalDebugDebuggerErrorInitializeLastOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 450123788-631824599
Opcode ID: b009b23479649688819734972a7e37324340a7e5e2c469289db644cb74e44f0d
Instruction ID: 7bcd85555942c9966054b58648fd1408a41091f39134e6afdf2404d7c90b42df
Opcode Fuzzy Hash: b009b23479649688819734972a7e37324340a7e5e2c469289db644cb74e44f0d
Instruction Fuzzy Hash: 86117C32210B40A7F716DB27EA543EA33E5FB08B55F444129CB4A83AA1EF78D5B8C750

Function 0000000140039CE0 Relevance: 6.3, APIs: 4, Instructions: 287keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 0000000140039E23
GetClientRect.USER32 ref: 0000000140039FB8
SetScrollPos.USER32 ref: 000000014003A0A3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AsyncClientRectScrollState
String ID:
API String ID: 1386077005-0
Opcode ID: 5aa097e2c5b35d092ebad3fd439430606eaee2640a6ce91e5c84144d49f63fb1
Instruction ID: 0d9e57c01855abcc4ab5427a6305b3f44a5ff772ed8d627d00bbbc505485dc97
Opcode Fuzzy Hash: 5aa097e2c5b35d092ebad3fd439430606eaee2640a6ce91e5c84144d49f63fb1
Instruction Fuzzy Hash: 5BB1AF3270165486EB6B9B2785547EE73D1EB8DBC4F088135EF1A87BA4DF39C8508741

Function 000000014000807C Relevance: 6.1, APIs: 4, Instructions: 60COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00000001400080C9
LoadResource.KERNEL32 ref: 00000001400080D5
LockResource.KERNEL32 ref: 00000001400080E6
FreeResource.KERNEL32 ref: 000000014000813C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: f100bab8e5875109455284f3c6f24014f2d35a2b67f49d0fef4c339309207136
Instruction ID: 9c4f0f530fa5ba955a5ae987d5144bb0d75a1868334418231a6cef6b058b6a24
Opcode Fuzzy Hash: f100bab8e5875109455284f3c6f24014f2d35a2b67f49d0fef4c339309207136
Instruction Fuzzy Hash: F8213C76201A8586E6699F03E5443EA63B4F74CFC0F088025EF9657BA5DF38D9A29740

Function 0000000140014234 Relevance: 6.0, APIs: 4, Instructions: 49keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014001427B
GetKeyState.USER32 ref: 000000014001428B
GetKeyState.USER32 ref: 000000014001429B
SendMessageW.USER32 ref: 00000001400142B8

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: State$MessageSend
String ID:
API String ID: 1440529007-0
Opcode ID: 0010eae138e41432bb9e1520f929655c46c85aa1500467a5fc8e5dc614a318aa
Instruction ID: ba677d2848fcd28e484151f3237a199cd21a0a9dd5ecd1503290085b294c2b70
Opcode Fuzzy Hash: 0010eae138e41432bb9e1520f929655c46c85aa1500467a5fc8e5dc614a318aa
Instruction Fuzzy Hash: 70115E3470469482FB165FA3A4843ED5260AB8CFC0F884528FF4A1BBB5CE3AC4D19710

Function 01F9BF74 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 164COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9BFA4

Strings

*?, xrefs: 01F9BFCB
., xrefs: 01F9C3C4

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *?$.
API String ID: 3215553584-3972193922
Opcode ID: 6e4f02ea06511d3fcad9a4e8be9203d0238c094cf9699f481be7a7723c277416
Instruction ID: fc7c15290bad98e2acdf86a64d2fac3c9de7dfacda05e2c532aa18b52acac303
Opcode Fuzzy Hash: 6e4f02ea06511d3fcad9a4e8be9203d0238c094cf9699f481be7a7723c277416
Instruction Fuzzy Hash: 5051D2A2B11B9586FF11EFA6D9004AD77A4FB98BD8B854526DF5D57F08EB3AC042C300

Function 01F9E860 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 01F9E8EB

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction ID: 3375a77a5a383f4979fe42a0541bdf5a1030bca7ba2d170682dd3adbc7b81a80
Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction Fuzzy Hash: B6C1C072B146C5C7EB34DF19E184BAAB761F388784F048524DB8A57B16DB3ED941CB00

Function 0000000140089A44 Relevance: 4.7, APIs: 3, Instructions: 165COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140089ABE
SetCapture.USER32 ref: 0000000140089C7A
GetCursorPos.USER32 ref: 0000000140089C92

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CaptureCursorRedrawWindow
String ID:
API String ID: 177702788-0
Opcode ID: 09f1775e0f065a5339823a82b8251ba87831f0d10b5674ba160255d95ad472ef
Instruction ID: b01d575ef57dd7bd2128ca2ee4664ce2de4b235da207193489b618cc24297848
Opcode Fuzzy Hash: 09f1775e0f065a5339823a82b8251ba87831f0d10b5674ba160255d95ad472ef
Instruction Fuzzy Hash: 7C718F72601A84C6EB5ADF26E5947D973A1F78CFD8F184132EB590B7A5CF39C1928700

Function 0000000140005240 Relevance: 4.7, APIs: 3, Instructions: 157threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 000000014000539B
GetCurrentThreadId.KERNEL32 ref: 00000001400053A5
GetVersionExW.KERNEL32 ref: 000000014000546E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CurrentThread$Version
String ID:
API String ID: 3559073820-0
Opcode ID: 0cb6c96fae2c0a1ab90eae690f4385afd9bdca0c499c9e7dd40aae02b9cab5df
Instruction ID: 32a122690f95074869567a8dacaadab9054189b449f1a7758717fa0f641d4c00
Opcode Fuzzy Hash: 0cb6c96fae2c0a1ab90eae690f4385afd9bdca0c499c9e7dd40aae02b9cab5df
Instruction Fuzzy Hash: 95616772611B8486E756DF22A8443DE73A8F749FC5F18423AAB880BBA9DF34C451C710

Function 0000000140025E50 Relevance: 3.4, APIs: 2, Instructions: 420COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140025ECB

Part of subcall function 000000014000BA50: GetDC.USER32 ref: 000000014000BA8F

OffsetRect.USER32 ref: 0000000140026311

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClientOffset
String ID:
API String ID: 3549191583-0
Opcode ID: 3320b38856a73bb204b5bda74935782d2f69da7906136e6b575f0958bd043174
Instruction ID: ba535c74072bef10cb179a3dd649a50100d49650041f8b1045c7884c37a2a9c0
Opcode Fuzzy Hash: 3320b38856a73bb204b5bda74935782d2f69da7906136e6b575f0958bd043174
Instruction Fuzzy Hash: 49123B726047408AEB56DF7AD4847AE77B0F78CB84F144129EF8A43BA4DB39D985CB00

Function 00000001400304C4 Relevance: 3.3, APIs: 2, Instructions: 285windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400307E6
SendMessageW.USER32 ref: 0000000140030811

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageParentSend
String ID:
API String ID: 928151917-0
Opcode ID: 3a777c607494e49f65598bbcea35b707df1ca0d7569390df2205a82eaed9ced2
Instruction ID: 584322f053eae3b83083051518971594d98d9fac04fe5d8532d420e13e137716
Opcode Fuzzy Hash: 3a777c607494e49f65598bbcea35b707df1ca0d7569390df2205a82eaed9ced2
Instruction Fuzzy Hash: FCB1BF32716A8086EB5ADB23E5547EA63A0FB8DBD4F004126FF5A07BA5DF38C455C740

Function 000000014002F934 Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 000000014002FA8E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: 6d34bd30d92ce8f78bed90b9f6f0bfeb8fed454c8e31831df5a326ed7a0b88be
Instruction ID: 073268d47e4851f7eafa676288890670a7870d8d8955be3507605c63de5a2419
Opcode Fuzzy Hash: 6d34bd30d92ce8f78bed90b9f6f0bfeb8fed454c8e31831df5a326ed7a0b88be
Instruction Fuzzy Hash: 0D419D77714A8086E754CB26E294BAEB3A1F78DFD5F108125EF4903B68CF39C4958B00

Function 0000000140046A00 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 0000000140046A18
IsIconic.USER32 ref: 0000000140046A2B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: IconicVisibleWindow
String ID:
API String ID: 1797901696-0
Opcode ID: f6cd55a7af096d072b4d693d144b18d48757fc387d2f26cc021019ff8756c670
Instruction ID: 8742261264c90412d1a60a58d2706a71079faa5ef2e969890c883ec5011aa8ab
Opcode Fuzzy Hash: f6cd55a7af096d072b4d693d144b18d48757fc387d2f26cc021019ff8756c670
Instruction Fuzzy Hash: 10F0623131490042EB559B77E5C03BD6292A7CDBD0F558234EB2A872F5EE34C8978B06

Function 0000000140007258 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 0000000140007290
CoCreateInstance.OLE32 ref: 00000001400072BD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CreateInitializeInstance
String ID:
API String ID: 3519745914-0
Opcode ID: 4b10a80b18142da305d228488e6699e57c8778f328752a973f20ebc1a450e547
Instruction ID: bbb060ee07061b1a9b08e1fcdf8c0f9161be13a6016c6bcebea215f757b81911
Opcode Fuzzy Hash: 4b10a80b18142da305d228488e6699e57c8778f328752a973f20ebc1a450e547
Instruction Fuzzy Hash: FD014F71605B85C6EB52CF26E448BDD63B0E75CB89F588535EB0C4A2B0DB79C49ACB00

Function 01FA27A8 Relevance: 1.7, APIs: 1, Instructions: 227COMMONLIBRARYCODE

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 01FA29F5

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: 77175103e4086f1c59809c8e109de36b5b2b6c50914a3407cf8ddbfa114083a7
Instruction ID: d772d36beb0ec1e504e4142e94765a0f7ec6173882c37ceebf782b769ab626d2
Opcode Fuzzy Hash: 77175103e4086f1c59809c8e109de36b5b2b6c50914a3407cf8ddbfa114083a7
Instruction Fuzzy Hash: 2CA1EBB7611B88CBEB19CF2DC8453587BA0F384F98B558916DB5D87768CB3AD451C700

Function 01FA0494 Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

_get_daylight.LIBCMT ref: 01FA04F9

Part of subcall function 01F95B48: _invalid_parameter_noinfo.LIBCMT ref: 01F95B5C

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _get_daylight_invalid_parameter_noinfo
String ID:
API String ID: 474895018-0
Opcode ID: d3c9d7c6625f6217ee2b232ed01a80426c7e29233e39ada4c30175885ec3b2ae
Instruction ID: b789a5a952445e8e1cb074199cf8094c905beab4eea6ee7730ea38a78422009e
Opcode Fuzzy Hash: d3c9d7c6625f6217ee2b232ed01a80426c7e29233e39ada4c30175885ec3b2ae
Instruction Fuzzy Hash: 2351E9F2B04281CAEB358E2DB45072A7651A7C0378FA84629FBA5877D5EE7FC4418B00

Function 01F87B70 Relevance: 1.7, Strings: 1, Instructions: 426COMMON

Download Yara Rule

Strings

K, xrefs: 01F87B9C

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 4837881fc66e5ac87c185c97159d9278deda85bd740d7b6d26c7e3d2639aa98d
Instruction ID: 0bb64397a8d785223413c4be02fb996b4ab7074a321dcc2266ddaeab622d267d
Opcode Fuzzy Hash: 4837881fc66e5ac87c185c97159d9278deda85bd740d7b6d26c7e3d2639aa98d
Instruction Fuzzy Hash: 4822D73722CB8486D720CB5AE49065EFB61F7D9B90F440116FA8D87B69CEADC648CF01

Function 01F87410 Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

K, xrefs: 01F8743C

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: e854ad21783e5c77e7ba2f1020899c60eae83bbc02a159d91a3f99fb6cf53c2d
Instruction ID: 320502679b1c810a3b3f60f894cdc40a273b0a982a3a746df648df5072b01968
Opcode Fuzzy Hash: e854ad21783e5c77e7ba2f1020899c60eae83bbc02a159d91a3f99fb6cf53c2d
Instruction Fuzzy Hash: 90D1C73722CB8486D720DB5AE48025EFB61F7D9B94F444116EA8D87B69CFADC648CF01

Function 0000000140004430 Relevance: 1.5, APIs: 1, Instructions: 7windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32 ref: 0000000140004442

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: c91304bfc1d5bb3acf9ce590c0c0acb90c32010e6f10a9d95b115b9637f6c128
Instruction ID: a209cda21530a44943b1ff85287bf482cf4bcc0abdabdf2ba10760525be86908
Opcode Fuzzy Hash: c91304bfc1d5bb3acf9ce590c0c0acb90c32010e6f10a9d95b115b9637f6c128
Instruction Fuzzy Hash: DBC04C36A25A44C2CA44AB56E8852596760F7C9B45F905055DB4903724CE38C0A58B00

Function 01F91E8C Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 01F92043

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 7ad7201004051277970433990105a8d9b27a5e749e1702eddbf04a425918aee0
Instruction ID: 0f3096060c38f26f4f7d832209d4159ef0b4a97ff791b176d229f3d247b8788d
Opcode Fuzzy Hash: 7ad7201004051277970433990105a8d9b27a5e749e1702eddbf04a425918aee0
Instruction Fuzzy Hash: 24616722B1820AD6FF39BF29858066E37A1E761B6CF541622DE09C7729C73BC447C741

Function 00000001401898BC Relevance: 1.5, Strings: 1, Instructions: 219COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 0000000140189A73

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: f7676632f9631bfbf4870d0be7b4effa1e339b9aae6a1b165ef69071f2d96131
Instruction ID: 813583569fb4698cc1946e9766a80f7054cff759939c25d51cd9989de7e4d9af
Opcode Fuzzy Hash: f7676632f9631bfbf4870d0be7b4effa1e339b9aae6a1b165ef69071f2d96131
Instruction Fuzzy Hash: 0B81D33371064046FBAA8A2794807ED63A0E78DF48F5C151AEF05976B9D736CB46D701

Function 01F91C10 Relevance: 1.4, Strings: 1, Instructions: 199COMMONLIBRARYCODE

Download Yara Rule

Strings

0, xrefs: 01F91DAA

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 970d73fab400261f1a9f480e8eac2603a4b4ff4fac8d113b3a51384537865cbc
Instruction ID: 5e3d0bcfe7ae0061351199a01f4ed2f38a38b8e178e24d3f21e85eeb4292e49c
Opcode Fuzzy Hash: 970d73fab400261f1a9f480e8eac2603a4b4ff4fac8d113b3a51384537865cbc
Instruction Fuzzy Hash: A4510D22B0C687C6FF39BA2D94603AE6BA1E742BA4F141937DF418B759C727C446C781

Function 01F95F70 Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 01F95FAC

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 78e8e22972b2d56851ea0bf1d652176dacc7745c108d2d6be2263876ed60a89f
Instruction ID: f0cbcbdea91e797a927b3cbe2ab8f1c08dedb512e8efdc5c815fad1f6a0ff467
Opcode Fuzzy Hash: 78e8e22972b2d56851ea0bf1d652176dacc7745c108d2d6be2263876ed60a89f
Instruction Fuzzy Hash: 80416D72310A4486EF08DF2AE9543A977A1B758FD4F59A026DF1E8B764EA3DC046C300

Function 0000000140197B80 Relevance: 1.4, Strings: 1, Instructions: 139COMMONLIBRARYCODE

Download Yara Rule

Strings

@, xrefs: 0000000140197BBC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: d1c06daca79565774a3702cd75324aecb6364738c16189c50e03e6705be671f4
Instruction ID: e72740a68a51f7469733341fb1448d2be47eb6fe65ef5a0ac50480d91a448ea9
Opcode Fuzzy Hash: d1c06daca79565774a3702cd75324aecb6364738c16189c50e03e6705be671f4
Instruction Fuzzy Hash: 0C41A072310A4886EE45CF2AE9647E973A1B74CFD4F499026EF4E877A4EA3DC446C300

Function 01F87910 Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

K, xrefs: 01F8793C

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: K
API String ID: 0-856455061
Opcode ID: 97e11e4c6cff75d263b73ba19d52fbb3f215e53aad29cf4b2ad65c516e39f25c
Instruction ID: a3752230a734d25c6aaa1e68779ed7857f45f882aa0a660e11c7e20460cacd3d
Opcode Fuzzy Hash: 97e11e4c6cff75d263b73ba19d52fbb3f215e53aad29cf4b2ad65c516e39f25c
Instruction Fuzzy Hash: 3D51F73722CA8486D720CB59E48065EBB70F7DAB94F540125EBCD87F59CAAEC648CF01

Function 0000000140029BF8 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a1da008787b33740ae496f605112e15b8bf2e18b2fb2561b432a6af93fea94f
Instruction ID: b711dec5c83e0fe37395b695474c356fe837a285c649873f7f6ac3f32cdf6841
Opcode Fuzzy Hash: 5a1da008787b33740ae496f605112e15b8bf2e18b2fb2561b432a6af93fea94f
Instruction Fuzzy Hash: F9717E3531015152FB26DB2BA851FD623A1F7EC7C4F98A419AF0987AE6DB32CC05CB40

Function 01F885F0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77b8e2508e59e9422a31526b143803fbcb465c93780744e5ff0ed94e70240dae
Instruction ID: b9696e134a82473106d4054d6cf1f99af759498ee6ea4b827663b48498c4dc65
Opcode Fuzzy Hash: 77b8e2508e59e9422a31526b143803fbcb465c93780744e5ff0ed94e70240dae
Instruction Fuzzy Hash: D271FD72219B859AC744CB19E88072ABBE1F7CD784F508929E69DC3BA9DB3CC451CF10

Function 0000000140190C40 Relevance: .1, Instructions: 93COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4de571da8658af815ebe4b058a50a853cfd178db81ff76eb659cbad5c7a701ca
Instruction ID: 7a617eb821f88e57373d89dd8c43408b94c4aca95b45fdcc04a52c0977ef81d6
Opcode Fuzzy Hash: 4de571da8658af815ebe4b058a50a853cfd178db81ff76eb659cbad5c7a701ca
Instruction Fuzzy Hash: 97318D327142508EF6BB9AFF89547EE1292E78EF40F24C611D70506EFAC532E986DA01

Function 01FA25F0 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9737cf90b42d820e9d598b7073d19d00ee6a44ff1da283a333cee36f7d72add3
Instruction ID: da8902dd0134bce9abd00066613c4e710a1e50e9c76435c7f358764f7b256973
Opcode Fuzzy Hash: 9737cf90b42d820e9d598b7073d19d00ee6a44ff1da283a333cee36f7d72add3
Instruction Fuzzy Hash: A3F036B17196958BDBA5CF2DF85276977D4F3483C4F90C069D69983B14D73C80619F04

Function 00000001400408BC Relevance: 63.3, APIs: 42, Instructions: 315
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32 ref: 00000001400408DD
GetSysColor.USER32 ref: 00000001400408F4
GetSysColor.USER32 ref: 000000014004090F
GetSysColor.USER32 ref: 000000014004091B
GetDeviceCaps.GDI32 ref: 000000014004094B
GetSysColor.USER32 ref: 0000000140040959
GetSysColor.USER32 ref: 000000014004096C
GetSysColor.USER32 ref: 000000014004097B
GetSysColor.USER32 ref: 000000014004098A
GetSysColor.USER32 ref: 0000000140040999
GetSysColor.USER32 ref: 00000001400409A8
GetSysColor.USER32 ref: 00000001400409B7
GetSysColor.USER32 ref: 00000001400409C3
GetSysColor.USER32 ref: 00000001400409CF
GetSysColor.USER32 ref: 00000001400409DB
GetSysColor.USER32 ref: 00000001400409E7
GetSysColor.USER32 ref: 00000001400409F6
GetSysColor.USER32 ref: 0000000140040A02
GetSysColor.USER32 ref: 0000000140040A11
GetSysColor.USER32 ref: 0000000140040A20
GetSysColor.USER32 ref: 0000000140040A2F
GetSysColor.USER32 ref: 0000000140040A3E
GetSysColor.USER32 ref: 0000000140040A4D
GetSysColor.USER32 ref: 0000000140040A5C
GetSysColor.USER32 ref: 0000000140040A6B
GetSysColor.USER32 ref: 0000000140040A7A
GetSysColor.USER32 ref: 0000000140040A9F
GetSysColorBrush.USER32 ref: 0000000140040AB8
GetSysColorBrush.USER32 ref: 0000000140040AD9
GetSysColorBrush.USER32 ref: 0000000140040AFA
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040B28
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040B4B
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040B71
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040B97
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040BBA
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040BDD
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040C00
CreatePen.GDI32 ref: 0000000140040C2B
CreatePen.GDI32 ref: 0000000140040C56
CreatePen.GDI32 ref: 0000000140040C81
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040D0B
CreatePatternBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000014003FC3C), ref: 0000000140040D61

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDevicePattern
String ID:
API String ID: 3066057030-0
Opcode ID: d5cdb3b408b6e5081d4f54e60be6958924312764b60fedaee2ab8550e664d520
Instruction ID: cf45f9b27a55905d60d32bc0e617179678c0d7ba50042b5be9cec62bcaaaba58
Opcode Fuzzy Hash: d5cdb3b408b6e5081d4f54e60be6958924312764b60fedaee2ab8550e664d520
Instruction Fuzzy Hash: C1E12A766416449BE74ADF32E9547ED73A0FB4DB90F04413AE71A836A1DF38D4A8DB00

Function 00000001400404E7 Relevance: 49.2, APIs: 23, Strings: 5, Instructions: 220
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcpyW.KERNEL32 ref: 00000001400404FF
EnumFontFamiliesW.GDI32 ref: 0000000140040529
lstrcpyW.KERNEL32 ref: 000000014004053F
EnumFontFamiliesW.GDI32 ref: 0000000140040561
lstrcpyW.KERNEL32 ref: 000000014004057E
CreateFontIndirectW.GDI32 ref: 0000000140040589
CreateFontIndirectW.GDI32 ref: 00000001400405D8
SystemParametersInfoW.USER32 ref: 0000000140040618
CreateFontIndirectW.GDI32 ref: 0000000140040637
CreateFontIndirectW.GDI32 ref: 000000014004066A
CreateFontIndirectW.GDI32 ref: 0000000140040691
GetSystemMetrics.USER32 ref: 00000001400406B8
lstrcpyW.KERNEL32 ref: 00000001400406D0
CreateFontIndirectW.GDI32 ref: 00000001400406DB
GetStockObject.GDI32 ref: 0000000140040709
GetObjectW.GDI32 ref: 0000000140040729
lstrcpyW.KERNEL32 ref: 000000014004076E
CreateFontIndirectW.GDI32 ref: 0000000140040779
CreateFontIndirectW.GDI32 ref: 0000000140040793
GetStockObject.GDI32 ref: 00000001400407A9
GetObjectW.GDI32 ref: 00000001400407C5
CreateFontIndirectW.GDI32 ref: 00000001400407D5
CreateFontIndirectW.GDI32 ref: 00000001400407F8

Strings

Tahoma, xrefs: 000000014004054C, 000000014004056E
MS Sans Serif, xrefs: 0000000140040577
Segoe UI, xrefs: 0000000140040514, 0000000140040533
Arial, xrefs: 0000000140040762
Marlett, xrefs: 00000001400406C4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Font$CreateIndirect$lstrcpy$Object$EnumFamiliesStockSystem$InfoMetricsParameters
String ID: Arial$MS Sans Serif$Marlett$Segoe UI$Tahoma
API String ID: 989642944-1395034203
Opcode ID: 402467a975bae7ed3a9a288986ea8b5a104bbe6f51c8ae414e4a4413e05a7472
Instruction ID: 4f27fcd8b4f34601edc1e80228a00ed3586f2247d5e008b90411c317dae19871
Opcode Fuzzy Hash: 402467a975bae7ed3a9a288986ea8b5a104bbe6f51c8ae414e4a4413e05a7472
Instruction Fuzzy Hash: 25B19076205A8086EB06DF26E8547DE73A1F78CB84F40412AEB4947AB9EF38D549CF40

Function 00000001400021A8 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 45
registryclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegisterClipboardFormatW.USER32 ref: 0000000140183F6C
RegisterClipboardFormatW.USER32 ref: 0000000140183F7B
RegisterClipboardFormatW.USER32 ref: 0000000140183F8B
RegisterClipboardFormatW.USER32 ref: 0000000140183F9B
RegisterClipboardFormatW.USER32 ref: 0000000140183FAB
RegisterClipboardFormatW.USER32 ref: 0000000140183FBB
RegisterClipboardFormatW.USER32 ref: 0000000140183FCB
RegisterClipboardFormatW.USER32 ref: 0000000140183FDB
RegisterClipboardFormatW.USER32 ref: 0000000140183FEB
RegisterClipboardFormatW.USER32 ref: 0000000140183FFB
RegisterClipboardFormatW.USER32 ref: 000000014018400B
RegisterClipboardFormatW.USER32 ref: 000000014018401B

Strings

RichEdit Text and Objects, xrefs: 0000000140184011
FileName, xrefs: 0000000140183FE1
Rich Text Format, xrefs: 0000000140184001
Link Source Descriptor, xrefs: 0000000140183FD1
Native, xrefs: 0000000140183F65
Embedded Object, xrefs: 0000000140183F91
Embed Source, xrefs: 0000000140183FA1
FileNameW, xrefs: 0000000140183FF1
Object Descriptor, xrefs: 0000000140183FC1
Link Source, xrefs: 0000000140183FB1
OwnerLink, xrefs: 0000000140183F72
ObjectLink, xrefs: 0000000140183F81

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClipboardFormatRegister
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1228543026-2889995556
Opcode ID: 90367cfbea0cd611c74209b291278d14cdc3d7c74cea6836e403688715cde66f
Instruction ID: 4bb9e7e571158c921d06bdce3421043580bce2b50f05f4c4f2911292f3fcd208
Opcode Fuzzy Hash: 90367cfbea0cd611c74209b291278d14cdc3d7c74cea6836e403688715cde66f
Instruction Fuzzy Hash: 252185B5901B0696EB02DFB2EC5C79937B1F79CB09F404416CB4A832B4EA78C189DB40

Function 000000014003D0B0 Relevance: 40.8, APIs: 27, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClientRect.USER32 ref: 000000014003D12D
CopyRect.USER32 ref: 000000014003D152

Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF1D
Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF2E

IntersectRect.USER32 ref: 000000014003D19E
SetRectEmpty.USER32 ref: 000000014003D1AC
IntersectRect.USER32 ref: 000000014003D1E1
SetRectEmpty.USER32 ref: 000000014003D1EF
IsRectEmpty.USER32 ref: 000000014003D1F9
IsRectEmpty.USER32 ref: 000000014003D207
GetWindowRect.USER32 ref: 000000014003D225
GetWindowRect.USER32 ref: 000000014003D244
UnionRect.USER32 ref: 000000014003D25E
EqualRect.USER32 ref: 000000014003D26C
GetWindowRect.USER32 ref: 000000014003D2F1
IsRectEmpty.USER32 ref: 000000014003D362
MapWindowPoints.USER32 ref: 000000014003D37C
RedrawWindow.USER32 ref: 000000014003D393
IsRectEmpty.USER32 ref: 000000014003D3A6
EqualRect.USER32 ref: 000000014003D3B8
MapWindowPoints.USER32 ref: 000000014003D3D2
RedrawWindow.USER32 ref: 000000014003D3E9
UpdateWindow.USER32 ref: 000000014003D3F3
IsRectEmpty.USER32 ref: 000000014003D43C
InvalidateRect.USER32 ref: 000000014003D452
IsRectEmpty.USER32 ref: 000000014003D45C
EqualRect.USER32 ref: 000000014003D46E
InvalidateRect.USER32 ref: 000000014003D484
UpdateWindow.USER32 ref: 000000014003D48E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyUnion
String ID:
API String ID: 3022271513-0
Opcode ID: 28fc9a557ba3dc994ec1852bfd8919c37eeff580f623db9699206b61358e9cd4
Instruction ID: e9c4b851459887a8c5765d5f00b73a2e394f80c1528878723cdd473a5ea3b3b2
Opcode Fuzzy Hash: 28fc9a557ba3dc994ec1852bfd8919c37eeff580f623db9699206b61358e9cd4
Instruction Fuzzy Hash: 61D11B72B00A459AEB12DFB6E4507DD37B1F748B98F404126DF0AA7A68EF34D585CB80

Function 01F81F90 Relevance: 40.5, APIs: 11, Strings: 12, Instructions: 236
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

swprintf_s.LIBCONCRTD ref: 01F82140

Part of subcall function 01F81DC0: _vswprintf_s_l.LIBCONCRTD ref: 01F81E03

swprintf_s.LIBCONCRTD ref: 01F8216A
swprintf_s.LIBCONCRTD ref: 01F82191
swprintf_s.LIBCONCRTD ref: 01F821AF
swprintf_s.LIBCONCRTD ref: 01F821CD
swprintf_s.LIBCONCRTD ref: 01F82255
strrchr.LIBCMTD ref: 01F8230E
fwprintf.LIBCONCRTD ref: 01F82353
swprintf_s.LIBCONCRTD ref: 01F82414

Strings

%s\%s, xrefs: 01F82400
%s\%s, xrefs: 01F82156
ComSpec, xrefs: 01F82268
%s\netstat.res, xrefs: 01F821B9
~, xrefs: 01F820E2
%s\%s.tmp, xrefs: 01F823BC
/c ipconfig /all > "%s" & tasklist > "%s" & netstat -naop tcp > "%s", xrefs: 01F82241
%s\task.list, xrefs: 01F8219B
%s\temp, xrefs: 01F8212F
%s\res.ip, xrefs: 01F8217D
%s\%s.tmp, xrefs: 01F82344
.tmp, xrefs: 01F820FF

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: swprintf_s$_vswprintf_s_lfwprintfstrrchr
String ID: %s\%s$%s\%s$%s\%s.tmp$%s\%s.tmp$%s\netstat.res$%s\res.ip$%s\task.list$%s\temp$.tmp$/c ipconfig /all > "%s" & tasklist > "%s" & netstat -naop tcp > "%s"$ComSpec$~
API String ID: 1794498803-1878674759
Opcode ID: ee44b12befc43ca33820cd820b93061eff87d632b6b4e46fb5de2b56a32eacaf
Instruction ID: 9ff044e108b6f8a5543202d54ac96858fe371f87c7fe8069d68c7f8816a0a1dc
Opcode Fuzzy Hash: ee44b12befc43ca33820cd820b93061eff87d632b6b4e46fb5de2b56a32eacaf
Instruction Fuzzy Hash: DAC15176218AC6D5EB20EB14E8643EAB7A6F794384FC00136D68D43B98DF7DC649CB41

Function 0000000140059D00 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 173windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140059D55
CreateCompatibleDC.GDI32 ref: 0000000140059D5D
GetObjectW.GDI32 ref: 0000000140059D7B
SelectObject.GDI32 ref: 0000000140059D95
CreateCompatibleBitmap.GDI32 ref: 0000000140059DC8
SelectObject.GDI32 ref: 0000000140059DE1

Strings

, xrefs: 0000000140059E3D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$CompatibleCreateHashSelect$BitmapImplImpl::
String ID:
API String ID: 702443907-3916222277
Opcode ID: 704b2d7a355bf148b6a1ff5641310ddc3680d4294ff5f0b7bbfd5a59f1183f70
Instruction ID: 39c79778b18eb62faa2eec395cceff0f44b197dacb1d4a5167c16af2fad474dc
Opcode Fuzzy Hash: 704b2d7a355bf148b6a1ff5641310ddc3680d4294ff5f0b7bbfd5a59f1183f70
Instruction Fuzzy Hash: 5E714A76705A408AEB12DFA6D8447DD23B1B78CBD8F10452AEF1A97BA4DF35C84AC740

Function 0000000140034B5C Relevance: 26.6, APIs: 13, Strings: 2, Instructions: 324timewindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140034B88
GetCursorPos.USER32 ref: 0000000140034BA5
ScreenToClient.USER32 ref: 0000000140034BB4
GetParent.USER32 ref: 0000000140034C59
SetTimer.USER32 ref: 0000000140034CC5
InvalidateRect.USER32 ref: 0000000140034CD9
UpdateWindow.USER32 ref: 0000000140034CE3
KillTimer.USER32 ref: 0000000140034CF4
KillTimer.USER32 ref: 0000000140034DC8
GetParent.USER32 ref: 0000000140034DE0
GetParent.USER32 ref: 0000000140034E5F
SendMessageW.USER32 ref: 0000000140034EEE

Strings

Control Panel\Desktop, xrefs: 0000000140034F7D
MenuShowDelay, xrefs: 0000000140034FCC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID: Control Panel\Desktop$MenuShowDelay
API String ID: 2010726786-702829638
Opcode ID: 48a913e31e1cad78de43a6f42418694e3df7dbf773d1e5594857a08abd7e52f1
Instruction ID: fac5236b44d171228d1e663464b25086008e3b9aa2bf415acbc44c3946c684c1
Opcode Fuzzy Hash: 48a913e31e1cad78de43a6f42418694e3df7dbf773d1e5594857a08abd7e52f1
Instruction Fuzzy Hash: 30E14B72301A4182EB6B9B67D4543EA63A0FB8DFD0F054229EB1A4BBF5DF39D8558700

Function 0000000140056DC4 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 208windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 0000000140056E2E
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140056E52
CreateCompatibleDC.GDI32 ref: 0000000140056E5A
SelectObject.GDI32 ref: 0000000140056E7E
GetObjectW.GDI32 ref: 0000000140056EBC
CreateDIBSection.GDI32 ref: 0000000140056F1F
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140056F48
CreateCompatibleDC.GDI32 ref: 0000000140056F53
SelectObject.GDI32 ref: 0000000140056F6C
BitBlt.GDI32 ref: 0000000140056FA7
SelectObject.GDI32 ref: 0000000140056FB4

Strings

, xrefs: 0000000140056F7A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$Hash$CreateSelect$CompatibleImplImpl::$Section
String ID:
API String ID: 800711305-3916222277
Opcode ID: 548abdd57e13598ae7464b97971c171abb0ee08e5383d93b601b0dd08f824066
Instruction ID: 7a5a72c06cae22e99bee6b112500515522b7b3105f4aa01e7583e8024db1a20f
Opcode Fuzzy Hash: 548abdd57e13598ae7464b97971c171abb0ee08e5383d93b601b0dd08f824066
Instruction Fuzzy Hash: BEA14476600A409AE756DF66E8447EE73A0F78CB94F004126EF5D97BA8DB38D895CB00

Function 01F88A10 Relevance: 26.3, APIs: 8, Strings: 7, Instructions: 94COMMON

Download Yara Rule

APIs

type_info::_name_internal_method.LIBCMTD ref: 01F88AAA
type_info::_name_internal_method.LIBCMTD ref: 01F88AC6

Strings

.zip, xrefs: 01F88ABA
.tgz, xrefs: 01F88B53
.lzh, xrefs: 01F88B08
.zoo, xrefs: 01F88AD6
.gz, xrefs: 01F88B3A
.arc, xrefs: 01F88AEF
.arj, xrefs: 01F88B21

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: type_info::_name_internal_method
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 3713626258-51310709
Opcode ID: 7526971aa8b95f68c331797db1768640d7a25d3bf4bc26a9b92b4d21d7a3df80
Instruction ID: e95f156cb221c41e15b13559d432fed7dd138acef1881c0e976b051ef173f070
Opcode Fuzzy Hash: 7526971aa8b95f68c331797db1768640d7a25d3bf4bc26a9b92b4d21d7a3df80
Instruction Fuzzy Hash: 5F313077618A46D5DA30EF15E8503AAB360F7D97D4FC41212EA9D87764EF7EC1008B05

Function 0000000140016D3C Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 154COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 0000000140016DAE

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

GetClassNameW.USER32 ref: 0000000140016E3A
GetClassLongPtrW.USER32 ref: 0000000140016E6D
GetWindowLongPtrW.USER32 ref: 0000000140016E88
GetPropW.USER32 ref: 0000000140016EA7
SetPropW.USER32 ref: 0000000140016EBF
GetPropW.USER32 ref: 0000000140016ECB
GlobalAddAtomW.KERNEL32 ref: 0000000140016EDD
SetWindowLongPtrW.USER32 ref: 0000000140016EF2

Part of subcall function 0000000140018670: OutputDebugStringA.KERNEL32 ref: 00000001400186AA
Part of subcall function 0000000140018670: ActivateActCtx.KERNEL32 ref: 00000001400186CF

SetWindowLongPtrW.USER32 ref: 0000000140016F41
CallNextHookEx.USER32 ref: 0000000140016F6C
UnhookWindowsHookEx.USER32 ref: 0000000140016F7E

Strings

#32768, xrefs: 0000000140016E0F, 0000000140016E4D
AfxOldWndProc423, xrefs: 0000000140016E9A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Long$HookPropWindow$CallClassNext$ActivateAtomDebugExceptionGlobalNameOutputStringThrowUnhookWindows
String ID: #32768$AfxOldWndProc423
API String ID: 4188554474-2141921550
Opcode ID: 1dd14e6c82131f3dfe60fb9853396964e3cf8e992d8e13a5656c7cc4eaec26de
Instruction ID: acf2cab91689cf28db86b4705b86c7d00a340bf93c07e917b088bcb6c1da156f
Opcode Fuzzy Hash: 1dd14e6c82131f3dfe60fb9853396964e3cf8e992d8e13a5656c7cc4eaec26de
Instruction Fuzzy Hash: F7518136201A5186EA669F67EC547E923A0BB8DFD0F444129AF5E4B7F4DF39C986C300

Function 0000000140011F20 Relevance: 24.2, APIs: 16, Instructions: 167windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140011F6D
SendMessageW.USER32 ref: 0000000140011F96
GetWindowRect.USER32 ref: 0000000140011FB3
GetWindowLongW.USER32 ref: 0000000140011FE1
MonitorFromWindow.USER32 ref: 000000014001202D
GetMonitorInfoW.USER32 ref: 000000014001203A
CopyRect.USER32 ref: 0000000140012048
GetWindowRect.USER32 ref: 0000000140012057
MonitorFromWindow.USER32 ref: 0000000140012065
GetMonitorInfoW.USER32 ref: 0000000140012072
CopyRect.USER32 ref: 0000000140012080
GetParent.USER32 ref: 000000014001208C
GetClientRect.USER32 ref: 000000014001209C
GetClientRect.USER32 ref: 00000001400120A9
MapWindowPoints.USER32 ref: 00000001400120BF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: RectWindow$Monitor$ClientCopyFromInfoParent$LongMessagePointsSend
String ID:
API String ID: 2848406570-0
Opcode ID: d6195095d024eb9b9dea59954e7234ed4b3aab9d01076d889b6bf28e2f2bc10e
Instruction ID: 2d3ee775d505b29204975749b47915e26e06bbc5f3c3353f7bfc4f65cb29a9a4
Opcode Fuzzy Hash: d6195095d024eb9b9dea59954e7234ed4b3aab9d01076d889b6bf28e2f2bc10e
Instruction Fuzzy Hash: 23717C32710A409AEB16CF76D5487ED33B1F748BC8F444125EF0A5BA69DF39DA458700

Function 000000014001A45C Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 000000014001A4ED
GetCapture.USER32 ref: 000000014001A500
ReleaseCapture.USER32 ref: 000000014001A50B
PeekMessageW.USER32 ref: 000000014001A52A
PeekMessageW.USER32 ref: 000000014001A545
GetMessageW.USER32 ref: 000000014001A55F
TranslateMessage.USER32 ref: 000000014001A57F
PeekMessageW.USER32 ref: 000000014001A5F1
SendMessageW.USER32 ref: 000000014001A614
PeekMessageW.USER32 ref: 000000014001A64D
ReleaseCapture.USER32 ref: 000000014001A67B
GetMessageW.USER32 ref: 000000014001A68F
DispatchMessageW.USER32 ref: 000000014001A698
GetCursorPos.USER32 ref: 000000014001A6A6
PeekMessageW.USER32 ref: 000000014001A6D4
DispatchMessageW.USER32 ref: 000000014001A6DD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$Peek$Capture$DispatchRelease$CursorSendTranslate
String ID:
API String ID: 605349011-0
Opcode ID: 1c30bb102709b6ea9050b26ebe7e4cbe9375ffa96a045673eab0422e1a28b82f
Instruction ID: 3c41f6f513eaddadc588f4dca1ef95cc547eeabd5433cbd61afff63040f62763
Opcode Fuzzy Hash: 1c30bb102709b6ea9050b26ebe7e4cbe9375ffa96a045673eab0422e1a28b82f
Instruction Fuzzy Hash: DC617E3131464086F7768F63E8047AD33A1EB8EFD5F184225EA4A4BAA4DF3EC4859B40

Function 01F9A004 Relevance: 22.9, APIs: 1, Strings: 12, Instructions: 197COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9A28C

Strings

, xrefs: 01F9A1F9
a, xrefs: 01F9A03E
=, xrefs: 01F9A1FE
r, xrefs: 01F9A043
, xrefs: 01F9A1B7
w, xrefs: 01F9A048
, xrefs: 01F9A206
, xrefs: 01F9A277
UTF-16LEUNICODE, xrefs: 01F9A234
, xrefs: 01F9A039
ccs, xrefs: 01F9A1D9
UTF-8, xrefs: 01F9A211

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $ $ $ $ $=$UTF-16LEUNICODE$UTF-8$a$ccs$r$w
API String ID: 3215553584-2974328796
Opcode ID: 9fccd9ef4330f0d7d8d6828c9b5d8276c7142b73c9c31124d657ceca13e5ccd5
Instruction ID: c3974bee9ba8390f4dc1543dce8a386aeccca5094a44b8dee5cd374b2bca9aab
Opcode Fuzzy Hash: 9fccd9ef4330f0d7d8d6828c9b5d8276c7142b73c9c31124d657ceca13e5ccd5
Instruction Fuzzy Hash: 9C61AEF2E04251D6FF2B6F3DEA543393F90A752388F08A455DB5647662C32BC1A0CB02

Function 0000000140036E54 Relevance: 22.7, APIs: 15, Instructions: 212timeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140036EA6
InflateRect.USER32 ref: 0000000140036EDB
SetRectEmpty.USER32 ref: 0000000140036F7E
SetRectEmpty.USER32 ref: 0000000140036F87
GetSystemMetrics.USER32 ref: 0000000140036FAE
KillTimer.USER32 ref: 0000000140037061
EqualRect.USER32 ref: 000000014003707A
EqualRect.USER32 ref: 000000014003708B
EqualRect.USER32 ref: 00000001400370EE
InvalidateRect.USER32 ref: 0000000140037107
InvalidateRect.USER32 ref: 0000000140037117
EqualRect.USER32 ref: 0000000140037127
InvalidateRect.USER32 ref: 000000014003713C
InvalidateRect.USER32 ref: 000000014003714C
UpdateWindow.USER32 ref: 000000014003715D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: 86e65e8f60cd83b997aaced73a52e04d8f128ea3e900e785f44c62620f3c2a30
Instruction ID: fd3679204f740ba9773c1aae977ee3fe51719b815693ac3d03e0a47b89ae62e0
Opcode Fuzzy Hash: 86e65e8f60cd83b997aaced73a52e04d8f128ea3e900e785f44c62620f3c2a30
Instruction Fuzzy Hash: 07A11836A00650CAE716CF7AE8947ED77B1F788B88F188129EF0A57668DF35C585CB10

Function 00000001400496F8 Relevance: 22.7, APIs: 15, Instructions: 207windowCOMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 0000000140049792
GetDlgItem.USER32 ref: 0000000140049836
ShowWindow.USER32 ref: 0000000140049844
GetMenu.USER32 ref: 0000000140049857
InvalidateRect.USER32 ref: 0000000140049878
GetDlgItem.USER32 ref: 00000001400498C2
SetWindowLongW.USER32 ref: 00000001400498E2
GetDlgItem.USER32 ref: 00000001400498FE
GetDlgItem.USER32 ref: 0000000140049917
SetWindowLongW.USER32 ref: 0000000140049930
SetWindowLongW.USER32 ref: 0000000140049941
InvalidateRect.USER32 ref: 0000000140049957
SetMenu.USER32 ref: 0000000140049970
GetDlgItem.USER32 ref: 00000001400499B9
ShowWindow.USER32 ref: 00000001400499CA

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ItemWindow$Long$InvalidateMenuRectShow$Ctrl
String ID:
API String ID: 599340499-0
Opcode ID: 4846c8f08beebfc1922a370669c79c01bb2b31c1bbd09984df10f2e30d438029
Instruction ID: 71690a7673c4866f05ad20176bdf805cda555a875b9434ee9096e77fac9bdfc1
Opcode Fuzzy Hash: 4846c8f08beebfc1922a370669c79c01bb2b31c1bbd09984df10f2e30d438029
Instruction Fuzzy Hash: D9913836200A8186EB56DF67D4443A923A1FB8DFD4F1A8539EF5A0B7A8DF38C855C704

Function 0000000140021BB0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 212COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140021BE3
GlobalUnlock.KERNEL32 ref: 0000000140021D18

Strings

System, xrefs: 0000000140021BBD, 0000000140021D7B, 0000000140021D9C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$LockUnlock
String ID: System
API String ID: 2502338518-3470857405
Opcode ID: f069fa359b9f0986cb44472eddfa8d21eec54a4f64513227b0145339eb35c67b
Instruction ID: 2f3b157b9c6c3efcb8c62dca753b02ff2bce524cafb8dcba8d227148dcaeb7b7
Opcode Fuzzy Hash: f069fa359b9f0986cb44472eddfa8d21eec54a4f64513227b0145339eb35c67b
Instruction Fuzzy Hash: E181A33620065486EB2A9FA3A4107EA73A0FB9CBD4F544529EF56477F5DB38C945CB00

Function 0000000140009004 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 92libraryCOMMON

Download Yara Rule

APIs

QueryActCtxW.KERNEL32 ref: 000000014000905F
GetModuleHandleExW.KERNEL32 ref: 000000014000908A
GetModuleFileNameW.KERNEL32 ref: 00000001400090AB
SetLastError.KERNEL32 ref: 00000001400090C3
CreateActCtxW.KERNEL32 ref: 0000000140009109
GetLastError.KERNEL32 ref: 000000014000911A
ActivateActCtx.KERNEL32 ref: 0000000140009154
FindActCtxSectionStringW.KERNEL32 ref: 000000014000917F
LoadLibraryW.KERNEL32 ref: 0000000140009190
DeactivateActCtx.KERNEL32 ref: 000000014000919E

Strings

Comctl32.dll, xrefs: 0000000140009170, 0000000140009189
p, xrefs: 000000014000915E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLastModule$ActivateCreateDeactivateFileFindHandleLibraryLoadNameQuerySectionString
String ID: Comctl32.dll$p
API String ID: 550771814-195350848
Opcode ID: d10eb2d4d39da2b4815e86e3d93762ca3784dd0f47ed58844a30d0d121d0ec05
Instruction ID: 18364ff95bc40627d6ad3fc295502e6d87759b5e61846cc025b3bad40e0bc448
Opcode Fuzzy Hash: d10eb2d4d39da2b4815e86e3d93762ca3784dd0f47ed58844a30d0d121d0ec05
Instruction Fuzzy Hash: 55413C72205B4582EB61CF66F8487DA73A4F788BA0F400229E79D476F4DF79C588CB00

Function 000000014005A294 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 189COMMONLIBRARYCODE

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 000000014005A2F4

Strings

, xrefs: 000000014005A2E8

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-3916222277
Opcode ID: 42f2af1318688e3066c2765c5ea8b3c1323b9cb5d627917417b8fd5497acbf6e
Instruction ID: c870ed32f765ae456b3d3b16fd1b707a3eb7114215be547cc532bf57edadfd3f
Opcode Fuzzy Hash: 42f2af1318688e3066c2765c5ea8b3c1323b9cb5d627917417b8fd5497acbf6e
Instruction Fuzzy Hash: B971AC76315A4086E722CF6BE84479A67A0F78DBD8F004126FF4A877A4DA7EC945CB00

Function 00000001400711F4 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140071310

Part of subcall function 000000014006E780: GetWindowRect.USER32(?,?,?,000000014007131D), ref: 000000014006E79B

Strings

RecentRowIndex, xrefs: 00000001400713B7
PinState, xrefs: 00000001400713F8
RectRecentDocked, xrefs: 0000000140071389
MRUWidth, xrefs: 00000001400713E1
IsFloating, xrefs: 00000001400713CA
RectRecentFloat, xrefs: 0000000140071372
RecentFrameAlignment, xrefs: 00000001400713A0
%TsPane-%d%x, xrefs: 000000014007129E
Panes, xrefs: 000000014007122A
%TsPane-%d, xrefs: 000000014007128B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: RectWindow
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 861336768-2628993547
Opcode ID: 2b47a84608a8ca00aaf9dfbc1e00d1f5d3f64d8dbe0f1838df2b298b73acbea2
Instruction ID: 646b4181d00b0c17a989ea8d6b547fb0b71898a53459d187f87a7d32e60ac897
Opcode Fuzzy Hash: 2b47a84608a8ca00aaf9dfbc1e00d1f5d3f64d8dbe0f1838df2b298b73acbea2
Instruction Fuzzy Hash: 11714276301A4192EB0ADB2AD8847DC27A1F78DFE8F458216EF2A537A5DF38C955C340

Function 00000001400B2C28 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 267windowCOMMON

Download Yara Rule

APIs

UnionRect.USER32 ref: 00000001400B2CB7
EqualRect.USER32 ref: 00000001400B2CC5
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400B2CE7
CreateCompatibleDC.GDI32 ref: 00000001400B2CFE
CreateCompatibleBitmap.GDI32 ref: 00000001400B2D35
SelectObject.GDI32 ref: 00000001400B2DAD
BitBlt.GDI32 ref: 00000001400B2DEF
BitBlt.GDI32 ref: 00000001400B2F61
DeleteObject.GDI32 ref: 00000001400B2F83

Strings

, xrefs: 00000001400B2F37

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CompatibleCreateHashObjectRect$BitmapDeleteEqualImplImpl::SelectUnion
String ID:
API String ID: 3550419231-3916222277
Opcode ID: 74c8ac485176689af17ab942631f15e84cdd26d0c41abe9c69172ba513935668
Instruction ID: ae69ee41cf88b830aaa6ad8fd6ee03e1d7ef78c7d5dca9ca6d53448ded3ed60c
Opcode Fuzzy Hash: 74c8ac485176689af17ab942631f15e84cdd26d0c41abe9c69172ba513935668
Instruction Fuzzy Hash: 69B18C72704A818AEB11CFA6E4407ED77B5F748B98F054129EF0DA7BA8DB34D915CB40

Function 01F8BA70 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 168COMMON

Download Yara Rule

APIs

fwprintf.LIBCONCRTD ref: 01F8BB53

Part of subcall function 01F81950: _fread_nolock.LIBCMTD ref: 01F81989

Strings

%s\*.*, xrefs: 01F8BB44
%s\%s, xrefs: 01F8BD24
%s\%s, xrefs: 01F8BC67
%s\%s, xrefs: 01F8BD03
%s\%s, xrefs: 01F8BC88

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _fread_nolockfwprintf
String ID: %s\%s$%s\%s$%s\%s$%s\%s$%s\*.*
API String ID: 3985892758-3419207611
Opcode ID: ec983e83d3010fc26a9b592c5ec733ce55ff8c8e87139ee4b1bd13055c9b5f5f
Instruction ID: 055a2308745ec6bb3ed3e976b9d77c303e5b683b6c81e57bd8c52dd952d3a1ed
Opcode Fuzzy Hash: ec983e83d3010fc26a9b592c5ec733ce55ff8c8e87139ee4b1bd13055c9b5f5f
Instruction Fuzzy Hash: C3712C72218AC6D5DB21DB25E8503EAB765F7C9794F844226DB9E43BA8EF3DC105CB00

Function 000000014001B6E8 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 71libraryloadercomCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(?,?,?,?,0000BC19,000000014001B57B), ref: 000000014001B718
GetProcAddress.KERNEL32(?,?,?,?,0000BC19,000000014001B57B), ref: 000000014001B74F
GetProcAddress.KERNEL32(?,?,?,?,0000BC19,000000014001B57B), ref: 000000014001B783
GetProcAddress.KERNEL32(?,?,?,?,0000BC19,000000014001B57B), ref: 000000014001B7AC
CoCreateInstance.OLE32(?,?,?,?,0000BC19,000000014001B57B), ref: 000000014001B7E3

Strings

DWrite.dll, xrefs: 000000014001B789
D2D1CreateFactory, xrefs: 000000014001B745
D2D1.dll, xrefs: 000000014001B730
D2D1MakeRotateMatrix, xrefs: 000000014001B77C
DWriteCreateFactory, xrefs: 000000014001B7A2

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressProc$CreateInitializeInstance
String ID: D2D1.dll$D2D1CreateFactory$D2D1MakeRotateMatrix$DWrite.dll$DWriteCreateFactory
API String ID: 3073215455-1403614551
Opcode ID: a823e8bdf635e13f9fdb2ec2932fb67a2fd4f7758edd58b07637f97b0f96efbd
Instruction ID: 5a22f2a62ba0acffa76ae26881b680a88901f74607a74abb8a0407eeed64adb2
Opcode Fuzzy Hash: a823e8bdf635e13f9fdb2ec2932fb67a2fd4f7758edd58b07637f97b0f96efbd
Instruction Fuzzy Hash: 79313431205F0295EB16DF26E4847E933A0FB8CB88F485429EB494B2B4EF7AC599C740

Function 01F810A0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 288stringCOMMON

Download Yara Rule

APIs

fwprintf.LIBCONCRTD ref: 01F8119C

Part of subcall function 01F81950: _fread_nolock.LIBCMTD ref: 01F81989

fwprintf.LIBCONCRTD ref: 01F811B8
strrchr.LIBCMTD ref: 01F8132F
strrchr.LIBCMTD ref: 01F81480
strrchr.LIBCMTD ref: 01F814A6

Part of subcall function 01F93644: _invalid_parameter_noinfo.LIBCMT ref: 01F935A3

Part of subcall function 01F939E4: _invalid_parameter_noinfo.LIBCMT ref: 01F93A06

Part of subcall function 01F90990: _invalid_parameter_noinfo.LIBCMT ref: 01F909C5

Part of subcall function 01F93D60: _invalid_parameter_noinfo.LIBCMT ref: 01F93D74

_fread_nolock.LIBCMT ref: 01F81600

Part of subcall function 01F9400C: fread_s.LIBCMT ref: 01F9401F

Strings

dat, xrefs: 01F814AE
%s-, xrefs: 01F8118D
%s~, xrefs: 01F811A9

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo$strrchr$_fread_nolockfwprintf$fread_s
String ID: %s-$%s~$dat
API String ID: 1652813780-2455840278
Opcode ID: 42136baa95bf7ca03e23ae757eb67f763ca6ff80f688d9ccb051d41e28375670
Instruction ID: 8652b6b0756bcbdd539b50965a85d2db8640ad5059133277cf3714aa029e40ca
Opcode Fuzzy Hash: 42136baa95bf7ca03e23ae757eb67f763ca6ff80f688d9ccb051d41e28375670
Instruction Fuzzy Hash: 41D14F72218AC595DB21EB65E8943DBB7A1F7D9790F800226DB8D83BA8DF7DC145CB00

Function 0000000140041850 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 152windowCOMMON

Download Yara Rule

APIs

GetObjectW.GDI32 ref: 0000000140041893
GetSystemMetrics.USER32 ref: 00000001400418AE
GetSystemMetrics.USER32 ref: 00000001400418BC
GetMenuItemInfoW.USER32 ref: 0000000140041925
GetMenuItemInfoW.USER32 ref: 000000014004197E
GetTextExtentPoint32W.GDI32 ref: 00000001400419D6
GetSystemMetrics.USER32 ref: 0000000140041A0E
GetSystemMetrics.USER32 ref: 0000000140041A1A

Strings

P, xrefs: 00000001400418F7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MetricsSystem$InfoItemMenu$ExtentObjectPoint32Text
String ID: P
API String ID: 2391097208-3110715001
Opcode ID: 4903fcb799b2714e4a4ec8092d3d30f4a4f4b8944001f3f95bc50c04969c835d
Instruction ID: 62b11b726101602c89cefb0e3780a1576f5d0f90278ed55f8b9115d2dbce1226
Opcode Fuzzy Hash: 4903fcb799b2714e4a4ec8092d3d30f4a4f4b8944001f3f95bc50c04969c835d
Instruction Fuzzy Hash: 77519B36700A409AE706DF76D8547ED33A1FB88B98F158126EF1A877A9DF34C946CB40

Function 01F997B0 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 117COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9992D

Strings

NAN, xrefs: 01F99811
INF, xrefs: 01F99823
nan(snan), xrefs: 01F99850
NAN(IND), xrefs: 01F9985B
NAN(SNAN), xrefs: 01F99845
nan(ind), xrefs: 01F99866
nan, xrefs: 01F99818
inf, xrefs: 01F99836

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: INF$NAN$NAN(IND)$NAN(SNAN)$inf$nan$nan(ind)$nan(snan)
API String ID: 3215553584-2617248754
Opcode ID: 7123771f9341a338b452bdcdecef37cf3a13e575651944f00f0950f32b389082
Instruction ID: 5b93fbc471c38ff0783fef8a5650ab4ad7fc4dc5d2d4ee0d9ceaa78e0d350fdc
Opcode Fuzzy Hash: 7123771f9341a338b452bdcdecef37cf3a13e575651944f00f0950f32b389082
Instruction Fuzzy Hash: C84199B2A01B44C9EB04CF25E8507DD37A9FB18398F81413AEE9C87B64EE3AC025C340

Function 000000014016E9D4 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 000000014016EA03
EqualRect.USER32 ref: 000000014016EA17
CreateRectRgn.GDI32 ref: 000000014016EA63
CreateRectRgn.GDI32 ref: 000000014016EA9A
CreateRectRgnIndirect.GDI32 ref: 000000014016EAA5
CombineRgn.GDI32 ref: 000000014016EAC8
SetWindowRgn.USER32 ref: 000000014016EAD9
RedrawWindow.USER32 ref: 000000014016EB68

Strings

X, xrefs: 000000014016EB08

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Create$EqualWindow$CombineIndirectRedraw
String ID: X
API String ID: 1400420921-3081909835
Opcode ID: 21466ef4099ae73f1e202873bd138ddf89b5ea0655c8475683c559b10abdb0c3
Instruction ID: db54c7ea1a70451668e19c951a1d56cc3d1621c709d486b347266454619dc8d2
Opcode Fuzzy Hash: 21466ef4099ae73f1e202873bd138ddf89b5ea0655c8475683c559b10abdb0c3
Instruction Fuzzy Hash: F4513B726206508AE715CF76E944BED77B0F758F98F048228DF5A17AA8CF38D585CB40

Function 0000000140011CE0 Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 64libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140011D15
GetProcAddress.KERNEL32 ref: 0000000140011D2A
EncodePointer.KERNEL32 ref: 0000000140011D36
DecodePointer.KERNEL32 ref: 0000000140011D45
LoadLibraryExW.KERNEL32 ref: 0000000140011D5E
GetSystemDirectoryW.KERNEL32 ref: 0000000140011D72

Strings

\, xrefs: 0000000140011D85
kernel32.dll, xrefs: 0000000140011D0E
SetDefaultDllDirectories, xrefs: 0000000140011D20

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeDirectoryEncodeHandleLibraryLoadModuleProcSystem
String ID: SetDefaultDllDirectories$\$kernel32.dll
API String ID: 4227638471-3881611067
Opcode ID: 392db1e714919f6ac9e3cb717fdd8a83439941746f322d8ad7978ec4da9fac28
Instruction ID: 5b48fb74d14eb3d64d5ea603e97c25f31b17efeb50a8bb72a7ae19612a9737c9
Opcode Fuzzy Hash: 392db1e714919f6ac9e3cb717fdd8a83439941746f322d8ad7978ec4da9fac28
Instruction Fuzzy Hash: E3211031705A4091FA66DB63F8983E963E0FB8CB84F8445299B4E876B6EF3DC644C740

Function 000000014002AD44 Relevance: 15.3, APIs: 10, Instructions: 289windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006FFEC: ReleaseCapture.USER32 ref: 0000000140070024
Part of subcall function 000000014006FFEC: IsWindow.USER32 ref: 000000014007004B
Part of subcall function 000000014006FFEC: DestroyWindow.USER32 ref: 000000014007005C

SetRectEmpty.USER32 ref: 000000014002AD75
ReleaseCapture.USER32 ref: 000000014002AD7B
SetCapture.USER32 ref: 000000014002AD91
GetCapture.USER32 ref: 000000014002ADD6
ReleaseCapture.USER32 ref: 000000014002ADE9
SetCapture.USER32 ref: 000000014002ADFF
GetFocus.USER32 ref: 000000014002AF3D
NotifyWinEvent.USER32 ref: 000000014002AF7C
NotifyWinEvent.USER32 ref: 000000014002B176
UpdateWindow.USER32 ref: 000000014002B1A6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Capture$ReleaseWindow$EventNotify$DestroyEmptyFocusRectUpdate
String ID:
API String ID: 323764185-0
Opcode ID: 277eba27565658780e47d772cbfb39fdc4d2745c1385fbe65da8a843f49e0855
Instruction ID: dcaa92d55d2fab6051ee3c89527b6275602da3d730dc7321d26e80244b43548e
Opcode Fuzzy Hash: 277eba27565658780e47d772cbfb39fdc4d2745c1385fbe65da8a843f49e0855
Instruction Fuzzy Hash: AED14832201A4186EB5A9F27D9947E973A1FB8DFC4F184139AF1A4B6B9DF39C851C700

Function 0000000140008648 Relevance: 15.2, APIs: 10, Instructions: 150COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 00000001400086B1
LoadResource.KERNEL32 ref: 00000001400086BD

Part of subcall function 0000000140011208: UnhookWindowsHookEx.USER32 ref: 000000014001123D

LockResource.KERNEL32 ref: 00000001400086D3
GetDesktopWindow.USER32 ref: 0000000140008728
IsWindowEnabled.USER32 ref: 0000000140008736
EnableWindow.USER32 ref: 0000000140008745
EnableWindow.USER32 ref: 0000000140008858
GetActiveWindow.USER32 ref: 0000000140008863
SetActiveWindow.USER32 ref: 0000000140008872
FreeResource.KERNEL32 ref: 0000000140008899

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeHookLoadLockUnhookWindows
String ID:
API String ID: 3362358738-0
Opcode ID: 80989f1e541ad7c4bfb65859d6c82512fc37d84f54c52de01fada025acdce8cf
Instruction ID: c8dd5c8ad6564c6b16484e3a2099e8a16b929fb606f56351a9c39741170b4d24
Opcode Fuzzy Hash: 80989f1e541ad7c4bfb65859d6c82512fc37d84f54c52de01fada025acdce8cf
Instruction Fuzzy Hash: CB514D72204B8181EA7ADB23A9443EE63A1FB8DFD4F144225EF9A077E9DF39C4458701

Function 0000000140035F44 Relevance: 15.1, APIs: 10, Instructions: 130timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140035F76
ScreenToClient.USER32 ref: 0000000140035F84
KillTimer.USER32 ref: 0000000140035F9C
PtInRect.USER32 ref: 0000000140035FD0
KillTimer.USER32 ref: 0000000140036055
GetParent.USER32 ref: 000000014003606D
PtInRect.USER32 ref: 000000014003609C
KillTimer.USER32 ref: 00000001400360FA
GetClientRect.USER32 ref: 0000000140036112
PtInRect.USER32 ref: 0000000140036120

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$KillTimer$Client$CursorParentScreen
String ID:
API String ID: 4210440331-0
Opcode ID: 375ed48d41337648fb5642bdf8053c8890cf456225215dfea88fb5ee9eb2809c
Instruction ID: 21bd2d175510cf80d5a44742a0bd98ed6642a7a11c899436e5708ecef9499bb1
Opcode Fuzzy Hash: 375ed48d41337648fb5642bdf8053c8890cf456225215dfea88fb5ee9eb2809c
Instruction Fuzzy Hash: 8B510832700A4985EB569F76D8543EE63A1F78AFC8F488125EF0E5B7A9DF78C5458300

Function 000000014001AC08 Relevance: 15.1, APIs: 10, Instructions: 115memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001AC2B
GlobalAlloc.KERNEL32 ref: 000000014001ACA8
GlobalHandle.KERNEL32 ref: 000000014001ACB0
GlobalUnlock.KERNEL32 ref: 000000014001ACBC
GlobalReAlloc.KERNEL32 ref: 000000014001ACE2
GlobalLock.KERNEL32 ref: 000000014001AD02
LeaveCriticalSection.KERNEL32 ref: 000000014001AD54
GlobalHandle.KERNEL32 ref: 000000014001AD8D
GlobalLock.KERNEL32 ref: 000000014001AD96
LeaveCriticalSection.KERNEL32 ref: 000000014001AD9F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 19a1fc9cc2e111d1686e4a2e07d3228facc4360fef276e5ddfffa95bb0d4ea74
Instruction ID: b5035d0129184646acfb6b59cb2e05f974d495fde8d34ff5eb5c231b65dcf284
Opcode Fuzzy Hash: 19a1fc9cc2e111d1686e4a2e07d3228facc4360fef276e5ddfffa95bb0d4ea74
Instruction Fuzzy Hash: AA419F71700A8087EA19DF66A1543A863A1FB8DBC1F048525DB6B47BA1DF3DD8918740

Function 000000014001A6E8 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 000000014001A717
WindowFromPoint.USER32 ref: 000000014001A725
GetActiveWindow.USER32 ref: 000000014001A74D
GetCurrentThreadId.KERNEL32 ref: 000000014001A769
GetWindowThreadProcessId.USER32 ref: 000000014001A77C
GetDesktopWindow.USER32 ref: 000000014001A78D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 453dcf383ca6373832349ced0711ecdd3b19b305e031a34e6d9a9b24a6d9e5b6
Instruction ID: 10330bdf1a96358593f2c120f5f52142d9e736aa82fca87e0090f3f281071f1f
Opcode Fuzzy Hash: 453dcf383ca6373832349ced0711ecdd3b19b305e031a34e6d9a9b24a6d9e5b6
Instruction Fuzzy Hash: B7316F3520960186FE57ABA3AC443E963E0B74EBD4F040525EF0A4B7F1EE7EC5969710

Function 0000000140053BE0 Relevance: 15.1, APIs: 10, Instructions: 85keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000000140053C06
GetKeyState.USER32 ref: 0000000140053C20
GetTickCount.KERNEL32 ref: 0000000140053C33
SetCapture.USER32 ref: 0000000140053C3F
GetCapture.USER32 ref: 0000000140053C52
PeekMessageW.USER32 ref: 0000000140053C82
PeekMessageW.USER32 ref: 0000000140053CA5
PtInRect.USER32 ref: 0000000140053CE0
GetTickCount.KERNEL32 ref: 0000000140053CF0
ReleaseCapture.USER32 ref: 0000000140053D10

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Capture$CountMessagePeekStateTick$RectRelease
String ID:
API String ID: 667235451-0
Opcode ID: 797b9c5356b3e985e8ef62faba01c2900f27a758b4f8d273c035c04c31fb9bac
Instruction ID: 111c1799a1c6247559d7bfe72ac1e2e3e704409738c404404cbbdf902dcc334d
Opcode Fuzzy Hash: 797b9c5356b3e985e8ef62faba01c2900f27a758b4f8d273c035c04c31fb9bac
Instruction Fuzzy Hash: B3419F3220478486EB66DFA6E4487DD3BB1F748F84F544029EB46936B4DF3AC985DB40

Function 01F805E0 Relevance: 15.0, Strings: 12, Instructions: 48COMMON

Download Yara Rule

Strings

Ws2_32.dll, xrefs: 01F8060F
shell32.dll, xrefs: 01F805E4
gethostbyname, xrefs: 01F80653
ShellExecuteA, xrefs: 01F805F6
FindClose, xrefs: 01F806E2
gethostname, xrefs: 01F8063A
FindFirstFileW, xrefs: 01F806B0
FindNextFileW, xrefs: 01F806C9
kernel32.dll, xrefs: 01F8069E
WSACleanup, xrefs: 01F80685
inet_ntoa, xrefs: 01F8066C
WSAStartup, xrefs: 01F80621

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: FindClose$FindFirstFileW$FindNextFileW$ShellExecuteA$WSACleanup$WSAStartup$Ws2_32.dll$gethostbyname$gethostname$inet_ntoa$kernel32.dll$shell32.dll
API String ID: 0-4125223272
Opcode ID: 0469788ceee793dc6bfb39aad61bb1679ed9cc82f1120161a37ce752c8c362b6
Instruction ID: f08c3db203137d61fed28918e028d5167be490e0336ee1682b1b25d1b15b9c84
Opcode Fuzzy Hash: 0469788ceee793dc6bfb39aad61bb1679ed9cc82f1120161a37ce752c8c362b6
Instruction Fuzzy Hash: 68315EB9119F4696E6209F15F8943EA73B8FB88785F901236D98E42734EF3CC618C741

Function 000000014001C4A8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001C4E9
GetProcAddress.KERNEL32 ref: 000000014001C4FE
EncodePointer.KERNEL32 ref: 000000014001C50A
DecodePointer.KERNEL32 ref: 000000014001C519
GetUserDefaultUILanguage.KERNEL32 ref: 000000014001C53C
GetSystemDefaultUILanguage.KERNEL32 ref: 000000014001C5B8

Strings

kernel32.dll, xrefs: 000000014001C4E2
GetThreadPreferredUILanguages, xrefs: 000000014001C4F4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
String ID: GetThreadPreferredUILanguages$kernel32.dll
API String ID: 4277466594-1646127487
Opcode ID: 72a60b85e187ae01dfefa1d02f5e05a5dd3f4098e148ade24bf3d1f69120f508
Instruction ID: 3eb268b2b2cdf5d2efe5252cc0611a008157cb1916cd08b09d802dea137d409f
Opcode Fuzzy Hash: 72a60b85e187ae01dfefa1d02f5e05a5dd3f4098e148ade24bf3d1f69120f508
Instruction Fuzzy Hash: 2951B173720A5496EF02DF62D859BEC23B1B70CBC8F854026DF1A5B6A5EE39C608C750

Function 0000000140016B74 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetPropW.USER32 ref: 0000000140016BC8
CallWindowProcW.USER32 ref: 0000000140016C45

Part of subcall function 0000000140017200: GetWindowRect.USER32 ref: 0000000140017248
Part of subcall function 0000000140017200: GetWindow.USER32 ref: 0000000140017268

SetWindowLongPtrW.USER32 ref: 0000000140016C73
RemovePropW.USER32 ref: 0000000140016C83
GlobalFindAtomW.KERNEL32 ref: 0000000140016C90
GlobalDeleteAtom.KERNEL32 ref: 0000000140016C99

Part of subcall function 00000001400172BC: GetWindowRect.USER32 ref: 00000001400172D0

CallWindowProcW.USER32 ref: 0000000140016D05

Strings

AfxOldWndProc423, xrefs: 0000000140016BC1, 0000000140016C79, 0000000140016C89

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
String ID: AfxOldWndProc423
API String ID: 3892049428-1060338832
Opcode ID: 435e73bd8af8a5baddd68ab1be9477c5a388a19e924f576f14374811a57ecbe6
Instruction ID: 1a8c88cd5cbf3846f0e401cbfd480f066ece045d8e5df5e04e6d51862ad37fcb
Opcode Fuzzy Hash: 435e73bd8af8a5baddd68ab1be9477c5a388a19e924f576f14374811a57ecbe6
Instruction Fuzzy Hash: 8E419F31208B9042EA269B67B8547FA63A0F78DFD0F044119BF9A0BBB9DF3DC5458740

Function 000000014007EC70 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 112sleepthreadCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,000000014002F048), ref: 000000014007ED03
SetThreadPriority.KERNEL32(?,?,?,000000014002F048), ref: 000000014007ED3A
LeaveCriticalSection.KERNEL32(?,?,?,000000014002F048), ref: 000000014007ED56

Part of subcall function 0000000140184890: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F0E,?,?,?,?,0000000140059411), ref: 00000001401848A0

Part of subcall function 0000000140055550: InitializeCriticalSectionAndSpinCount.KERNEL32 ref: 000000014005557E
Part of subcall function 0000000140055550: GetLastError.KERNEL32 ref: 0000000140055588

Part of subcall function 0000000140184564: _onexit.LIBCMT ref: 0000000140184568

Part of subcall function 0000000140184830: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184840
Part of subcall function 0000000140184830: LeaveCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184880

PlaySoundW.WINMM(?,?,?,?,?,?,?,000000014002F048), ref: 000000014007EDBC
Sleep.KERNEL32(?,?,?,?,?,?,?,000000014002F048), ref: 000000014007EDEC
PlaySoundW.WINMM(?,?,?,?,?,?,?,000000014002F048), ref: 000000014007EE04

Strings

MenuCommand, xrefs: 000000014007EDCD
MenuPopup, xrefs: 000000014007EDAD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$Enter$LeavePlaySound$CountErrorInitializeLastPrioritySleepSpinThread_onexit
String ID: MenuCommand$MenuPopup
API String ID: 3442122441-2036262055
Opcode ID: 6499a755c092a161dffe9c9a4b6d1b6c8ef137a82b52a7ae99096ec22e82579f
Instruction ID: 6ff2a4f73b81d62141c79b026b4d40416d62e919ee6c50e0231e587ccd620394
Opcode Fuzzy Hash: 6499a755c092a161dffe9c9a4b6d1b6c8ef137a82b52a7ae99096ec22e82579f
Instruction Fuzzy Hash: BB516036601A84D6F667DB27E8987E87361F78C760F500329E72A036F5DBB9C945C700

Function 0000000140048CAC Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 0000000140048CD6
GetParent.USER32 ref: 0000000140048CE5
GetWindowThreadProcessId.USER32 ref: 0000000140048D06
GetCurrentProcessId.KERNEL32 ref: 0000000140048D0C
GetActiveWindow.USER32 ref: 0000000140048D62
SendMessageW.USER32 ref: 0000000140048D7B
SendMessageW.USER32 ref: 0000000140048D9A

Strings

, xrefs: 0000000140048D81

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageProcessSendWindow$ActiveCurrentFocusParentThread
String ID:
API String ID: 4099184364-3916222277
Opcode ID: 32754556bfcc017d9af4f80e209f47c3d3f8bedb9990ca6fcf97bb643ca19b47
Instruction ID: 5738b93ce73dc95e6bfa33d6d71a6e90eec0dcdbd511918f573faccda02a1983
Opcode Fuzzy Hash: 32754556bfcc017d9af4f80e209f47c3d3f8bedb9990ca6fcf97bb643ca19b47
Instruction Fuzzy Hash: 2731913260168082EBA69F67D4447DD37A1F798FC9F198435EF4A476B8CF39C8899700

Function 0000000140021D6C Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000140021DAE
GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000140021DBC
GetObjectW.GDI32 ref: 0000000140021DD4
GetDC.USER32 ref: 0000000140021DE5
GetDeviceCaps.GDI32 ref: 0000000140021E04
MulDiv.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0000000140021E16
ReleaseDC.USER32 ref: 0000000140021E24

Strings

System, xrefs: 0000000140021BBD, 0000000140021D7B, 0000000140021D9C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: a7cb4ab8bdafb1c328fb2865dafe99bb9daf91bf91d207e1fa43b954be9a26fd
Instruction ID: ffc8d42150eb162d54940990b20e8f1f2648dffbf670c937a2b156a5ce6622cf
Opcode Fuzzy Hash: a7cb4ab8bdafb1c328fb2865dafe99bb9daf91bf91d207e1fa43b954be9a26fd
Instruction Fuzzy Hash: 1E214C35304B5086EB269B62F8547DA73A1F79CF81F44412AEE8A43BA4DF3CC945DB00

Function 0000000140018830 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140018860
ActivateActCtx.KERNEL32 ref: 0000000140018885
LoadLibraryW.KERNEL32 ref: 00000001400188A0
GetLastError.KERNEL32 ref: 00000001400188BB
DeactivateActCtx.KERNEL32 ref: 00000001400188CE
SetLastError.KERNEL32 ref: 00000001400188DA

Strings

hhctrl.ocx, xrefs: 000000014001883B
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140018859

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugLibraryLoadOutputString
String ID: IsolationAware function called after IsolationAwareCleanup$hhctrl.ocx
API String ID: 154522064-68518318
Opcode ID: dfc1f0c00bd403ad4bb666a48e919eebde76d1851258af0233d8cdc53343499d
Instruction ID: 68c6a7e292d7d51960ebe2f4a51b5408fc2d0af26d18cb2128b3b417b526c291
Opcode Fuzzy Hash: dfc1f0c00bd403ad4bb666a48e919eebde76d1851258af0233d8cdc53343499d
Instruction Fuzzy Hash: 16214F36704B0082F7629B67E8443A963E0BB8CFD0F954128DF0A873B4DF79C9459750

Function 0000000140034680 Relevance: 13.7, APIs: 9, Instructions: 218windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400346AB
GetParent.USER32 ref: 00000001400346F2
SendMessageW.USER32 ref: 0000000140034712
GetParent.USER32 ref: 00000001400347BB
GetParent.USER32 ref: 0000000140034871
PostMessageW.USER32 ref: 0000000140034895
GetParent.USER32 ref: 0000000140034907
InvalidateRect.USER32 ref: 0000000140034996
UpdateWindow.USER32 ref: 00000001400349A7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$Message$InvalidatePostRectSendUpdateWindow
String ID:
API String ID: 896913059-0
Opcode ID: d81c2f3a2c281bdbea1505b248008ad98a650b3f57fcba3137376978bd378e6b
Instruction ID: fb17c6a6394d62b61da30080468363ad6ff1762882fb9c66e57d9a3a522fc061
Opcode Fuzzy Hash: d81c2f3a2c281bdbea1505b248008ad98a650b3f57fcba3137376978bd378e6b
Instruction Fuzzy Hash: 67915B31702A8082EF5BDB63D5557EA23A1BB8DFC4F094125AF0A4B7B6EF38D4558300

Function 000000014002B380 Relevance: 13.7, APIs: 9, Instructions: 194windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 000000014002B3CA
ScreenToClient.USER32 ref: 000000014002B437
UpdateWindow.USER32 ref: 000000014002B4A9
UpdateWindow.USER32 ref: 000000014002B4F6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: UpdateWindow$BeepClientMessageScreen
String ID:
API String ID: 1712693409-0
Opcode ID: 52e0f13dea3d8be3e6e709d866ec3a1ea3aad7c43462207f50804052ba7f0171
Instruction ID: 57bb3dc4f24b502c7fa9c0228cb76be4df910d7fdfe9009463ef6ae117fff59f
Opcode Fuzzy Hash: 52e0f13dea3d8be3e6e709d866ec3a1ea3aad7c43462207f50804052ba7f0171
Instruction Fuzzy Hash: C3813936601A5086EB269F62D8543EC33A0F789BD4F14412AEF1A1B7B9DF38C885C700

Function 00000001400283E4 Relevance: 13.7, APIs: 9, Instructions: 185windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140028458
EnableMenuItem.USER32 ref: 0000000140028477
CheckMenuItem.USER32 ref: 00000001400284AE
EnableMenuItem.USER32 ref: 00000001400284CA
EnableMenuItem.USER32 ref: 00000001400284EF
EnableMenuItem.USER32 ref: 0000000140028501
EnableMenuItem.USER32 ref: 0000000140028513
EnableMenuItem.USER32 ref: 0000000140028571
CheckMenuItem.USER32 ref: 000000014002858E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: f4678b564ee8ba8bd04d64032a2e4349f234f455282b0029d621cda8330aee02
Instruction ID: ff2bd3c4ba59164359e8a08657b3564589f90c8b6a83ec5560c80217417904ec
Opcode Fuzzy Hash: f4678b564ee8ba8bd04d64032a2e4349f234f455282b0029d621cda8330aee02
Instruction Fuzzy Hash: B5817D76301A8086EB6A9B27D4543E963A0F78DFD4F548529AF6947BF4CF38C891C700

Function 0000000140048FBC Relevance: 13.7, APIs: 9, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001CC14: GetFocus.USER32 ref: 000000014001CC21
Part of subcall function 000000014001CC14: GetParent.USER32 ref: 000000014001CC48
Part of subcall function 000000014001CC14: GetWindowLongW.USER32 ref: 000000014001CC74
Part of subcall function 000000014001CC14: GetParent.USER32 ref: 000000014001CC83
Part of subcall function 000000014001CC14: GetDesktopWindow.USER32 ref: 000000014001CC8C
Part of subcall function 000000014001CC14: SendMessageW.USER32 ref: 000000014001CCA5

GetMenu.USER32 ref: 0000000140049058
GetMenuItemCount.USER32 ref: 0000000140049096
GetSubMenu.USER32 ref: 00000001400490AC
GetMenuItemCount.USER32 ref: 00000001400490D2
GetMenuItemID.USER32 ref: 00000001400490EC
GetSubMenu.USER32 ref: 0000000140049109
GetMenuItemID.USER32 ref: 000000014004912A
GetMenuItemCount.USER32 ref: 000000014004914D
GetMenuItemID.USER32 ref: 0000000140049189

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
String ID:
API String ID: 4186786570-0
Opcode ID: 7882077abd9c35479f88442cd39f3ad079a2dec953ac48be03e87625bb61796b
Instruction ID: 2ea12206cec24aae6d09421ab36923637d4e5ea043747ee40f9bb97d7388d5d5
Opcode Fuzzy Hash: 7882077abd9c35479f88442cd39f3ad079a2dec953ac48be03e87625bb61796b
Instruction Fuzzy Hash: D47147327016518AFB56CB63D9887ED23A1E788BC4F158535EF0A57BB9CF35D8828704

Function 000000014000A780 Relevance: 13.7, APIs: 9, Instructions: 163windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 000000014000A7D8
GetSubMenu.USER32 ref: 000000014000A803
GetMenuState.USER32 ref: 000000014000A81A
GetSubMenu.USER32 ref: 000000014000A871
GetMenuStringW.USER32 ref: 000000014000A896
AppendMenuW.USER32 ref: 000000014000A917
GetMenuItemCount.USER32 ref: 000000014000A956
GetMenuItemID.USER32 ref: 000000014000A97E
InsertMenuW.USER32 ref: 000000014000A99F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$Item$Count$AppendInsertStateString
String ID:
API String ID: 420201382-0
Opcode ID: 1b3e3a0cdcadff0fde472844afc9461bea9c250156deba05be31f87bd5146ab4
Instruction ID: 07b524175d0e47ccb62542f4dd80bc9fcc01105d93b410dc311f1058a65ab4c8
Opcode Fuzzy Hash: 1b3e3a0cdcadff0fde472844afc9461bea9c250156deba05be31f87bd5146ab4
Instruction Fuzzy Hash: D36182B2314A8086E761CF16F84479AB7A1F789BD8F104115EB9A43BB9DF7CC485CB00

Function 000000014004BDCC Relevance: 13.6, APIs: 9, Instructions: 148timeCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32 ref: 000000014004BE61
GetFileSizeEx.KERNEL32 ref: 000000014004BE7A
GetFileAttributesW.KERNEL32 ref: 000000014004BEBC

Part of subcall function 000000014004BA40: GetModuleHandleW.KERNEL32 ref: 000000014004BA72
Part of subcall function 000000014004BA40: GetProcAddress.KERNEL32 ref: 000000014004BA87

FileTimeToLocalFileTime.KERNEL32 ref: 000000014004BED3
FileTimeToSystemTime.KERNEL32 ref: 000000014004BEE5
FileTimeToLocalFileTime.KERNEL32 ref: 000000014004BF13
FileTimeToSystemTime.KERNEL32 ref: 000000014004BF25
FileTimeToLocalFileTime.KERNEL32 ref: 000000014004BF55
FileTimeToSystemTime.KERNEL32 ref: 000000014004BF67

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Time$File$LocalSystem$AddressAttributesHandleModuleProcSize
String ID:
API String ID: 461657242-0
Opcode ID: 7f58b7905361dd1749fa7c5307b6a90165a0c21654c4f34fbfc5b81255859d22
Instruction ID: 63cc23aff1864684384df15f248eae469e838254c948b87228ac7983f80b6de3
Opcode Fuzzy Hash: 7f58b7905361dd1749fa7c5307b6a90165a0c21654c4f34fbfc5b81255859d22
Instruction Fuzzy Hash: 25614932310A0596EB229FA6D8903ED23B4E74CB98F414636EB1D87AE9EF30C559C744

Function 00000001400127D4 Relevance: 13.6, APIs: 9, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140012865
SendMessageW.USER32 ref: 0000000140012899
ValidateRect.USER32 ref: 00000001400128AD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$RectValidate
String ID:
API String ID: 1630184311-0
Opcode ID: 58ec4b83beed52533a92a5f1b8696df5b2aaf050571c63b8a871302bf71dd8b8
Instruction ID: cd2ccba8a3f13dee83d339e9909350fe3cb8d33a0587581031ace9bba9f53c59
Opcode Fuzzy Hash: 58ec4b83beed52533a92a5f1b8696df5b2aaf050571c63b8a871302bf71dd8b8
Instruction Fuzzy Hash: 2A514732710A408AFB16DB66D4547EC23A1E78DBD8F004116EF0A5BBA9DF79C596C740

Function 000000014000A9F8 Relevance: 13.6, APIs: 9, Instructions: 104windowCOMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.LIBVCRUNTIME ref: 000000014000AA53
GetMenuItemCount.USER32 ref: 000000014000AA84
GetMenuItemCount.USER32 ref: 000000014000AA90
GetSubMenu.USER32 ref: 000000014000AAA2
GetMenuItemCount.USER32 ref: 000000014000AAB8
GetSubMenu.USER32 ref: 000000014000AACB
RemoveMenu.USER32 ref: 000000014000AAE9
GetSubMenu.USER32 ref: 000000014000AB00
RemoveMenu.USER32 ref: 000000014000AB1F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$CountItem$Remove$ExceptionThrow
String ID:
API String ID: 1900339754-0
Opcode ID: 14e7c1fb1fbd0aa3fa1d8e1599c10989464f9093c5638579436bb2c4ef267ef3
Instruction ID: 9b4cb03fe4b6d04a3a01d3c3b66d39eb5600a7c3ba596eda1d713598ee00db32
Opcode Fuzzy Hash: 14e7c1fb1fbd0aa3fa1d8e1599c10989464f9093c5638579436bb2c4ef267ef3
Instruction Fuzzy Hash: 1731A37230474086EA26CF57B5403AA62E2B78EBD0F644525EF5A477F5DFBCC5868700

Function 0000000140044830 Relevance: 13.6, APIs: 9, Instructions: 73windowkeyboardCOMMON

Download Yara Rule

APIs

GetPropW.USER32 ref: 000000014004486A
GlobalLock.KERNEL32 ref: 0000000140044876
SendMessageW.USER32 ref: 0000000140044895
GlobalUnlock.KERNEL32 ref: 00000001400448A3
RemovePropW.USER32 ref: 00000001400448B4
GlobalFree.KERNEL32 ref: 00000001400448C2
GlobalUnlock.KERNEL32 ref: 00000001400448DC
GetAsyncKeyState.USER32 ref: 00000001400448F0
SendMessageW.USER32 ref: 000000014004491E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
String ID:
API String ID: 723318029-0
Opcode ID: 54248fa24df3ceb81e5064020faff77e87e6ffd4ab5ceb8427f0513db7347d48
Instruction ID: 65d3dcf9f5270cc408c75f4a3697035c9de06016d531d18f81018f939312bda9
Opcode Fuzzy Hash: 54248fa24df3ceb81e5064020faff77e87e6ffd4ab5ceb8427f0513db7347d48
Instruction Fuzzy Hash: 26311635604A4082FB569F63E8543AD23A0FB8DFD9F095529EB6A477F8DE38C8819704

Function 0000000140044570 Relevance: 13.6, APIs: 9, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 000000014004459E
GetWindowLongW.USER32 ref: 00000001400445B4
IsWindowEnabled.USER32 ref: 00000001400445C3
GetDlgItem.USER32 ref: 00000001400445DF
GetWindowLongW.USER32 ref: 00000001400445F0
IsWindowEnabled.USER32 ref: 00000001400445FF
GetFocus.USER32 ref: 0000000140044639
IsWindowEnabled.USER32 ref: 0000000140044642
SetFocus.USER32 ref: 000000014004464F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: cebdddc7dda55812a818a9428b0ed6ec7d4f85fdfd9b91a8756af78f76964975
Instruction ID: 0eb1faacb7dddb5a920b095cbf51591db4976c6ca7378633de4a1c348aa7a989
Opcode Fuzzy Hash: cebdddc7dda55812a818a9428b0ed6ec7d4f85fdfd9b91a8756af78f76964975
Instruction Fuzzy Hash: 9F218132200A4086FB029F57A8483A963A0FB8EFD9F1A0534EF1A47779DF39C4869704

Function 0000000140005F78 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 334memoryCOMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 0000000140006103
wcsstr.LIBVCRUNTIME ref: 000000014000624C
SysAllocString.OLEAUT32 ref: 00000001400062C6
SysAllocString.OLEAUT32 ref: 0000000140006344
SysFreeString.OLEAUT32 ref: 0000000140006394

Strings

%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 0000000140006192
RestartByRestartManager, xrefs: 00000001400061E4, 00000001400061F3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: String$Alloc$CreateFreeGuidwcsstr
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
API String ID: 2411738410-5890034
Opcode ID: bdd4c6fcc269e93580f314af974d1095eadd7878182d5591301fadf1362a2032
Instruction ID: c0bb03022d14978d05b1fc4fdd584838fb96296ff199275d77dbeecc1faeead5
Opcode Fuzzy Hash: bdd4c6fcc269e93580f314af974d1095eadd7878182d5591301fadf1362a2032
Instruction Fuzzy Hash: B7E1BCB2700A4186EB16DF36E4503ED73A1FB89BE8F444626AF1A57BA5EF38C544C740

Function 0000000140013E7C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 192libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140013EDE

Part of subcall function 0000000140184830: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184840
Part of subcall function 0000000140184830: LeaveCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184880

GetProcAddress.KERNEL32 ref: 0000000140013F35
GetProcAddress.KERNEL32 ref: 0000000140013F7D
ScreenToClient.USER32 ref: 0000000140014028

Part of subcall function 0000000140184890: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F0E,?,?,?,?,0000000140059411), ref: 00000001401848A0

Strings

CloseGestureInfoHandle, xrefs: 0000000140013F76
user32.dll, xrefs: 0000000140013ED7
GetGestureInfo, xrefs: 0000000140013F2E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$ClientHandleLeaveModuleScreen
String ID: CloseGestureInfoHandle$GetGestureInfo$user32.dll
API String ID: 2494424956-2905070798
Opcode ID: 4a2479120af25bde2ee890896ab6d5baa5d4d19315662959e7b1593070ae1f68
Instruction ID: e039d1c8918a140cecf7e1891462fb14e075fd2c41b81f820ebc4542c8bbb11c
Opcode Fuzzy Hash: 4a2479120af25bde2ee890896ab6d5baa5d4d19315662959e7b1593070ae1f68
Instruction Fuzzy Hash: 77911336201A5096EB52DF37E8547E827A5F788FD4F044226EB1A4B7B9DF3AC485C740

Function 00000001400036A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Concurrency::details::_CurrentScheduler::_Get.LIBCMTD ref: 00000001400036DE

Part of subcall function 0000000140018AE0: GetDlgItem.USER32 ref: 0000000140018AF7

Part of subcall function 000000014001326C: GetWindowTextLengthW.USER32 ref: 0000000140013298
Part of subcall function 000000014001326C: GetWindowTextW.USER32 ref: 00000001400132B5

strrchr.LIBCMTD ref: 0000000140003731
UnDecorator::getVbTableType.LIBCMTD ref: 0000000140003780
UnDecorator::getVbTableType.LIBCMTD ref: 00000001400037A7

Part of subcall function 0000000140003F90: SendMessageW.USER32 ref: 0000000140003FBE

Part of subcall function 0000000140003F60: SendMessageW.USER32 ref: 0000000140003F7D

strrchr.LIBCMTD ref: 0000000140003833

Strings

No Item Found !!!, xrefs: 000000014000390C
No Number Entered !!!, xrefs: 0000000140003962

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Decorator::getMessageSendTableTextTypeWindowstrrchr$Concurrency::details::_CurrentItemLengthScheduler::_
String ID: No Item Found !!!$No Number Entered !!!
API String ID: 1818702269-3076552327
Opcode ID: f0476bc2a111bc597d83d057619c59525a3609f9d627e4b3a8ce9fafd30820f6
Instruction ID: f2be30cac0959961caed96ce82dc88f4066d3f105753f6e70f6058dd14d22cbd
Opcode Fuzzy Hash: f0476bc2a111bc597d83d057619c59525a3609f9d627e4b3a8ce9fafd30820f6
Instruction Fuzzy Hash: 94717C7161968182EA62EB16F4917DEA360F7C97C0F404522BB9E4BBFADE7CC541CB00

Function 0000000140049220 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145keyboardwindowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 00000001400492C1
UpdateWindow.USER32 ref: 00000001400492DC
GetKeyState.USER32 ref: 00000001400492FC
GetKeyState.USER32 ref: 000000014004930F
GetParent.USER32 ref: 00000001400493DB
PostMessageW.USER32 ref: 00000001400493FD

Strings

@, xrefs: 00000001400493C2

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageState$ParentPostSendUpdateWindow
String ID: @
API String ID: 3941036086-2766056989
Opcode ID: 6557c24f6f4f8bb6c6fc6cd80c2e4654b878af3727fb390e87daca2ee2c63e57
Instruction ID: 51e5199c360354b4ba0d4b0970d3d272f5961411e3da46529ea0aa21ef020c00
Opcode Fuzzy Hash: 6557c24f6f4f8bb6c6fc6cd80c2e4654b878af3727fb390e87daca2ee2c63e57
Instruction Fuzzy Hash: AA517A32600A8186EB66CF62D4847E937A0F789FC9F1A4435EF491B7A9CF79C9818704

Function 0000000140006870 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143registrylibraryCOMMON

Download Yara Rule

APIs

_snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 00000001400068CD
LoadLibraryExW.KERNEL32 ref: 000000014000691F
LoadLibraryExW.KERNEL32 ref: 0000000140006935
RegOpenKeyExW.ADVAPI32 ref: 00000001400069E3
RegQueryValueExW.ADVAPI32 ref: 0000000140006A13
RegCloseKey.ADVAPI32 ref: 0000000140006A5B

Strings

LOC, xrefs: 00000001400068B1

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: LibraryLoad$CloseOpenQueryValue_snwprintf_s
String ID: LOC
API String ID: 922863214-519433814
Opcode ID: ddb2c73c1a3b5969f3117425766e31e7d45662d0c1e9c23f8be0b2d8b5304456
Instruction ID: 91d9c16556ec19f64d2c622e0b76dada5aece89f07f0d0268e1ee42fcca9402d
Opcode Fuzzy Hash: ddb2c73c1a3b5969f3117425766e31e7d45662d0c1e9c23f8be0b2d8b5304456
Instruction Fuzzy Hash: E2517C73214644CBFB66DF22E8443D933A5F788B99F554126FB0D57AA5DB38C984CB00

Function 000000014000E2E0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32 ref: 000000014000E31A

Part of subcall function 000000014001CD8C: GetWindowTextW.USER32 ref: 000000014001CDFA
Part of subcall function 000000014001CD8C: lstrcmpW.KERNEL32 ref: 000000014001CE0C
Part of subcall function 000000014001CD8C: SetWindowTextW.USER32 ref: 000000014001CE1C

SendMessageW.USER32 ref: 000000014000E33A
SendMessageW.USER32 ref: 000000014000E35A
SetMenuItemBitmaps.USER32 ref: 000000014000E3DD
SetMenuItemInfoW.USER32 ref: 000000014000E437

Strings

@, xrefs: 000000014000E425
P, xrefs: 000000014000E41B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: @$P
API String ID: 72408025-358147200
Opcode ID: 40e51f29f2322ab3f79e0a67a99ffe9db5e9a7943654d54a12bbd3891330a565
Instruction ID: d6678318f8af44d109eac817d352ce7437ff2a353a9b00ec548111d4b8abee42
Opcode Fuzzy Hash: 40e51f29f2322ab3f79e0a67a99ffe9db5e9a7943654d54a12bbd3891330a565
Instruction Fuzzy Hash: 2641B3B230058486EB66DF67E4497AD23A0FB88FC8F248415EB5D4BAB5CF39C542CB40

Function 000000014000A1FC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 87COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014000A249
ActivateActCtx.KERNEL32 ref: 000000014000A26E
GetLastError.KERNEL32 ref: 000000014000A2EC
DeactivateActCtx.KERNEL32 ref: 000000014000A2FF
SetLastError.KERNEL32 ref: 000000014000A30B

Strings

ImageList_LoadImageW, xrefs: 000000014000A28E
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000A242

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_LoadImageW$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-2081196033
Opcode ID: 4ab41b2f6314588e46642e273ccc7d4afe1893fde05cd2d0aa727666b51b0981
Instruction ID: b869e1aec7dc1e2bbc6a7a55e48e2b630c5f12f993b3d59f57e2a62b36ee3866
Opcode Fuzzy Hash: 4ab41b2f6314588e46642e273ccc7d4afe1893fde05cd2d0aa727666b51b0981
Instruction Fuzzy Hash: 28315772200B5186EB62DB67A84479A72E5F78DBD0F594029EF49837B4EF79C8818B00

Function 000000014004A924 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014004A970
ActivateActCtx.KERNEL32 ref: 000000014004A995
GetLastError.KERNEL32 ref: 000000014004AA02
DeactivateActCtx.KERNEL32 ref: 000000014004AA15
SetLastError.KERNEL32 ref: 000000014004AA21

Strings

ImageList_Draw, xrefs: 000000014004A9B2
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014004A969

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_Draw$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3594377472
Opcode ID: 690d1729d3ce6132a685a07d77f19de6038ba37aab10dfd23f362e52d6174036
Instruction ID: 42218fcd05a30c02cea6c418146d3768c2b0ff4cd73ef4bd36a7ea5af5ac2a07
Opcode Fuzzy Hash: 690d1729d3ce6132a685a07d77f19de6038ba37aab10dfd23f362e52d6174036
Instruction Fuzzy Hash: AB315032614B5186EB52CF67A84479A77E4B78DBD0F0A412AEF4A837B4DF78C841C704

Function 0000000140018524 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 83COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140018566
ActivateActCtx.KERNEL32 ref: 000000014001858B
CreateWindowExW.USER32 ref: 0000000140018612
GetLastError.KERNEL32 ref: 000000014001862C
DeactivateActCtx.KERNEL32 ref: 000000014001863F
SetLastError.KERNEL32 ref: 000000014001864B

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014001855F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateCreateDeactivateDebugOutputStringWindow
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 2940716307-2690750368
Opcode ID: c251c9b4ec2535762223dd0d590fc0e6744ad11643e33de47a53f716f3c61c5e
Instruction ID: 450d9d5d9b9684732c5d77fef177bba169d37840e5256f250b935e6eddaf950b
Opcode Fuzzy Hash: c251c9b4ec2535762223dd0d590fc0e6744ad11643e33de47a53f716f3c61c5e
Instruction Fuzzy Hash: 1D310A76204B8086E7A18B56E88479A77E5F78CBD0F154129EF8D83B74DF79C945CB00

Function 000000014003C0E0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014003C111
OffsetRect.USER32 ref: 000000014003C131
SendMessageW.USER32 ref: 000000014003C145
IsWindowVisible.USER32 ref: 000000014003C14F
SendMessageW.USER32 ref: 000000014003C205
RedrawWindow.USER32 ref: 000000014003C21A

Strings

S, xrefs: 000000014003C1AD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID: S
API String ID: 2707749077-543223747
Opcode ID: 6a3d5dde7db02d41134ae34e8987b5d4db6c53a5bedc9affd6e1c5abfcad83af
Instruction ID: 4d698a902e252f43a8a6a30ea2bae11fd380760f3dc29b583ca3e891abb4e53d
Opcode Fuzzy Hash: 6a3d5dde7db02d41134ae34e8987b5d4db6c53a5bedc9affd6e1c5abfcad83af
Instruction Fuzzy Hash: 02315B3362468087E761CF26E854B9A7BB0F7C9B88F504225EF4947A68DF7AC541CF00

Function 000000014003E9D4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,00000000), ref: 000000014003EA22
ActivateActCtx.KERNEL32(?,00000000), ref: 000000014003EA47
GetLastError.KERNEL32(?,00000000), ref: 000000014003EAA2
DeactivateActCtx.KERNEL32(?,00000000), ref: 000000014003EAB5
SetLastError.KERNEL32(?,00000000), ref: 000000014003EAC1

Strings

GetFileTitleW, xrefs: 000000014003EA66
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014003EA1B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: GetFileTitleW$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-2870843118
Opcode ID: a7f536a50af86a5db8263ffe8d91a623aa943f90ee22b9d8a73af46d56534e79
Instruction ID: 0e58bbe5ee62d7eb0dd1a1c2bfd95288a1ec575667751e49d4163c7829ac5f1d
Opcode Fuzzy Hash: a7f536a50af86a5db8263ffe8d91a623aa943f90ee22b9d8a73af46d56534e79
Instruction Fuzzy Hash: A8317136700A6082FA639B67A8447AB67E0B74CBD5F190225AF4A473F0DF78D445C705

Function 0000000140009744 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014000A14B
ActivateActCtx.KERNEL32 ref: 000000014000A170

Strings

ImageList_Destroy, xrefs: 000000014000A18D
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000A144

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ActivateDebugOutputString
String ID: ImageList_Destroy$IsolationAware function called after IsolationAwareCleanup
API String ID: 396653078-542355955
Opcode ID: 0b38bfaa626306fbb24936dc753ae7fb70a3eac5c993add556e00d46c764d88d
Instruction ID: 6e94da0c5bc397388f8cecb1574821e0580290d156e0ec34bdfa1661dd317068
Opcode Fuzzy Hash: 0b38bfaa626306fbb24936dc753ae7fb70a3eac5c993add556e00d46c764d88d
Instruction Fuzzy Hash: 72317E72605B1186FB52DF67A8403EA63E4AB8DBD0F590029EF09873B4DFBCC9818740

Function 0000000140044BA0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140044BDC
ActivateActCtx.KERNEL32 ref: 0000000140044C01
GetLastError.KERNEL32 ref: 0000000140044C78
DeactivateActCtx.KERNEL32 ref: 0000000140044C8B
SetLastError.KERNEL32 ref: 0000000140044C97

Strings

CreatePropertySheetPageW, xrefs: 0000000140044C21
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140044BD5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: CreatePropertySheetPageW$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-1381109510
Opcode ID: a54ce8a875907f8a9c4336e47974459e1e993bb4b57cbe3db6d02f04dbbe57ba
Instruction ID: d0de8d78ebbc3d9f3b2be2aeeb3e1d18eafed35d0b04c1230da8dea32663fe69
Opcode Fuzzy Hash: a54ce8a875907f8a9c4336e47974459e1e993bb4b57cbe3db6d02f04dbbe57ba
Instruction Fuzzy Hash: F5313032201B5086E7968F57E9843A963E4F78CB84F0A4139DF4E837B4EF79D8558748

Function 000000014004AA48 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,00000000,-00000001,00000000,0000000140047FC3), ref: 000000014004AA8D
ActivateActCtx.KERNEL32(?,?,00000000,-00000001,00000000,0000000140047FC3), ref: 000000014004AAB2
GetLastError.KERNEL32(?,?,00000000,-00000001,00000000,0000000140047FC3), ref: 000000014004AB06
DeactivateActCtx.KERNEL32(?,?,00000000,-00000001,00000000,0000000140047FC3), ref: 000000014004AB19
SetLastError.KERNEL32(?,?,00000000,-00000001,00000000,0000000140047FC3), ref: 000000014004AB25

Strings

ImageList_GetImageInfo, xrefs: 000000014004AACF
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014004AA86

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_GetImageInfo$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-976529777
Opcode ID: 2434b71e4eb19dfbb0472030449abf76b15767fc8790d4a7d4147b939306d2cc
Instruction ID: 35be08c77271f33d83af97fd7df266088849c31fd8f6d0d8898a155138488587
Opcode Fuzzy Hash: 2434b71e4eb19dfbb0472030449abf76b15767fc8790d4a7d4147b939306d2cc
Instruction Fuzzy Hash: 07316232300B1186FB529F67A8943AA62E5BB9CFD0F4A4435AF0A873B4DF78C845C744

Function 0000000140045C88 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140045CCF
ActivateActCtx.KERNEL32 ref: 0000000140045CF4
GetLastError.KERNEL32 ref: 0000000140045D4A
DeactivateActCtx.KERNEL32 ref: 0000000140045D5D
SetLastError.KERNEL32 ref: 0000000140045D69

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140045CC8
ImageList_AddMasked, xrefs: 0000000140045D12

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_AddMasked$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-4170123302
Opcode ID: 7c7b5e644dd3fac42aee3d058f15ed9b6fc8255cdf71845da76b996943625aea
Instruction ID: 3b43edf10dde9a8c12582e04209687ab1d415670192af53781fb0fb786f8c505
Opcode Fuzzy Hash: 7c7b5e644dd3fac42aee3d058f15ed9b6fc8255cdf71845da76b996943625aea
Instruction Fuzzy Hash: 89314436610B1182EB62AF67A85439962E0BB4CFE1F094125AF1A873F5DF74C445C744

Function 0000000140045D8C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140045DD2
ActivateActCtx.KERNEL32 ref: 0000000140045DF7
GetLastError.KERNEL32 ref: 0000000140045E4E
DeactivateActCtx.KERNEL32 ref: 0000000140045E61
SetLastError.KERNEL32 ref: 0000000140045E6D

Strings

ImageList_GetIcon, xrefs: 0000000140045E14
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140045DCB

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_GetIcon$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-494412531
Opcode ID: 191b2379baa95848ace632ed2c74472292d73b6e14dab1504ce26ab3771c655b
Instruction ID: a279caebadd92258c1942a6272402e61893443ba5d89c961d355d1074aec8ac2
Opcode Fuzzy Hash: 191b2379baa95848ace632ed2c74472292d73b6e14dab1504ce26ab3771c655b
Instruction Fuzzy Hash: C2318032301B1182FB56AB63A84439962E4BB8CFD1F0A4439EF4A877B5DF78C941C748

Function 000000014001BD8C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 74libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014001D0D2), ref: 000000014001BDC5
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014001D0D2), ref: 000000014001BDDA
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014001D0D2), ref: 000000014001BDE6
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014001D0D2), ref: 000000014001BDF5
CompareStringW.KERNEL32(?,?,?,?,?,?,?,?,00000000,000000014001D0D2), ref: 000000014001BE85

Strings

kernel32.dll, xrefs: 000000014001BDBE
CompareStringEx, xrefs: 000000014001BDD0

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressCompareDecodeEncodeHandleModuleProcString
String ID: CompareStringEx$kernel32.dll
API String ID: 866791306-948622644
Opcode ID: 625fc6722a5d73b3610f640893fe2680086a21593c8ddc40bb156d75ebcd989d
Instruction ID: 43b836cf9cf7b2136fa901b55a961eaf09614599cec4f0c5f6b995adcc583120
Opcode Fuzzy Hash: 625fc6722a5d73b3610f640893fe2680086a21593c8ddc40bb156d75ebcd989d
Instruction Fuzzy Hash: 41314735605B8086EA228F53B444799B7E0F78CBD4F484129EF8E47B38EF39C4468B00

Function 0000000140013860 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140013894
FindResourceW.KERNEL32(?,?,?,0000000140008BC3,?,?,?,0000000140003293), ref: 00000001400138C8
SizeofResource.KERNEL32(?,?,?,0000000140008BC3,?,?,?,0000000140003293), ref: 00000001400138DC
LoadResource.KERNEL32(?,?,?,0000000140008BC3,?,?,?,0000000140003293), ref: 00000001400138EB
LockResource.KERNEL32(?,?,?,0000000140008BC3,?,?,?,0000000140003293), ref: 00000001400138FC
FreeResource.KERNEL32(?,?,?,0000000140008BC3,?,?,?,0000000140003293), ref: 0000000140013922

Strings

AFX_DIALOG_LAYOUT, xrefs: 00000001400138B7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 4180966417-2436846380
Opcode ID: 4b05fe91319f434fe1553671ca6796625ed79db80187fe3f46deeec257e789b5
Instruction ID: 53e098cc44319093479cf74280a1fbb8a0ea75d7988cda93eea5b6ea5c2e5cab
Opcode Fuzzy Hash: 4b05fe91319f434fe1553671ca6796625ed79db80187fe3f46deeec257e789b5
Instruction Fuzzy Hash: 3F21C375706B8051FE57DB6368143AAA6A0BB4DFD0F484424AF8A5FB74DF79C4428700

Function 0000000140018744 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014001877F
ActivateActCtx.KERNEL32 ref: 00000001400187A4
GetLastError.KERNEL32 ref: 00000001400187F2
DeactivateActCtx.KERNEL32 ref: 0000000140018805
SetLastError.KERNEL32 ref: 0000000140018811

Strings

InitCommonControlsEx, xrefs: 00000001400187C1
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140018778

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: InitCommonControlsEx$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-604687545
Opcode ID: 92aa785d56a7bb7703c00fb0dc61f976ac6b9f490d482be57c410044d7dca5cf
Instruction ID: 0d5c29647c6f447135eac630fac8b1fd76b477d5ba67e6037e8772accc1388b8
Opcode Fuzzy Hash: 92aa785d56a7bb7703c00fb0dc61f976ac6b9f490d482be57c410044d7dca5cf
Instruction Fuzzy Hash: D0216532604B1186FB629F67E84439963E4BB8CBD0F594129DF09873F4DF79C9418744

Function 0000000140044CB8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,0000000140042F92), ref: 0000000140044CF3
ActivateActCtx.KERNEL32(?,?,?,?,?,0000000140042F92), ref: 0000000140044D18
GetLastError.KERNEL32(?,?,?,?,?,0000000140042F92), ref: 0000000140044D66
DeactivateActCtx.KERNEL32(?,?,?,?,?,0000000140042F92), ref: 0000000140044D79
SetLastError.KERNEL32(?,?,?,?,?,0000000140042F92), ref: 0000000140044D85

Strings

DestroyPropertySheetPage, xrefs: 0000000140044D35
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140044CEC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: DestroyPropertySheetPage$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3999949316
Opcode ID: 45517c2cb14dfeba0741afa9a2994c2121eb7f2abd22b52b0b02624fc4dac4d8
Instruction ID: 358b337382978cbfff535e5263f19cf69a040b444d38da7aea5495b65decca7c
Opcode Fuzzy Hash: 45517c2cb14dfeba0741afa9a2994c2121eb7f2abd22b52b0b02624fc4dac4d8
Instruction Fuzzy Hash: F1213232600B1182FB569F67E84039A63E4BB8CBD4F0A0535EF5A877B4EF78C8418744

Function 0000000140044DA4 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140044DE3
ActivateActCtx.KERNEL32 ref: 0000000140044E08
GetLastError.KERNEL32 ref: 0000000140044E5C
DeactivateActCtx.KERNEL32 ref: 0000000140044E6F
SetLastError.KERNEL32 ref: 0000000140044E7B

Strings

PropertySheetW, xrefs: 0000000140044E27
IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140044DDC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: IsolationAware function called after IsolationAwareCleanup$PropertySheetW
API String ID: 2188249819-107078933
Opcode ID: 5e4173b0aeca51800a11dcecbb44b94a967c50b5976dbb5870b212d10f0193c4
Instruction ID: 396bf67094f8de8362441bf153716d5ba30fd96ab74ef5d574a00189d23e187f
Opcode Fuzzy Hash: 5e4173b0aeca51800a11dcecbb44b94a967c50b5976dbb5870b212d10f0193c4
Instruction Fuzzy Hash: 82215E32601B5082FB529B67A84039963E4B74CBF4F5A07259F7A437F4DF78C8458744

Function 0000000140008EB4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140008EF6
ActivateActCtx.KERNEL32 ref: 0000000140008F1B
CreateDialogIndirectParamW.USER32 ref: 0000000140008F49
GetLastError.KERNEL32 ref: 0000000140008F63
DeactivateActCtx.KERNEL32 ref: 0000000140008F76
SetLastError.KERNEL32 ref: 0000000140008F82

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140008EEF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateCreateDeactivateDebugDialogIndirectOutputParamString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 475891805-2690750368
Opcode ID: ac2da6e018c90fe576a936fa26e446c17fd6a9f6c9f19c13246962e42c259379
Instruction ID: 56c09ac2dba31d57dca20baf15595c6ed87d364ccd12a2e6515d2c880a684ef5
Opcode Fuzzy Hash: ac2da6e018c90fe576a936fa26e446c17fd6a9f6c9f19c13246962e42c259379
Instruction Fuzzy Hash: 7D211B72711B4186E751DBA3A8843A963E5B79CFD0F444129EF8A837B4DF78C5458740

Function 000000014001BEA8 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 67libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001BEE0
GetProcAddress.KERNEL32 ref: 000000014001BEF9
EncodePointer.KERNEL32 ref: 000000014001BF05
DecodePointer.KERNEL32 ref: 000000014001BF14
DrawThemeText.UXTHEME ref: 000000014001BFB0

Strings

DrawThemeTextEx, xrefs: 000000014001BEEF
uxtheme.dll, xrefs: 000000014001BED9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeDrawEncodeHandleModuleProcTextTheme
String ID: DrawThemeTextEx$uxtheme.dll
API String ID: 1727381832-3035683158
Opcode ID: 8d11f2716dbc52d3a92a267de7b043f4afb15496c7592857bd0b93dfc794519e
Instruction ID: 4559e49d44ba63537edb874d1621073f7a5d334d48fb61adc92a0d0c965ebf92
Opcode Fuzzy Hash: 8d11f2716dbc52d3a92a267de7b043f4afb15496c7592857bd0b93dfc794519e
Instruction Fuzzy Hash: 5B31F636615B808ADA61DF16F84479AB7E0F78CF94F444129EF8D87B28EF39C0458B00

Function 0000000140018670 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00000001400186AA
ActivateActCtx.KERNEL32 ref: 00000001400186CF
GetClassInfoExW.USER32 ref: 00000001400186F0
GetLastError.KERNEL32 ref: 0000000140018707
DeactivateActCtx.KERNEL32 ref: 000000014001871A
SetLastError.KERNEL32 ref: 0000000140018726

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00000001400186A3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateDebugInfoOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 2706167345-2690750368
Opcode ID: 1a45034a93c83deb177a5f4698f6da4011eff65cec6a82a1165fa136e6914e11
Instruction ID: a445583e072b6d78343654df9ff43a3d25c6bb32d0c36238503066b67c8b2736
Opcode Fuzzy Hash: 1a45034a93c83deb177a5f4698f6da4011eff65cec6a82a1165fa136e6914e11
Instruction Fuzzy Hash: 62215B36300B4186F7619FA7A88439A63E4BB8CFD1F154029DF4A877B4DFB9C9458700

Function 00000001400188F4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,0000000140010E7E), ref: 000000014001892C
ActivateActCtx.KERNEL32(?,?,?,?,?,0000000140010E7E), ref: 0000000140018951
RegisterClassW.USER32 ref: 000000014001896E
GetLastError.KERNEL32(?,?,?,?,?,0000000140010E7E), ref: 000000014001898A
DeactivateActCtx.KERNEL32(?,?,?,?,?,0000000140010E7E), ref: 000000014001899E
SetLastError.KERNEL32(?,?,?,?,?,0000000140010E7E), ref: 00000001400189AA

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140018925

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateDebugOutputRegisterString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 312599135-2690750368
Opcode ID: 91f559a6aa3fea94e3b7876d1cf5fe99a02e5aa60b2b650e817438ac9780fdec
Instruction ID: db2548277d32c868f7d9bb0555953f2f8f00e97d2493bd665b39d8764f4e0935
Opcode Fuzzy Hash: 91f559a6aa3fea94e3b7876d1cf5fe99a02e5aa60b2b650e817438ac9780fdec
Instruction Fuzzy Hash: 66218E36604B8082E7628F63E4403B963E0BB8CFE0F190019EF8A977B4DF79C9419700

Function 0000000140019FB8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140019FEA
ActivateActCtx.KERNEL32 ref: 000000014001A00F
UnregisterClassW.USER32 ref: 000000014001A02D
GetLastError.KERNEL32 ref: 000000014001A044
DeactivateActCtx.KERNEL32 ref: 000000014001A057
SetLastError.KERNEL32 ref: 000000014001A063

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140019FE3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateDebugOutputStringUnregister
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 3108389664-2690750368
Opcode ID: 3fdbb0de2edf4aa04267e201edd6696397a39c4f690350a5608954d8438bdc69
Instruction ID: 7cdf4c9b4420379589ab99bb033333ca5f62002a283720bb05323de8e6537b2b
Opcode Fuzzy Hash: 3fdbb0de2edf4aa04267e201edd6696397a39c4f690350a5608954d8438bdc69
Instruction Fuzzy Hash: 14216D32300B0186F7529FA7E8843AA63E0BB8DFD5F054129EB0A877B4DFB9C8458600

Function 00000001400F63B0 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003D894: EnterCriticalSection.KERNEL32 ref: 000000014003D8CC
Part of subcall function 000000014003D894: InitializeCriticalSection.KERNEL32 ref: 000000014003D8EB
Part of subcall function 000000014003D894: LeaveCriticalSection.KERNEL32 ref: 000000014003D8FF

GetProfileIntW.KERNEL32 ref: 00000001400F6419
GetProfileIntW.KERNEL32 ref: 00000001400F6439
GetProfileIntW.KERNEL32 ref: 00000001400F6459

Strings

windows, xrefs: 00000001400F6412, 00000001400F6432, 00000001400F6452
DragScrollInterval, xrefs: 00000001400F644B
DragScrollInset, xrefs: 00000001400F640B
DragScrollDelay, xrefs: 00000001400F642B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalProfileSection$EnterInitializeLeave
String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
API String ID: 827076077-1024936294
Opcode ID: 1f65d79734f64114ee72926ab13a7f966e19d90892e70f2266e619d10deeac7f
Instruction ID: 68c41375daa3200cfe305bd6d35e97fe08ae8a17347291d90b06993b4dbf9704
Opcode Fuzzy Hash: 1f65d79734f64114ee72926ab13a7f966e19d90892e70f2266e619d10deeac7f
Instruction Fuzzy Hash: 92111C70110A0596E7139FA6E8483D837E1F30DB64F500219DB19476F5DB7ED589CB80

Function 000000014004D91C Relevance: 12.3, APIs: 8, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Decorator::getExceptionTableThrowType
String ID:
API String ID: 1398701123-0
Opcode ID: 7ae69548bf74e880e14c53e6180047f2130bdc83bd18d81fddb7ab0050e4b5ed
Instruction ID: 6569c570cedeb5521fcd5edc015bda8381bd0fa40f96567f973220b622cf6242
Opcode Fuzzy Hash: 7ae69548bf74e880e14c53e6180047f2130bdc83bd18d81fddb7ab0050e4b5ed
Instruction Fuzzy Hash: D8B16D32600A5592EB56AF6AD4543ED37A1F789FC4F168523EF1A07BB8CB74C806C348

Function 000000014004E434 Relevance: 12.1, APIs: 8, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014004E476
SHGetDesktopFolder.SHELL32 ref: 000000014004E4B8
CreatePopupMenu.USER32 ref: 000000014004E54B
GetMenuDefaultItem.USER32 ref: 000000014004E594
GetParent.USER32 ref: 000000014004E5B7
GetParent.USER32 ref: 000000014004E60D
GetParent.USER32 ref: 000000014004E624
SendMessageW.USER32 ref: 000000014004E642

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup
String ID:
API String ID: 4265152492-0
Opcode ID: efe3cb4dc750ccd2202ba65ad996f31ef6490be2282baf6395b64c82b476e903
Instruction ID: 54212215f8bc54af5cb78d370c327fdcd19aec729da1c1811a9c1923123c429c
Opcode Fuzzy Hash: efe3cb4dc750ccd2202ba65ad996f31ef6490be2282baf6395b64c82b476e903
Instruction Fuzzy Hash: AB610572301A808AEB15CFA6D5547ED37A1F788B88F064125EF0D47BA8DF79D558C704

Function 0000000140015DEC Relevance: 12.1, APIs: 8, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140015E5C
BeginDeferWindowPos.USER32 ref: 0000000140015E76
GetTopWindow.USER32 ref: 0000000140015E8A
GetDlgCtrlID.USER32 ref: 0000000140015EA1
SendMessageW.USER32 ref: 0000000140015EDA
GetWindow.USER32 ref: 0000000140015EE8
CopyRect.USER32 ref: 0000000140015F0E
EndDeferWindowPos.USER32 ref: 0000000140015F94

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
String ID:
API String ID: 1228040700-0
Opcode ID: 2cac27826ffdafcdade924a558172c2155a287957af6244e09f649b5dd2c5e04
Instruction ID: 8bc0d3c3495f84f70bdd77a6793a883f7733602c1892fcb927f7deafb661ebad
Opcode Fuzzy Hash: 2cac27826ffdafcdade924a558172c2155a287957af6244e09f649b5dd2c5e04
Instruction Fuzzy Hash: FE512B32A11A50CAFB56DFA6D8507AC37B1F74CB99F144419EF0A2BB68DB35C942CB00

Function 0000000140070368 Relevance: 12.1, APIs: 8, Instructions: 136windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00000001400703AA
IsWindow.USER32 ref: 00000001400703CB
DestroyWindow.USER32 ref: 00000001400703DC
GetParent.USER32 ref: 00000001400703FC
IsRectEmpty.USER32 ref: 00000001400704BB
IsWindowVisible.USER32 ref: 0000000140070508
MapWindowPoints.USER32 ref: 0000000140070524
SendMessageW.USER32 ref: 0000000140070546

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
String ID:
API String ID: 3509494761-0
Opcode ID: 2b82d3d3f95844025196f2fa88507c4219959a1efb99a1057ff42dcf51fd11dc
Instruction ID: fe8fa9c63821fc8eae530f3018d191108ef94241046e400892f77d568376e8df
Opcode Fuzzy Hash: 2b82d3d3f95844025196f2fa88507c4219959a1efb99a1057ff42dcf51fd11dc
Instruction Fuzzy Hash: 95510732601A84C6FB569FA6D8547ED27A0FB88F88F084235EF0A477A9DF38C5858750

Function 0000000140033C80 Relevance: 12.1, APIs: 8, Instructions: 83COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 0000000140033CAD
GetParent.USER32 ref: 0000000140033CC1
GetClientRect.USER32 ref: 0000000140033D06
MapWindowPoints.USER32 ref: 0000000140033D1E
PtInRect.USER32 ref: 0000000140033D2C
GetClientRect.USER32 ref: 0000000140033D61
MapWindowPoints.USER32 ref: 0000000140033D79
PtInRect.USER32 ref: 0000000140033D87

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Client$PointsWindow$ParentScreen
String ID:
API String ID: 1944725958-0
Opcode ID: 0bd57a1783931601ab538a30b0ff974aad641c278155f0492f06b6318130850d
Instruction ID: 45eca57e2ba4a4d0dc5418f761570b62b19eafca670f0290a83c8c98ad20d6da
Opcode Fuzzy Hash: 0bd57a1783931601ab538a30b0ff974aad641c278155f0492f06b6318130850d
Instruction Fuzzy Hash: 7931E476311A0596EF129B66E8983EA23B0F74CFD8F044425EF0E477A9EF38C1458750

Function 000000014003FCAC Relevance: 12.1, APIs: 8, Instructions: 62COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014003FCCA
GetSystemMetrics.USER32 ref: 000000014003FCDB
SetRectEmpty.USER32 ref: 000000014003FCF1
EnumDisplayMonitors.USER32 ref: 000000014003FD05
SystemParametersInfoW.USER32 ref: 000000014003FD1A
SystemParametersInfoW.USER32 ref: 000000014003FD51
SystemParametersInfoW.USER32 ref: 000000014003FD69
SystemParametersInfoW.USER32 ref: 000000014003FD94

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
String ID:
API String ID: 2614369430-0
Opcode ID: a25dc747a7776110fb11a749cfa68e117ac6fca02fcea841740903ae019ad747
Instruction ID: a7ed114db54abd82bde3f152e315ef8dcb3d932ca67c77d1806efc5a5c988e75
Opcode Fuzzy Hash: a25dc747a7776110fb11a749cfa68e117ac6fca02fcea841740903ae019ad747
Instruction Fuzzy Hash: B8218E3270178097F34A8FB2E9087EAB7A1F788B85F448029C759436A4DF7CD1A9DB00

Function 000000014000ACF8 Relevance: 12.1, APIs: 8, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

GlobalSize.KERNEL32 ref: 000000014000AD1A
GlobalAlloc.KERNEL32 ref: 000000014000AD30
GlobalSize.KERNEL32 ref: 000000014000AD45
GlobalLock.KERNEL32 ref: 000000014000AD53
GlobalLock.KERNEL32 ref: 000000014000AD5F
GlobalSize.KERNEL32 ref: 000000014000AD6D
GlobalUnlock.KERNEL32 ref: 000000014000AD87
GlobalUnlock.KERNEL32 ref: 000000014000AD90

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$Size$LockUnlock$Alloc
String ID:
API String ID: 2344174106-0
Opcode ID: 439be5261a3582c5dba8a65a97356617f089bf59d6bea30a7a33a5f88fa9ed58
Instruction ID: d08a6a0e68f68b067ffbb64078350658f047fb0266d8b7904e273368c86382cc
Opcode Fuzzy Hash: 439be5261a3582c5dba8a65a97356617f089bf59d6bea30a7a33a5f88fa9ed58
Instruction Fuzzy Hash: 36111874711B4089EA5A9F53B8543A966E0F78DFC1F484429EF0A47775DE3CD4859700

Function 01F80AD0 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 293COMMON

Download Yara Rule

Strings

%s%s, xrefs: 01F80C70
*%s, xrefs: 01F80E94
F, xrefs: 01F80FDF
%s*.*, xrefs: 01F80C04

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: %s%s$%s*.*$*%s$F
API String ID: 0-19481749
Opcode ID: 1f92b53731fcd3e615ce7a4d7911dbf995f1e742f7e2fc357fbca25574d2bdec
Instruction ID: f0930aba82b88eb58ffc3066b0708c586eaf41361d72f67f5cf2073fec4c48a8
Opcode Fuzzy Hash: 1f92b53731fcd3e615ce7a4d7911dbf995f1e742f7e2fc357fbca25574d2bdec
Instruction Fuzzy Hash: 09D178323189C599EB20EB15F8507EFB765F794784F804122EA9D87A98DF7EC549CB00

Function 0000000140039950 Relevance: 10.7, APIs: 7, Instructions: 227windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014003999B
GetCursorPos.USER32 ref: 0000000140039AA7
GetWindowRect.USER32 ref: 0000000140039AC0
PtInRect.USER32 ref: 0000000140039AE0
SendMessageW.USER32 ref: 0000000140039AF6
SendMessageW.USER32 ref: 0000000140039B5C
GetFocus.USER32 ref: 0000000140039C67

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageRectSend$CursorFocusParentWindow
String ID:
API String ID: 547796336-0
Opcode ID: e0838f13896ea452cdae825295cb68cac137c5d6aa0d7337721f08618431754c
Instruction ID: defd5d98b5ef3d0f252b1b3affc358846cc9c22e5dbbe510e1b16ea664c127c0
Opcode Fuzzy Hash: e0838f13896ea452cdae825295cb68cac137c5d6aa0d7337721f08618431754c
Instruction Fuzzy Hash: 05A13B76206B4086EE5B9B53A6543EA73A0FB8DFC0F08452AEB4A47BB5DF38C451C341

Function 000000014002FB18 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 204COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014002FC95

Strings

%TsMFCToolBar-%d%x, xrefs: 000000014002FBCF
Name, xrefs: 000000014002FCE5
Buttons, xrefs: 000000014002FD1B
%TsMFCToolBar-%d, xrefs: 000000014002FBBC
MFCToolBars, xrefs: 000000014002FB50

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
API String ID: 2353593579-190999575
Opcode ID: 334278d27b6a4466f9d1b3c855fa78ccb890128e5967398a509ce5780b68d575
Instruction ID: 2c6c4deee3d10e518945e8c2c1d076d3df65cfbb7f01561df5599b7e6c61485d
Opcode Fuzzy Hash: 334278d27b6a4466f9d1b3c855fa78ccb890128e5967398a509ce5780b68d575
Instruction Fuzzy Hash: E8819472211A4082EB16DB2AE4507EE6761FB89FE4F405226EB6E477F5DF38C945C700

Function 0000000140049A50 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 193windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140049ACB
SendMessageW.USER32 ref: 0000000140049AE8
GetDlgCtrlID.USER32 ref: 0000000140049BB9
WideCharToMultiByte.KERNEL32 ref: 0000000140049C54
SetWindowPos.USER32 ref: 0000000140049CB8

Strings

P, xrefs: 0000000140049C3E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$ByteCharCtrlMultiWideWindow
String ID: P
API String ID: 3897242731-3110715001
Opcode ID: e8a082d3d926c129f3d8fe9c907b4b0d5e11d243c914e20d0710bfdb08a4f267
Instruction ID: 0354c401211988d1fd8551588f616658e7b3553960b999e109bcde573404887a
Opcode Fuzzy Hash: e8a082d3d926c129f3d8fe9c907b4b0d5e11d243c914e20d0710bfdb08a4f267
Instruction Fuzzy Hash: 8F71E57220064182FB6ADB3AE4847ED2790EB88BE4F154735EB6947AF9DF78C850C744

Function 0000000140014964 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 130libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400149DA

Part of subcall function 0000000140184830: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184840
Part of subcall function 0000000140184830: LeaveCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184880

GetProcAddress.KERNEL32 ref: 0000000140014A2E
GetProcAddress.KERNEL32 ref: 0000000140014A75

Part of subcall function 0000000140184890: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F0E,?,?,?,?,0000000140059411), ref: 00000001401848A0

Strings

GetTouchInputInfo, xrefs: 0000000140014A27
CloseTouchInputHandle, xrefs: 0000000140014A6E
user32.dll, xrefs: 00000001400149D3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$HandleLeaveModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 2874807561-1853737257
Opcode ID: 14106c7eceaeeb7ab5df17dd05595514c37cd11a41b9f47e5cbc98aa2a597f45
Instruction ID: b1f97b2d0148aa756a7893ef83756f5386f3a1dd90621dc4bbdf6d8962184ea1
Opcode Fuzzy Hash: 14106c7eceaeeb7ab5df17dd05595514c37cd11a41b9f47e5cbc98aa2a597f45
Instruction Fuzzy Hash: 02515C31201A5582FB12EF53E8947E923A8B78DBD1F840125EB1A4B7F5DF7AC989C704

Function 000000014000DB94 Relevance: 10.6, APIs: 7, Instructions: 128windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140038AFC: IsWindow.USER32 ref: 0000000140038B10

SendMessageW.USER32 ref: 000000014000DD5B

Part of subcall function 0000000140037194: GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,000000014000DBDB), ref: 00000001400371C7
Part of subcall function 0000000140037194: PtInRect.USER32 ref: 00000001400371E0

ScreenToClient.USER32 ref: 000000014000DC29
PtInRect.USER32 ref: 000000014000DC38
SendMessageW.USER32 ref: 000000014000DC64
GetParent.USER32 ref: 000000014000DC89
SendMessageW.USER32 ref: 000000014000DD04
GetFocus.USER32 ref: 000000014000DD0A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageRectSend$Client$FocusParentScreenWindow
String ID:
API String ID: 1639644240-0
Opcode ID: f77a67e601d61cf3b58afd3d54a8511f787e8830fc67a7dfff1c81ede83c108a
Instruction ID: b271576f284ad361514d18bad78fd9b325c70dfee87d0f82009f24f16283b447
Opcode Fuzzy Hash: f77a67e601d61cf3b58afd3d54a8511f787e8830fc67a7dfff1c81ede83c108a
Instruction Fuzzy Hash: 21515AB6201A4182FA56DB67E8547E973A0EB8DBD0F044426EF098B7B9EF78C546C710

Function 000000014000A5B8 Relevance: 10.6, APIs: 7, Instructions: 113windowthreadCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000A4B8: GetWindowLongW.USER32 ref: 000000014000A521
Part of subcall function 000000014000A4B8: GetParent.USER32 ref: 000000014000A530
Part of subcall function 000000014000A4B8: GetParent.USER32 ref: 000000014000A54F
Part of subcall function 000000014000A4B8: GetLastActivePopup.USER32 ref: 000000014000A567
Part of subcall function 000000014000A4B8: IsWindowEnabled.USER32 ref: 000000014000A57D
Part of subcall function 000000014000A4B8: EnableWindow.USER32(?,?,?,0000000140008DBB), ref: 000000014000A594

EnableWindow.USER32 ref: 000000014000A60D
GetWindowThreadProcessId.USER32 ref: 000000014000A626
GetCurrentProcessId.KERNEL32 ref: 000000014000A631
SendMessageW.USER32 ref: 000000014000A64B
MessageBoxW.USER32 ref: 000000014000A6BF
EnableWindow.USER32 ref: 000000014000A6E0
GetModuleFileNameW.KERNEL32 ref: 000000014000A727

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Enable$MessageParentProcess$ActiveCurrentEnabledFileLastLongModuleNamePopupSendThread
String ID:
API String ID: 2633877278-0
Opcode ID: 03d784290ab5530baa0aae67b41c6a6f89dc1e0613c26ec0b92e4623a55c2347
Instruction ID: 7ff3b653da2c8f7abff0f59d11513957223e5b6379e0e99af07b4250e1d0eaba
Opcode Fuzzy Hash: 03d784290ab5530baa0aae67b41c6a6f89dc1e0613c26ec0b92e4623a55c2347
Instruction Fuzzy Hash: E941B4B231468046FA77DB23B8547DA62E0B78EBD4F4D4525AF0A47BB4EB7DC4818700

Function 000000014002BC54 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

UpdateWindow.USER32 ref: 000000014002BCFC
EqualRect.USER32 ref: 000000014002BD33
InflateRect.USER32 ref: 000000014002BD54
InvalidateRect.USER32 ref: 000000014002BD67
InflateRect.USER32 ref: 000000014002BD81
InvalidateRect.USER32 ref: 000000014002BD92
UpdateWindow.USER32 ref: 000000014002BD9C

Part of subcall function 00000001400298AC: InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,0000000140027535), ref: 000000014002992F
Part of subcall function 00000001400298AC: InflateRect.USER32 ref: 00000001400299BE
Part of subcall function 00000001400298AC: RedrawWindow.USER32 ref: 00000001400299D5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualRedraw
String ID:
API String ID: 4176466011-0
Opcode ID: 3707ede596bd542405cc36995d72bd5798c3e5d518934f19c812b0175638ec5a
Instruction ID: 0165fa47b934e028bed61edebed202ebbdc57e09d6c341ccf6810584642a29ac
Opcode Fuzzy Hash: 3707ede596bd542405cc36995d72bd5798c3e5d518934f19c812b0175638ec5a
Instruction Fuzzy Hash: 42417072704A8483EB169B22D9443E973A0F78CFD4F048225DF9A577A4EF38D995CB40

Function 00000001400070A4 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 102registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 0000000140007116
RegCreateKeyExW.ADVAPI32 ref: 000000014000719B
RegCreateKeyExW.ADVAPI32 ref: 000000014000721C
RegCloseKey.ADVAPI32 ref: 000000014000722B
RegCloseKey.ADVAPI32 ref: 000000014000723A

Part of subcall function 0000000140007990: GetModuleHandleW.KERNEL32 ref: 00000001400079BD
Part of subcall function 0000000140007990: GetProcAddress.KERNEL32 ref: 00000001400079D2

Strings

software, xrefs: 00000001400070D7, 0000000140007108

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CloseCreate$AddressHandleModuleOpenProc
String ID: software
API String ID: 550756860-2010147023
Opcode ID: 2e55ac9a0c11d655c0d6b09f28446c92a707dafd340a726c0d3e8ea57257923a
Instruction ID: 331bf60fcf1f96b42b6a2d45a8520fa91210be1912aa740fc821631e9dacf57b
Opcode Fuzzy Hash: 2e55ac9a0c11d655c0d6b09f28446c92a707dafd340a726c0d3e8ea57257923a
Instruction Fuzzy Hash: 90413A72204B9086E7618F61F880BDA77A4FB887D8F445215FF8E17F69DB38C1949B00

Function 0000000140015BB8 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 95libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 0000000140015C1F

Part of subcall function 0000000140184830: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184840
Part of subcall function 0000000140184830: LeaveCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184880

GetProcAddress.KERNEL32 ref: 0000000140015C75
GetProcAddress.KERNEL32 ref: 0000000140015CBD

Part of subcall function 0000000140184890: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F0E,?,?,?,?,0000000140059411), ref: 00000001401848A0

Strings

user32.dll, xrefs: 0000000140015C18
RegisterTouchWindow, xrefs: 0000000140015C6E
UnregisterTouchWindow, xrefs: 0000000140015CB6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$HandleLeaveModule
String ID: RegisterTouchWindow$UnregisterTouchWindow$user32.dll
API String ID: 2874807561-2470269259
Opcode ID: c01a8a4ec923a2e54e56791d16c4801c6a6c62e7bd9efbd5a02a2cd9693e5f89
Instruction ID: 525f87297cb0a6191f54ac8a954c76db86b1b78a5e238fa0d74713d2ef8dac81
Opcode Fuzzy Hash: c01a8a4ec923a2e54e56791d16c4801c6a6c62e7bd9efbd5a02a2cd9693e5f89
Instruction Fuzzy Hash: E3414831611A54CAEB22EF67F888BD833A4F34DB91F500115EB1A4B2F1DB7AC589C744

Function 01F8C1CC Relevance: 10.6, APIs: 7, Instructions: 93COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 01F8C1DB
__scrt_fastfail.LIBCMT ref: 01F8C1E9
__scrt_acquire_startup_lock.LIBCMT ref: 01F8C1F7
__scrt_fastfail.LIBCMT ref: 01F8C20E
__scrt_release_startup_lock.LIBCMT ref: 01F8C26B
__scrt_is_managed_app.LIBCMT ref: 01F8C2F3
__scrt_uninitialize_crt.LIBCMT ref: 01F8C311

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: __scrt_fastfail$__scrt_acquire_startup_lock__scrt_initialize_crt__scrt_is_managed_app__scrt_release_startup_lock__scrt_uninitialize_crt
String ID:
API String ID: 1744857980-0
Opcode ID: e8d0e3d7a2261a6a32391bcace6cffee68c2442c100c322ffd0a98e29386b05a
Instruction ID: 4ec909fb8aaba82de27a71b38e15c59b4d8254b622bedc400dcee167724753a0
Opcode Fuzzy Hash: e8d0e3d7a2261a6a32391bcace6cffee68c2442c100c322ffd0a98e29386b05a
Instruction Fuzzy Hash: 1D317E7161424386EF24FBB9E8603FD3751ABA5784F8450298A4E4B695DF3FC1058371

Function 0000000140079E8C Relevance: 10.6, APIs: 7, Instructions: 74keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 0000000140079ECB
GetAsyncKeyState.USER32 ref: 0000000140079EE8
GetKeyboardState.USER32 ref: 0000000140079F18
GetKeyboardLayout.USER32 ref: 0000000140079F2E
MapVirtualKeyW.USER32 ref: 0000000140079F3B
ToUnicodeEx.USER32 ref: 0000000140079F64
CharUpperW.USER32 ref: 0000000140079F74

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual
String ID:
API String ID: 298839909-0
Opcode ID: c5e3da7e6f59612b20246c27594d464bc77445b758f32cd79d3c351e434928a4
Instruction ID: 5c67d9abb415212460031605745554bc6b097a06c8eaf55a3f006b89ea8f189e
Opcode Fuzzy Hash: c5e3da7e6f59612b20246c27594d464bc77445b758f32cd79d3c351e434928a4
Instruction Fuzzy Hash: E2319132204A84C7E722DB52E8447EE73A1F78CB80F580129EB4A83AA5DF7DC945CB40

Function 00000001400110FC Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140011123
GetWindowRect.USER32 ref: 000000014001114F
ScreenToClient.USER32 ref: 000000014001115D
ScreenToClient.USER32 ref: 000000014001116B
EqualRect.USER32 ref: 0000000140011179
DeferWindowPos.USER32 ref: 00000001400111B8
SetWindowPos.USER32 ref: 00000001400111E2

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: d6ee9e43283699705ea89de19731f859144bb07e73aa47b2a4e68a364b7fe61e
Instruction ID: f2be488b08eb6683706464c130436d07f63b0f08ea2cc183edbb89ca1930fa59
Opcode Fuzzy Hash: d6ee9e43283699705ea89de19731f859144bb07e73aa47b2a4e68a364b7fe61e
Instruction Fuzzy Hash: 9B313C32214A808AEB568F6AE454799B7A0F78DFD8F044119EF494BB68DF3DC544CB00

Function 00000001400133C8 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001343C
SetActiveWindow.USER32 ref: 0000000140013449
SendMessageW.USER32 ref: 0000000140013466
IsWindow.USER32 ref: 000000014001346F
SetActiveWindow.USER32 ref: 000000014001347C
IsWindow.USER32 ref: 0000000140013485
SetFocus.USER32 ref: 0000000140013492

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID:
API String ID: 1556911595-0
Opcode ID: a6d1156f6027b994152688f9672edfcb2a1afcde7c5f5a53e34bd4e14d20f279
Instruction ID: 82ce1e620f5996ad05a7d4ae5e5d0feec1c57fbda57fceb3cc36fe0456cdbb21
Opcode Fuzzy Hash: a6d1156f6027b994152688f9672edfcb2a1afcde7c5f5a53e34bd4e14d20f279
Instruction Fuzzy Hash: 4C211031314A8087FA6B9B67A8047E967A4A78DFC4F180025EF865BBB6DE3AD5459300

Function 000000014001A37C Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 000000014001A389
SendMessageW.USER32 ref: 000000014001A39F
GetFocus.USER32(?,?,?,000000014001A373,?,?,00000000,0000000140005231), ref: 000000014001A3BE
SendMessageW.USER32 ref: 000000014001A3D4

Part of subcall function 0000000140010C38: GetParent.USER32 ref: 0000000140010C61

GetLastActivePopup.USER32 ref: 000000014001A400
SendMessageW.USER32 ref: 000000014001A416

Part of subcall function 0000000140010C38: GetWindowLongW.USER32 ref: 0000000140010C85
Part of subcall function 0000000140010C38: GetParent.USER32 ref: 0000000140010C94

SendMessageW.USER32 ref: 000000014001A443

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$Parent$ActiveCaptureFocusLastLongPopupWindow
String ID:
API String ID: 3194460488-0
Opcode ID: 906b8a4de8ef0f3d5b6f05058954aba8e7283d670ec787695f239753469a644c
Instruction ID: 804c6b74787885f4fb18b5ab2a0d2ead4e9da65aa61ac5b6e77d1c6fe0a835f4
Opcode Fuzzy Hash: 906b8a4de8ef0f3d5b6f05058954aba8e7283d670ec787695f239753469a644c
Instruction Fuzzy Hash: 15215C3131161142FE6B5BA3B915BED1290AB8EFC4F486129AF0A0FBA6EE3EC4415700

Function 000000014003AF30 Relevance: 10.6, APIs: 7, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014003AF6A
IsRectEmpty.USER32 ref: 000000014003AF87
IsRectEmpty.USER32 ref: 000000014003AF98
GetCursorPos.USER32 ref: 000000014003AFB1
ScreenToClient.USER32 ref: 000000014003AFC0
PtInRect.USER32 ref: 000000014003AFCE
PtInRect.USER32 ref: 000000014003AFE4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: 8f673fa109972740a7306c60060004409f0797ea6df7c21e4404c89fbad0e465
Instruction ID: a3b77369949cc9ea08df0c7a257f28b967fb4eb408534c90907ba562cfd1201b
Opcode Fuzzy Hash: 8f673fa109972740a7306c60060004409f0797ea6df7c21e4404c89fbad0e465
Instruction Fuzzy Hash: 11213276224A4086EB56DB57E8443DB63A0FB89FC9F445135EB0A476B8DF39C545CB00

Function 000000014001D0F8 Relevance: 10.6, APIs: 7, Instructions: 56COMMON

Download Yara Rule

APIs

RealChildWindowFromPoint.USER32(?,?,?,?,?,?,?,000000014001483F), ref: 000000014001D11E
ClientToScreen.USER32(?,?,?,?,?,?,?,000000014001483F), ref: 000000014001D13F
GetWindow.USER32 ref: 000000014001D1A6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$ChildClientFromPointRealScreen
String ID:
API String ID: 2518355518-0
Opcode ID: 34d1e7b90fcfb1cf3a2e2c6a93280bffbf6b5d1c6d9eda19c4edef2ae0109fe8
Instruction ID: c9029b425fc88194c8f260080c44039138aa491974dec8718f507bf08831906f
Opcode Fuzzy Hash: 34d1e7b90fcfb1cf3a2e2c6a93280bffbf6b5d1c6d9eda19c4edef2ae0109fe8
Instruction Fuzzy Hash: F4215431209B4091FA218B16F9543AA73A1FB8DFD4F540115EA8E47B78DF3CC5818B00

Function 0000000140005A3C Relevance: 10.6, APIs: 7, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140005A5C
lstrcmpW.KERNEL32 ref: 0000000140005A6E
DocumentPropertiesW.WINSPOOL.DRV ref: 0000000140005ABD
GlobalAlloc.KERNEL32 ref: 0000000140005ACA
GlobalLock.KERNEL32 ref: 0000000140005ADA
DocumentPropertiesW.WINSPOOL.DRV ref: 0000000140005AFB
ClosePrinter.WINSPOOL.DRV ref: 0000000140005B1E

Part of subcall function 000000014001CD48: GlobalFlags.KERNEL32(?,?,?,?,?,?,?,000000014005AB2E), ref: 000000014001CD5A
Part of subcall function 000000014001CD48: GlobalUnlock.KERNEL32 ref: 000000014001CD6A
Part of subcall function 000000014001CD48: GlobalFree.KERNEL32 ref: 000000014001CD78

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreePrinter.Unlocklstrcmp
String ID:
API String ID: 992435789-0
Opcode ID: eb4a28eb4fb322bf18bf7337c7de7b4915c0c5a7b437e0f93650541e901672a8
Instruction ID: c8290f35e72fba5f1266ead4aba81e45150c557ac7734a5f1ab04b3a0bd5db1f
Opcode Fuzzy Hash: eb4a28eb4fb322bf18bf7337c7de7b4915c0c5a7b437e0f93650541e901672a8
Instruction Fuzzy Hash: E721D17261168082EB56EB62F4553EE63A0EB8DFC9F044529EF0E47AA5DF3CC5448700

Function 0000000140059844 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,000000014005A9C0), ref: 0000000140059882
LoadResource.KERNEL32(?,000000014005A9C0), ref: 000000014005989A
LockResource.KERNEL32(?,000000014005A9C0), ref: 00000001400598AB
SizeofResource.KERNEL32(?,000000014005A9C0), ref: 00000001400598BF
FreeResource.KERNEL32(?,000000014005A9C0), ref: 00000001400598D8

Strings

PNG, xrefs: 0000000140059875

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeof
String ID: PNG
API String ID: 4159136517-364855578
Opcode ID: 998fa95aef58d8c89bf2c9e9f5c9873631e9051f6da6c2dc2a296037d5a2ecaf
Instruction ID: 14668581c9a089b5cccc0720aa3b7cdcd9b936305267aab9575b3df9e3254669
Opcode Fuzzy Hash: 998fa95aef58d8c89bf2c9e9f5c9873631e9051f6da6c2dc2a296037d5a2ecaf
Instruction Fuzzy Hash: C0117C31705B4081EE06DB9768443BA63E0BB4EFD0F044425EF0D47B79EE39C4868700

Function 000000014001BB7C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001BBB4
GetProcAddress.KERNEL32 ref: 000000014001BBC9
EncodePointer.KERNEL32 ref: 000000014001BBD5
DecodePointer.KERNEL32 ref: 000000014001BBE4

Strings

BeginBufferedPaint, xrefs: 000000014001BBBF
uxtheme.dll, xrefs: 000000014001BBAD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BeginBufferedPaint$uxtheme.dll
API String ID: 2061474489-1632326970
Opcode ID: 7922869b8f72477ddc0b108155b2af40f367b054f20e42e7bbb1cb971b26b798
Instruction ID: 7d5a0468c88222be825bfde00b2ef1021b27a5493dbdef9e413e16ae9528d7f3
Opcode Fuzzy Hash: 7922869b8f72477ddc0b108155b2af40f367b054f20e42e7bbb1cb971b26b798
Instruction Fuzzy Hash: 85115039615B5085EA069F43A848399A7E0FB8CFC0F48042AEF4E87B74EF79C050CB80

Function 000000014001C764 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,0000000140006458), ref: 000000014001C79C
GetProcAddress.KERNEL32(?,?,?,0000000140006458), ref: 000000014001C7B1
EncodePointer.KERNEL32(?,?,?,0000000140006458), ref: 000000014001C7BD
DecodePointer.KERNEL32(?,?,?,0000000140006458), ref: 000000014001C7CC

Strings

RegisterApplicationRecoveryCallback, xrefs: 000000014001C7A7
kernel32.dll, xrefs: 000000014001C795

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-202725706
Opcode ID: 66919acd29241dd559242b60609ac0eb6b9a8d783db9c345c2be6607d1fb1346
Instruction ID: ba307c27d34656871ad648ef2e68f348b50d5eaae898d6966a88a98c33cae9ee
Opcode Fuzzy Hash: 66919acd29241dd559242b60609ac0eb6b9a8d783db9c345c2be6607d1fb1346
Instruction Fuzzy Hash: B4115736625B5085EA569F43A814798A7E4FB8CFC0F484429EF0A8B7B0EF7AC440CB04

Function 000000014001C890 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001C8C8
GetProcAddress.KERNEL32 ref: 000000014001C8DD
EncodePointer.KERNEL32 ref: 000000014001C8E9
DecodePointer.KERNEL32 ref: 000000014001C8F8

Strings

shell32.dll, xrefs: 000000014001C8C1
SHCreateItemFromParsingName, xrefs: 000000014001C8D3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: e948d8d9e0d22604244bb7a07a6aa701309c63a4bd813cefcf36f41aca362b64
Instruction ID: 3cd5b120f03117cca12f19c4a04dbcf84dd36756a68052f631bfcb94ab71dc0b
Opcode Fuzzy Hash: e948d8d9e0d22604244bb7a07a6aa701309c63a4bd813cefcf36f41aca362b64
Instruction Fuzzy Hash: 9E116571622B4185EA06DF83A848798A6E4FB8CFC0F484029EF4A4B774EF39C591CB44

Function 000000014001C938 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001C96F
GetProcAddress.KERNEL32 ref: 000000014001C984
EncodePointer.KERNEL32 ref: 000000014001C990
DecodePointer.KERNEL32 ref: 000000014001C99F

Strings

shell32.dll, xrefs: 000000014001C968
SHGetKnownFolderPath, xrefs: 000000014001C97A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 2061474489-2936008475
Opcode ID: 2b9edf5ea64a7252556342b8cdc087e36b99797026978647bd48a9f8a29228bb
Instruction ID: 7446eff3b6d68fd9c118a2204f0242f8401a43599c9462d0d57a67ca7d02e49b
Opcode Fuzzy Hash: 2b9edf5ea64a7252556342b8cdc087e36b99797026978647bd48a9f8a29228bb
Instruction Fuzzy Hash: D5111731611B4481EA169F87B858B99B6E4F78CFC0F585429EF4A4B774EF39C891C704

Function 000000014001C9DC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001CA14
GetProcAddress.KERNEL32 ref: 000000014001CA29
EncodePointer.KERNEL32 ref: 000000014001CA35
DecodePointer.KERNEL32 ref: 000000014001CA44

Strings

comctl32.dll, xrefs: 000000014001CA0D
TaskDialogIndirect, xrefs: 000000014001CA1F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: fc2253f2189c151ff3a6e626c07c729ec64a761f5f7a5ee16a1ac7e41b2982b8
Instruction ID: 330b7be3084ff5d1e3392e4736b4ffd11fe24d05f4e62a33fbb44c2453a437b9
Opcode Fuzzy Hash: fc2253f2189c151ff3a6e626c07c729ec64a761f5f7a5ee16a1ac7e41b2982b8
Instruction Fuzzy Hash: C9116935622B5485EA06CF43A858B9466E0FB8CFC4F884029EF4A4B774EF39C591C700

Function 000000014001C348 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001C36F
GetProcAddress.KERNEL32 ref: 000000014001C384
EncodePointer.KERNEL32 ref: 000000014001C390
DecodePointer.KERNEL32 ref: 000000014001C39F

Strings

EndBufferedPaint, xrefs: 000000014001C37A
uxtheme.dll, xrefs: 000000014001C368

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: e64a22482d7885008e3ca5f794a29679dc313d8e0f73e295a23556fb3ac465a5
Instruction ID: 8341721d3e4d9ecaae7cefc6d65b9010ab9d676c6efab79812b443bed15adcd5
Opcode Fuzzy Hash: e64a22482d7885008e3ca5f794a29679dc313d8e0f73e295a23556fb3ac465a5
Instruction Fuzzy Hash: BF014F30715B4082FE1ACF53B4447D862E0AB8CF80F188429AB1E4B374EF3DC5919704

Function 0000000140023618 Relevance: 10.5, APIs: 7, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014002362A
GetSystemMetrics.USER32 ref: 0000000140023638
GetSystemMetrics.USER32 ref: 0000000140023646
GetSystemMetrics.USER32 ref: 0000000140023659
GetDC.USER32 ref: 0000000140023669
GetDeviceCaps.GDI32 ref: 000000014002367A
GetDeviceCaps.GDI32 ref: 000000014002368B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MetricsSystem$CapsDevice
String ID:
API String ID: 4163108049-0
Opcode ID: 14c4d92c5c8a2b4eefe95c05e0a345f0043e713d412bd066031bb439d2b1464c
Instruction ID: 251c17953c3230cbba38054fa54678ad54038158c094981db2d73df2763c347a
Opcode Fuzzy Hash: 14c4d92c5c8a2b4eefe95c05e0a345f0043e713d412bd066031bb439d2b1464c
Instruction Fuzzy Hash: A8012C72A006408BEB0A9FB2E95835932A1F74DB41F04803DD716877A4DF3DC4998F00

Function 000000014001C80C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,0000000140006438), ref: 000000014001C833
GetProcAddress.KERNEL32(?,?,?,0000000140006438), ref: 000000014001C848
EncodePointer.KERNEL32(?,?,?,0000000140006438), ref: 000000014001C854
DecodePointer.KERNEL32(?,?,?,0000000140006438), ref: 000000014001C863

Strings

RegisterApplicationRestart, xrefs: 000000014001C83E
kernel32.dll, xrefs: 000000014001C82C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRestart$kernel32.dll
API String ID: 2061474489-1259503209
Opcode ID: 26007eae4656fbfce50a0e1ec325d69852dc3b3352018036b671ac5976053151
Instruction ID: 4722ba10d6190c999b3dd67c16b6162f847b405a198117580c56b6b717cf270b
Opcode Fuzzy Hash: 26007eae4656fbfce50a0e1ec325d69852dc3b3352018036b671ac5976053151
Instruction Fuzzy Hash: 69012C31A15B4091FE069B83B4947D462E0EB8CF80F585028EB0E4B374EF38C4918700

Function 000000014001BD0C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001BD32
GetProcAddress.KERNEL32 ref: 000000014001BD47
EncodePointer.KERNEL32 ref: 000000014001BD53
DecodePointer.KERNEL32 ref: 000000014001BD62

Strings

user32.dll, xrefs: 000000014001BD2B
ChangeWindowMessageFilter, xrefs: 000000014001BD3D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ChangeWindowMessageFilter$user32.dll
API String ID: 2061474489-2498399450
Opcode ID: a6136566b2c9946cb6a5d212eab0c15ad1a10ee4cb60820ee25ce02c37bec2d8
Instruction ID: 2a27ba3e565d706d2dc988a70878e73b752a4ad0009dd150a73ff9c18882737a
Opcode Fuzzy Hash: a6136566b2c9946cb6a5d212eab0c15ad1a10ee4cb60820ee25ce02c37bec2d8
Instruction Fuzzy Hash: 5A01F631A16B4082EE5A9B57B8583E963E0AB8CF84F585429AB0E87374FF39C4958700

Function 000000014001BB04 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BB24
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BB39
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BB45
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BB54

Strings

ApplicationRecoveryInProgress, xrefs: 000000014001BB2F
kernel32.dll, xrefs: 000000014001BB1D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryInProgress$kernel32.dll
API String ID: 2061474489-2899047487
Opcode ID: accb8b45cf1949262cc47b5eaa0766fc1f68f058e16fc6cf1203964099d2b330
Instruction ID: 9f335e8cea2bde609d3f74d3a13b56e18cd33fcac9d1c8b347dd50565c38d339
Opcode Fuzzy Hash: accb8b45cf1949262cc47b5eaa0766fc1f68f058e16fc6cf1203964099d2b330
Instruction Fuzzy Hash: 21F0FF30706A0095FE569F93B8987E463E0AB4CFC0F485029AB0A4B774EF7DC4949704

Function 000000014001C690 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,00000000,0000000140010E1D,?,?,?,?,?,?,?,?,?,?,?,0000000140008DC6), ref: 000000014001C6A9
GetProcAddress.KERNEL32(?,?,00000000,0000000140010E1D,?,?,?,?,?,?,?,?,?,?,?,0000000140008DC6), ref: 000000014001C6BE
EncodePointer.KERNEL32(?,?,00000000,0000000140010E1D,?,?,?,?,?,?,?,?,?,?,?,0000000140008DC6), ref: 000000014001C6CA
DecodePointer.KERNEL32(?,?,00000000,0000000140010E1D,?,?,?,?,?,?,?,?,?,?,?,0000000140008DC6), ref: 000000014001C6D9

Strings

shell32.dll, xrefs: 000000014001C6A2
InitNetworkAddressControl, xrefs: 000000014001C6B4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: InitNetworkAddressControl$shell32.dll
API String ID: 2061474489-1950653938
Opcode ID: 9dbdcec2e815c2532c84af40764180babe7ac1bb5bdd1e9170b7b1c731a59911
Instruction ID: 32323d1005bb5aa98930d9cdeb4a88b7234375860754a25b9a83e7bd67ff1981
Opcode Fuzzy Hash: 9dbdcec2e815c2532c84af40764180babe7ac1bb5bdd1e9170b7b1c731a59911
Instruction Fuzzy Hash: 59F0B734612B0485EE179B97A8687E413E0AB4CF91F48142D9A0E4B3B0EF3DC4999A10

Function 000000014001BA98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BAB7
GetProcAddress.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BACC
EncodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BAD8
DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0000000140010EC6), ref: 000000014001BAE7

Strings

ApplicationRecoveryFinished, xrefs: 000000014001BAC2
kernel32.dll, xrefs: 000000014001BAB0

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: ApplicationRecoveryFinished$kernel32.dll
API String ID: 2061474489-1962646049
Opcode ID: 334383a6846f40e99acc1d4cbe88b03bfcb32be997bac0416abe0bc600de74e5
Instruction ID: eebd13e3f1ca95c8ad64e20dcc6eabbbfed6fbe5eb78778028cae8a54df10552
Opcode Fuzzy Hash: 334383a6846f40e99acc1d4cbe88b03bfcb32be997bac0416abe0bc600de74e5
Instruction Fuzzy Hash: 3CF01D30602B4091EE1A9F93B8583F862E0AB4CF80F88402DDB0E47370EF78C4948604

Function 000000014001BC2C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001BC45
GetProcAddress.KERNEL32 ref: 000000014001BC5A
EncodePointer.KERNEL32 ref: 000000014001BC66
DecodePointer.KERNEL32 ref: 000000014001BC75

Strings

BufferedPaintInit, xrefs: 000000014001BC50
uxtheme.dll, xrefs: 000000014001BC3E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintInit$uxtheme.dll
API String ID: 2061474489-1331937065
Opcode ID: aa9f70737758347e9639634f6ccf50fd2a7e96ed382a3ca158aed4b60b9ad8fb
Instruction ID: 016d105d6193e00d22e90f9e79750fbcb387215a9410a069e92374cff5136659
Opcode Fuzzy Hash: aa9f70737758347e9639634f6ccf50fd2a7e96ed382a3ca158aed4b60b9ad8fb
Instruction Fuzzy Hash: 05F0DA71A02A0596FE579FA3A8593E462E4AB5CF81F4804299F0E4B3B4EF3DC494DB50

Function 000000014001BC9C Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001BCB5
GetProcAddress.KERNEL32 ref: 000000014001BCCA
EncodePointer.KERNEL32 ref: 000000014001BCD6
DecodePointer.KERNEL32 ref: 000000014001BCE5

Strings

BufferedPaintUnInit, xrefs: 000000014001BCC0
uxtheme.dll, xrefs: 000000014001BCAE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: BufferedPaintUnInit$uxtheme.dll
API String ID: 2061474489-1501038116
Opcode ID: e6d6ec8e89aeeb633c5a77e0bbd5f006e4cc686fd633207447554ed54347af89
Instruction ID: 3edea54cdf149a900f5b1ab205f76251fe0fc1d521705389d5203b94c4b99c6f
Opcode Fuzzy Hash: e6d6ec8e89aeeb633c5a77e0bbd5f006e4cc686fd633207447554ed54347af89
Instruction Fuzzy Hash: 52F03A70A02A0591FE579FA3A8583E012E0AB1CF81F08142C9F0E8B3B0EF3DC4949B10

Function 00000001400235A4 Relevance: 10.5, APIs: 7, Instructions: 27COMMONLIBRARYCODE

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00000001400235B2
GetSysColor.USER32 ref: 00000001400235C0
GetSysColor.USER32 ref: 00000001400235CE
GetSysColor.USER32 ref: 00000001400235DC
GetSysColor.USER32 ref: 00000001400235EA
GetSysColorBrush.USER32 ref: 00000001400235F8
GetSysColorBrush.USER32 ref: 0000000140023607

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 2e3c3eab4cea11d10e13369db14fa707cfe61db22f5fe31a7632bdde3fc63208
Instruction ID: 320ccc014ac00ccbc0f82db180d9452dc0363e7addc6e6a3304b51520e28cafb
Opcode Fuzzy Hash: 2e3c3eab4cea11d10e13369db14fa707cfe61db22f5fe31a7632bdde3fc63208
Instruction Fuzzy Hash: 04F03F7A901B058BE7595FB2A4583A826E5E74DF25F1015298B4A473A4EE3AC4D4EB00

Function 000000014001C6FC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 27libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,000000014001F275), ref: 000000014001C715
GetProcAddress.KERNEL32(?,?,?,000000014001F275), ref: 000000014001C72A
EncodePointer.KERNEL32(?,?,?,000000014001F275), ref: 000000014001C736
DecodePointer.KERNEL32 ref: 000000014001C745

Strings

comctl32.dll, xrefs: 000000014001C70E
TaskDialogIndirect, xrefs: 000000014001C720

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: TaskDialogIndirect$comctl32.dll
API String ID: 2061474489-2809879075
Opcode ID: fd799d02c3a10004ac334018df26dc6913a98e56fcec84ed68513afbc84b3856
Instruction ID: 1edcbe223a3c6067478a8058065001b9c2fc28b35ad68005f4e822faa92e9456
Opcode Fuzzy Hash: fd799d02c3a10004ac334018df26dc6913a98e56fcec84ed68513afbc84b3856
Instruction Fuzzy Hash: 96F0D034626B0091FE579BA3A8587E412D0AB4CB91F4404289B0E4B3B0EF7DC494DA10

Function 01F94730 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 488COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F94768
_invalid_parameter_noinfo.LIBCMT ref: 01F94A8D
_invalid_parameter_noinfo.LIBCMT ref: 01F94D12

Strings

-, xrefs: 01F947DF
+, xrefs: 01F947EA

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: +$-
API String ID: 3215553584-2137968064
Opcode ID: b5ac638faf464cf3ce7480af9f9f6e1c7b94f0965c4f2d11343d8967103fbc8c
Instruction ID: 554062309e2029a99b1bf0c495f1eb391d815015d575290d3705d74a5433b5fb
Opcode Fuzzy Hash: b5ac638faf464cf3ce7480af9f9f6e1c7b94f0965c4f2d11343d8967103fbc8c
Instruction Fuzzy Hash: ADF10876F0458689FF24FE29D2502B97B96E374774BCC4222D7A247A80D72BC6538708

Function 000000014003FEF4 Relevance: 9.2, APIs: 6, Instructions: 211COMMON

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 000000014003FF82
wcsstr.LIBVCRUNTIME ref: 000000014003FF9C
wcsstr.LIBVCRUNTIME ref: 0000000140040048
memcpy_s.LIBCMT ref: 00000001400400D3
wcsstr.LIBVCRUNTIME ref: 0000000140040127
_invalid_parameter_noinfo.LIBCMT ref: 00000001400401B6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: wcsstr$_invalid_parameter_noinfomemcpy_s
String ID:
API String ID: 3729488822-0
Opcode ID: 32003e77e2ac2eb0c813e0919fa6558fd0d44eb169cba956896b8f515bc40eba
Instruction ID: 346699c8e98cd3d6f1c54db8085d2ebcf6296b0897cd6c45929119801398bc11
Opcode Fuzzy Hash: 32003e77e2ac2eb0c813e0919fa6558fd0d44eb169cba956896b8f515bc40eba
Instruction Fuzzy Hash: D771E236305B4486FA66AB27A4843EEA3A1BB8DBC4F144426BF4D577B6DF3CC5418304

Function 000000014003F500 Relevance: 9.2, APIs: 6, Instructions: 173windowCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014003F5E3

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

CreateRectRgnIndirect.GDI32 ref: 000000014003F648
GetParent.USER32 ref: 000000014003F66A
DrawThemeParentBackground.UXTHEME ref: 000000014003F68E
MapWindowPoints.USER32 ref: 000000014003F6BE
SendMessageW.USER32 ref: 000000014003F6EE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$BackgroundCreateDrawExceptionIndirectMessagePointsRectSendThemeThrowWindow_invalid_parameter_noinfo
String ID:
API String ID: 3651033661-0
Opcode ID: a0e67d7302fea03f546ad41534b79f4421ac8756d2bc8c336422664ce68d1d74
Instruction ID: 1780a46c973262da12e5963bc0c5344e45f567ec7081925e969c0ce13a4110ce
Opcode Fuzzy Hash: a0e67d7302fea03f546ad41534b79f4421ac8756d2bc8c336422664ce68d1d74
Instruction Fuzzy Hash: 3C618872701A5086EB12DF6BE984BED37A0BB88BD4F554126EF1947BA9CF39C941C340

Function 0000000140079B54 Relevance: 9.2, APIs: 6, Instructions: 168keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32 ref: 0000000140079B7F
GetKeyboardLayout.USER32 ref: 0000000140079BA3
MapVirtualKeyW.USER32 ref: 0000000140079BB0
ToUnicodeEx.USER32 ref: 0000000140079BD5
LoadAcceleratorsW.USER32 ref: 0000000140079C97
LoadAcceleratorsW.USER32 ref: 0000000140079D9B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AcceleratorsKeyboardLoad$LayoutStateUnicodeVirtual
String ID:
API String ID: 1654504579-0
Opcode ID: afe7a68b7c302450d87d225ed85c3287222825b25f7b91cb1505ae21e93f670c
Instruction ID: 8f38fb9d39c158d02d82e7b1538e6db51abebb3e9c3f31716defd6e34cc8dcd9
Opcode Fuzzy Hash: afe7a68b7c302450d87d225ed85c3287222825b25f7b91cb1505ae21e93f670c
Instruction Fuzzy Hash: 6A614F72201B8081EE669B63E4547DA63A0FB8DFC0F498126EB4E477B9DE3CC945C700

Function 000000014002BE00 Relevance: 9.2, APIs: 6, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91a5005224b8560d0f9318952f110a7cf9f88ed6faa89396a97d33f23ad1eac
Instruction ID: 4d235ab81203ec64650dfab5f3f7e41eadc0b82bfece5ef8ebcba4d8d7933711
Opcode Fuzzy Hash: e91a5005224b8560d0f9318952f110a7cf9f88ed6faa89396a97d33f23ad1eac
Instruction Fuzzy Hash: 6D615A36204A4582EB55AF27E8547E977A1F78DFC0F49403AEF0A477B5EE39C8868740

Function 0000000140025C18 Relevance: 9.2, APIs: 6, Instructions: 156windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140025CBD
SendMessageW.USER32 ref: 0000000140025D00
SendMessageW.USER32 ref: 0000000140025D30
SetRectEmpty.USER32 ref: 0000000140025D8A
SendMessageW.USER32 ref: 0000000140025DED
RedrawWindow.USER32 ref: 0000000140025E18

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 7aafaaac33d74768236752a69a8b0c0f8836b829ed62860ace2961fbfd613078
Instruction ID: 4e00743ad691fc5ddb76991ad2d7652f01d7886b5044854038b027f229248176
Opcode Fuzzy Hash: 7aafaaac33d74768236752a69a8b0c0f8836b829ed62860ace2961fbfd613078
Instruction Fuzzy Hash: 03615732701B508AEB19DF6AD494BED27A1F78CB88F45402AEF0E47B64DF35D8528744

Function 0000000140056248 Relevance: 9.2, APIs: 6, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000BB88: GetWindowDC.USER32(?,?,?,?,?,0000000140040940), ref: 000000014000BBC7

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400562A0
CreateCompatibleDC.GDI32 ref: 00000001400562A8
CreateDIBSection.GDI32 ref: 0000000140056342
CreateCompatibleBitmap.GDI32 ref: 000000014005635E
FillRect.USER32 ref: 00000001400563C0
DrawStateW.USER32 ref: 00000001400563F7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Create$CompatibleHash$BitmapDrawFillImplImpl::RectSectionStateWindow
String ID:
API String ID: 1031390013-0
Opcode ID: 8ec90a220725cf507b3c06940f78e0165d09e90b8c62b0ce9cbf64cd6cde17bd
Instruction ID: befdb3485bf9a8bcd169c349bf46aa0ccbe4321c9030b2ba3baec5517783bdd2
Opcode Fuzzy Hash: 8ec90a220725cf507b3c06940f78e0165d09e90b8c62b0ce9cbf64cd6cde17bd
Instruction Fuzzy Hash: BD613376700A409AEB12DFA6E8407DE73B1F788798F40412AEF4957BA9CF78C559CB40

Function 000000014000D98C Relevance: 9.1, APIs: 6, Instructions: 135windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014000DA5F
SendMessageW.USER32 ref: 000000014000DAE4
IsWindow.USER32 ref: 000000014000DB12
ClientToScreen.USER32 ref: 000000014000DB25
IsWindow.USER32 ref: 000000014000DB43
ClientToScreen.USER32 ref: 000000014000DB7C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClientMessageScreenSendWindow
String ID:
API String ID: 2093367132-0
Opcode ID: de7251674153372b30289f6b84063c9fb77c0085e3cc5efe75fed3289911b420
Instruction ID: d3afe111043645bfbc380c34f756323831041930f6c051c0b5e086284dd199c5
Opcode Fuzzy Hash: de7251674153372b30289f6b84063c9fb77c0085e3cc5efe75fed3289911b420
Instruction Fuzzy Hash: 0C51FFF2A0874085FBA6DB17E4843ED76A0E78DBC0F145523FB56C36B5DA78C891C622

Function 0000000140019AB4 Relevance: 9.1, APIs: 6, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018B18: GetDlgItem.USER32 ref: 0000000140018B34

GetWindowLongW.USER32 ref: 0000000140019AE7
GetWindowTextLengthW.USER32 ref: 0000000140019B18
GetWindowTextW.USER32 ref: 0000000140019B61
SendMessageW.USER32 ref: 0000000140019BA3
SendMessageW.USER32 ref: 0000000140019C1D
SendMessageW.USER32 ref: 0000000140019C3F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSendWindow$Text$ItemLengthLong
String ID:
API String ID: 538016872-0
Opcode ID: 4cfcd314357b8526963ea15a79ec2ac530a0c7137be7b4e619e9a1d1bbcb92e5
Instruction ID: e270f2c566361e94236cf23655ec59d4aca6f3aeed449da704414a59b82c1f06
Opcode Fuzzy Hash: 4cfcd314357b8526963ea15a79ec2ac530a0c7137be7b4e619e9a1d1bbcb92e5
Instruction Fuzzy Hash: 31518F32718A4082EB519F66F5943AE73A0E78CBD4F148225FB6A4B7E9CF39C451C780

Function 000000014002CFC0 Relevance: 9.1, APIs: 6, Instructions: 106windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014002D024
GetParent.USER32 ref: 000000014002D041
GetParent.USER32 ref: 000000014002D07A
UpdateWindow.USER32 ref: 000000014002D0FD
GetParent.USER32 ref: 000000014002D131
SendMessageW.USER32 ref: 000000014002D151

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$FocusMessageSendUpdateWindow
String ID:
API String ID: 2438739141-0
Opcode ID: 922674f6b1ea5943126d98b073c6a68f51675e3ce12bf0b2b314fb4e190053f6
Instruction ID: 99bc59474825b2822c58569ed36f13d9eefbd43c88c12b87ee6995947f579662
Opcode Fuzzy Hash: 922674f6b1ea5943126d98b073c6a68f51675e3ce12bf0b2b314fb4e190053f6
Instruction Fuzzy Hash: 49417135205B8085EE5A9B63E5843E833A0FB88BD4F04412AEB6A477F5DF7DC8A5C700

Function 0000000140046AD8 Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0000000140046B42
GetWindow.USER32 ref: 0000000140046B4E
IsWindowEnabled.USER32 ref: 0000000140046B63
SendMessageW.USER32 ref: 0000000140046B98
EnableWindow.USER32 ref: 0000000140046BA8
GetWindow.USER32 ref: 0000000140046BCB

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$DesktopEnableEnabledExceptionMessageSendThrow
String ID:
API String ID: 3417298820-0
Opcode ID: e59a5fe0f0867942b7006e2c8aa1388df1a11c797de86aff356ede0f502aba21
Instruction ID: ec70f683a06843ee7756f559f50d76e67ac05059fd718bd455a51a472838b51c
Opcode Fuzzy Hash: e59a5fe0f0867942b7006e2c8aa1388df1a11c797de86aff356ede0f502aba21
Instruction Fuzzy Hash: B2418272205B4482FA569B23E8143E963A0EB8DFE4F194239BF5947BF5EF38C5458B04

Function 000000014001B1D8 Relevance: 9.1, APIs: 6, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001B208
TlsGetValue.KERNEL32 ref: 000000014001B221
LocalAlloc.KERNEL32 ref: 000000014001B2A3
LocalReAlloc.KERNEL32 ref: 000000014001B2C7
LeaveCriticalSection.KERNEL32 ref: 000000014001B2D8
TlsSetValue.KERNEL32 ref: 000000014001B30F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 18bc2cb92d79176bdf0ac9712478dcbfd54db727ed25e1701fdf2f8b0f262ebe
Instruction ID: 6867d1b7c3821fe9762de0330f0da48c64e1a98a32b2f8eb137011190b97f6b1
Opcode Fuzzy Hash: 18bc2cb92d79176bdf0ac9712478dcbfd54db727ed25e1701fdf2f8b0f262ebe
Instruction Fuzzy Hash: 84417932601B0482EB1ADF66D4943AC73A0F78CFA4F184529EB290B7B5DF39D9668740

Function 0000000140053A14 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400538FC: GetProfileIntW.KERNEL32 ref: 0000000140053970
Part of subcall function 00000001400538FC: GetProfileIntW.KERNEL32 ref: 0000000140053990

CopyRect.USER32 ref: 0000000140053A76
GetCursorPos.USER32 ref: 0000000140053A88
SetRect.USER32 ref: 0000000140053AA6
IsRectEmpty.USER32 ref: 0000000140053ACB
InflateRect.USER32 ref: 0000000140053AE1
DoDragDrop.OLE32 ref: 0000000140053B48

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyInflate
String ID:
API String ID: 1351899944-0
Opcode ID: cfa59c90dc433693fc6a7cc3ee076e08952c3c206ef660028b21f2c4a04b9cc0
Instruction ID: 5b34556ee579aefd1e3fecdaca42637c326a89bc1776e722b49d0be72550fd85
Opcode Fuzzy Hash: cfa59c90dc433693fc6a7cc3ee076e08952c3c206ef660028b21f2c4a04b9cc0
Instruction Fuzzy Hash: 90415172215A8086EA66DF17E8447DAB3A0F799BD0F449125BF8A07BB4DF39C545CB00

Function 000000014001326C Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32 ref: 0000000140013298
GetWindowTextW.USER32 ref: 00000001400132B5
GetObjectW.GDI32 ref: 0000000140013372
SetBkColor.GDI32 ref: 000000014001337F
GetSysColor.USER32 ref: 0000000140013393
SetTextColor.GDI32 ref: 000000014001339E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ColorText$Window$LengthObject
String ID:
API String ID: 4059885849-0
Opcode ID: 3e37de75749459d70704fb04cc77dab82474f91b2d9298f010768d8c77601aee
Instruction ID: d15b3ab346d1c4e4517ceff59ffa0389d0a9cad7eacba65abe8b9a6608ee206c
Opcode Fuzzy Hash: 3e37de75749459d70704fb04cc77dab82474f91b2d9298f010768d8c77601aee
Instruction Fuzzy Hash: 4D418F36704A4086EA56DB67E4543A973E0EB8CFD0F144126EF9A8B7B5DF3AC9418B00

Function 0000000140071DAC Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071E80
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071E9A
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071EA7
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071EB4
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071EC1
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140071ECE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: 9a64edb99d01b8c1c7dd94d72367c84b06f58e40bed30b03753cab3555b120db
Instruction ID: a2f3b0ed2d7c2ec565b61ba3103c27aef62481df48b4c6a078ea0a0a46dd3924
Opcode Fuzzy Hash: 9a64edb99d01b8c1c7dd94d72367c84b06f58e40bed30b03753cab3555b120db
Instruction Fuzzy Hash: F0313E72242A8092EB119F6AC8503DD23A0F789FA4F585536AB1D873F6DF38C985C350

Function 000000014000A4B8 Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014000A521
GetParent.USER32 ref: 000000014000A530
GetParent.USER32 ref: 000000014000A54F
GetLastActivePopup.USER32 ref: 000000014000A567
IsWindowEnabled.USER32 ref: 000000014000A57D
EnableWindow.USER32(?,?,?,0000000140008DBB), ref: 000000014000A594

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: afec0ebc46ddd487345f1bb497ba36b16f171c77ec0ecc3b812bcad297e3849a
Instruction ID: 5e30fb4840bb38c400b9d1b46575cdf6e232dbb3bfa483ccfbfbe2e4decc6b88
Opcode Fuzzy Hash: afec0ebc46ddd487345f1bb497ba36b16f171c77ec0ecc3b812bcad297e3849a
Instruction Fuzzy Hash: C031FBB2301E8185FE6ADB57B9543E962D0AB5EFD2F0C4534AF0A0B7A5EE3CC4414600

Function 000000014003A1BC Relevance: 9.1, APIs: 6, Instructions: 67timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 000000014003A1E1
ReleaseCapture.USER32 ref: 000000014003A1EF
PtInRect.USER32 ref: 000000014003A240
InvalidateRect.USER32 ref: 000000014003A2A6
SetTimer.USER32 ref: 000000014003A2CE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 891a8349eba2d7af160a28796d1fb8bd81c78b473170e5ff382e545ab3d92b20
Instruction ID: 27667ad8527e2e76429a56c2d5280403bc2209648c7d5b2004cac29413247c41
Opcode Fuzzy Hash: 891a8349eba2d7af160a28796d1fb8bd81c78b473170e5ff382e545ab3d92b20
Instruction Fuzzy Hash: 2A312D7620464286EB668F67D4443EB73A0F74AFC5F088135EB094B6A8CF3EC445DB10

Function 000000014018B3E4 Relevance: 9.1, APIs: 6, Instructions: 56threadCOMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014018B400
CreateThread.KERNEL32 ref: 000000014018B444
GetLastError.KERNEL32 ref: 000000014018B452
CloseHandle.KERNEL32(?,?,?,?,00000000,000000014007ED23,?,?,?,000000014002F048), ref: 000000014018B471
FreeLibrary.KERNEL32(?,?,?,?,00000000,000000014007ED23,?,?,?,000000014002F048), ref: 000000014018B480
ResumeThread.KERNEL32 ref: 000000014018B4A3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Thread$CloseCreateErrorFreeHandleLastLibraryResume_invalid_parameter_noinfo
String ID:
API String ID: 2082702847-0
Opcode ID: f2777bc344f34923d42e320a278e4597f036cb57e92952cb1c510ecd8aa41516
Instruction ID: 5aa45f3dd20457649696c4fbaff3fab5a3be05cda1aa9ecca640a06da61fc574
Opcode Fuzzy Hash: f2777bc344f34923d42e320a278e4597f036cb57e92952cb1c510ecd8aa41516
Instruction Fuzzy Hash: C6216032201B4082FE169BA694957E96290AB4CFB4F1807259F7A077F6DF3CC7548600

Function 01F8C0EC Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

_set_fmode.LIBCMT ref: 01F8C103
__scrt_initialize_onexit_tables.LIBCMT ref: 01F8C11C
_RTC_Initialize.LIBCMT ref: 01F8C125

Part of subcall function 01F8C784: _onexit.LIBCMT ref: 01F8C788

Part of subcall function 01F95678: _invalid_parameter_noinfo.LIBCMT ref: 01F956A2

__scrt_fastfail.LIBCMT ref: 01F8C18D
__scrt_fastfail.LIBCMT ref: 01F8C198
__scrt_initialize_default_local_stdio_options.LIBCMT ref: 01F8C1A4

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: __scrt_fastfail$Initialize__scrt_initialize_default_local_stdio_options__scrt_initialize_onexit_tables_invalid_parameter_noinfo_onexit_set_fmode
String ID:
API String ID: 2236104978-0
Opcode ID: bdb7e4fe9ed62621f708dac1ce87153a9d9ef5e633323ea373caed4b9f1ae094
Instruction ID: ae06720a724d5e850ff89ab4b3ee6af45a145eecfd226dbec73df195c38b7fd1
Opcode Fuzzy Hash: bdb7e4fe9ed62621f708dac1ce87153a9d9ef5e633323ea373caed4b9f1ae094
Instruction Fuzzy Hash: FD011900FB010782FF1AF3F99C683EC3295CFB4320F84042686498AAA1EF7F84854672

Function 000000014001CC14 Relevance: 9.0, APIs: 6, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 000000014001CC21
GetParent.USER32 ref: 000000014001CC48

Part of subcall function 000000014001D054: GetWindowLongW.USER32 ref: 000000014001D087
Part of subcall function 000000014001D054: GetClassNameW.USER32 ref: 000000014001D0A2

GetWindowLongW.USER32 ref: 000000014001CC74
GetParent.USER32 ref: 000000014001CC83
GetDesktopWindow.USER32 ref: 000000014001CC8C
SendMessageW.USER32 ref: 000000014001CCA5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSend
String ID:
API String ID: 3020784601-0
Opcode ID: ae21b23015141b5b17db6a79777038a8f58c286186c35ea1b830cb8dd77275ff
Instruction ID: e89cff85f140df4282ee46027f6d1f3f4a6c2e08a8251d7b44f2b71fe6154e27
Opcode Fuzzy Hash: ae21b23015141b5b17db6a79777038a8f58c286186c35ea1b830cb8dd77275ff
Instruction Fuzzy Hash: 96014C3132168542FE565763B558BE913D19B8DFD5F081834EF0A0BBB6EE3EC8868640

Function 000000014001CF30 Relevance: 9.0, APIs: 6, Instructions: 45COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 000000014001CF52
GetWindow.USER32 ref: 000000014001CF60
GetDlgCtrlID.USER32 ref: 000000014001CF71
GetWindowLongW.USER32 ref: 000000014001CF86
GetWindowRect.USER32 ref: 000000014001CFA6
PtInRect.USER32 ref: 000000014001CFB6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: c4464cb2e76ea967eb739658a8195656d1f745ae32622975ecc0599efd4057ab
Instruction ID: bbdfdf929576efa7bf969e8474aea56ac095eb9205d894a9761ef48f23bb6e24
Opcode Fuzzy Hash: c4464cb2e76ea967eb739658a8195656d1f745ae32622975ecc0599efd4057ab
Instruction Fuzzy Hash: FD118672324A4582FA528F17E8547AA63A1E78DBD4F141538AB4E4B7B9DF3CC1868B04

Function 00000001400A6F20 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 208fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400A6F84
GetTempPathW.KERNEL32 ref: 00000001400A6FF4
GetTempFileNameW.KERNEL32 ref: 00000001400A7085
CreateFileW.KERNEL32 ref: 00000001400A70D4

Strings

AFX, xrefs: 00000001400A707B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: FileTemp$CloseCreateHandleNamePath
String ID: AFX
API String ID: 777972874-1300893600
Opcode ID: bcdeba4cbd59770f38937ddfa6ebbd103f829abe1e2d93603cf4fb58bbd7405b
Instruction ID: e720543506bd07353710b9ca6fdcac05779cba1e449c90752f287cd9b11afbb3
Opcode Fuzzy Hash: bcdeba4cbd59770f38937ddfa6ebbd103f829abe1e2d93603cf4fb58bbd7405b
Instruction Fuzzy Hash: FC819172305A4182EB15DB26E854BDE63A1F798BE4F048216EF59877F9DF78C885CB00

Function 00000001400142E8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 177windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 0000000140014509
GetWindowLongPtrW.USER32 ref: 0000000140014518
GetWindowLongPtrW.USER32 ref: 0000000140014532
SetWindowLongPtrW.USER32 ref: 000000014001455A

Strings

@, xrefs: 00000001400144F9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: @
API String ID: 2178440468-2766056989
Opcode ID: f25b3b8817b23487fe01937d1e3cb9b4325ebfea2a985bb23f4f25ad4f45e361
Instruction ID: 12c2ea2bdf2fbd675013e2445d1076bc2553721c23cba48406ef5572c4bae4f1
Opcode Fuzzy Hash: f25b3b8817b23487fe01937d1e3cb9b4325ebfea2a985bb23f4f25ad4f45e361
Instruction Fuzzy Hash: 8B718972201A4482EB6AEF26E5543ED23A0FB8CBC4F484125EB5D4B7B6DF3AC955C700

Function 00000001400F607C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400F5FBC: OleGetClipboard.OLE32 ref: 00000001400F5FD6

ReleaseStgMedium.OLE32 ref: 00000001400F6123
ReleaseStgMedium.OLE32 ref: 00000001400F61B5

Strings

', xrefs: 00000001400F60D2

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MediumRelease$Clipboard
String ID: '
API String ID: 3486090133-1997036262
Opcode ID: 27fda6bf54b5f96f4efcd57f59c89dbbbad9945e84d06266830c121a77e831fd
Instruction ID: fe6eb6a675d5642be3f5bf540de7ff54d85d2c6c77eae9fb1b82aae53b21df16
Opcode Fuzzy Hash: 27fda6bf54b5f96f4efcd57f59c89dbbbad9945e84d06266830c121a77e831fd
Instruction Fuzzy Hash: 79615332605B8081EA669B27E4243EE63A0F78DBD4F144129EB8947BB9DF78C9459740

Function 000000014006E9DC Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 000000014006EB38

Part of subcall function 000000014000C7BC: ClientToScreen.USER32 ref: 000000014000C7D5
Part of subcall function 000000014000C7BC: ClientToScreen.USER32 ref: 000000014000C7E6

IsRectEmpty.USER32 ref: 000000014006EB54
IsRectEmpty.USER32 ref: 000000014006EB70
IsRectEmpty.USER32 ref: 000000014006EB86

Strings

Afx:ControlBar, xrefs: 000000014006EA80

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Empty$ClientScreen$Copy
String ID: Afx:ControlBar
API String ID: 3826871945-4244778371
Opcode ID: 3953512f1f639eafd0c0fc9988dcb1a4eabab60057fdd3338ddaf082749f1aed
Instruction ID: 71d049944f2e7ab780c8c138bc54fd014761a4a35536e7072501d3d4f351a23a
Opcode Fuzzy Hash: 3953512f1f639eafd0c0fc9988dcb1a4eabab60057fdd3338ddaf082749f1aed
Instruction Fuzzy Hash: 7E61A972B05A8086EB169F76E8407ED23A0F749B98F504226EF5E57BE5EF38C546C300

Function 000000014000F630 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014000F7BF
RegEnumKeyW.ADVAPI32 ref: 000000014000F7DB
RegCloseKey.ADVAPI32 ref: 000000014000F7FD
RegQueryValueW.ADVAPI32 ref: 000000014000F815

Strings

Software\, xrefs: 000000014000F705

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CloseEnumOpenQueryValue
String ID: Software\
API String ID: 3984146545-964853688
Opcode ID: dbb74976569afc5307153a1cae43cf87ac509d1debfec73105aa5b2c807ab0e6
Instruction ID: 88da1379b00134230df086cdf169ad067d923ac9148b3a81e96bcb93672e7273
Opcode Fuzzy Hash: dbb74976569afc5307153a1cae43cf87ac509d1debfec73105aa5b2c807ab0e6
Instruction Fuzzy Hash: 6861B072314A4082EB51DB6AE4407EE63A1FB89BE4F448226EB6E47BF4DF38C445D700

Function 01F8D854 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150COMMONLIBRARYCODE

Download Yara Rule

APIs

_CallSETranslator.LIBVCRUNTIME ref: 01F8D8EA
_GetRangeOfTrysToCheck.LIBVCRUNTIME ref: 01F8D931
CatchIt.LIBVCRUNTIME ref: 01F8DA6A

Part of subcall function 01F8F268: abort.LIBCMT ref: 01F8F27B

Strings

RCC, xrefs: 01F8D8BF
MOC, xrefs: 01F8D8B7

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: CallCatchCheckRangeTranslatorTrysabort
String ID: MOC$RCC
API String ID: 3773807320-2084237596
Opcode ID: 44fb3774141bcadce2cefc167fdfb5a596613f7d20a0ddff1eae4f1c518957c3
Instruction ID: e7cc13dfcafcfdebb7d749ba6363daf384962df492af6cb12323cdc947f50793
Opcode Fuzzy Hash: 44fb3774141bcadce2cefc167fdfb5a596613f7d20a0ddff1eae4f1c518957c3
Instruction Fuzzy Hash: FB51AF72604BC1DADF24EF59E8907AEB761FB80B88F184526CB9E47A58DB79C151C700

Function 00000001400E1604 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140167EF8: SetRectEmpty.USER32 ref: 0000000140167F44

SetRectEmpty.USER32 ref: 00000001400E17DF
SetRectEmpty.USER32 ref: 00000001400E17EF
SetRectEmpty.USER32 ref: 00000001400E17F8

Strings

True, xrefs: 00000001400E1839, 00000001400E1848
False, xrefs: 00000001400E1857, 00000001400E1866

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRect
String ID: False$True
API String ID: 2270935405-1895882422
Opcode ID: 96e7f8a7a3054a11d90cfb2d3857e1ad23102024ac21d14c3fc968cf981ab267
Instruction ID: 37622226174abdfc693ac4cc7816c086396a265f25186a9b591cc9efc3ad75dd
Opcode Fuzzy Hash: 96e7f8a7a3054a11d90cfb2d3857e1ad23102024ac21d14c3fc968cf981ab267
Instruction Fuzzy Hash: 8971E472101F808AE769DF25F850BDAB7A9F788751F804119DBEA433A1DF39E1A1DB04

Function 0000000140010EF8 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000140010F76
_snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000140010FFA
GetClassInfoW.USER32 ref: 000000014001104A

Strings

Afx:%p:%x:%p:%p:%p, xrefs: 0000000140010FD0
Afx:%p:%x, xrefs: 0000000140010F5D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: _snwprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1957674926-2801496823
Opcode ID: 1693327ed1560dac98f88dbebfe37eadf55600b0f1428ee3ca6f0659136d9365
Instruction ID: 4ef910b016ca354a8629323af994eeaf4709be87019346079d96e6803232b4c2
Opcode Fuzzy Hash: 1693327ed1560dac98f88dbebfe37eadf55600b0f1428ee3ca6f0659136d9365
Instruction Fuzzy Hash: CC5171326047448AE72BAF63A4013DC33A5F78CB84F854526FB4817BB6CA79C991C751

Function 000000014000F2C0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32 ref: 000000014000F3B6
RegEnumKeyW.ADVAPI32 ref: 000000014000F3DB
RegCloseKey.ADVAPI32 ref: 000000014000F4A0

Strings

Software\Classes\, xrefs: 000000014000F328

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CloseEnumOpen
String ID: Software\Classes\
API String ID: 1332880857-1121929649
Opcode ID: 3cda73512a15e6b011a4efe2526e0ebe3a6da6f5f22c7067a143809d272551c6
Instruction ID: 6b958a8a01d553116fad0cbc0942605790f43e6a09c51c830493c98ca62bc5ce
Opcode Fuzzy Hash: 3cda73512a15e6b011a4efe2526e0ebe3a6da6f5f22c7067a143809d272551c6
Instruction Fuzzy Hash: 7E5163B2214A8081EA51DB2AF4447AAA3A1F789BF4F544211FFAD43BF9DF38C545D700

Function 00000001401285F8 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 127keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardLayout.USER32 ref: 000000014012868E
MapVirtualKeyExW.USER32 ref: 000000014012869B
GetKeyNameTextW.USER32 ref: 00000001401286C5
IsCharLowerW.USER32 ref: 0000000140128711

Strings

Pause, xrefs: 0000000140128667, 0000000140128673

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CharKeyboardLayoutLowerNameTextVirtual
String ID: Pause
API String ID: 1722420680-375111145
Opcode ID: f6dac2ff5f3905a283627a0c8f4347a70ac7d25ffed3e0867f655aefc2bd1e9b
Instruction ID: f29fa123ac54905f085b5ee4ddce56a7fa093d1eb6f27857d2f587b5e03b49f8
Opcode Fuzzy Hash: f6dac2ff5f3905a283627a0c8f4347a70ac7d25ffed3e0867f655aefc2bd1e9b
Instruction Fuzzy Hash: 8C419CB2711A4082FB66AB27E8513EE23A1F789F90F50411AEF5A476F6DF38C9418740

Function 0000000140009C94 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 110windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140009CCC: SendMessageW.USER32 ref: 0000000140009CEB
Part of subcall function 0000000140009CCC: SendMessageW.USER32 ref: 0000000140009D0D

SendMessageW.USER32 ref: 0000000140014509
GetWindowLongPtrW.USER32 ref: 0000000140014518
GetWindowLongPtrW.USER32 ref: 0000000140014532
SetWindowLongPtrW.USER32 ref: 000000014001455A

Strings

@, xrefs: 00000001400144F9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: LongMessageSendWindow
String ID: @
API String ID: 3360111000-2766056989
Opcode ID: 602ff37dd4186421e1192c2f04b706a87b44b3d248ee6ffa116c6b9dad329328
Instruction ID: f60ba69d3238fb6e341e39663f4c8c0da157bd0063c488fc7467cbc4c95f2f2a
Opcode Fuzzy Hash: 602ff37dd4186421e1192c2f04b706a87b44b3d248ee6ffa116c6b9dad329328
Instruction Fuzzy Hash: 84514872201A4482FB6AEF22E5543E923A1FB89B84F084125EB5D0B7B6DF3AC4958700

Function 01F849D0 Relevance: 8.9, Strings: 7, Instructions: 105COMMON

Download Yara Rule

Strings

bl counts: , xrefs: 01F84A5B
bl code %2d , xrefs: 01F84AE3
too many codes, xrefs: 01F84A45
lit tree: sent %ld, xrefs: 01F84B61
dist tree: sent %ld, xrefs: 01F84B9A
bl tree: sent %ld, xrefs: 01F84B2B
not enough codes, xrefs: 01F84A0B

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: bl code %2d $bl counts: $bl tree: sent %ld$dist tree: sent %ld$lit tree: sent %ld$not enough codes$too many codes
API String ID: 0-1851375461
Opcode ID: 51e4fa6b8f77a94c0b94518c94bb633571f4d386c29c7a374fbbf4bc696573f6
Instruction ID: 7b2f0a1d036343b0556902b2ab43d085ee06ed0b5b2cb0853b9e2baa3f893ef8
Opcode Fuzzy Hash: 51e4fa6b8f77a94c0b94518c94bb633571f4d386c29c7a374fbbf4bc696573f6
Instruction Fuzzy Hash: A5410072618582C6DB20EB59E89036EFBB0F7D5748F500126EB8D87A68DB7EC941CF41

Function 000000014000FCB4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 98COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 000000014000FD2C
IsAppThemed.UXTHEME ref: 000000014000FDA6
GetStockObject.GDI32 ref: 000000014000FDC0

Strings

Static, xrefs: 000000014000FD57
Button, xrefs: 000000014000FD42

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClassNameObjectStockThemed
String ID: Button$Static
API String ID: 2060966668-2498952662
Opcode ID: 78afd9d8fc5b74b6f99ec556c70408d775d2164bceb7a2900db6182f54be051a
Instruction ID: d605bb4a77b606c79eb696ce4139792111c5c8928eff61ad0d67f012a7b550ed
Opcode Fuzzy Hash: 78afd9d8fc5b74b6f99ec556c70408d775d2164bceb7a2900db6182f54be051a
Instruction Fuzzy Hash: DD4144B221094081EA669B27E8547E96351FB8CFF4F048226AF6947AF9DF38C545E640

Function 000000014000785C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000788D
GetProcAddress.KERNEL32 ref: 00000001400078A6
RegCreateKeyExW.ADVAPI32 ref: 000000014000796D

Strings

Advapi32.dll, xrefs: 0000000140007886
RegCreateKeyTransactedW, xrefs: 000000014000789C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedW
API String ID: 1964897782-2994018265
Opcode ID: 42180a947a1d78db90396d8e14b2a0ad8a3041cc78fb7b69baf6956f0914cca1
Instruction ID: 2de586dcf0ce2e640be60d76a5b461370529e6a772347aec7a51564651d0276e
Opcode Fuzzy Hash: 42180a947a1d78db90396d8e14b2a0ad8a3041cc78fb7b69baf6956f0914cca1
Instruction Fuzzy Hash: B631F676618B808ADB61CF16F44479AB3A4F789BD4F544129EB8D83B68DF3CC454CB00

Function 0000000140008DD4 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

Edit, xrefs: 0000000140008E40

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: f529af8da8e5f33d113b61903d4ad51d120e64898c2ffd96da0bc6c79de175b2
Instruction ID: a6c31f2e68caab5c7ed11ea4a9824b33f64c0e7a4e1253488bf99f6e1fde7bc5
Opcode Fuzzy Hash: f529af8da8e5f33d113b61903d4ad51d120e64898c2ffd96da0bc6c79de175b2
Instruction Fuzzy Hash: E7216A7120068092FBB6DB23E9443E923A1BB8DBC4F184025EF898B6F5CF78C8858311

Function 000000014003DF00 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56libraryfileloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014003DF2D
GetProcAddress.KERNEL32 ref: 000000014003DF46
CreateFileW.KERNEL32 ref: 000000014003DFD2

Strings

kernel32.dll, xrefs: 000000014003DF26
CreateFileTransactedW, xrefs: 000000014003DF3C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressCreateFileHandleModuleProc
String ID: CreateFileTransactedW$kernel32.dll
API String ID: 2580138172-2053874626
Opcode ID: 8eabf4d54435c3398b06033abe81d829a067455a20821142875ff25751053ea7
Instruction ID: f4a83021c0de5b967781a7ce54b0996a10d1279336924fa2db9e7b8a792e3f57
Opcode Fuzzy Hash: 8eabf4d54435c3398b06033abe81d829a067455a20821142875ff25751053ea7
Instruction Fuzzy Hash: 2821F1326187808AD765CF16F44439AB7A1F78CB94F54422AEB9983BA8DF3CC445CB44

Function 0000000140007990 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00000001400079BD
GetProcAddress.KERNEL32 ref: 00000001400079D2
RegOpenKeyExW.ADVAPI32 ref: 0000000140007A25

Strings

RegOpenKeyTransactedW, xrefs: 00000001400079C8
Advapi32.dll, xrefs: 00000001400079B6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedW
API String ID: 1337834000-3913318428
Opcode ID: ebedbc852e3c79a2f3918c496b3a7cd55f5a0ae960cf1e1dcd37f99ea0469498
Instruction ID: f3a2293a0231f02073d563539e533f7de5882f09a50b091e328dd43c8e644d7e
Opcode Fuzzy Hash: ebedbc852e3c79a2f3918c496b3a7cd55f5a0ae960cf1e1dcd37f99ea0469498
Instruction Fuzzy Hash: 65110772B19B4086EA11CB56F44479AA7A0F7C9FD4F584129AB8D47B69CF3CC585CB00

Function 000000014001C168 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001C1CF

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32 ref: 000000014001C1B4
EncodePointer.KERNEL32 ref: 000000014001C1C0

Strings

dwmapi.dll, xrefs: 000000014001C199
DwmSetIconicLivePreviewBitmap, xrefs: 000000014001C1AA

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 2269242174-1757063745
Opcode ID: c39ba62fc45206e7b597eef1e3cf3220dd9d7ae771175cdaa90591fd06e6f780
Instruction ID: 764a2d176a454e79491be95cacabfc7974c1796f572664ee856f7c1f89349ef7
Opcode Fuzzy Hash: c39ba62fc45206e7b597eef1e3cf3220dd9d7ae771175cdaa90591fd06e6f780
Instruction Fuzzy Hash: 14116931212B4091EE169B47A844BD867E0FB8DFD4F484029EF4E9B771EF3AC4408704

Function 000000014001C2A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001C30A

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32 ref: 000000014001C2EF
EncodePointer.KERNEL32 ref: 000000014001C2FB

Strings

DwmSetWindowAttribute, xrefs: 000000014001C2E5
dwmapi.dll, xrefs: 000000014001C2D4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetWindowAttribute$dwmapi.dll
API String ID: 2269242174-3105884578
Opcode ID: a11c9200868debea3cea5914b4ee8a604c84481221f9d148d6e278e5df1aa62e
Instruction ID: 4d8abd5135d00086fc1a0dd61ebc05bb9f4129eb675472b2485e6e73f148b7a7
Opcode Fuzzy Hash: a11c9200868debea3cea5914b4ee8a604c84481221f9d148d6e278e5df1aa62e
Instruction Fuzzy Hash: D9116531612B4081EE169F87B804B98B6E0BB8DFC4F488429EF5A4B770EF39C951C700

Function 000000014004BA40 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014004BA72
GetProcAddress.KERNEL32 ref: 000000014004BA87
GetFileAttributesExW.KERNEL32 ref: 000000014004BAAF

Strings

GetFileAttributesTransactedW, xrefs: 000000014004BA7D
kernel32.dll, xrefs: 000000014004BA6B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressAttributesFileHandleModuleProc
String ID: GetFileAttributesTransactedW$kernel32.dll
API String ID: 3217448241-1378992308
Opcode ID: 6637c69fc0ad6b9934151c2d6229485324b158c27344a31d975633b8c2c0c95d
Instruction ID: bdd5dfa66b020c6506043fccfc096c79a2e90005cfa0c5ad5e7afae69fd7a3ec
Opcode Fuzzy Hash: 6637c69fc0ad6b9934151c2d6229485324b158c27344a31d975633b8c2c0c95d
Instruction Fuzzy Hash: 62019E31615B8085EA56CF87E80479922A0E75CFC4F598029EB1943BB9CF78C8A1C744

Function 000000014001E368 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 40libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001E39E
GetProcAddress.KERNEL32 ref: 000000014001E3B3

Part of subcall function 000000014000F5A4: GetModuleHandleW.KERNEL32 ref: 000000014000F5C9
Part of subcall function 000000014000F5A4: GetProcAddress.KERNEL32 ref: 000000014000F5DE

Strings

Advapi32.dll, xrefs: 000000014001E397
RegDeleteKeyExW, xrefs: 000000014001E3A9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyExW
API String ID: 1646373207-2191092095
Opcode ID: 5550da189ba71d238e50d55a59154c1d55799b6cdb72a88275624ede517d0d9c
Instruction ID: d27fa67da45328b9ee362ae7d9aa95a8357353ae9aae9bc8e27ab648871595f6
Opcode Fuzzy Hash: 5550da189ba71d238e50d55a59154c1d55799b6cdb72a88275624ede517d0d9c
Instruction Fuzzy Hash: FE115B70605A8091FF269B57E84C7ED22A0AB4EFC4F584519AB2E0B7B5DF7AC588C300

Function 00000001400538FC Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 000000014003D894: EnterCriticalSection.KERNEL32 ref: 000000014003D8CC
Part of subcall function 000000014003D894: InitializeCriticalSection.KERNEL32 ref: 000000014003D8EB
Part of subcall function 000000014003D894: LeaveCriticalSection.KERNEL32 ref: 000000014003D8FF

GetProfileIntW.KERNEL32 ref: 0000000140053970
GetProfileIntW.KERNEL32 ref: 0000000140053990

Strings

DragDelay, xrefs: 0000000140053982
DragMinDist, xrefs: 0000000140053962
windows, xrefs: 0000000140053969, 0000000140053989

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$Profile$EnterInitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 2203521320-2101198082
Opcode ID: 7c811132b4178f9615f227aa658df722b5b72b2a3fe5cf703ce0c59882d5e9e4
Instruction ID: ba486fff59628a8f42e557ecb3b1a0dcb428f5d700face3072b4eee3b6d11eac
Opcode Fuzzy Hash: 7c811132b4178f9615f227aa658df722b5b72b2a3fe5cf703ce0c59882d5e9e4
Instruction Fuzzy Hash: BA115A76510B01CBF712DF26E8183D837A1F39AB6AF404219DB59422F5EBBEC149CB40

Function 000000014001C210 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001C26F

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32 ref: 000000014001C254
EncodePointer.KERNEL32 ref: 000000014001C260

Strings

DwmSetIconicThumbnail, xrefs: 000000014001C24A
dwmapi.dll, xrefs: 000000014001C239

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetIconicThumbnail$dwmapi.dll
API String ID: 2269242174-2331651847
Opcode ID: 3b035d9131fc9307ccfb9a64ac3e5bf1de390265072470e092048d064a64617c
Instruction ID: 53adc73f7b1c63ed94f36d1388c4d72d44b71e682d69c18911752963eca3754b
Opcode Fuzzy Hash: 3b035d9131fc9307ccfb9a64ac3e5bf1de390265072470e092048d064a64617c
Instruction Fuzzy Hash: 87014831616B4082EE46DB97B854BE962E0AB8DFC0F484028EF4A4B775EF39C4408B40

Function 000000014000F5A4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014000F5C9
GetProcAddress.KERNEL32 ref: 000000014000F5DE
RegDeleteKeyW.ADVAPI32 ref: 000000014000F613

Strings

Advapi32.dll, xrefs: 000000014000F5C2
RegDeleteKeyTransactedW, xrefs: 000000014000F5D4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressDeleteHandleModuleProc
String ID: Advapi32.dll$RegDeleteKeyTransactedW
API String ID: 588496660-2168864297
Opcode ID: da2038015c68b8ec7a6c301c46b96ffc57dd7676bd8d58bd72340048458eaab0
Instruction ID: 4f885a14c4cda54935562483b209bb423dca6c7978455cac91cc6e024c76044b
Opcode Fuzzy Hash: da2038015c68b8ec7a6c301c46b96ffc57dd7676bd8d58bd72340048458eaab0
Instruction Fuzzy Hash: F7015E71605A4081FB66CB16F5443AA63A0A78CFC4F588418EF4907BB4CF3DC485E700

Function 000000014001C0F4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001C143

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32 ref: 000000014001C128
EncodePointer.KERNEL32 ref: 000000014001C134

Strings

DwmIsCompositionEnabled, xrefs: 000000014001C11E
dwmapi.dll, xrefs: 000000014001C10D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 2269242174-1198327662
Opcode ID: 4cd5b9ecf3796cfc8e35184b446b669da2b8c37e4be3ed77e762fcdf8f470e39
Instruction ID: 72a85514a77822e17289df42a63ec701bb198e6b91030b4dac2d316e8610e768
Opcode Fuzzy Hash: 4cd5b9ecf3796cfc8e35184b446b669da2b8c37e4be3ed77e762fcdf8f470e39
Instruction Fuzzy Hash: 0BF03C30662A4091FE4A9B57A9987E822E0AB8EBC0F484424AF0E4B371EF39C0908700

Function 000000014001C080 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001C0CF

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32 ref: 000000014001C0B4
EncodePointer.KERNEL32 ref: 000000014001C0C0

Strings

dwmapi.dll, xrefs: 000000014001C099
DwmInvalidateIconicBitmaps, xrefs: 000000014001C0AA

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 2269242174-1901905683
Opcode ID: b43ff83029477f0a5e27903bb63de2aec56362f7724eb1e6a8e1994a4d815b58
Instruction ID: 1aa503ef7a39c40cfebcbbcc50b6be72fa676e8f4a5b903078550c4e4f631af6
Opcode Fuzzy Hash: b43ff83029477f0a5e27903bb63de2aec56362f7724eb1e6a8e1994a4d815b58
Instruction Fuzzy Hash: 92F0F931616A40D1FE579B97B958BE862E0AB4CBC4F084429AB0E4B371EF3AC4548604

Function 000000014002870C Relevance: 7.8, APIs: 5, Instructions: 302COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

SetRectEmpty.USER32 ref: 0000000140028776
SetRectEmpty.USER32 ref: 00000001400287F5
GetClientRect.USER32 ref: 0000000140028A0A
GetClientRect.USER32 ref: 0000000140028A2B
SetRectEmpty.USER32 ref: 0000000140028ABE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Empty$Client$ExceptionThrow
String ID:
API String ID: 340761640-0
Opcode ID: beb3f1cfd7916086383fd16f261b0e1d5f84647ff5e9e30692c587f2e9bfd083
Instruction ID: 642aa72daaf88bf73a163a2e18753d5eebb3b3d5d900f2a29f54d09b8caf6fcc
Opcode Fuzzy Hash: beb3f1cfd7916086383fd16f261b0e1d5f84647ff5e9e30692c587f2e9bfd083
Instruction Fuzzy Hash: 51C19276A067448AFB26CF3AD4403EC67A0F79CB94F188619EF5A577A5DB38D880C701

Function 000000014002B734 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 000000014002B7A0
LoadCursorW.USER32 ref: 000000014002B7FB
LoadCursorW.USER32 ref: 000000014002B84D
CreatePen.GDI32 ref: 000000014002B8FE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CursorLoad$Create
String ID:
API String ID: 1516763891-0
Opcode ID: fdc0e5076c5be9fe9bc9642d6b9296911f66481b273f577c2034b8cca81813e5
Instruction ID: e5f1c1d04d7645d4b14a97d272b6ebf6550305fa3a512b1f3241bf8f1648e79a
Opcode Fuzzy Hash: fdc0e5076c5be9fe9bc9642d6b9296911f66481b273f577c2034b8cca81813e5
Instruction Fuzzy Hash: 38613C7060260195FB57AB27E81A7EA73A0AB4DBC4F844429EB0A877F6DF7DC841D704

Function 0000000140051764 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

wcsstr.LIBVCRUNTIME ref: 00000001400517BE
wcsstr.LIBVCRUNTIME ref: 00000001400517E6
wcsstr.LIBVCRUNTIME ref: 000000014005180E
SearchPathW.KERNEL32 ref: 000000014005185D
SHGetFileInfoW.SHELL32 ref: 00000001400518EE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: wcsstr$FileInfoPathSearch
String ID:
API String ID: 2428323654-0
Opcode ID: cd2a17087666762f09f337d32a69194e534295852c7b88165ca8c54c92f10752
Instruction ID: 1fe013bc4e8ca32fa732eae23e1a29b3bc194bf2d54049664a4006dd4a7c3c3d
Opcode Fuzzy Hash: cd2a17087666762f09f337d32a69194e534295852c7b88165ca8c54c92f10752
Instruction Fuzzy Hash: BE515876301B4482EA25DF2AE8543ED63A0F78CBE4F58112AAB5D437A5EF78C584C740

Function 0000000140032000 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 0000000140032020

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Part of subcall function 0000000140079B54: GetKeyboardState.USER32 ref: 0000000140079B7F
Part of subcall function 0000000140079B54: GetKeyboardLayout.USER32 ref: 0000000140079BA3
Part of subcall function 0000000140079B54: MapVirtualKeyW.USER32 ref: 0000000140079BB0
Part of subcall function 0000000140079B54: ToUnicodeEx.USER32 ref: 0000000140079BD5

WindowFromPoint.USER32 ref: 0000000140032044
ScreenToClient.USER32 ref: 000000014003207A
GetParent.USER32 ref: 00000001400320ED
UpdateWindow.USER32 ref: 0000000140032154

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: KeyboardWindow$CallClientExceptionFromHookLayoutNextParentPointScreenStateThrowUnicodeUpdateVirtual
String ID:
API String ID: 2486863563-0
Opcode ID: c9dac1d8086666355506d46e7c76496c0c9d3a30450fdfbf08444f8ca767af77
Instruction ID: 9fa4fba9ba3d77d92f31f39ebbbf9727a8ddee1e38db64be201b3316ca04cd20
Opcode Fuzzy Hash: c9dac1d8086666355506d46e7c76496c0c9d3a30450fdfbf08444f8ca767af77
Instruction Fuzzy Hash: 34514D31205B4081EF17DB67EA953EA67A1EBCDBC0F14402AFB0A477B6DE79C8858700

Function 0000000140199B68 Relevance: 7.6, APIs: 5, Instructions: 114libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetProcAddress.KERNEL32(?,?,00000006,0000000140199F33,?,?,00000000,000000014019894F,?,?,?,000000014018AB31), ref: 0000000140199C8A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 4cacebc6537bb9c345fe7d31b2c09f8c8cd10afabb7cfa8ca624a584b029f329
Instruction ID: df04c69cfe6a0deba9f2c2394821653f570df97d8a4289372caef51ce1604de0
Opcode Fuzzy Hash: 4cacebc6537bb9c345fe7d31b2c09f8c8cd10afabb7cfa8ca624a584b029f329
Instruction Fuzzy Hash: 1341CC72312A4481FE579B5BAC94BE662D5B71CFE0F098529DF1A4B7A8EA3CD441C300

Function 0000000140084BE0 Relevance: 7.6, APIs: 5, Instructions: 109keyboardCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,00000000,?,000000014003A44B), ref: 0000000140084C27
GetSystemMetrics.USER32 ref: 0000000140084C32
GetSystemMetrics.USER32 ref: 0000000140084C3F
GetKeyState.USER32 ref: 0000000140084C6B
InflateRect.USER32 ref: 0000000140084CA5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MetricsRectSystem$InflateStateWindow
String ID:
API String ID: 1515687257-0
Opcode ID: c5946c25bc314306984dba4f586e5fe11e0b7dd1ee103c5a18adc1659e25cc9d
Instruction ID: 4cb9517b84f054d4ffe506aadaa81f0334aeae3c10b967cb2aee78672eae84f0
Opcode Fuzzy Hash: c5946c25bc314306984dba4f586e5fe11e0b7dd1ee103c5a18adc1659e25cc9d
Instruction Fuzzy Hash: DA418933B012008AEB568F66D4047E973A4F38CB84F544426EF1A57BA8DB79DA81CB00

Function 000000014003504C Relevance: 7.6, APIs: 5, Instructions: 99timewindowCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 0000000140035067
KillTimer.USER32 ref: 0000000140035076
IsWindow.USER32 ref: 00000001400350DC
PostMessageW.USER32 ref: 0000000140035100

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

GetParent.USER32 ref: 0000000140035153

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: KillTimer$ExceptionMessageParentPostThrowWindow
String ID:
API String ID: 660535465-0
Opcode ID: 474153c9d8de12d77053d915f167804efaeaac8c482e548e76d7e5e4b855f48f
Instruction ID: d24d8632a4428518049b0180272b90f9393d6d301994ed3c1ce2513971f20166
Opcode Fuzzy Hash: 474153c9d8de12d77053d915f167804efaeaac8c482e548e76d7e5e4b855f48f
Instruction Fuzzy Hash: B6414132711A8082EE5AEB17E4547EA63A0FB8CFC1F184525EF494BBB5DF38C8918340

Function 0000000140037194 Relevance: 7.6, APIs: 5, Instructions: 99COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,000000014000DBDB), ref: 00000001400371C7

Part of subcall function 000000014000C7BC: ClientToScreen.USER32 ref: 000000014000C7D5
Part of subcall function 000000014000C7BC: ClientToScreen.USER32 ref: 000000014000C7E6

PtInRect.USER32 ref: 00000001400371E0
PtInRect.USER32 ref: 0000000140037253

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClientRect$Screen
String ID:
API String ID: 3187875807-0
Opcode ID: 2248f92439843f486509f85659d6cd2a2b3516c2adff903e29e472c235e44b75
Instruction ID: f40a4131f12c6cc543b2c4c7a660e92c66f73bf8fe7e65ea81d32c5bd3c1869c
Opcode Fuzzy Hash: 2248f92439843f486509f85659d6cd2a2b3516c2adff903e29e472c235e44b75
Instruction Fuzzy Hash: 2941EB72B145518AF726CFBAD9507EE23A0B758B88F144129FF0A97668DB34C981C700

Function 000000014002DAA8 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014002DADD
ScreenToClient.USER32 ref: 000000014002DB0C
ScreenToClient.USER32 ref: 000000014002DB6A
PtInRect.USER32 ref: 000000014002DB9A
SetCursor.USER32 ref: 000000014002DC03

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 8e29f2ce277a719a2c03cccc6a0f640c696d3436ee23f3fd048768ff3ab115bd
Instruction ID: fdda823ca35c7c85ac1b4de3cf543768e9912fc90e3fed72d1437258314dbb0e
Opcode Fuzzy Hash: 8e29f2ce277a719a2c03cccc6a0f640c696d3436ee23f3fd048768ff3ab115bd
Instruction Fuzzy Hash: 81411432711A008AEB06DB66E8957EC33B0F34DB85F40002AEB0A576F9DF78C859C740

Function 000000014003CF3C Relevance: 7.6, APIs: 5, Instructions: 89COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014003CFA6
OffsetRect.USER32 ref: 000000014003D00D
UnionRect.USER32 ref: 000000014003D029
EqualRect.USER32 ref: 000000014003D037
UpdateWindow.USER32 ref: 000000014003D084

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Window$EqualOffsetUnionUpdate
String ID:
API String ID: 3779058437-0
Opcode ID: b35a45cae23d6f0d067a135ab6ab770378ea9c55de2ebf889d80531eba1abfc0
Instruction ID: cc083acfb844a2ec28bc0aa17f25823dd0b7f5e7b2a11eebf98b3091b1e1fd3a
Opcode Fuzzy Hash: b35a45cae23d6f0d067a135ab6ab770378ea9c55de2ebf889d80531eba1abfc0
Instruction Fuzzy Hash: 87414972B10A408AEB16CF66E8947DD37B0F348B88F04452AEF499BA68DF34C585CB50

Function 0000000140035C3C Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140035CA5
GetClientRect.USER32 ref: 0000000140035CE1
PtInRect.USER32 ref: 0000000140035CF8
MapWindowPoints.USER32 ref: 0000000140035D28
SendMessageW.USER32 ref: 0000000140035D4A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClientCursorMessagePointsSendWindow
String ID:
API String ID: 1257894355-0
Opcode ID: 7d43932a637e0b43e66fe1099d940d036dcc3061df1c56e535c07f856c1112d2
Instruction ID: 91cea13d6a16a24cdb69ed37a5b0de82bfc6e49791de1523e034e6594684791e
Opcode Fuzzy Hash: 7d43932a637e0b43e66fe1099d940d036dcc3061df1c56e535c07f856c1112d2
Instruction Fuzzy Hash: A9411D72A10B558AFB529F66D8443ED37B0F748B8AF441026EB1957BA8DB38C581CB50

Function 000000014001618C Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001400161BF
GetWindowRect.USER32 ref: 00000001400161ED
SetWindowPos.USER32 ref: 0000000140016227
GetWindow.USER32 ref: 0000000140016235
ScrollWindow.USER32 ref: 0000000140016257

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$RectScrollVisible
String ID:
API String ID: 2639402888-0
Opcode ID: 244dab8aef38eb9622ee7e88a9b6821ecedd1e7af3d23c93ad9a5751acc96e4e
Instruction ID: e0fbed12328297082dfe53b83e0033a8c95c6b50ef5309a9749782d0e0965cc3
Opcode Fuzzy Hash: 244dab8aef38eb9622ee7e88a9b6821ecedd1e7af3d23c93ad9a5751acc96e4e
Instruction Fuzzy Hash: A3218776714A4482FB66CF63E814BA96361F79CFE5F104114EF491BB68DF39C8458B00

Function 000000014002DEB0 Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400311AC: GetWindowRect.USER32 ref: 0000000140031217
Part of subcall function 00000001400311AC: CreateRoundRectRgn.GDI32 ref: 0000000140031253
Part of subcall function 00000001400311AC: SetWindowRgn.USER32 ref: 0000000140031270

GetSystemMenu.USER32 ref: 000000014002DF4B
DeleteMenu.USER32 ref: 000000014002DF6D
DeleteMenu.USER32 ref: 000000014002DF7F
DeleteMenu.USER32 ref: 000000014002DF91
EnableMenuItem.USER32 ref: 000000014002DFB4

Part of subcall function 000000014002AD44: SetRectEmpty.USER32 ref: 000000014002AD75
Part of subcall function 000000014002AD44: ReleaseCapture.USER32 ref: 000000014002AD7B
Part of subcall function 000000014002AD44: SetCapture.USER32 ref: 000000014002AD91
Part of subcall function 000000014002AD44: GetCapture.USER32 ref: 000000014002ADD6
Part of subcall function 000000014002AD44: ReleaseCapture.USER32 ref: 000000014002ADE9
Part of subcall function 000000014002AD44: SetCapture.USER32 ref: 000000014002ADFF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CaptureMenu$DeleteRect$ReleaseWindow$CreateEmptyEnableItemRoundSystem
String ID:
API String ID: 2896308491-0
Opcode ID: 60dfcdc7b4f89a48a7f04f0d9e700dd6921eef8dd2cd8ab05def028c0cf93ce9
Instruction ID: b4243bfa455632a70a739885e8b302725a02ca90c9de7a915e938c5205d581af
Opcode Fuzzy Hash: 60dfcdc7b4f89a48a7f04f0d9e700dd6921eef8dd2cd8ab05def028c0cf93ce9
Instruction Fuzzy Hash: C5313C3571065282EB92DB23D4547E977A1FBCDFC4F55802AEB0A47BA9DE38C8429740

Function 0000000140007CE8 Relevance: 7.6, APIs: 5, Instructions: 72registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyW.ADVAPI32 ref: 0000000140007D3A
RegDeleteValueW.ADVAPI32 ref: 0000000140007D60
RegCloseKey.ADVAPI32 ref: 0000000140007DAA

Part of subcall function 00000001400070A4: RegCloseKey.ADVAPI32 ref: 000000014000722B
Part of subcall function 00000001400070A4: RegCloseKey.ADVAPI32 ref: 000000014000723A

WritePrivateProfileStringW.KERNEL32 ref: 0000000140007DC9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 4acd80710c22ff3f6bf24f21f8c2133893e836fc4ea3d04436081c771dc49d0b
Instruction ID: 2f5f16faedaf3082b37d8b31b0b99df9973a40dd93198af268e450c0b384d2e0
Opcode Fuzzy Hash: 4acd80710c22ff3f6bf24f21f8c2133893e836fc4ea3d04436081c771dc49d0b
Instruction Fuzzy Hash: 5421A1B6B0579086EA56DB67B404BE962E1AF8DFC0F184426AF0D07BB5DE3CC1429700

Function 000000014003A5BC Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014003A5E8
ScreenToClient.USER32 ref: 000000014003A5F7
PtInRect.USER32 ref: 000000014003A609
LoadCursorW.USER32 ref: 000000014003A655
SetCursor.USER32 ref: 000000014003A69B

Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FC04
Part of subcall function 000000014003FB98: VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
Part of subcall function 000000014003FB98: GetSystemMetrics.USER32 ref: 000000014003FC28

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Cursor$ConditionMask$ClientInfoLoadMetricsRectScreenSystemVerifyVersion
String ID:
API String ID: 506465941-0
Opcode ID: bd9bb3177543e871f3b46892012942f0d8239a4b3b8b301d055f1309d73f3311
Instruction ID: 6dad2cc6763e2fd43be82e939fa5d96f947f6dbc307215796138a07bc58fbde0
Opcode Fuzzy Hash: bd9bb3177543e871f3b46892012942f0d8239a4b3b8b301d055f1309d73f3311
Instruction Fuzzy Hash: 66313731311A0186EB46AB27E8067DA67A4F79EFC5F484025EB0A877B5DFBDC842C704

Function 0000000140192CC4 Relevance: 7.6, APIs: 5, Instructions: 64COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140192CF1

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID:
API String ID: 3215553584-0
Opcode ID: bcf8b484d26b8107cd33d0256b7302e971d965de188388102ca034955e46f930
Instruction ID: 2f0b4b0b5b6c654e16aaa553179087688451ed3567e3abdac547a0116a59d956
Opcode Fuzzy Hash: bcf8b484d26b8107cd33d0256b7302e971d965de188388102ca034955e46f930
Instruction Fuzzy Hash: 1E21D03220064082FE569BA3E8047DEB7E1AB8DFA0F488A26DB59477F5EB7CC541D700

Function 0000000140048A3C Relevance: 7.6, APIs: 5, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameW.KERNEL32 ref: 0000000140048AC3
GlobalAddAtomW.KERNEL32 ref: 0000000140048ACE
GlobalGetAtomNameW.KERNEL32 ref: 0000000140048AE3
GlobalAddAtomW.KERNEL32 ref: 0000000140048AEE
SendMessageW.USER32 ref: 0000000140048B17

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 69139f3e66b08fc81fbf2674ab7a3f3752ffe38e4b0f1014f5f62df4ec6d86e2
Instruction ID: d7e25d5162adeff863ec00e179f2d8748424a86044a5b45b272a62c5a9412257
Opcode Fuzzy Hash: 69139f3e66b08fc81fbf2674ab7a3f3752ffe38e4b0f1014f5f62df4ec6d86e2
Instruction Fuzzy Hash: BC21B072211A9082EB729F12E4587ED73A1F78CFD4F4A0036EF490B664DB38CA85CB50

Function 0000000140049568 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 000000014004958B

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Cursor
String ID:
API String ID: 3268636600-0
Opcode ID: 9727980b42e7d4e9d7f654bc8bc231d5e9f69a90144fac1c403fade896e6c113
Instruction ID: bb7025c3c5caedafc9bededdf813f2138b12d45c010b69b1beca6fd662bd69ae
Opcode Fuzzy Hash: 9727980b42e7d4e9d7f654bc8bc231d5e9f69a90144fac1c403fade896e6c113
Instruction Fuzzy Hash: 9E21D37170664481FE1BEBA3A4593F813A0A79DFD5F190435AF0E4B3B1EE3AC4959704

Function 000000014004A670 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 000000014004A689
GetWindowLongW.USER32 ref: 000000014004A6C9
ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,0000000140047ABF), ref: 000000014004A6E4
GetWindow.USER32 ref: 000000014004A72A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$DesktopLongShow
String ID:
API String ID: 1948769292-0
Opcode ID: e218438b20c0da2b39521381f0f01bce0302c900187994d52edc481140959823
Instruction ID: 21baae05f66a2584757fd59bfb102bc180d87701913df183957b59b3f3299056
Opcode Fuzzy Hash: e218438b20c0da2b39521381f0f01bce0302c900187994d52edc481140959823
Instruction Fuzzy Hash: C721753230478146FA76DB27B81439A62A1E78ABD0F195474EF970B7B5DE3CC8918744

Function 01FA23F0 Relevance: 7.6, APIs: 5, Instructions: 56COMMONLIBRARYCODE

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 01FA2417
_set_statfp.LIBCMT ref: 01FA2432
_set_statfp.LIBCMT ref: 01FA244E
_set_statfp.LIBCMT ref: 01FA248A

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction ID: 1738ad58b2de30cdeee02dba7df3674a42a9e123544616114d6d03738bbc1ef4
Opcode Fuzzy Hash: 70895f6a6caca5a93f387097b68bfd30b7bf4dd7af3bc8c27b3038974be86bdd
Instruction Fuzzy Hash: 1E01D2F7B54E0292F719152DE8823292531BB593F0FCC4A28AFF6066E7CF2F84805211

Function 00000001400339F8 Relevance: 7.6, APIs: 5, Instructions: 53windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140033A33
EnableMenuItem.USER32 ref: 0000000140033A45
EnableMenuItem.USER32 ref: 0000000140033A74
CheckMenuItem.USER32 ref: 0000000140033AA7
CheckMenuItem.USER32 ref: 0000000140033AB9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ItemMenu$Enable$Check
String ID:
API String ID: 1852492618-0
Opcode ID: 6b1b90ea4d11f517b8186077f252ab0c14a63e2e455d0cdc7e99f04f90d782d5
Instruction ID: 3b3f8108a404008917e6e4eb005852a50dbdf2f76d64c17c619db7f67d6912fc
Opcode Fuzzy Hash: 6b1b90ea4d11f517b8186077f252ab0c14a63e2e455d0cdc7e99f04f90d782d5
Instruction Fuzzy Hash: 4B21B132310640C7F7569B67D48079A63A0F78DB80F549024EF4987BB5CB39C894CB00

Function 0000000140044E9C Relevance: 7.6, APIs: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008FA8: OutputDebugStringA.KERNEL32 ref: 0000000140008FC6
Part of subcall function 0000000140008FA8: ActivateActCtx.KERNEL32 ref: 0000000140008FE7

LoadLibraryW.KERNEL32(?,?,?,?,00000000,0000000140044D41,?,?,?,?,?,0000000140042F92), ref: 0000000140044EE2
GetProcAddress.KERNEL32(?,?,?,?,00000000,0000000140044D41,?,?,?,?,?,0000000140042F92), ref: 0000000140044EF9
GetLastError.KERNEL32(?,?,?,?,00000000,0000000140044D41,?,?,?,?,?,0000000140042F92), ref: 0000000140044F10
DeactivateActCtx.KERNEL32(?,?,?,?,00000000,0000000140044D41,?,?,?,?,?,0000000140042F92), ref: 0000000140044F23
SetLastError.KERNEL32(?,?,?,?,00000000,0000000140044D41,?,?,?,?,?,0000000140042F92), ref: 0000000140044F30

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateDebugLibraryLoadOutputProcString
String ID:
API String ID: 1219406697-0
Opcode ID: 23745014741ddd8c327157e9b327cc1849545f4d83b3dc3f42ca93214dcfb081
Instruction ID: f76f0c7d654c53de4edd529213ad993aee33714412923bf502ba7620e3892ee7
Opcode Fuzzy Hash: 23745014741ddd8c327157e9b327cc1849545f4d83b3dc3f42ca93214dcfb081
Instruction Fuzzy Hash: 6C113A32615B4082EB269F67E8443A9A2E1BB8CFC4F1A4439EB4D473B4EF38C8458704

Function 0000000140047128 Relevance: 7.5, APIs: 5, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32 ref: 0000000140047154
PostMessageW.USER32 ref: 000000014004716D
GetCapture.USER32 ref: 0000000140047173
ReleaseCapture.USER32 ref: 000000014004717F
PostMessageW.USER32 ref: 00000001400471AF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Message$CapturePost$PeekRelease
String ID:
API String ID: 1125932295-0
Opcode ID: 85845e3865c24a10b87e18639a08516a3debe3621ff705c35fa2b8767665211d
Instruction ID: 70916ad958ea14ec5ada52669a61817e600d7f42ec81c207831f4265304ea1bb
Opcode Fuzzy Hash: 85845e3865c24a10b87e18639a08516a3debe3621ff705c35fa2b8767665211d
Instruction Fuzzy Hash: B3118B32611644C3FB669B6AD448BE927A0FB98F89F044025DF0D0BBB4DF39C4858B00

Function 000000014001A82C Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 000000014001A846
SendMessageW.USER32 ref: 000000014001A869
ClientToScreen.USER32 ref: 000000014001A87A
GetWindowLongW.USER32 ref: 000000014001A888
GetParent.USER32 ref: 000000014001A897

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: c8d8df3ca3353c3e6264dad6f55fe7aa1e55d0d7ba49b2c5fa38638e65e52bb7
Instruction ID: a58e206957e34f13654b46899329da7529535aedf18b2f5952ef22f281198bf5
Opcode Fuzzy Hash: c8d8df3ca3353c3e6264dad6f55fe7aa1e55d0d7ba49b2c5fa38638e65e52bb7
Instruction Fuzzy Hash: 8D01B52131464042EB418B67A68437962D1EB8DFE0F445225FE5647BB9DF7CC0858B00

Function 0000000140055944 Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

DeleteObject.GDI32 ref: 000000014005598C
EnterCriticalSection.KERNEL32 ref: 00000001400559A1
EnterCriticalSection.KERNEL32 ref: 00000001400559B0
GdiplusShutdown.GDIPLUS ref: 00000001400559BE
LeaveCriticalSection.KERNEL32 ref: 00000001400559CA

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$Enter$DeleteGdiplusLeaveObjectShutdown
String ID:
API String ID: 1513102227-0
Opcode ID: 50ba56862040296beb3cdca8b6b1182390d64b2df652bd7d2670c3c2649eb686
Instruction ID: 9e4f0dee8c60de697944991e0e74a0c5292218056755110195aa4c4228621cc0
Opcode Fuzzy Hash: 50ba56862040296beb3cdca8b6b1182390d64b2df652bd7d2670c3c2649eb686
Instruction Fuzzy Hash: 56115E72511B00CAEB15DF5AE4583A937B0FB5CFAAF284228CB19062B1DF79C456CB40

Function 000000014018B310 Relevance: 7.5, APIs: 5, Instructions: 31threadCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001401988F0: GetLastError.KERNEL32(?,?,?,000000014018AB31,?,?,?,?,000000014018B09F,?,?,?,000000014018ACB8), ref: 00000001401988FF
Part of subcall function 00000001401988F0: SetLastError.KERNEL32(?,?,?,000000014018AB31,?,?,?,?,000000014018B09F,?,?,?,000000014018ACB8), ref: 0000000140198969

ExitThread.KERNEL32 ref: 000000014018B328
ExitThread.KERNEL32 ref: 000000014018B33D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorExitLastThread
String ID:
API String ID: 1611280651-0
Opcode ID: 7509cb3ecde0b89b6063b90ad746f0539ad59482601aabc9a07bb47130857024
Instruction ID: 84ad95562b6556ce1a0ee22a37339dac5345028f06d88ab58b9353f92a41c301
Opcode Fuzzy Hash: 7509cb3ecde0b89b6063b90ad746f0539ad59482601aabc9a07bb47130857024
Instruction Fuzzy Hash: 45018132301B8092EB069B7694843AC27A1FB4CF74F1417299B7A036F5DF38C999C300

Function 01F82580 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 415COMMON

Download Yara Rule

APIs

type_info::_name_internal_method.LIBCMTD ref: 01F8268D

Strings

MTX_Global\Xo45hTywfwef284, xrefs: 01F825D0

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: type_info::_name_internal_method
String ID: MTX_Global\Xo45hTywfwef284
API String ID: 3713626258-4100912609
Opcode ID: 0fc1ef19997d5544ecd2013aba0325cec001627d48ebd9c17e0283f80dc9e900
Instruction ID: 72653454039e1228d368af6e62e2fbba40d7784ec39b2223df8197021ced8e66
Opcode Fuzzy Hash: 0fc1ef19997d5544ecd2013aba0325cec001627d48ebd9c17e0283f80dc9e900
Instruction Fuzzy Hash: 2A220C36209B8585DB61EB19F8943AEB7A4F3C9B54F404226DADE87B68DF3DC145CB00

Function 000000014005A874 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 196COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0000000140059844: FindResourceW.KERNEL32(?,?,?,000000014005A9C0), ref: 0000000140059882

LoadImageW.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001400593E9), ref: 000000014005AA30
GetObjectW.GDI32 ref: 000000014005AA4D
DeleteObject.GDI32 ref: 000000014005AAD1

Strings

, xrefs: 000000014005AA41

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Object$DeleteFindImageLoadResource
String ID:
API String ID: 3536577864-3916222277
Opcode ID: c2f5ce6127857fd3e4b4d655cb88bc47a09e80d95cdf502bb39d40f1aa46f2fa
Instruction ID: 5d52c93c78bd10ad6798a6015ba7a72f84b56e38c90bc34e557b92da546b3c23
Opcode Fuzzy Hash: c2f5ce6127857fd3e4b4d655cb88bc47a09e80d95cdf502bb39d40f1aa46f2fa
Instruction Fuzzy Hash: 5C918F36202B409AF756DB26E9457EE33A5F34DB98F544226EF0A077B1DB3AC496C700

Function 01F91150 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9117D
_invalid_parameter_noinfo.LIBCMT ref: 01F91359

Strings

*, xrefs: 01F91282
, xrefs: 01F912D7

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 6496619ff47fd6c61eb97296e33c2f7e1aed1dc60bb4dc8b864d198c920c0021
Instruction ID: b2ff1fbf94a8561b9d7c07836b8b3c5d73939a8f971417556ec3b744b217a69f
Opcode Fuzzy Hash: 6496619ff47fd6c61eb97296e33c2f7e1aed1dc60bb4dc8b864d198c920c0021
Instruction Fuzzy Hash: C65170B3A0C252CAFF69BF3D845416C3BB5F346F68B14127ACB8656658C726C081CB44

Function 01F91364 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 145COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9138B
_invalid_parameter_noinfo.LIBCMT ref: 01F9155D

Strings

, xrefs: 01F914E6
*, xrefs: 01F91491

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: 9d6bbc05ab7c32477f3c5d417cd56a993ef2d23faff64e7abaa0e587813f9228
Instruction ID: d1f0a3c1cbe4910fcf7f9ac7b8079dd81bbd7b538e8990c7d03a29e965e81eeb
Opcode Fuzzy Hash: 9d6bbc05ab7c32477f3c5d417cd56a993ef2d23faff64e7abaa0e587813f9228
Instruction Fuzzy Hash: E1514A7390C652CAFF2AAE3C845836C3B61F38AB69F19123ACB4746268C736C485C701

Function 000000014004A754 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000014004A801
swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000014004A8B9

Strings

:%d, xrefs: 000000014004A7F1, 000000014004A8A9
- , xrefs: 000000014004A81F, 000000014004A82E, 000000014004A867, 000000014004A876

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: swprintf
String ID: - $:%d
API String ID: 233258989-2359489159
Opcode ID: 892d28be28aa1fa85de966bf1fb79d89f68ec0105860ad7347f31243e17af5ed
Instruction ID: ea5c60829f1925ed2fe0fe71db098fb5cf68e855e48f26af357df18883481c5e
Opcode Fuzzy Hash: 892d28be28aa1fa85de966bf1fb79d89f68ec0105860ad7347f31243e17af5ed
Instruction Fuzzy Hash: CE513F72710A4096FB16EB27E4517ED3360EB49BD4F84412AAF1D57AB6EF39CA05C340

Function 000000014002D6BC Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014002D794
ScreenToClient.USER32 ref: 000000014002D7A3
SendMessageW.USER32 ref: 000000014002D857

Part of subcall function 0000000140184890: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F0E,?,?,?,?,0000000140059411), ref: 00000001401848A0

Part of subcall function 0000000140184564: _onexit.LIBCMT ref: 0000000140184568

Part of subcall function 0000000140184830: EnterCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184840
Part of subcall function 0000000140184830: LeaveCriticalSection.KERNEL32(?,?,?,0000000140004F3B,?,?,?,?,0000000140059411), ref: 0000000140184880

Strings

@, xrefs: 000000014002D7C9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$Enter$ClientCursorLeaveMessageScreenSend_onexit
String ID: @
API String ID: 3388613480-2766056989
Opcode ID: 9b65453ed870fee52e161e36227865110847b89f37211eb09cc2cc48746dc6a1
Instruction ID: d9d149fa820353b4cf444edbc9154455f56fa34a8f8ec406fe02a1148febe14f
Opcode Fuzzy Hash: 9b65453ed870fee52e161e36227865110847b89f37211eb09cc2cc48746dc6a1
Instruction Fuzzy Hash: E1513632215A4492EB52DB27E8597D933A0F78CBA4F80012AAB5E477F5DF3DC945CB40

Function 00000001400422C8 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92COMMON

Download Yara Rule

APIs

GetClassNameW.USER32 ref: 0000000140042364
GetWindowLongW.USER32 ref: 00000001400423B6

Strings

ComboBoxEx32, xrefs: 000000014004239B
ComboBox, xrefs: 0000000140042388

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 1147815241-1907415764
Opcode ID: 070e57963fa30ebc6d16676f27fc7bad8ac5b5ae09b39def33991e349e9f2312
Instruction ID: d4c5f06c176a4f48b16e2418a7a67e80ae71365f9d785a2db98e93812bbf7975
Opcode Fuzzy Hash: 070e57963fa30ebc6d16676f27fc7bad8ac5b5ae09b39def33991e349e9f2312
Instruction Fuzzy Hash: AA314A72700A4482EB059F26E94439D73A0F788FD5F85422AEF69477A9DB78CA50C744

Function 000000014003784C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FC04
Part of subcall function 000000014003FB98: VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
Part of subcall function 000000014003FB98: GetSystemMetrics.USER32 ref: 000000014003FC28

LoadCursorW.USER32 ref: 00000001400378A9

Part of subcall function 0000000140010EF8: _snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 0000000140010F76

Part of subcall function 0000000140004D30: UnDecorator::getVbTableType.LIBCMTD ref: 0000000140004D7A

GetParent.USER32 ref: 0000000140037900

Strings

2, xrefs: 0000000140037955
ZZZ, xrefs: 0000000140037960

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ConditionMask$CursorDecorator::getInfoLoadMetricsParentSystemTableTypeVerifyVersion_snwprintf_s
String ID: 2$ZZZ
API String ID: 3556914723-2555544256
Opcode ID: 2249155526e292a678733ea5196240eb48994d395824904504b5fee999d1ccaa
Instruction ID: 2a4c8538d51971961e6e818496b88348df88ec3386e1aa1dcf464d9431fe2b90
Opcode Fuzzy Hash: 2249155526e292a678733ea5196240eb48994d395824904504b5fee999d1ccaa
Instruction Fuzzy Hash: 2341BF72211A8082E756DB26E895BDE7360F38DBA5F10032AEB6E437E5CF78C445CB40

Function 00000001400039C0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 75stringCOMMON

Download Yara Rule

APIs

Concurrency::details::_CurrentScheduler::_Get.LIBCMTD ref: 00000001400039D7

Part of subcall function 0000000140018AE0: GetDlgItem.USER32 ref: 0000000140018AF7

Part of subcall function 000000014001326C: GetWindowTextLengthW.USER32 ref: 0000000140013298
Part of subcall function 000000014001326C: GetWindowTextW.USER32 ref: 00000001400132B5

strrchr.LIBCMTD ref: 0000000140003A27

Part of subcall function 0000000140003F90: SendMessageW.USER32 ref: 0000000140003FBE

Part of subcall function 0000000140003F20: SendMessageW.USER32 ref: 0000000140003F46

Part of subcall function 0000000140018EC8: IsWindow.USER32 ref: 0000000140018EE1
Part of subcall function 0000000140018EC8: SetWindowTextW.USER32 ref: 0000000140018F08

Part of subcall function 0000000140018DFC: GetParent.USER32 ref: 0000000140018E15
Part of subcall function 0000000140018DFC: GetParent.USER32 ref: 0000000140018E2C
Part of subcall function 0000000140018DFC: GetParent.USER32 ref: 0000000140018E4B
Part of subcall function 0000000140018DFC: SetFocus.USER32 ref: 0000000140018E6D

Strings

No Item Found !!!, xrefs: 0000000140003AAE
No Number Entered !!!, xrefs: 0000000140003ADE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$ParentText$MessageSend$Concurrency::details::_CurrentFocusItemLengthScheduler::_strrchr
String ID: No Item Found !!!$No Number Entered !!!
API String ID: 1335112192-3076552327
Opcode ID: 90d3f7ec5922173442e991a3ed54d92566c7c00abc2e2b79183b8af7fc31f0d1
Instruction ID: eb4ed054392da3bc605e06b464cf2a53840db081c71c6ad303b3e964a127573f
Opcode Fuzzy Hash: 90d3f7ec5922173442e991a3ed54d92566c7c00abc2e2b79183b8af7fc31f0d1
Instruction Fuzzy Hash: 7A312172A1464183EA22EB26F4557DE6364F7C93D4F905212BB9E5BAFADE38C501CB00

Function 01F81E20 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

swprintf_s.LIBCONCRTD ref: 01F81E93

Part of subcall function 01F81DC0: _vswprintf_s_l.LIBCONCRTD ref: 01F81E03

Strings

%s\%s, xrefs: 01F81EE6
%s\*.*, xrefs: 01F81E7F

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _vswprintf_s_lswprintf_s
String ID: %s\%s$%s\*.*
API String ID: 2380855934-1665845743
Opcode ID: 73e1624b31a969522501479e2cdde446daf50418e0e8d2df679820ba70617543
Instruction ID: ec5b83a9664374145ed2103f10c0a2b9d2ff6b5100502491bafdc28b613e815e
Opcode Fuzzy Hash: 73e1624b31a969522501479e2cdde446daf50418e0e8d2df679820ba70617543
Instruction Fuzzy Hash: 07314636218AC59AEB61DB14F8543EAB365F7D4754F804232DA9D83B98DF3DC60ACB01

Function 0000000140010D2C Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003D894: EnterCriticalSection.KERNEL32 ref: 000000014003D8CC
Part of subcall function 000000014003D894: InitializeCriticalSection.KERNEL32 ref: 000000014003D8EB
Part of subcall function 000000014003D894: LeaveCriticalSection.KERNEL32 ref: 000000014003D8FF

Part of subcall function 0000000140011CE0: GetModuleHandleW.KERNEL32 ref: 0000000140011D15
Part of subcall function 0000000140011CE0: GetProcAddress.KERNEL32 ref: 0000000140011D2A
Part of subcall function 0000000140011CE0: EncodePointer.KERNEL32 ref: 0000000140011D36
Part of subcall function 0000000140011CE0: LoadLibraryExW.KERNEL32 ref: 0000000140011D5E

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,0000000140008DC6), ref: 0000000140010DA0
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000000140008DC6), ref: 0000000140010DB3

Strings

hhctrl.ocx, xrefs: 0000000140010D7D
HtmlHelpW, xrefs: 0000000140010D96

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$AddressLibraryProc$EncodeEnterFreeHandleInitializeLeaveLoadModulePointer
String ID: HtmlHelpW$hhctrl.ocx
API String ID: 2185989549-3773518134
Opcode ID: 7a060edc3ac4f61e98ce5dd18383e9505a75eac0ff1b3fbc077fb9d21be21ed5
Instruction ID: b632df4bfc28bcc9eac6e12134332cdc7e1c1d708fcf20ffb5031600e3f73db2
Opcode Fuzzy Hash: 7a060edc3ac4f61e98ce5dd18383e9505a75eac0ff1b3fbc077fb9d21be21ed5
Instruction Fuzzy Hash: F3216A31211B1181EB169B53E4403E977A0FB8CFC4F444429EB4A4B7A5EF79D450C340

Function 01F81680 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 55COMMON

Download Yara Rule

APIs

fwprintf.LIBCONCRTD ref: 01F8173B

Part of subcall function 01F81950: _fread_nolock.LIBCMTD ref: 01F81989

Part of subcall function 01F810A0: fwprintf.LIBCONCRTD ref: 01F8119C
Part of subcall function 01F810A0: fwprintf.LIBCONCRTD ref: 01F811B8

Strings

c:\, xrefs: 01F816A4
b, xrefs: 01F8169F
%s\%c.tmp, xrefs: 01F8172F

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: fwprintf$_fread_nolock
String ID: %s\%c.tmp$b$c:\
API String ID: 3048201113-640478839
Opcode ID: be64750aca124f07a37d785262a2b98fad5f97204028f9326d956623887bee64
Instruction ID: ec4ae3001d8b2fc8eca444e6d3f4272668df26a8adfffd19df0d2cdb9a6693ba
Opcode Fuzzy Hash: be64750aca124f07a37d785262a2b98fad5f97204028f9326d956623887bee64
Instruction Fuzzy Hash: CA21417320C6C58AD731A724E8543ABBBA1F389788F840266D6CD47B58DA3EC645CF01

Function 000000014001CE74 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140018830: OutputDebugStringA.KERNEL32 ref: 0000000140018860
Part of subcall function 0000000140018830: ActivateActCtx.KERNEL32 ref: 0000000140018885

GetProcAddress.KERNEL32 ref: 000000014001CEC1
FreeLibrary.KERNEL32 ref: 000000014001CF0B

Part of subcall function 000000014001CE54: GetLastError.KERNEL32 ref: 000000014001CE58

Strings

comctl32.dll, xrefs: 000000014001CE99
DllGetVersion, xrefs: 000000014001CEB7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ActivateAddressDebugErrorFreeLastLibraryOutputProcString
String ID: DllGetVersion$comctl32.dll
API String ID: 2639362922-3857068685
Opcode ID: 6962b17e5919a8515676c02ce444460f7ac17a086b9989ad7a7d83b9a8af01f6
Instruction ID: c9b149d24a165a9d5eeb8cc230b93d7b519b00170f69a8656b57d4d4cf0943e0
Opcode Fuzzy Hash: 6962b17e5919a8515676c02ce444460f7ac17a086b9989ad7a7d83b9a8af01f6
Instruction Fuzzy Hash: A011797222460186FB22DF16A4507EA77E1F78CFD4F444028BB4A4B7A5EF39C9468B00

Function 000000014016E918 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 000000014016E938
SetWindowRgn.USER32 ref: 000000014016E960
RedrawWindow.USER32 ref: 000000014016E9C2

Strings

X, xrefs: 000000014016E982

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$EqualRectRedraw
String ID: X
API String ID: 960909151-3081909835
Opcode ID: 60bbbfe92de82781d71209b4834b6bded68a1d99b320c520075cde625a51a7f1
Instruction ID: fbe9c29d55627dcbc4529224cd4e25f6762468d79ad9d8e2ce10a17bcb98167e
Opcode Fuzzy Hash: 60bbbfe92de82781d71209b4834b6bded68a1d99b320c520075cde625a51a7f1
Instruction Fuzzy Hash: 2E115E7260064087E765CF26D985BDD77A1F788B88F148124DF5507A59DF38D194CF40

Function 01F95458 Relevance: 6.4, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 01F95516
\, xrefs: 01F9554C
", xrefs: 01F9555F
", xrefs: 01F95551
", xrefs: 01F954A0

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: $"$"$"$\
API String ID: 0-3782655950
Opcode ID: 484f66ccdf998f0e4d117eceaba1267b35d85f28bf3f0c038fb45875f357e2e6
Instruction ID: 87cdfef41b83d9bb14ab56f8713409c5b4b93faf74d0ef85435b4248cfd9d33f
Opcode Fuzzy Hash: 484f66ccdf998f0e4d117eceaba1267b35d85f28bf3f0c038fb45875f357e2e6
Instruction Fuzzy Hash: 1F419363D09B85C4FF27AA2DC6143286FA2E785B9CF1D8043CF9546677EB2B8056C711

Function 000000014002A568 Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014002A5AF
LoadResource.KERNEL32 ref: 000000014002A5C7
LockResource.KERNEL32 ref: 000000014002A5DD

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: 73c7bb0668ddf19c09bbaaa6bbe4039088fb5b2f69d03a21ee4f0781f937faae
Instruction ID: a34346f51425f16fbf9595a182329a92aa6bdacb2e7b3f8b1de6a9e83f3341f7
Opcode Fuzzy Hash: 73c7bb0668ddf19c09bbaaa6bbe4039088fb5b2f69d03a21ee4f0781f937faae
Instruction Fuzzy Hash: CD81A671615A5086E767DB27A8507EAA3A0F74DBD4F448129BF0A47BB4EF3DC841CB00

Function 00000001401148E0 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140114925
SetRectEmpty.USER32 ref: 0000000140114A47
SetRect.USER32 ref: 0000000140114A8E
CopyRect.USER32 ref: 0000000140114B11

Part of subcall function 00000001401147EC: GetDesktopWindow.USER32 ref: 000000014011481A
Part of subcall function 00000001401147EC: CopyRect.USER32 ref: 000000014011486F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$CopyWindow$DesktopEmpty
String ID:
API String ID: 1322824190-0
Opcode ID: 18f5ec046985c7de33c04dad865cc6704452251e6bd9bc6a0397f9ce0ae6e804
Instruction ID: 1e6b45303f6f75fe3d3f140f91b5df5aca5f5b40295e96d1a755ee5a8141345a
Opcode Fuzzy Hash: 18f5ec046985c7de33c04dad865cc6704452251e6bd9bc6a0397f9ce0ae6e804
Instruction Fuzzy Hash: 2B915C76B006409BE726DF66D4947ED7770F74CB8CF40461ADB0A67AA8EB78C604CB44

Function 000000014006B0C8 Relevance: 6.2, APIs: 4, Instructions: 175COMMON

Download Yara Rule

APIs

RedrawWindow.USER32(?,?,?,000000014006B3FF), ref: 000000014006B121
RedrawWindow.USER32(?,?,?,000000014006B3FF), ref: 000000014006B153
RedrawWindow.USER32(?,?,?,000000014006B3FF), ref: 000000014006B1A2

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: 64c82d782890e99b810d65a7bcbafbed8408e33a38396874feef5afcea8f811c
Instruction ID: 80a07255965c305e97117497910aa7113b754b1c842c7ae81d692856586c785e
Opcode Fuzzy Hash: 64c82d782890e99b810d65a7bcbafbed8408e33a38396874feef5afcea8f811c
Instruction Fuzzy Hash: FA6180B120560682FAA79B6B99647FD1292EB4D7C0F680921FF0D1BBF5DE39C8C19700

Function 000000014003C300 Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014003C369
InflateRect.USER32 ref: 000000014003C39B
GetSystemMetrics.USER32 ref: 000000014003C421
EnableScrollBar.USER32 ref: 000000014003C55F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClientEnableInflateMetricsScrollSystem
String ID:
API String ID: 2297266595-0
Opcode ID: a6371683ff3d5add2acbd5b2cffbed819f3227289a2c45416e61b5c13cf778f4
Instruction ID: ca21feee1d901d2ea53cb0a11121d6916b1ce284de6e0d5779df62aede9766c2
Opcode Fuzzy Hash: a6371683ff3d5add2acbd5b2cffbed819f3227289a2c45416e61b5c13cf778f4
Instruction Fuzzy Hash: 6D8148726106809EE715CF76D554BED37E1F748B88F08852AEB0A8BB68CB35DA55CB00

Function 000000014004E670 Relevance: 6.2, APIs: 4, Instructions: 166windowmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32 ref: 000000014004E723
SendMessageW.USER32 ref: 000000014004E76D
SendMessageW.USER32 ref: 000000014004E7F6
SendMessageW.USER32 ref: 000000014004E815

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$AllocGlobal
String ID:
API String ID: 1652254935-0
Opcode ID: b5d6c9f151dc3f4c258c7e9ab39198f12bbba1265e8dcc55df2a0af6248aa15f
Instruction ID: 64af588e6f279c6bf3decc92393834630738ac458f02053a87f470c22efa42ba
Opcode Fuzzy Hash: b5d6c9f151dc3f4c258c7e9ab39198f12bbba1265e8dcc55df2a0af6248aa15f
Instruction Fuzzy Hash: 39613576700A948AEB11CFAAD4447DD37A5F788B98F014126EF1D67BA8CE38C446C744

Function 0000000140008290 Relevance: 6.2, APIs: 4, Instructions: 163COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00000001400083E7
DestroyWindow.USER32 ref: 00000001400084B9
GlobalUnlock.KERNEL32 ref: 00000001400084CA
GlobalFree.KERNEL32 ref: 00000001400084D3

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$DestroyFreeLockUnlockWindow
String ID:
API String ID: 986961176-0
Opcode ID: 8f84ff17210b37c433412cb55d5000f5b1d62338817353b93137d856b67b2827
Instruction ID: a33f3700c22e3f535edcfe02c9d0a159c17bb177fd760d85a379431f0e7bb6d9
Opcode Fuzzy Hash: 8f84ff17210b37c433412cb55d5000f5b1d62338817353b93137d856b67b2827
Instruction Fuzzy Hash: D6519172305B5182EA5ADB67E4503EE67A0FB89FD0F048129FF9A477A5DF34C9458700

Function 01FA0728 Relevance: 6.2, APIs: 4, Instructions: 160COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01FA0769
_invalid_parameter_noinfo.LIBCMT ref: 01FA07E6
_invalid_parameter_noinfo.LIBCMT ref: 01FA0837
_get_daylight.LIBCMT ref: 01FA0893

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo$_get_daylight
String ID:
API String ID: 72036449-0
Opcode ID: 41a26322e25f9167ec71d8065d692d8f54d0ec48dc0c736368a1a6f2aedfdee5
Instruction ID: cd3a550a3e11c0994b397d7511a1ce5e7be69301374eff26fd8ba555a01b5c63
Opcode Fuzzy Hash: 41a26322e25f9167ec71d8065d692d8f54d0ec48dc0c736368a1a6f2aedfdee5
Instruction Fuzzy Hash: CF51C1B7E04255C6F729DE2CF80437A6F50EB40B24F898425BB468B695DA7FC440CADA

Function 00000001400E6564 Relevance: 6.2, APIs: 4, Instructions: 158COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400E6682
IsWindow.USER32 ref: 00000001400E66D8
SetRectEmpty.USER32 ref: 00000001400E6772
SetRectEmpty.USER32 ref: 00000001400E677C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRect$Window
String ID:
API String ID: 1945993337-0
Opcode ID: 94b4ac630736cc3a1766548e075735b2f0d46b77c42ee0239718edbb324308d0
Instruction ID: 92f27ec383c5eaca9685df6da1a5a4c58b6bd59a19ece4affa760beb632fefe0
Opcode Fuzzy Hash: 94b4ac630736cc3a1766548e075735b2f0d46b77c42ee0239718edbb324308d0
Instruction Fuzzy Hash: EC714E32A04A548AE75ACF36E9407ED73B0F748BA9F044225EF59677A8DF34D845CB40

Function 0000000140007548 Relevance: 6.2, APIs: 4, Instructions: 153registryCOMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32 ref: 000000014000773D

Part of subcall function 0000000140007778: RegCloseKey.ADVAPI32 ref: 0000000140007826

RegQueryValueExW.ADVAPI32 ref: 000000014000761D
RegQueryValueExW.ADVAPI32 ref: 000000014000767E
RegCloseKey.ADVAPI32 ref: 00000001400076B6

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CloseQueryValue$PrivateProfileString
String ID:
API String ID: 2114517702-0
Opcode ID: adf61cb435dc9e034161ab89af4ae0dc8777e801a3a004dcd6411fb025164df1
Instruction ID: 80445216f5301e147c2529240fe53cf0a1acdd2ca401e1336f659ce018ccc0d0
Opcode Fuzzy Hash: adf61cb435dc9e034161ab89af4ae0dc8777e801a3a004dcd6411fb025164df1
Instruction Fuzzy Hash: 4551BDB6704A4186EB16DB2AE804BEE63A1F788BD8F404116BF5E477A9DF3CC545CB00

Function 000000014001F824 Relevance: 6.1, APIs: 4, Instructions: 138registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400070A4: RegCloseKey.ADVAPI32 ref: 000000014000722B
Part of subcall function 00000001400070A4: RegCloseKey.ADVAPI32 ref: 000000014000723A

Part of subcall function 000000014001F1C4: RegCloseKey.ADVAPI32 ref: 000000014001F22A

RegEnumValueW.ADVAPI32 ref: 000000014001F9A5
RegCloseKey.ADVAPI32 ref: 000000014001F9BF
RegCloseKey.ADVAPI32 ref: 000000014001FA14
RegCloseKey.ADVAPI32 ref: 000000014001FA25

Part of subcall function 000000014001F794: RegQueryValueExW.ADVAPI32 ref: 000000014001F7CE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Close$Value$EnumQuery
String ID:
API String ID: 4149552890-0
Opcode ID: eee134d553512949113463422776176cee9a4dc96458851d8beed550babc5f8a
Instruction ID: bb484613041707ae3174a3090636f9613360c787c8ddc3f7b10096368382b45f
Opcode Fuzzy Hash: eee134d553512949113463422776176cee9a4dc96458851d8beed550babc5f8a
Instruction Fuzzy Hash: 5F517872204A8086EB11DF26E8447DA77A4F789BE4F504216EFAD47BA9DF39C645CB00

Function 000000014000FE64 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014000FEC4
FillRect.USER32 ref: 000000014000FEFF
DrawStateW.USER32 ref: 000000014000FFB2
DrawStateW.USER32 ref: 000000014001001A

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: DrawRectState$ClientFill
String ID:
API String ID: 1358417154-0
Opcode ID: 2194d0b48a74a3dd741aaa98aa524a17eace07a22d231f2185d1737543d923ef
Instruction ID: 02956db8bb3a463777e414c3cf04c888f7d7b588a887ead89d211ba0238b781e
Opcode Fuzzy Hash: 2194d0b48a74a3dd741aaa98aa524a17eace07a22d231f2185d1737543d923ef
Instruction Fuzzy Hash: E2516A726106908AE766CF66E4547FD77B0F78DB88F148129EF495BFA8CB358881DB00

Function 0000000140039230 Relevance: 6.1, APIs: 4, Instructions: 137COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140039348
SetRectEmpty.USER32 ref: 0000000140039355
SetRectEmpty.USER32 ref: 0000000140039431

Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FC04
Part of subcall function 000000014003FB98: VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
Part of subcall function 000000014003FB98: GetSystemMetrics.USER32 ref: 000000014003FC28

SetRectEmpty.USER32 ref: 0000000140039490

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRect$ConditionMask$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 3235142165-0
Opcode ID: 177dc0f947843b5b7be844acb6fe35b4b4806dcd82c683797648c82aa97e8e47
Instruction ID: 3ab0e4a6f562ae6a747bf946be7fbc147148e45eab4c93e8578926476e38af45
Opcode Fuzzy Hash: 177dc0f947843b5b7be844acb6fe35b4b4806dcd82c683797648c82aa97e8e47
Instruction Fuzzy Hash: AE710E72612B90ABE70EDF26ED557DDB7A8F308B80F04021AF76543AA0CB759471CB44

Function 000000014003F740 Relevance: 6.1, APIs: 4, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 000000014003F7A1
SysStringLen.OLEAUT32 ref: 000000014003F7C1
SysStringLen.OLEAUT32 ref: 000000014003F7EB
SysFreeString.OLEAUT32 ref: 000000014003F88E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: String$AllocFree
String ID:
API String ID: 344208780-0
Opcode ID: a3bab1987e4472301a041653378e5886db527a86546bc342882524326756db24
Instruction ID: a5d8893f909bd1c303e3529baf94243c12921eb11f13dba5506986f64e1d0377
Opcode Fuzzy Hash: a3bab1987e4472301a041653378e5886db527a86546bc342882524326756db24
Instruction Fuzzy Hash: FC518F72701A418AE76ACF6AD8407EE33A1F749BE8F144229AF29977E4DF38C4459740

Function 000000014003ED04 Relevance: 6.1, APIs: 4, Instructions: 124windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014003ED4D
GetClientRect.USER32 ref: 000000014003ED7B

Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
Part of subcall function 000000014003FB98: VerSetConditionMask.KERNEL32 ref: 000000014003FC04
Part of subcall function 000000014003FB98: VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
Part of subcall function 000000014003FB98: GetSystemMetrics.USER32 ref: 000000014003FC28

CreateCompatibleDC.GDI32 ref: 000000014003EE56
CreateCompatibleBitmap.GDI32 ref: 000000014003EE82

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CompatibleConditionCreateHashMask$BitmapClientImplImpl::InfoMetricsRectSystemVerifyVersion
String ID:
API String ID: 2548309268-0
Opcode ID: bcafdfd2d0ce11d0d01b7709ff0b747b9be94c43407d590f1631a0eb6b094d93
Instruction ID: 969f3894cb8586f8afc5a062967aa3445310efe289b0e4e8db313b322f3587dd
Opcode Fuzzy Hash: bcafdfd2d0ce11d0d01b7709ff0b747b9be94c43407d590f1631a0eb6b094d93
Instruction Fuzzy Hash: E9516D72202B8096EA27DB23E94479AB3A4F788BD0F5582259F9D47BF1DF39D446C700

Function 0000000140043A8C Relevance: 6.1, APIs: 4, Instructions: 119windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140043AE8
GetWindow.USER32 ref: 0000000140043B14
SendMessageW.USER32 ref: 0000000140043B64
GetWindow.USER32 ref: 0000000140043C0C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$MessageRectSend
String ID:
API String ID: 3783401013-0
Opcode ID: 96f5776ff2d0c411f9b34d0069451598b34ae195a2f0d681b53de9690aefe41d
Instruction ID: 8bd5afe0d3eabc7efcc4a7be6a7b9bff3ddc311f694ebbe7f935a1bef2204567
Opcode Fuzzy Hash: 96f5776ff2d0c411f9b34d0069451598b34ae195a2f0d681b53de9690aefe41d
Instruction Fuzzy Hash: 92414636B10A5086EB06EB63D8957ED27B0FB8CBC4F554026EF0A57B69DF38C4528704

Function 000000014004887C Relevance: 6.1, APIs: 4, Instructions: 118windowCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00000001400488DD
GlobalUnlock.KERNEL32 ref: 0000000140048940
ReuseDDElParam.USER32 ref: 0000000140048986
PostMessageW.USER32 ref: 0000000140048999

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Global$LockMessageParamPostReuseUnlock
String ID:
API String ID: 1233369038-0
Opcode ID: e4fb852364b7cbd13877ce34ff7560460e39939483ed30bc761ed6acada0942a
Instruction ID: dc558cdb6dddaec3056727ae551f3acbac53fdada427a0e8001cb5db66c5d62a
Opcode Fuzzy Hash: e4fb852364b7cbd13877ce34ff7560460e39939483ed30bc761ed6acada0942a
Instruction Fuzzy Hash: CD41BE72310A4082EB26DB27E4447AD67A1FB89FD4F458626EF6E473E6DF38C9418740

Function 0000000140033AD0 Relevance: 6.1, APIs: 4, Instructions: 117windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0000000140033B05
AppendMenuW.USER32 ref: 0000000140033C19
SetMenuDefaultItem.USER32 ref: 0000000140033C4F

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$AppendCreateDefaultExceptionItemPopupThrow
String ID:
API String ID: 4038083709-0
Opcode ID: 5c0a23ab359f5879a541e04fe2a6048975d1007ceee213a140d29bcd722286ad
Instruction ID: 13feb1b769952e0773b6159b2edfbe30e8cfda609a3a31c599295851f41a88fa
Opcode Fuzzy Hash: 5c0a23ab359f5879a541e04fe2a6048975d1007ceee213a140d29bcd722286ad
Instruction Fuzzy Hash: 1A417A36710A4085EB56DF67D8447EA23A0F788BE4F155621EF2A17BE9CF34C885C340

Function 000000014000DF40 Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 000000014000E031
GetFocus.USER32 ref: 000000014000E048
GetParent.USER32 ref: 000000014000E058
SendMessageW.USER32 ref: 000000014000E074

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: f9b5d51568a64108afadecc9f4e00b82099c2b8f7d2ad45315f598743c844c16
Instruction ID: ec4475b76f54c78a3d8f5dfd3dd42308149ae924743f572d99b1881ccbe0c9fd
Opcode Fuzzy Hash: f9b5d51568a64108afadecc9f4e00b82099c2b8f7d2ad45315f598743c844c16
Instruction Fuzzy Hash: A741BE76614A8582EB25DF22E4447AD7370F788FD4F248221EB4907BA8CF79C881C740

Function 0000000140013578 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140013600
IsMenu.USER32 ref: 0000000140013642
AdjustWindowRectEx.USER32 ref: 000000014001365E
GetClientRect.USER32 ref: 00000001400136B9

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Client$AdjustMenuWindow
String ID:
API String ID: 2631253777-0
Opcode ID: 383f6798640fb45b99c5f7f017a6d071449212168fcc4743a182d6d255dc2b93
Instruction ID: f7ef61e49222eb3685d12b0e6512f0e8bf8342ca201c81d99ea93e8719b49f80
Opcode Fuzzy Hash: 383f6798640fb45b99c5f7f017a6d071449212168fcc4743a182d6d255dc2b93
Instruction Fuzzy Hash: B0416972B106108AFB51DB76E894BED27B0A78CB88F444125EF495BB69EF39C5428B00

Function 0000000140016820 Relevance: 6.1, APIs: 4, Instructions: 88windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 000000014001686A
GetDlgCtrlID.USER32 ref: 000000014001687C
SendMessageW.USER32 ref: 00000001400168EF
GetWindow.USER32 ref: 0000000140016931

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$CtrlMessageSend
String ID:
API String ID: 75316347-0
Opcode ID: a7776a5daefd5d19ee5262a3e98f3c446b2cc891be0355a1fb401d9b7ab6e8f1
Instruction ID: 83e4a23c24effe4aaa77f92cbd91cfd1193da91694328863a03bb9c7332d9025
Opcode Fuzzy Hash: a7776a5daefd5d19ee5262a3e98f3c446b2cc891be0355a1fb401d9b7ab6e8f1
Instruction Fuzzy Hash: 3931A032310A5082FB12DB63E8447ED63A4F789BD4F500229EF594BBE8DF39C9058740

Function 0000000140019908 Relevance: 6.1, APIs: 4, Instructions: 88COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140019920
GetClientRect.USER32(?,?,?,000000014004267F), ref: 0000000140019945
GetParent.USER32 ref: 0000000140019968
OffsetRect.USER32 ref: 0000000140019A0E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClientEmptyOffsetParent
String ID:
API String ID: 3819956977-0
Opcode ID: dbe53c38f73f686a4ecf4c3e274760d1dcc60285829899ead3e959040421d75a
Instruction ID: c8b26a6a0d940486e98f8b2ce52e7c2eccde0c22135815224d24c43e8d1b71cd
Opcode Fuzzy Hash: dbe53c38f73f686a4ecf4c3e274760d1dcc60285829899ead3e959040421d75a
Instruction Fuzzy Hash: 0F4141726016818BEB59DF5BE590799B3F0FB4CB80F048029EB5A8B765DF39E451CB40

Function 0000000140114BC4 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140114C2A
IsRectEmpty.USER32 ref: 0000000140114C3B
SetRectEmpty.USER32 ref: 0000000140114C9B
SetRectEmpty.USER32 ref: 0000000140114CA4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: cf08f9c2ecee63835e1710a790be5e88f23935b56ab19f52042b045b80c8270f
Instruction ID: deeaee49a016abea878416fd0e5fdc26790d93d6bec5da6f9722892e34cf0fef
Opcode Fuzzy Hash: cf08f9c2ecee63835e1710a790be5e88f23935b56ab19f52042b045b80c8270f
Instruction Fuzzy Hash: DB318032605B4087EB56DF26E4507E973A0F78CF98F544225EF4A4B6A4DF39C481CB80

Function 0000000140035D7C Relevance: 6.1, APIs: 4, Instructions: 85windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140035E17
ScreenToClient.USER32 ref: 0000000140035E26
PtInRect.USER32 ref: 0000000140035E38
PostMessageW.USER32 ref: 0000000140035E5F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClientCursorMessagePostRectScreen
String ID:
API String ID: 1913696736-0
Opcode ID: 735a84658cae218cedc2db12c7f5a9795cfc5f49d95fc2505523d87d332ef8fc
Instruction ID: 8b010e7ac3a4237ad7fb526fb49406e73c07ca5eff65a752e9f9af78b7195f4b
Opcode Fuzzy Hash: 735a84658cae218cedc2db12c7f5a9795cfc5f49d95fc2505523d87d332ef8fc
Instruction Fuzzy Hash: C0314C32204A4182EB66AB27E4543EA37A0FB8DFC6F445125EB0A47BB4DF38C555CB00

Function 000000014005F7BC Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014005F7FB
GetWindowRect.USER32 ref: 000000014005F83C
GetClientRect.USER32 ref: 000000014005F858

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 278f0da1f374149cf1e7b514d16be2a16993c802e7893d9572ade66c9cc7063a
Instruction ID: 3da806d5a3ad35d5bbc2a2d250b6bb51d2e202027a7a083362929f281109a33c
Opcode Fuzzy Hash: 278f0da1f374149cf1e7b514d16be2a16993c802e7893d9572ade66c9cc7063a
Instruction Fuzzy Hash: C8316D32614A8587EB25DF17E5907AEB3A0F78CBC4F108122EF9A47B64DF39D4558B00

Function 0000000140046018 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014004604B
GetClientRect.USER32 ref: 0000000140046091
GetWindowRect.USER32 ref: 00000001400460D8

Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF1D
Part of subcall function 000000014000CF04: ScreenToClient.USER32 ref: 000000014000CF2E

GetSystemMetrics.USER32 ref: 00000001400460EF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Client$RectScreen$MetricsParentSystemWindow
String ID:
API String ID: 3137288495-0
Opcode ID: d796264de6de93e5d3ee77f8f3d961383d2aaa574297281060bed9d952b42ba2
Instruction ID: 0f8b9078688005de3e805bd5d7040763c4e41e80813296af835b267633d71563
Opcode Fuzzy Hash: d796264de6de93e5d3ee77f8f3d961383d2aaa574297281060bed9d952b42ba2
Instruction Fuzzy Hash: A8318D72B006548AFB16DB76E8443ED63B0BB8CB98F140226EF4917BA5EF34D1818740

Function 0000000140035B1C Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140035B50
PtInRect.USER32 ref: 0000000140035B7A

Part of subcall function 0000000140033C80: ScreenToClient.USER32 ref: 0000000140033CAD
Part of subcall function 0000000140033C80: GetParent.USER32 ref: 0000000140033CC1
Part of subcall function 0000000140033C80: GetClientRect.USER32 ref: 0000000140033D61
Part of subcall function 0000000140033C80: MapWindowPoints.USER32 ref: 0000000140033D79
Part of subcall function 0000000140033C80: PtInRect.USER32 ref: 0000000140033D87

MapWindowPoints.USER32 ref: 0000000140035BAC
SendMessageW.USER32 ref: 0000000140035BD0

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: 61ef4c078179449bac8e34d116a2accc30753347d0e351ee3f56b11204879315
Instruction ID: c2ff34143f4e70274a46cedace758016d5f0921259ae033f46fca88bd28815df
Opcode Fuzzy Hash: 61ef4c078179449bac8e34d116a2accc30753347d0e351ee3f56b11204879315
Instruction Fuzzy Hash: 31313A72224640C7EB129F26E4597EA63E0F788FC9F145125EF0A0B6B9DF39C985CB40

Function 00000001400311AC Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140031217
CreateRoundRectRgn.GDI32 ref: 0000000140031253
SetWindowRgn.USER32 ref: 0000000140031270
SetWindowRgn.USER32 ref: 000000014003128F

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Rect$CreateRound
String ID:
API String ID: 4208751637-0
Opcode ID: a5622d5469b3570201b70f6fcc5b7431d45f603495a953e3456962d0b7ba120c
Instruction ID: 224b4752196328ea4e6095de57dfe8367add32bebb49ce410e52a4dfe81bd3bf
Opcode Fuzzy Hash: a5622d5469b3570201b70f6fcc5b7431d45f603495a953e3456962d0b7ba120c
Instruction Fuzzy Hash: D9314A32B20A408AE752CB76E8417EE37B5F78CB94F144226DF1957B68DF35C5818740

Function 000000014004614C Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014004617D
GetWindowRect.USER32 ref: 00000001400461CE
OffsetRect.USER32 ref: 00000001400461EB
GetWindow.USER32 ref: 0000000140046220

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: RectWindow$OffsetParent
String ID:
API String ID: 3516746122-0
Opcode ID: d1c0e5f1b56971138dd83b470b46bd2a3d09074c74713b6793cace5f1a2b8fa9
Instruction ID: 3a82bce5a0db3f6759d67cca801334d3ce49c02e4fc47dfddcb41d639d581336
Opcode Fuzzy Hash: d1c0e5f1b56971138dd83b470b46bd2a3d09074c74713b6793cace5f1a2b8fa9
Instruction Fuzzy Hash: 34218C32304B8082EA21DB62E4543AA73B0F78DBD0F544225EF9D47BA9EF7DD5418B00

Function 0000000140041EEC Relevance: 6.1, APIs: 4, Instructions: 64COMMON

Download Yara Rule

APIs

BeginDeferWindowPos.USER32 ref: 0000000140041F1B
IsWindow.USER32 ref: 0000000140041F37
DeferWindowPos.USER32 ref: 0000000140041F9D
EndDeferWindowPos.USER32(?,?,?,?,?,?,?,?,00000000,00000000,?,00000001400422A4), ref: 0000000140041FAB

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Defer$Begin
String ID:
API String ID: 2880567340-0
Opcode ID: a8ce82f5fa103b94d39691d9afd9b22cc691c4abb5e450da313cf04229087275
Instruction ID: 684095cffed5f94700173ba2d00b93bc58f3b1615627f16bde4ac4f6fab219fa
Opcode Fuzzy Hash: a8ce82f5fa103b94d39691d9afd9b22cc691c4abb5e450da313cf04229087275
Instruction Fuzzy Hash: 42213D327286948AE755DF27E45479A77A0F78DFD0F194125EF4A03B68DF39C4428B00

Function 00000001400157F8 Relevance: 6.1, APIs: 4, Instructions: 62windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32 ref: 000000014001582E
SendMessageW.USER32 ref: 0000000140015871
GetCapture.USER32 ref: 0000000140015898
SendMessageW.USER32 ref: 00000001400158AE

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: MessageSend$CaptureExceptionThrow
String ID:
API String ID: 4269541544-0
Opcode ID: a7ed62d58f1a74c667215dfbaf671c058f88015c7c2707292e424400bdde23f9
Instruction ID: 7a4ebad18ba87643d876cf12c1afa9d0f749570d9a1e439984e8f1e235c71e59
Opcode Fuzzy Hash: a7ed62d58f1a74c667215dfbaf671c058f88015c7c2707292e424400bdde23f9
Instruction Fuzzy Hash: DD21933670064086EB259B66E495BAE77A0FBCDFC8F585015EF090BB65DF3AC0418B00

Function 0000000140044738 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,000000014004322B), ref: 000000014004476F
LoadResource.KERNEL32(?,?,?,000000014004322B), ref: 0000000140044789
LockResource.KERNEL32(?,?,?,000000014004322B), ref: 000000014004479F
GlobalFree.KERNEL32 ref: 00000001400447E5

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 603ab6a739df62a1b436511068acc0e3c531c273f823830276a8bc254ceac77b
Instruction ID: f19faddd8c7a57466dfacd1e2b8e4075a8232eb0dd3ff07ceecb4324d62785a7
Opcode Fuzzy Hash: 603ab6a739df62a1b436511068acc0e3c531c273f823830276a8bc254ceac77b
Instruction Fuzzy Hash: 25216275206B8185FB669B5395443EDA6A5EB4CFD8F098025EF490BFA9DF38C4828704

Function 0000000140035A34 Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140035A7E
PtInRect.USER32 ref: 0000000140035A95

Part of subcall function 0000000140033C80: ScreenToClient.USER32 ref: 0000000140033CAD
Part of subcall function 0000000140033C80: GetParent.USER32 ref: 0000000140033CC1
Part of subcall function 0000000140033C80: GetClientRect.USER32 ref: 0000000140033D61
Part of subcall function 0000000140033C80: MapWindowPoints.USER32 ref: 0000000140033D79
Part of subcall function 0000000140033C80: PtInRect.USER32 ref: 0000000140033D87

MapWindowPoints.USER32 ref: 0000000140035ACD
SendMessageW.USER32 ref: 0000000140035AEF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: 92273259071bf8153ec3244c93302b700f1ba5a1f46d5a70052f036a251fc022
Instruction ID: 6ebbc41337916f51b0403b8a4d184d34b17834b7ddcaacbf1a814f018e8cfc11
Opcode Fuzzy Hash: 92273259071bf8153ec3244c93302b700f1ba5a1f46d5a70052f036a251fc022
Instruction Fuzzy Hash: 26214A72710A508AFB019F6AE8957ED27B0F749FC8F045025EF091BBA9DF79C5858780

Function 000000014000D740 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014000D7A7
GetWindowRect.USER32 ref: 000000014000D7CD
PtInRect.USER32 ref: 000000014000D7DD
CallNextHookEx.USER32 ref: 000000014000D807

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: 15c6240ac44d3ef0c747af2ea7d924d0dcf4fe81e6befc9a6faa0b37df476e97
Instruction ID: a30f99489a33fcb9980720992829fbf3258bcc24d2f13e48def220892c5faf2e
Opcode Fuzzy Hash: 15c6240ac44d3ef0c747af2ea7d924d0dcf4fe81e6befc9a6faa0b37df476e97
Instruction Fuzzy Hash: 79215EB7214B8481FA62CB27E8583AAA3A0F78DBD9F444116EB4E477B4DF38C645C711

Function 00000001400162FC Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?,?,00000001,?,?,00000001400198E5), ref: 0000000140016314
SendMessageW.USER32 ref: 0000000140016368
GetTopWindow.USER32(?,?,00000001,?,?,00000001400198E5), ref: 0000000140016375
GetWindow.USER32 ref: 00000001400163A4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 6ba947c0982678b8abd6eee40f781953c18808a8aa1ac8004118058bb76fdb81
Instruction ID: 387df6310ae73e49cfba0c4cbf87266692cf12c0910cf378c12effe8624c3f83
Opcode Fuzzy Hash: 6ba947c0982678b8abd6eee40f781953c18808a8aa1ac8004118058bb76fdb81
Instruction Fuzzy Hash: 591129362057408AEA129B67E81039EB7A0FB8DFD4F180129FF890B769DE39D9518B50

Function 00000001400A689C Relevance: 6.1, APIs: 4, Instructions: 55windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 00000001400A68E5
GetMenuItemID.USER32 ref: 00000001400A68FD
GetMenuState.USER32 ref: 00000001400A6918

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Menu$Item$CountState
String ID:
API String ID: 1426805361-0
Opcode ID: 205b994c47dcec62a0ddeed6039fc0f3914bee16278f029bdb45a36659ed1a3d
Instruction ID: ed767eea554cd387d09b8e69f1b175a30ff65f63ab2a2f43c00f51fe6e6e9ff4
Opcode Fuzzy Hash: 205b994c47dcec62a0ddeed6039fc0f3914bee16278f029bdb45a36659ed1a3d
Instruction Fuzzy Hash: 32115476700B4181EA069B67E4803A962A5A7ACFD0F15C335EB69477F5DF34C8D68B00

Function 0000000140007C28 Relevance: 6.1, APIs: 4, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegSetValueExW.ADVAPI32 ref: 0000000140007C87
RegCloseKey.ADVAPI32 ref: 0000000140007C92
swprintf.LEGACY_STDIO_DEFINITIONS ref: 0000000140007CB3
WritePrivateProfileStringW.KERNEL32 ref: 0000000140007CCA

Part of subcall function 0000000140007778: RegCloseKey.ADVAPI32 ref: 0000000140007826

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 34adcd6d096edb0bfbe45a29c50e29c51ccc02477ec34baf3a386aec53fd64a7
Instruction ID: 971577aaf504a29eb4790ba84c64e38b2852f995957f7ce57966e649c30d185a
Opcode Fuzzy Hash: 34adcd6d096edb0bfbe45a29c50e29c51ccc02477ec34baf3a386aec53fd64a7
Instruction Fuzzy Hash: E2118F72715A9082FA529B57B851BDA63A4E788FD4F840035BF4E07B65EF3CC586CB00

Function 000000014003DFF4 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 000000014003E033
GetCurrentProcess.KERNEL32 ref: 000000014003E03C
DuplicateHandle.KERNEL32 ref: 000000014003E063
GetLastError.KERNEL32 ref: 000000014003E084

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: d5da8cd46f3b25414ae3d1dd43dab44a9a7c7f383759e64f3c8d28891db5d986
Instruction ID: 7a0d17469ac96220685043c792712fadfadc47c585c029df77c8d8bd7d618496
Opcode Fuzzy Hash: d5da8cd46f3b25414ae3d1dd43dab44a9a7c7f383759e64f3c8d28891db5d986
Instruction Fuzzy Hash: 98214A36605B4087EA169B66E54439AB3E1F78CBE0F144229EBAD43BA5DF38D4918B00

Function 0000000140009F40 Relevance: 6.0, APIs: 4, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140008FA8: OutputDebugStringA.KERNEL32 ref: 0000000140008FC6
Part of subcall function 0000000140008FA8: ActivateActCtx.KERNEL32 ref: 0000000140008FE7

GetProcAddress.KERNEL32(?,?,?,?,00000000,000000014000A199), ref: 0000000140009F9D
GetLastError.KERNEL32(?,?,?,?,00000000,000000014000A199), ref: 0000000140009FB4
DeactivateActCtx.KERNEL32(?,?,?,?,00000000,000000014000A199), ref: 0000000140009FC7
SetLastError.KERNEL32(?,?,?,?,00000000,000000014000A199), ref: 0000000140009FD4

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateDebugOutputProcString
String ID:
API String ID: 881766976-0
Opcode ID: db8a982b46341986144ebc570a3e61c21e5f79693e8daf067553d09c3162e9de
Instruction ID: 662bf97834aed6ea945e5d1daddac2eef2ac032c3fbf216dbb109cc084747351
Opcode Fuzzy Hash: db8a982b46341986144ebc570a3e61c21e5f79693e8daf067553d09c3162e9de
Instruction Fuzzy Hash: AA113D72215B0282EB169F17B4443A9A2E1BB8CFC0F194439EB4D873B4EF78C5418700

Function 0000000140012B3C Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32(?,?,?,0000000140008BA4,?,?,?,0000000140003293), ref: 0000000140012B79
LoadResource.KERNEL32(?,?,?,0000000140008BA4,?,?,?,0000000140003293), ref: 0000000140012B8A
LockResource.KERNEL32(?,?,?,0000000140008BA4,?,?,?,0000000140003293), ref: 0000000140012B9B
FreeResource.KERNEL32(?,?,?,0000000140008BA4,?,?,?,0000000140003293), ref: 0000000140012BBE

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 18e6eb22c5b4934c6ba34f70376327f0f8d0ed680ea400f96dac8936e322e755
Instruction ID: 47decce8cadc9a100b79a987d296b99a920a2c3085c6c48315529eb72c36c1d3
Opcode Fuzzy Hash: 18e6eb22c5b4934c6ba34f70376327f0f8d0ed680ea400f96dac8936e322e755
Instruction Fuzzy Hash: 75116D35315B8085EE5A9F579944395A7E1FB8DFC0F084025AF0A4B7A5DF3DC4518700

Function 0000000140048BF8 Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32 ref: 0000000140048C20
DragQueryFileW.SHELL32 ref: 0000000140048C3A
DragQueryFileW.SHELL32 ref: 0000000140048C61
DragFinish.SHELL32 ref: 0000000140048C81

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: 00e98a7b59b1ffb47b0a2fc92c2d28b282218aa9ff1950a1b1cb47a9b005ccec
Instruction ID: d38124013e54ac1657ed963102e9fe0ae134441628b70ec6e389ef7250670cdb
Opcode Fuzzy Hash: 00e98a7b59b1ffb47b0a2fc92c2d28b282218aa9ff1950a1b1cb47a9b005ccec
Instruction Fuzzy Hash: 17115E36304A8482EA21ABA7B4D87EA63A1F78DFD8F454025EF5D07775CE3DC1868B00

Function 000000014003FB98 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 000000014003FBF3
VerSetConditionMask.KERNEL32 ref: 000000014003FC04
VerifyVersionInfoW.KERNEL32 ref: 000000014003FC17
GetSystemMetrics.USER32 ref: 000000014003FC28

Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400408DD
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400408F4
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 000000014004090F
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 000000014004091B
Part of subcall function 00000001400408BC: GetDeviceCaps.GDI32 ref: 000000014004094B
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040959
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 000000014004096C
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 000000014004097B
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 000000014004098A
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040999
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409A8
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409B7
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409C3
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409CF
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409DB
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409E7
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 00000001400409F6
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A02
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A11
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A20
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A2F
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A3E
Part of subcall function 00000001400408BC: GetSysColor.USER32 ref: 0000000140040A4D

Part of subcall function 000000014003FCAC: GetSystemMetrics.USER32 ref: 000000014003FCCA
Part of subcall function 000000014003FCAC: GetSystemMetrics.USER32 ref: 000000014003FCDB
Part of subcall function 000000014003FCAC: SetRectEmpty.USER32 ref: 000000014003FCF1
Part of subcall function 000000014003FCAC: EnumDisplayMonitors.USER32 ref: 000000014003FD05
Part of subcall function 000000014003FCAC: SystemParametersInfoW.USER32 ref: 000000014003FD1A
Part of subcall function 000000014003FCAC: SystemParametersInfoW.USER32 ref: 000000014003FD51
Part of subcall function 000000014003FCAC: SystemParametersInfoW.USER32 ref: 000000014003FD69
Part of subcall function 000000014003FCAC: SystemParametersInfoW.USER32 ref: 000000014003FD94

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Color$System$Info$Parameters$Metrics$ConditionMask$CapsDeviceDisplayEmptyEnumMonitorsRectVerifyVersion
String ID:
API String ID: 1471558514-0
Opcode ID: 8847dc1455d0b79c6b1722429dfe5e016a388a9fb606e7311f8177d9bec03b1d
Instruction ID: 4d74ce27e16a0009b6142382694bb2ebc59b84a49db9478957601fa6982b9a70
Opcode Fuzzy Hash: 8847dc1455d0b79c6b1722429dfe5e016a388a9fb606e7311f8177d9bec03b1d
Instruction Fuzzy Hash: 1B11217160464486FB26DF72E8193DA73A0E78DB49F040028EB5E4B7A6DF7DC1458B44

Function 00000001400081FC Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 0000000140008232
LoadResource.KERNEL32 ref: 000000014000823E
LockResource.KERNEL32 ref: 000000014000824F
FreeResource.KERNEL32 ref: 000000014000826E

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: d701e9d452ca8c1960587f7389b7d41596b7cc92d38e32aa0e9dbbd2c4e3bd5c
Instruction ID: 4932fa30a0cae6092e1e216f774a2c5472be933613a57a48e695a90a5d334f6b
Opcode Fuzzy Hash: d701e9d452ca8c1960587f7389b7d41596b7cc92d38e32aa0e9dbbd2c4e3bd5c
Instruction Fuzzy Hash: 9B016271705B8086EA05DF93B84439AA7A1B78DFD0F484435EF5D47B65DE3CC4868700

Function 000000014019885C Relevance: 6.0, APIs: 4, Instructions: 43COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,00000001401890CC,?,?,00000000,000000014018A5CD), ref: 0000000140198866
SetLastError.KERNEL32(?,?,?,00000001401890CC,?,?,00000000,000000014018A5CD), ref: 00000001401988CE
SetLastError.KERNEL32(?,?,?,00000001401890CC,?,?,00000000,000000014018A5CD), ref: 00000001401988E4
abort.LIBCMT ref: 00000001401988EA

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ErrorLast$abort
String ID:
API String ID: 1447195878-0
Opcode ID: 0d799db03708603c1ee8a38b05793daa03a29868e8b7376193fd13e702e7c7d0
Instruction ID: 99deb4ae2ffa7c27254f996b4e31ec8a62c273d92ec6b164d1ac1332e77c47e5
Opcode Fuzzy Hash: 0d799db03708603c1ee8a38b05793daa03a29868e8b7376193fd13e702e7c7d0
Instruction Fuzzy Hash: 85012C3070670042FB5BBB77A9597ED51916B8CF90F580428AF1A477FBEE39C845DA10

Function 000000014000880F Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

EnableWindow.USER32 ref: 0000000140008858
GetActiveWindow.USER32 ref: 0000000140008863
SetActiveWindow.USER32 ref: 0000000140008872
FreeResource.KERNEL32 ref: 0000000140008899

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$Active$EnableFreeResource
String ID:
API String ID: 3751187028-0
Opcode ID: 96a28b757e04384a3e04e1a08c1de0bfb03228dde89146fa95b1cb29de4594a0
Instruction ID: 4aaa145622995e57c61a02638ee15c36e76224758041a7680cfa77fb9e9a0e14
Opcode Fuzzy Hash: 96a28b757e04384a3e04e1a08c1de0bfb03228dde89146fa95b1cb29de4594a0
Instruction Fuzzy Hash: EA114C76204A4182EB7BDB13E5043E96361FB89FE5F488125DF8A077A9CF39C486C701

Function 0000000140054910 Relevance: 6.0, APIs: 4, Instructions: 40COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32 ref: 0000000140054922
GetParent.USER32 ref: 0000000140054933
ScreenToClient.USER32 ref: 000000014005495F
IsWindowEnabled.USER32 ref: 000000014005497D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Window$ClientEnabledFromParentPointScreen
String ID:
API String ID: 1871804413-0
Opcode ID: 62f3b1d2de7d099a8ef8b8ffbc7978dd5a4d0aaba7b456e672294eee77366359
Instruction ID: 06f473598855c7191d304340bbf1b8e76d731b116c73bac7c5f06dd3e1b76791
Opcode Fuzzy Hash: 62f3b1d2de7d099a8ef8b8ffbc7978dd5a4d0aaba7b456e672294eee77366359
Instruction Fuzzy Hash: 9F012C35302B8141EE17DB5BA5593EA63E4AB8EFC4F185038AF5E077A5EE3AC444C700

Function 000000014001AA94 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 000000014001AAD3
GlobalHandle.KERNEL32 ref: 000000014001AAE3
GlobalUnlock.KERNEL32 ref: 000000014001AAF0
GlobalFree.KERNEL32 ref: 000000014001AAFA

Part of subcall function 000000014001ADAC: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE3E
Part of subcall function 000000014001ADAC: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE54
Part of subcall function 000000014001ADAC: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE5E
Part of subcall function 000000014001ADAC: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE75

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: FreeGlobal$CriticalSection$EnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1402163063-0
Opcode ID: dea4dd27c8f1b5dba2b8c98e91afa67c58b5656aae5d028b4110de18fe85a241
Instruction ID: b52cf77b515e249a18b968dabf97de8c2c3d2411dbfe100eb9252b2dd787de06
Opcode Fuzzy Hash: dea4dd27c8f1b5dba2b8c98e91afa67c58b5656aae5d028b4110de18fe85a241
Instruction Fuzzy Hash: 70012C35201A4082EA2A8F66E5547A963A0FB4EFF1F1853249B690B6F5DF39C491CB00

Function 0000000140018DFC Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140018E15
GetParent.USER32 ref: 0000000140018E2C
GetParent.USER32 ref: 0000000140018E4B
SetFocus.USER32 ref: 0000000140018E6D

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Parent$Focus
String ID:
API String ID: 384096180-0
Opcode ID: bc1e0436fe98a6b167d6a971dacae89624feeda8732ffa5b2407fbd9b0029f14
Instruction ID: a2bbcf593cef2f77fb7739f8ac7c92c9bfd8cae9ff6b9244cdb880850ed44610
Opcode Fuzzy Hash: bc1e0436fe98a6b167d6a971dacae89624feeda8732ffa5b2407fbd9b0029f14
Instruction Fuzzy Hash: 2601A13571664581EE1AEBA394593E817E0E78DF95F150025EF0E4B372EE3AC5958700

Function 000000014002BBB4 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014002BBFD
InvalidateRect.USER32 ref: 000000014002BC12
UpdateWindow.USER32 ref: 000000014002BC1C
SetRectEmpty.USER32 ref: 000000014002BC25

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: 328feed1eb706e5d53357bb4df853e01a74d2f29dc9fdd0902a49cf8d33255b2
Instruction ID: bbf270155b444546d3f1ea57784396b5ddee0e41b50e2684e346c6897bbfb405
Opcode Fuzzy Hash: 328feed1eb706e5d53357bb4df853e01a74d2f29dc9fdd0902a49cf8d33255b2
Instruction Fuzzy Hash: CD01AD32200B8483E721CB66E4593D973A0F78CF98F504224EB9A077A4DF39C196CB40

Function 0000000140010C38 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140010C61
GetWindowLongW.USER32 ref: 0000000140010C85
GetParent.USER32 ref: 0000000140010C94
GetWindow.USER32 ref: 0000000140010CA1

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ParentWindow$Long
String ID:
API String ID: 941798831-0
Opcode ID: 648528c173668e25513e139a8143be3cb27af4f570fa4bf802d47b2b462e56ff
Instruction ID: bf4976589d910d92b5de8759d71cf42ff3ceed5823c770a72d0eb79d2963a672
Opcode Fuzzy Hash: 648528c173668e25513e139a8143be3cb27af4f570fa4bf802d47b2b462e56ff
Instruction Fuzzy Hash: D1F0A431301690C1FE165BA3A4543E91260EB8CFD1F184224EF9A0B7B2DE79C4808B40

Function 000000014016E6FC Relevance: 6.0, APIs: 4, Instructions: 25COMMON

Download Yara Rule

APIs

UpdateWindow.USER32 ref: 000000014016E72C
UpdateWindow.USER32 ref: 000000014016E742
SetRectEmpty.USER32 ref: 000000014016E74F
SetRectEmpty.USER32 ref: 000000014016E75C

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRectUpdateWindow
String ID:
API String ID: 2950567124-0
Opcode ID: 0ce6e8dc728218f17e0a57d4d10630d22ee23b3f62be128bc73e62e5ad5f9fa6
Instruction ID: 238232d3840446cb0bd8c006510f949e1895c5bbc08ee8f0d7786b05b984d5ee
Opcode Fuzzy Hash: 0ce6e8dc728218f17e0a57d4d10630d22ee23b3f62be128bc73e62e5ad5f9fa6
Instruction Fuzzy Hash: 4EF01735212545C2EF569BA2D8A53EC33A0FB88F49F084535CB0E0A174DF35C48B9B90

Function 00000001400B41B0 Relevance: 6.0, APIs: 4, Instructions: 19COMMONLIBRARYCODE

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400B41C9
SetRectEmpty.USER32 ref: 00000001400B41D3
SetRectEmpty.USER32 ref: 00000001400B41DD
SetRectEmpty.USER32 ref: 00000001400B41E7

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: e265f5bf3367e5c00d3ac12d2882463298f08f6e016cc6fe06fe434dbc7056d4
Instruction ID: 5f227274f5f842c015f8a370e4e930077b9260e5e60862ca63ef87b6d37290a9
Opcode Fuzzy Hash: e265f5bf3367e5c00d3ac12d2882463298f08f6e016cc6fe06fe434dbc7056d4
Instruction Fuzzy Hash: 1FE0C9B2620A0583EB119F61E86479C6370F758F1AF400014CB0A421B5EB39C5C9DB64

Function 01F8EBBC Relevance: 6.0, APIs: 4, Instructions: 17COMMONLIBRARYCODE

Download Yara Rule

APIs

__vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 01F8EBC0
__vcrt_initialize_locks.LIBVCRUNTIME ref: 01F8EBCA

Part of subcall function 01F901B4: __vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 01F901D3

__vcrt_initialize_ptd.LIBVCRUNTIME ref: 01F8EBD7
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 01F8EBE0

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: CriticalInitializeSection__vcrt___vcrt_initialize_locks__vcrt_initialize_ptd__vcrt_initialize_pure_virtual_call_handler__vcrt_uninitialize_locks
String ID:
API String ID: 1318428292-0
Opcode ID: 5edefcb9d109088291507d612d2727d6d0072ed9d83842a21c54a3387b9b7960
Instruction ID: d0e41f8b58515b0f165076e3d28bfe579e7ef0be37760e3760d4fb86ca8a9029
Opcode Fuzzy Hash: 5edefcb9d109088291507d612d2727d6d0072ed9d83842a21c54a3387b9b7960
Instruction Fuzzy Hash: 18D00285E19253D57E193BB61D411AD33486D77145FC850D0ED82A3107DE3B019B5633

Function 0000000140189214 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 174COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 0000000140189246
_invalid_parameter_noinfo.LIBCMT ref: 0000000140189491

Strings

*, xrefs: 0000000140189356

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: b206c2d9d9c75b8f5eedbe5379d3310f74cf8d340110449e0778834464cbdc42
Instruction ID: 3683c36dbd116a9bb5ae97b1b50d403648290ce61b87b9cef272afcdb9cdd0f5
Opcode Fuzzy Hash: b206c2d9d9c75b8f5eedbe5379d3310f74cf8d340110449e0778834464cbdc42
Instruction Fuzzy Hash: 6A815CB3504610C6EB6A9F3A81943AC3BB0F34DF58F6D121ADB06466B8DB35CB82D754

Function 01F91568 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F9159A
_invalid_parameter_noinfo.LIBCMT ref: 01F917D8

Strings

*, xrefs: 01F916A8

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: 3c0ce3883960ed90be8b8cbe063948cf398ebdc417f4eae54aacbe964f7eb319
Instruction ID: 3bd95389ef9690c034f9caa5eabeaf6ae81be186683088aa7b9f30c789e45e5e
Opcode Fuzzy Hash: 3c0ce3883960ed90be8b8cbe063948cf398ebdc417f4eae54aacbe964f7eb319
Instruction Fuzzy Hash: D4615BB7908657C6FF29AF2DC48412C3BA4F345F68B19123ACB4A87358DB36C485CB56

Function 000000014018949C Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00000001401894CE
_invalid_parameter_noinfo.LIBCMT ref: 000000014018970C

Strings

*, xrefs: 00000001401895DC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *
API String ID: 3215553584-163128923
Opcode ID: da99078e6a74b400f8c7fb824b74ae718d47abbe4a3c80d96d32e4f71b9f67c0
Instruction ID: 6c6499914d6190389103775a875b8a217954243f4864abdc3c340909558f5a87
Opcode Fuzzy Hash: da99078e6a74b400f8c7fb824b74ae718d47abbe4a3c80d96d32e4f71b9f67c0
Instruction Fuzzy Hash: 4A716DB3115650CAE76A8F2A80843AD3BB0F34DF58F391216DB06463A8EB35CB81DB50

Function 0000000140024CDC Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

Invalid DateTime, xrefs: 0000000140024DB2, 0000000140024E79

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: Decorator::getTableType
String ID: Invalid DateTime
API String ID: 4116345634-2190634649
Opcode ID: a0456a419fc3ec86d3f18b432e24fb0a5947ea3567b5944d06190d804baadd49
Instruction ID: 9d38f01cb3708ea89777d0cd9fc7aa27a15dd4ceeade16338bcb9c0d124d02e5
Opcode Fuzzy Hash: a0456a419fc3ec86d3f18b432e24fb0a5947ea3567b5944d06190d804baadd49
Instruction Fuzzy Hash: 27514AB2B11A0185FF069B3AD4453ED23A4BB49BE8F44461AEB29477FADF34C855C390

Function 01F8E83C Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 01F8E8FC

Strings

csm, xrefs: 01F8E8E2
, xrefs: 01F8E98B

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: CurrentImageNonwritable
String ID: $csm
API String ID: 3104724169-717980254
Opcode ID: e36f85ab0db7fdd07fe5af72f3e5da6b26d540670114267b8bf93a6d845d76f9
Instruction ID: 5ead4b829f82a19ddad878ab9c4bef7fbfadcade860008545dfe17c860549bd3
Opcode Fuzzy Hash: e36f85ab0db7fdd07fe5af72f3e5da6b26d540670114267b8bf93a6d845d76f9
Instruction Fuzzy Hash: 8951C132B11642CBCB64EF29E844B6D7BA5F344BD8F548521EE8B4370ADBBAD840C700

Function 01F99354 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 01F99397

Strings

e+000, xrefs: 01F9943F
gfff, xrefs: 01F994C2

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: e+000$gfff
API String ID: 3215553584-3030954782
Opcode ID: 94e3212b96b1670be98431199fbf629601f3ccd328fc73a03d0faf3c2685d04a
Instruction ID: d24423ee078bc4d5745dcaa51008a48a24919c5bc1278d15a3a23d2cf164a9d3
Opcode Fuzzy Hash: 94e3212b96b1670be98431199fbf629601f3ccd328fc73a03d0faf3c2685d04a
Instruction Fuzzy Hash: C2411762B147C186FB269F3DA94035D7B91F391B94F09D269CB988BBD9CB6EC045C700

Function 000000014003FDB8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 000000014003FE0A
GetClassInfoW.USER32 ref: 000000014003FE7E

Part of subcall function 000000014000B268: _CxxThrowException.LIBVCRUNTIME ref: 000000014000B284

Strings

%Ts:%x:%x:%x:%x, xrefs: 000000014003FE65

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClassCursorExceptionInfoLoadThrow
String ID: %Ts:%x:%x:%x:%x
API String ID: 2435886446-4057404147
Opcode ID: db7930cc9696d5d9bcbb4b360892eb8f7bcf5ffbad2aef42c95ceea4c9469d42
Instruction ID: 0346967ce5e0a4dd69c8b468919e7b00f5e1fa449b87bb6fd13a8e8f568cad94
Opcode Fuzzy Hash: db7930cc9696d5d9bcbb4b360892eb8f7bcf5ffbad2aef42c95ceea4c9469d42
Instruction Fuzzy Hash: 9131AC72310B458AE7169F62E4053ED33A5F748BE8F00812AEF9857BA9EF38C2558340

Function 01F8DF6A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

__DestructExceptionObject.LIBVCRUNTIME ref: 01F8DF92
__DestructExceptionObject.LIBVCRUNTIME ref: 01F8E01C

Strings

csm, xrefs: 01F8DFEF

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: DestructExceptionObject
String ID: csm
API String ID: 3088137261-1018135373
Opcode ID: 9b7a37655f386e39c80ceb4a5aed77449e91b8bad260fb4f824d85783b75064e
Instruction ID: bb4559c47877f8830755a686935a097635f18906d9b2f16a9a6ac619be19dc59
Opcode Fuzzy Hash: 9b7a37655f386e39c80ceb4a5aed77449e91b8bad260fb4f824d85783b75064e
Instruction Fuzzy Hash: 6E21487A604641C6D731EF56E44025EBBB1F789BA5F100216CF9E03BA5CB3AE486CB01

Function 01F82480 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

swprintf_s.LIBCONCRTD ref: 01F82508

Part of subcall function 01F81DC0: _vswprintf_s_l.LIBCONCRTD ref: 01F81E03

Strings

ComSpec, xrefs: 01F82518
/c ping -n 3 127.0.0.1 >NUL & echo EEEE > "%s", xrefs: 01F824F4

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: _vswprintf_s_lswprintf_s
String ID: /c ping -n 3 127.0.0.1 >NUL & echo EEEE > "%s"$ComSpec
API String ID: 2380855934-1337204767
Opcode ID: 8d90eadb38c46670f41569fe1b1eb1c27057c28cd952a8ec0a9e1f5faddf1e3e
Instruction ID: 087890a1a6c23c1b2ef153f925d807471ceff8eabb5ad6a2ebcd7b44b475bb8b
Opcode Fuzzy Hash: 8d90eadb38c46670f41569fe1b1eb1c27057c28cd952a8ec0a9e1f5faddf1e3e
Instruction Fuzzy Hash: D82127712285C596EB60DB25F8543DA7765F794784FC04035D68E47668DF3DC109C741

Function 01F81770 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 48COMMON

Download Yara Rule

APIs

fwprintf.LIBCONCRTD ref: 01F81817

Strings

c:\, xrefs: 01F81793
%s\%c.tmp, xrefs: 01F8180B

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: fwprintf
String ID: %s\%c.tmp$c:\
API String ID: 968622242-3608748503
Opcode ID: 99c872a4d34854c9a1dfa40497e522be1e02fe2f78f0873e13ecb29e4b8abac8
Instruction ID: 8c0b49c084b3b3023f9b3be1069306d859aef5091febc1f7f7405339f3ee1389
Opcode Fuzzy Hash: 99c872a4d34854c9a1dfa40497e522be1e02fe2f78f0873e13ecb29e4b8abac8
Instruction Fuzzy Hash: E2116D7221C6C5CADB21DB24F85439BBBA1F389784F840226D68D47B28DB3EC245CF01

Function 000000014001D054 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 000000014001D087
GetClassNameW.USER32 ref: 000000014001D0A2

Strings

combobox, xrefs: 000000014001D0AC

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: combobox
API String ID: 1147815241-2240613097
Opcode ID: 54e9462cef7d3376f472ccf8ef010cabee2cc568e21c2ef1e4cecb2680d6d9e7
Instruction ID: 71c43dd4661c011a6c5f5e8b98677ff50c21d539aed321237112c8eb1615b2a3
Opcode Fuzzy Hash: 54e9462cef7d3376f472ccf8ef010cabee2cc568e21c2ef1e4cecb2680d6d9e7
Instruction Fuzzy Hash: D1016133215F4082EA22CB56F84179AB3A0E78DBE0F540616EB9A477B9DF39C141CB40

Function 000000014001481C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001D0F8: RealChildWindowFromPoint.USER32(?,?,?,?,?,?,?,000000014001483F), ref: 000000014001D11E

GetDlgCtrlID.USER32 ref: 000000014001484A
SendMessageW.USER32 ref: 000000014001487F

Strings

@, xrefs: 0000000140014857

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ChildCtrlFromMessagePointRealSendWindow
String ID: @
API String ID: 258411958-2766056989
Opcode ID: f3b5c53bd5a664273560ecd675a9eec0de8daed56378609b187c6783bed2a182
Instruction ID: 968ff2866e663e890fe84abe676ec7d51766d6f7d3ee5588ec5f4ec499c6f95b
Opcode Fuzzy Hash: f3b5c53bd5a664273560ecd675a9eec0de8daed56378609b187c6783bed2a182
Instruction Fuzzy Hash: A3015B32214B9082EB168F66E44436D76A0E789BF8F185324EF794BBF8CF39C4418700

Function 000000014003FB0C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetMonitorInfoW.USER32 ref: 000000014003FB31
CopyRect.USER32 ref: 000000014003FB45

Strings

(, xrefs: 000000014003FB26

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: a691b7b9feab9615eeefa3ec0e0b70100919a81e62a542b84e32dbd216c3aebd
Instruction ID: c2cb768d7934e57f76c8ea4aa79c5e5cf85ff0cc0ff28558e8dbdfa295ddb4ae
Opcode Fuzzy Hash: a691b7b9feab9615eeefa3ec0e0b70100919a81e62a542b84e32dbd216c3aebd
Instruction Fuzzy Hash: 4911CE72614680CBD751DF35E49464AB7F0FB8CB99F448025EB898B628EB38D984CF10

Function 01F86190 Relevance: 5.3, Strings: 4, Instructions: 283COMMON

Download Yara Rule

Strings

no future, xrefs: 01F862E5
wild scan, xrefs: 01F86564
insufficient lookahead, xrefs: 01F862B2
Code too clever, xrefs: 01F8620F

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: Code too clever$insufficient lookahead$no future$wild scan
API String ID: 0-1205821253
Opcode ID: 09a6889fa23b46f6a2c0452f23bedbb0a4974504f1eb6fd0e5e72c4bc10e99d4
Instruction ID: ea3553c3a305e34522a761d8ebb56c86bde8bc26db1903396c62d8ea9baca350
Opcode Fuzzy Hash: 09a6889fa23b46f6a2c0452f23bedbb0a4974504f1eb6fd0e5e72c4bc10e99d4
Instruction Fuzzy Hash: 06D1CA72618A848ACB61DB19E49016EBBB0F3C9798F540126FBCE83B69DB3DC551CF01

Function 0000000140008FA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140008FC6
ActivateActCtx.KERNEL32 ref: 0000000140008FE7

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140008FBF

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: ActivateDebugOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 396653078-2690750368
Opcode ID: de1070b5fc70bb2af168e0542d99b1a71c58f0c2d45f7d61236ea1876b89dc1d
Instruction ID: 4095027b44bf1ea930a61d54572f7b9fff043efb65ce4a3d151894cd71b05117
Opcode Fuzzy Hash: de1070b5fc70bb2af168e0542d99b1a71c58f0c2d45f7d61236ea1876b89dc1d
Instruction Fuzzy Hash: E8F0A77130464186F792EFA7F9C47B562E1B78CBC1F544039EB49826B0DA74C8C4CB04

Function 01F8C4C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

std::bad_alloc::bad_alloc.LIBCMT ref: 01F8C4C9
_CxxThrowException.LIBVCRUNTIME ref: 01F8C4DA

Strings

Unknown exception, xrefs: 01F8C4E5

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID: ExceptionThrowstd::bad_alloc::bad_alloc
String ID: Unknown exception
API String ID: 932687459-410509341
Opcode ID: 39991418bcfbb6b41fa5e60cbbcd42923bdc1cb5b0f0dffafd1db3ceda609f4b
Instruction ID: 662c3869e103cc1133a7f165397b98743efd175b406eaa7e44cd978447113a6c
Opcode Fuzzy Hash: 39991418bcfbb6b41fa5e60cbbcd42923bdc1cb5b0f0dffafd1db3ceda609f4b
Instruction Fuzzy Hash: 2ED09E63210A8691DE10FB04D894399B374F794708FD05422914D82575DF3EC64AC741

Function 01F84BB0 Relevance: 5.2, Strings: 4, Instructions: 225COMMON

Download Yara Rule

Strings

lit data: dyn %ld, stat %ld, xrefs: 01F84C3A
bad compressed size, xrefs: 01F84F77
dist data: dyn %ld, stat %ld, xrefs: 01F84C75
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u , xrefs: 01F84D1D

Memory Dump Source

Source File: 00000000.00000002.2533318886.0000000001F80000.00000040.00001000.00020000.00000000.sdmp, Offset: 01F80000, based on PE: true

Associated: 00000000.00000002.2533370987.0000000001FC1000.00000040.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_1f80000_Label.jbxd

Similarity

API ID:
String ID: dist data: dyn %ld, stat %ld$lit data: dyn %ld, stat %ld$opt %lu(%lu) stat %lu(%lu) stored %lu lit %u dist %u $bad compressed size
API String ID: 0-3797576753
Opcode ID: cb8e9e4c819737b0b6a7213a35bb940b6a2479c906c69a5f1ffdaf1e98821e61
Instruction ID: e8676e3581a775e2ce8e5a25520b09f90cc2e2a4201ccfece4b5b86d51b3b22c
Opcode Fuzzy Hash: cb8e9e4c819737b0b6a7213a35bb940b6a2479c906c69a5f1ffdaf1e98821e61
Instruction Fuzzy Hash: 15C1AB7671978987C700DB5AE4907AEB7A1F7CAB84F144135EA8D87B28CB39E402CF41

Function 000000014001ADAC Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE3E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE54
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE5E
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014001954F), ref: 000000014001AE75

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 6ca57513eed311584c038467ba740c754019f680f8950b7cae2b3722668ea240
Instruction ID: f27ce460a568bd9110dfe016d503de39698770734da69836a8683e4ecf1c00c1
Opcode Fuzzy Hash: 6ca57513eed311584c038467ba740c754019f680f8950b7cae2b3722668ea240
Instruction Fuzzy Hash: 42314636200A0482EB258F17E5803A977B0F38DFC4F448215EF5A07BA4CF79E8A5C740

Function 000000014001B0E8 Relevance: 5.0, APIs: 4, Instructions: 35COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,00000001400232F5), ref: 000000014001B104
TlsGetValue.KERNEL32(?,?,00000000,00000001400232F5), ref: 000000014001B115
LeaveCriticalSection.KERNEL32(?,?,00000000,00000001400232F5), ref: 000000014001B135
LeaveCriticalSection.KERNEL32 ref: 000000014001B143

Memory Dump Source

Source File: 00000000.00000002.2533799659.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.2533769512.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2533969271.00000001401AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534037514.000000014024F000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534057865.0000000140250000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534076723.0000000140251000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534096455.0000000140260000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534118796.0000000140262000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2534139066.0000000140278000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_Label.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: 632c8b29365732df47e757e57d12433a07b2c33c1df32d050478edec0a45698b
Instruction ID: 7880eaece28dc199546a892ed1324bfad8924ab52b7d1f8a7c7e47a6abaa636e
Opcode Fuzzy Hash: 632c8b29365732df47e757e57d12433a07b2c33c1df32d050478edec0a45698b
Instruction Fuzzy Hash: 80014B31304A4492EB66CF57E5D47AA67A1EB8CFC4F594024EB4E4B774CF39D4828B00

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Label.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp-

C:\Users\user\AppData\Local\Temp\temp\192.168.2.5\c.tmp~

C:\Users\user\AppData\Local\Temp\~E52D1ACF.tmp

C:\Users\user\Desktop\Label.exe

\Device\Null

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Windows Analysis Report
Label.exe

Function 0000000140198110 Relevance: 1.3, APIs: 1, Instructions: 36
memoryCOMMONLIBRARYCODE

Function 0000000140041118 Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 426
windowCOMMON

Function 000000014002C3A8 Relevance: 42.5, APIs: 28, Instructions: 491
keyboardCOMMON

Function 000000014000BEE4 Relevance: 38.8, APIs: 21, Strings: 1, Instructions: 276
windowCOMMON

Function 000000014004EBC8 Relevance: 37.2, APIs: 20, Strings: 1, Instructions: 471
windowstringCOMMON

Function 0000000140047AD0 Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 579
windowCOMMON

Function 0000000140055D1C Relevance: 33.6, APIs: 18, Strings: 1, Instructions: 331
windowCOMMON

Function 0000000140022458 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 233
windowCOMMON

Function 0000000140054154 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 330
windowkeyboardCOMMON

Function 000000014000C33C Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 230
windowCOMMON