Edit tour

Windows Analysis Report
bfsvc.exe

Overview

General Information

Sample name:	bfsvc.exe
Analysis ID:	1525467
MD5:	60a339532f6a5290d435acbd30cb1992
SHA1:	49ac28641a0448d4179eb870c1af4327a1799650
SHA256:	ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269
Tags:	exeuser-smica83
Infos:

Detection

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

PE / OLE file has an invalid certificate

Potential key logger detected (key state polling based)

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

bfsvc.exe (PID: 1424 cmdline: "C:\Users\user\Desktop\bfsvc.exe" MD5: 60A339532F6A5290D435ACBD30CB1992)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bfsvc.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: bfsvc.exe	ReversingLabs: Detection: 39%
Source: bfsvc.exe	Virustotal: Detection: 58%			Perma Link

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140145940 GetAsyncKeyState,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_0000000140145940

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140145940 GetAsyncKeyState,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,

6_2_0000000140145940

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_00000001400E00A4 GetSystemMetrics,GetAsyncKeyState,WindowFromPoint,ScreenToClient,SendMessageA,ScreenToClient,

6_2_00000001400E00A4

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014005098C MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,	6_2_000000014005098C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140114F8C GetKeyState,GetKeyState,GetKeyState,	6_2_0000000140114F8C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400159A4 GetKeyState,GetKeyState,GetKeyState,SendMessageA,	6_2_00000001400159A4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014009E3C0 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	6_2_000000014009E3C0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013EA78 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	6_2_000000014013EA78

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140054054	6_2_0000000140054054
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140080090	6_2_0000000140080090
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D8088	6_2_00000001400D8088
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400400EC	6_2_00000001400400EC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400380F4	6_2_00000001400380F4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140124158	6_2_0000000140124158
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140100148	6_2_0000000140100148
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014001C178	6_2_000000014001C178
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A8198	6_2_00000001400A8198
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400481D8	6_2_00000001400481D8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401981D0	6_2_00000001401981D0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401742B8	6_2_00000001401742B8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013C2B0	6_2_000000014013C2B0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014012C33C	6_2_000000014012C33C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D4340	6_2_00000001400D4340
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014009035C	6_2_000000014009035C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014019844C	6_2_000000014019844C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A4464	6_2_00000001400A4464
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401745E4	6_2_00000001401745E4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401A05F0	6_2_00000001401A05F0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014011C638	6_2_000000014011C638
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014007C650	6_2_000000014007C650
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401606C0	6_2_00000001401606C0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A06F8	6_2_00000001400A06F8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401007D8	6_2_00000001401007D8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140118838	6_2_0000000140118838
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140104874	6_2_0000000140104874
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013C8CC	6_2_000000014013C8CC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400DC8D4	6_2_00000001400DC8D4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014008CA04	6_2_000000014008CA04
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140124AA0	6_2_0000000140124AA0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140054B9C	6_2_0000000140054B9C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140140BFC	6_2_0000000140140BFC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400E8C04	6_2_00000001400E8C04
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401A0C4C	6_2_00000001401A0C4C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140174C9C	6_2_0000000140174C9C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140158C9C	6_2_0000000140158C9C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140078CA0	6_2_0000000140078CA0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140068CB4	6_2_0000000140068CB4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400BCCC4	6_2_00000001400BCCC4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400FCCD4	6_2_00000001400FCCD4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140134D48	6_2_0000000140134D48
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400ACD60	6_2_00000001400ACD60
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140090DE4	6_2_0000000140090DE4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400ECE24	6_2_00000001400ECE24
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A8E58	6_2_00000001400A8E58
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400E4E64	6_2_00000001400E4E64
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014010CF78	6_2_000000014010CF78
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401310A0	6_2_00000001401310A0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140115184	6_2_0000000140115184
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400351AC	6_2_00000001400351AC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401451AC	6_2_00000001401451AC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140169268	6_2_0000000140169268
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400692F0	6_2_00000001400692F0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400792EC	6_2_00000001400792EC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014011D340	6_2_000000014011D340
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400C5348	6_2_00000001400C5348
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F53C8	6_2_00000001400F53C8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014005943C	6_2_000000014005943C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014003944C	6_2_000000014003944C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400514CC	6_2_00000001400514CC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A94D8	6_2_00000001400A94D8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401314FC	6_2_00000001401314FC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401254E8	6_2_00000001401254E8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140105510	6_2_0000000140105510
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F162C	6_2_00000001400F162C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140139680	6_2_0000000140139680
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014008D694	6_2_000000014008D694
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400B1714	6_2_00000001400B1714
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A1748	6_2_00000001400A1748
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400E1754	6_2_00000001400E1754
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140149780	6_2_0000000140149780
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013D788	6_2_000000014013D788
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400457C0	6_2_00000001400457C0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400317E0	6_2_00000001400317E0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014005980C	6_2_000000014005980C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400B58DC	6_2_00000001400B58DC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401418CC	6_2_00000001401418CC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A58E8	6_2_00000001400A58E8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140105924	6_2_0000000140105924
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140021938	6_2_0000000140021938
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401A5984	6_2_00000001401A5984
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401699D0	6_2_00000001401699D0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400E5A0C	6_2_00000001400E5A0C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014005DA4C	6_2_000000014005DA4C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013DA9C	6_2_000000014013DA9C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014012DA84	6_2_000000014012DA84
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D5AE0	6_2_00000001400D5AE0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140065AF0	6_2_0000000140065AF0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D5C1C	6_2_00000001400D5C1C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140171C2C	6_2_0000000140171C2C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140115CDC	6_2_0000000140115CDC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140085CF8	6_2_0000000140085CF8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F1D10	6_2_00000001400F1D10
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140095D80	6_2_0000000140095D80
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140139DEC	6_2_0000000140139DEC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140131E48	6_2_0000000140131E48
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400B5E90	6_2_00000001400B5E90
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014010DED4	6_2_000000014010DED4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140121F04	6_2_0000000140121F04
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140039F48	6_2_0000000140039F48
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400B1F5C	6_2_00000001400B1F5C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400C5F8C	6_2_00000001400C5F8C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140142110	6_2_0000000140142110
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400AE170	6_2_00000001400AE170
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014013A1C4	6_2_000000014013A1C4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400821FC	6_2_00000001400821FC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014009A1F8	6_2_000000014009A1F8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D6210	6_2_00000001400D6210
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014007A2D8	6_2_000000014007A2D8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400DA2EC	6_2_00000001400DA2EC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A6304	6_2_00000001400A6304
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014009E3C0	6_2_000000014009E3C0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140162420	6_2_0000000140162420
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401AE40C	6_2_00000001401AE40C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140086488	6_2_0000000140086488
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014000E4E0	6_2_000000014000E4E0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401264F4	6_2_00000001401264F4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F6524	6_2_00000001400F6524
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140062578	6_2_0000000140062578
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400525FC	6_2_00000001400525FC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014015A6A0	6_2_000000014015A6A0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014002A6E8	6_2_000000014002A6E8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014010675C	6_2_000000014010675C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400B2758	6_2_00000001400B2758
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014019E774	6_2_000000014019E774
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401427A8	6_2_00000001401427A8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014016E7C4	6_2_000000014016E7C4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140066824	6_2_0000000140066824
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014008E858	6_2_000000014008E858
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400D2868	6_2_00000001400D2868
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140152868	6_2_0000000140152868
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140146894	6_2_0000000140146894
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401768D4	6_2_00000001401768D4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400968DC	6_2_00000001400968DC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400A68E8	6_2_00000001400A68E8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F2A80	6_2_00000001400F2A80
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140136AA8	6_2_0000000140136AA8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014014AB1C	6_2_000000014014AB1C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140122B40	6_2_0000000140122B40
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400EAB50	6_2_00000001400EAB50
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140126B98	6_2_0000000140126B98
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400AAB88	6_2_00000001400AAB88
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140116BC0	6_2_0000000140116BC0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140082C0C	6_2_0000000140082C0C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014012AC4C	6_2_000000014012AC4C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014012ECB8	6_2_000000014012ECB8
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001400F6CE4	6_2_00000001400F6CE4
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140146D0C	6_2_0000000140146D0C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014010AD60	6_2_000000014010AD60
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014007ED88	6_2_000000014007ED88

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: String function: 00000001400BCC44 appears 97 times
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: String function: 0000000140098F30 appears 61 times
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: String function: 00000001400076E0 appears 237 times
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: String function: 0000000140004B34 appears 61 times

Source: bfsvc.exe

Static PE information: invalid certificate

Source: classification engine

Classification label: mal56.winEXE@1/1@0/0

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_000000014003CAC0 GetVersionExA,CoInitializeEx,CoCreateInstance,

6_2_000000014003CAC0

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140014264 FindResourceA,LoadResource,LockResource,FreeResource,

6_2_0000000140014264

Source: C:\Users\user\Desktop\bfsvc.exe

File created: C:\Users\user~1\AppData\Local\Temp\~SF877.tmp

Jump to behavior

Source: bfsvc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\bfsvc.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: bfsvc.exe	ReversingLabs: Detection: 39%
Source: bfsvc.exe	Virustotal: Detection: 58%

Source: C:\Users\user\Desktop\bfsvc.exe

File read: C:\Users\user\Desktop\bfsvc.exe

Jump to behavior

Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: bfsvc.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: bfsvc.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: bfsvc.exe

Static file information: File size 2789712 > 1048576

Source: bfsvc.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400

Source: bfsvc.exe

Static PE information: More than 200 imports for USER32.dll

Source: bfsvc.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140039024 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

6_2_0000000140039024

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D3543 push rbx; retf	6_2_004D3544
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D1B79 push rbp; ret	6_2_004D1B7A
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D0A2C push rax; ret	6_2_004D0A3A
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D283E pushfq ; ret	6_2_004D283F
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D30DF push rbx; iretd	6_2_004D30E3
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_004D15FC push rbx; ret	6_2_004D15FD
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014010D541 push rcx; ret	6_2_000000014010D542

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140094878 GetParent,IsIconic,GetParent,GetDlgCtrlID,	6_2_0000000140094878
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	6_2_0000000140114B5C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	6_2_0000000140114B5C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	6_2_0000000140114B5C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014011562C IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoA,CopyRect,CopyRect,SystemParametersInfoA,OffsetRect,GetSystemMetrics,GetSystemMetrics,	6_2_000000014011562C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140115954 IsIconic,PostMessageA,	6_2_0000000140115954
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_000000014011609C IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	6_2_000000014011609C
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_00000001401168BC GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	6_2_00000001401168BC
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140116BC0 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageA,IsWindow,GetWindowRect,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA,	6_2_0000000140116BC0
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140002E00 IsIconic,	6_2_0000000140002E00

Source: C:\Users\user\Desktop\bfsvc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\bfsvc.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX			Jump to behavior

Source: C:\Users\user\Desktop\bfsvc.exe

API coverage: 0.0 %

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_000000014019A694 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

6_2_000000014019A694

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140196A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

6_2_0000000140196A38

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_000000014006C43C OutputDebugStringA,ActivateActCtx,GetLastError,DeactivateActCtx,SetLastError,

6_2_000000014006C43C

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_0000000140039024 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

6_2_0000000140039024

Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140196A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		6_2_0000000140196A38
Source: C:\Users\user\Desktop\bfsvc.exe	Code function: 6_2_0000000140192D94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		6_2_0000000140192D94

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,

6_2_000000014001E3DC

Source: C:\Users\user\Desktop\bfsvc.exe

Code function: 6_2_000000014003CAC0 GetVersionExA,CoInitializeEx,CoCreateInstance,

6_2_000000014003CAC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	21 Input Capture	2 Security Software Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	1 Application Window Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bfsvc.exe	39%	ReversingLabs	Win64.Trojan.SpywareX
bfsvc.exe	58%	Virustotal		Browse
bfsvc.exe	100%	Avira	TR/Spy.Bobik.fivkh

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525467
Start date and time:	2024-10-04 09:18:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bfsvc.exe
Detection:	MAL
Classification:	mal56.winEXE@1/1@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.

Process:	C:\Users\user\Desktop\bfsvc.exe
File Type:	data
Category:	modified
Size (bytes):	174548
Entropy (8bit):	7.9989319921201245
Encrypted:	true
SSDEEP:	3072:UmHqdQxxy7SdsuzoCJbpYiUxOuTT5N+6N3/51Qg+b3TYtTJYkGVE+z4i2OqJI+y:UeqexM7SdooUxOy7Nh1Qg+HYtTWkMVcI
MD5:	92400F38A0E86B23DB1E64358ACEBCED
SHA1:	4991C69B137ECDFEC978FBA643DC6CB2DBC7D2B5
SHA-256:	65325DF0FB8678FAE5022869D45643558DAAF8766EA36CD23BECD3B6BDDA32B8
SHA-512:	5405BCC84520A06AE08EFCBA1A11F8C0683B7BD798A6915DB9549056471434EE62B32E672DB7A6D065A9ADBC4C8428BFA02000AC6A246A301350D59C385A5ECE
Malicious:	false
Reputation:	low
Preview:	..%......eW.Y......3...Q.......-...6v@..@..u.3.\.\...A.....d..........9.^.. .x.v.,..]..'[k#.h..{....^.. .cG.Z.m.}.,....7zL...R.E0...&.&..}9........"T.]=wZ.i.....0Y..P~55._.UA...)3..P..N.+......&.5.,..m'B.......<X@\|..i.UO.i.c..L@..Q.yF.2 ._.#.{.yg.Z..Ks.a.jt.>G..V...MUQ~..oI....<...\|....M...G....J..R."....8...o...e.b.?.FP..#...8.+..J.....J..n.3Z.$n.q......'...3.2..4B.u.Q..o..U.2..1.$l....]H.....i.U"....f..H....A...<P=..jo.&..0.. .r...u....F..-.A..k.\..?......g..q..p.(GL.\|....%..fL....1.i...W.O.en.t.5...i.NIcY[.D..P.....wv.C.au...y.5ym..z.i...0..\..I.#...........}z.Y.5.Er%J..G..+.......mo.0..?.7{..@+@..G$.p.x.c..F....4{..k....`..\..1...y./N.'..q.T>3C...e.zk...t..d/..M*;.w-...OQ.1...o.,.E..&...,....Q.....u/......[....5}.....).....[.x...3.......~..\.>.$.\...@.y.9;L.....5q..Z.='.(..[."...E..s&di(....:...e..4.rJ]..S.Rd.Ah..V].\.jM.-8Ie/..=... @v.t........i...^.<.n.o.......R.."V.X..tu.m. .HF......R.u..5f.n..S`L...x....M..]...."_....N..._.^

Static File Info

General

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.35497393259666
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	bfsvc.exe
File size:	2'789'712 bytes
MD5:	60a339532f6a5290d435acbd30cb1992
SHA1:	49ac28641a0448d4179eb870c1af4327a1799650
SHA256:	ee7926b30c734b49f373b88b3f0d73a761b832585ac235eda68cf9435c931269
SHA512:	5fe71e5f3df06c257da11fdc9186188ec021df67be86ec4a7286156f3a5f27fd1bc7a9a3e42672a7c92b1c8ca291f110d8b08c6282a4dd25afae890c97c1fe08
SSDEEP:	49152:SWloiaXmVQDg/xrTYp3Rp8Z7iOOSaIOzd9nLgUvSSP88O5Z2Cfz8kIL+hlaDOjiH:SWv0yOSQbnLLSSP8L5IzY8FkT8
TLSH:	1CD57D5F67B851D9C5A7C178C5268A8FE7F3B8A10930C38F40A54B9E5FB32628D1B721
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........o..E...E...E.....+.J.....).......(.S.......H.......D.......G.......f...E...e....W..S....W..L....W..#....W..A....W%.D...E.M.D..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140192ac4
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65D698E7 [Thu Feb 22 00:44:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e99b1acfe7b35844f0584357831f0665

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Tableau Software Inc.
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	27/05/2023 20:15:00 01/01/2040 00:59:59
Subject Chain	CN=Tableau Software Inc.
Version:	3
Thumbprint MD5:	1DC7895A0C06936950D50A29047999BE
Thumbprint SHA-1:	6624C7B8FAAC176D1C1CB10B03E7EE58A4853F91
Thumbprint SHA-256:	F76D6AE999702C40C74D2575A2923F571359B90743A80BB5445C442C7C558EF6
Serial:	76CB5D1E6C2B6895428115705D9AC765

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007FBBB8B0E02Ch
dec eax
add esp, 28h
jmp 00007FBBB8B0D537h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007FBBB8B0D6D2h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007FBBB8B0D6D5h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
add ecx, dword ptr [ebx+08h]
test byte ptr [ecx+03h], 0000000Fh
je 00007FBBB8B0D6CEh
movzx eax, byte ptr [ecx+03h]
and eax, FFFFFFF0h
dec eax
cwde
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007FBBB8B0D0B2h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx

Rich Headers

Programming Language:

[C++] VS2015 build 23026
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25da00	0x17c
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x288000	0x5350	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x271000	0x15c60	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x2a8c00	0x550
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28e000	0xef3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2211f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2212a8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x221210	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bc2e0	0x1bc400	b51bb458f4da03b2ac05d7bfdb2988ac	False	0.5279119917698368	zlib compressed data	6.4274818862709555	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1be000	0x9f926	0x9fc00	221966d18488fc88b46efbcdb39d5a14	False	0.2700187671165884	data	4.542617662939858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x25e000	0x127b4	0x7800	df3e929c55c7972dbff0d4164cdad5e7	False	0.19547526041666666	data	4.147628436363404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x271000	0x15c60	0x15e00	37f832ba1a326f736003396574f5ffd9	False	0.5044084821428572	data	6.16397692708684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x287000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x288000	0x5350	0x5400	76a6e84e7298c02c76385d01d614bc32	False	0.23939732142857142	data	3.665069544682688	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28e000	0xef3c	0xf000	af5c9342690516674eda0363f0bd45c9	False	0.10154622395833333	data	5.444310130802154	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x288ac0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x288bf4	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x288ca8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x288ddc	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x288f10	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x289044	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x289178	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x2892ac	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x2893e0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x289514	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x289648	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x28977c	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x2898b0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x2899e4	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x289b18	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x289c4c	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x289d80	0x220	Device independent bitmap graphic, 85 x 10 x 4, image size 440	Portuguese	Brazil	0.15441176470588236
RT_BITMAP	0x289fa0	0xe8	Device independent bitmap graphic, 28 x 8 x 4, image size 128	Portuguese	Brazil	0.3706896551724138
RT_BITMAP	0x28a088	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x28a140	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_DIALOG	0x28a284	0x33e	data	English	United States	0.4072289156626506
RT_DIALOG	0x28a5c4	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x28a6ac	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x28a6e0	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x28a764	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x28a790	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x28a914	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x28ae04	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x28b068	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x28b344	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x28b3d0	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x28b47c	0xde	data	English	United States	0.536036036036036
RT_STRING	0x28b55c	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x28ba04	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x28bc2c	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x28bc58	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0x28c198	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9705882352941176
RT_GROUP_CURSOR	0x28c1bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c20c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c220	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c234	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c248	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c25c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c270	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c284	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c298	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c2ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c2c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x28c2d4	0x72c	OpenPGP Secret Key			0.3044662309368192
RT_VERSION	0x28ca00	0x72c	OpenPGP Secret Key	English	United States	0.3044662309368192
RT_MANIFEST	0x28d12c	0x224	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators	English	United States	0.531021897810219

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, IsValidCodePage, SetFilePointerEx, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetStringTypeW, LCMapStringW, FindFirstFileExA, ExitProcess, GetFileType, SetStdHandle, QueryPerformanceFrequency, HeapQueryInformation, VirtualQuery, VirtualAlloc, GetSystemInfo, GetCommandLineW, GetCommandLineA, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlPcToFileHeader, RtlUnwindEx, OutputDebugStringW, FindNextFileA, WriteConsoleW, CreateFileW, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateEventW, WaitForSingleObjectEx, ResetEvent, SearchPathA, GetProfileIntA, GetTempFileNameA, GetTempPathA, FindResourceExW, VerifyVersionInfoA, VerSetConditionMask, GetTickCount, SystemTimeToTzSpecificLocalTime, GetFileTime, GetFileSizeEx, GetFileAttributesExA, GetFileAttributesA, FileTimeToLocalFileTime, SetErrorMode, GetWindowsDirectoryA, GetCPInfo, GetOEMCP, VirtualProtect, lstrcpyA, FileTimeToSystemTime, GetThreadLocale, GetVolumeInformationA, lstrcmpiA, GetCurrentProcess, DuplicateHandle, WriteFile, UnlockFile, SetFilePointer, SetEndOfFile, ReadFile, LockFile, GetFullPathNameA, GetFileSize, FlushFileBuffers, FindFirstFileA, FindClose, CreateFileA, DeleteFileA, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, CompareStringW, GetCurrentDirectoryA, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetACP, InitializeCriticalSection, GlobalFlags, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetSystemDirectoryW, EncodePointer, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, CopyFileA, FormatMessageA, MulDiv, LocalFree, GlobalSize, GetCurrentProcessId, GlobalAddAtomA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetProcAddress, GetModuleHandleW, GetModuleHandleA, CompareStringA, WideCharToMultiByte, MultiByteToWideChar, FindResourceW, lstrcmpA, GlobalDeleteAtom, GlobalAlloc, SizeofResource, LoadLibraryExW, GetModuleFileNameA, FreeLibrary, GetVersionExA, GetCurrentThread, ResumeThread, SuspendThread, SetThreadPriority, GetCurrentThreadId, CreateEventA, CloseHandle, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, CreateActCtxW, FindResourceA, LoadLibraryW, GlobalFree, GlobalUnlock, GlobalLock, LockResource, LoadResource, GetModuleHandleExW, GetModuleFileNameW, FreeResource, SetLastError, OutputDebugStringA, Sleep, WaitForSingleObject, SetEvent, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, GetLastError, RaiseException, GetStdHandle, DecodePointer
USER32.dll	GetAsyncKeyState, GetMenuItemInfoA, DestroyMenu, LoadImageW, TrackMouseEvent, InflateRect, MessageBeep, GetNextDlgGroupItem, IsRectEmpty, IntersectRect, SetRect, InvalidateRgn, CopyAcceleratorTableA, CharNextA, LoadCursorW, WindowFromPoint, ReleaseCapture, SetCapture, WaitMessage, CharUpperA, DestroyIcon, KillTimer, SetTimer, DeleteMenu, SystemParametersInfoA, CopyImage, GetSysColorBrush, RealChildWindowFromPoint, IsDialogMessageA, SetWindowTextA, CheckDlgButton, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, GetTopWindow, GetClassNameA, GetClassLongPtrA, GetClassLongA, SetWindowLongPtrA, GetWindowLongPtrA, SetWindowLongA, PtInRect, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthA, GetWindowTextA, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, CreatePopupMenu, SetScrollPos, ScrollWindow, RedrawWindow, SetForegroundWindow, GetForegroundWindow, UpdateWindow, TrackPopupMenu, SetMenu, GetMenu, GetCapture, SetFocus, GetDlgCtrlID, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowRgn, IsMenu, CreateWindowExA, GetClassInfoExA, RegisterClassA, CallWindowProcA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, OffsetRect, SetRectEmpty, SendDlgItemMessageA, FillRect, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, GetWindowDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, UnhookWindowsHookEx, RemoveMenu, SetParent, OpenClipboard, CloseClipboard, SendMessageA, IsIconic, EnableWindow, GetSystemMetrics, DrawIcon, AppendMenuA, InsertMenuA, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringA, CopyRect, MapVirtualKeyA, GetKeyNameTextA, MapDialogRect, GetWindow, SetWindowContextHelpId, SetWindowPos, GetLastActivePopup, GetWindowThreadProcessId, GetMenuDefaultItem, BringWindowToTop, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, InsertMenuItemA, LoadImageA, UnpackDDElParam, ReuseDDElParam, RegisterClipboardFormatA, DrawFocusRect, DrawIconEx, GetIconInfo, MessageBoxA, SetCursor, ShowOwnedPopups, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, SetLayeredWindowAttributes, EnumDisplayMonitors, GetScrollPos, SetClassLongPtrA, GetClientRect, UnregisterClassA, DefWindowProcA, GetClassInfoA, IsWindow, GetDC, ReleaseDC, InvalidateRect, GetWindowRect, GetSysColor, LoadCursorA, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoA, GetParent, LoadBitmapW, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetDlgItem, GetNextDlgTabItem, GetActiveWindow, IsWindowEnabled, SetActiveWindow, GetWindowLongA, GetDesktopWindow, GetMessageA, TranslateMessage, DispatchMessageA, PeekMessageA, IsWindowVisible, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExA, CallNextHookEx, PostMessageA, PostQuitMessage, SetClipboardData, EmptyClipboard, DrawStateA, DrawEdge, DrawFrameControl, IsZoomed, LoadMenuW, DestroyCursor, GetWindowRgn, CreateMenu, SubtractRect, TranslateMDISysAccel, DefMDIChildProcA, DefFrameProcA, DrawMenuBar, GetUpdateRect, IsClipboardFormatAvailable, CharUpperBuffA, ModifyMenuA, GetDoubleClickTime, SetMenuDefaultItem, LockWindowUpdate, DestroyAcceleratorTable, CreateAcceleratorTableA, LoadAcceleratorsW, ToAsciiEx, GetKeyboardState, MapVirtualKeyExA, IsCharLowerA, GetKeyboardLayout, GetComboBoxInfo, MonitorFromPoint, UpdateLayeredWindow, PostThreadMessageA, UnionRect, FrameRect, CopyIcon, SetCursorPos, IsChild, GetSystemMenu
GDI32.dll	GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextColor, SetTextAlign, GetObjectA, MoveToEx, TextOutA, ExtTextOutA, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateFontIndirectA, GetTextExtentPoint32A, GetTextMetricsA, GetClipBox, GetTextColor, GetRgnBox, CombineRgn, GetMapMode, SetRectRgn, DPtoLP, CreateCompatibleBitmap, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, CreateDIBitmap, EnumFontFamiliesA, GetTextCharsetInfo, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, EnumFontFamiliesExA, OffsetRgn, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, GetTextFaceA, ExcludeClipRect, Escape, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateCompatibleDC, BitBlt, GetDeviceCaps, CreateDCA, CopyMetaFileA, PatBlt, CreateRectRgnIndirect, CreateBitmap, GetBkColor, Rectangle
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	SystemFunction036, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, RegQueryValueA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
SHELL32.dll	SHBrowseForFolderA, SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetDesktopFolder, DragQueryFileA, SHAppBarMessage, ShellExecuteA, DragFinish
COMCTL32.dll	ImageList_Draw, ImageList_GetImageCount
SHLWAPI.dll	PathFindFileNameA, PathIsUNCA, PathStripToRootA, StrFormatKBSizeA, PathFindExtensionA, PathRemoveFileSpecW
UxTheme.dll	GetThemeSysColor, GetWindowTheme, IsAppThemed, GetThemePartSize, DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName, IsThemeBackgroundPartiallyTransparent
ole32.dll	CoGetClassObject, CoRevokeClassObject, OleFlushClipboard, OleIsCurrentClipboard, CoRegisterMessageFilter, DoDragDrop, OleGetClipboard, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, OleLockRunning, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CreateStreamOnHGlobal, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, CoInitializeEx, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, CoInitialize, CoCreateInstance, CoCreateGuid, CoUninitialize
OLEAUT32.dll	SysAllocString, SysStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, SafeArrayDestroy, LoadTypeLib, OleCreateFontIndirect, VariantCopy, VarBstrFromDate, VariantChangeType, VariantClear, SysAllocStringByteLen, VariantInit, SysAllocStringLen, SysFreeString
oledlg.dll
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundA
kernel32.dll	VirtualFree, LoadLibraryA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Portuguese	Brazil

Target ID:	6
Start time:	03:19:06
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\bfsvc.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\bfsvc.exe"
Imagebase:	0x140000000
File size:	2'789'712 bytes
MD5 hash:	60A339532F6A5290D435ACBD30CB1992
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	3
Total number of Limit Nodes:	0

Executed Functions

Function 00000001401AFA10 Relevance: 1.5, APIs: 1, Instructions: 45
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000001401A8DC5,?,?,?,?,?,?,00000001,?,00000000,00000000,?,00000001401A9145), ref: 00000001401B52BC

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 0c6015700f10203d47990b4f177d0c7227f3a8a0714919e4fd2070c064e0b4a0
Instruction ID: ea5043d2945b5a5c5d86a962bbe6931362609dd15833583eaed335c036de4542
Opcode Fuzzy Hash: 0c6015700f10203d47990b4f177d0c7227f3a8a0714919e4fd2070c064e0b4a0
Instruction Fuzzy Hash: 2F11ED7641EA40C1F277AB7794943FC69B0632DF40F74410BA30746AF98739C081B613

Non-executed Functions

Function 000000014015A6A0 Relevance: 83.1, APIs: 46, Strings: 1, Instructions: 850COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077A89
Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077AC1
Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077AF9
Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077B31
Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077B69
Part of subcall function 0000000140077A4C: OpenThemeData.UXTHEME(?,?,00000000,000000014006C59A,?,?,00000000,000000014006C5CA), ref: 0000000140077BA1

GetWindowTheme.UXTHEME ref: 000000014015A6F9
GetThemeSysColor.UXTHEME ref: 000000014015A810
GetSysColor.USER32 ref: 000000014015A81D
GetThemeSysColor.UXTHEME ref: 000000014015A858
GetSysColor.USER32 ref: 000000014015A862
GetThemeSysColor.UXTHEME ref: 000000014015A891
GetSysColor.USER32 ref: 000000014015A89B
GetThemeSysColor.UXTHEME ref: 000000014015A8D7
GetSysColor.USER32 ref: 000000014015A8E4
GetThemeSysColor.UXTHEME ref: 000000014015A92B
GetSysColor.USER32 ref: 000000014015A938
GetThemeSysColor.UXTHEME ref: 000000014015A975
GetSysColor.USER32 ref: 000000014015A982
GetThemeSysColor.UXTHEME ref: 000000014015A9B6
GetSysColor.USER32 ref: 000000014015A9C3
GetThemeSysColor.UXTHEME ref: 000000014015A9F9
GetSysColor.USER32 ref: 000000014015AA03
GetThemeSysColor.UXTHEME ref: 000000014015AA20
GetSysColor.USER32 ref: 000000014015AA2D
GetThemeSysColor.UXTHEME ref: 000000014015AA61
GetSysColor.USER32 ref: 000000014015AA6E
GetThemeSysColor.UXTHEME ref: 000000014015AAA4
GetSysColor.USER32 ref: 000000014015AAAE
GetThemeColor.UXTHEME ref: 000000014015AB46
GetThemeColor.UXTHEME ref: 000000014015AB65
GetThemeColor.UXTHEME ref: 000000014015AB84
GetThemeColor.UXTHEME ref: 000000014015AC2C
CreateSolidBrush.GDI32 ref: 000000014015AC52
GetThemeColor.UXTHEME ref: 000000014015ACAD
CreateSolidBrush.GDI32 ref: 000000014015AE93
CreateSolidBrush.GDI32 ref: 000000014015B044
CreateSolidBrush.GDI32 ref: 000000014015B0CE
CreateSolidBrush.GDI32 ref: 000000014015B0F4
CreatePen.GDI32 ref: 000000014015B11C
CreatePen.GDI32 ref: 000000014015B197
GetThemeColor.UXTHEME ref: 000000014015B1D9
GetThemeColor.UXTHEME ref: 000000014015B1FA
GetThemeColor.UXTHEME ref: 000000014015B21E
GetThemeColor.UXTHEME ref: 000000014015B23E
GetThemeColor.UXTHEME ref: 000000014015B264
GetThemeColor.UXTHEME ref: 000000014015B28D
GetThemeColor.UXTHEME ref: 000000014015B2B6
CreatePen.GDI32 ref: 000000014015B383
CreatePen.GDI32 ref: 000000014015B56B
CreatePen.GDI32 ref: 000000014015B08C

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Strings

]=, xrefs: 000000014015ABB0

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Color$Theme$Create$DataOpen$BrushSolid$ConditionMask$InfoMetricsSystemVerifyVersionWindow
String ID: ]=
API String ID: 496337575-3008166804
Opcode ID: 36a42bfc20767f5a5949a9b1e34ba2bb19fc34349a70d9db8ad0d374af5b1106
Instruction ID: 584f48896b693374354c5ca75ca53548dac7cfd5517a140cd7b36dd4215586a7
Opcode Fuzzy Hash: 36a42bfc20767f5a5949a9b1e34ba2bb19fc34349a70d9db8ad0d374af5b1106
Instruction Fuzzy Hash: 85926C753016909BE75AEF76E9487D973A5F74CB80F44462AAB1A877B1CF39D820CB00

Function 000000014013A1C4 Relevance: 50.0, APIs: 27, Strings: 1, Instructions: 969windowsleepCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014013A2EF
SendMessageA.USER32 ref: 000000014013A304
GetClientRect.USER32 ref: 000000014013A31A
InflateRect.USER32 ref: 000000014013A334
SetRectEmpty.USER32 ref: 000000014013A43F
SetRectEmpty.USER32 ref: 000000014013A44C
InflateRect.USER32 ref: 000000014013A470
SetRectEmpty.USER32 ref: 000000014013A509
SetRectEmpty.USER32 ref: 000000014013A51C
RedrawWindow.USER32 ref: 000000014013A7F8
RedrawWindow.USER32 ref: 000000014013A80D
GetParent.USER32 ref: 000000014013A817
RedrawWindow.USER32 ref: 000000014013A831
RedrawWindow.USER32 ref: 000000014013A873
GetParent.USER32 ref: 000000014013A9AD
GetClientRect.USER32 ref: 000000014013AAA4
GetWindowRect.USER32 ref: 000000014013AABF

Part of subcall function 00000001401383A8: GetParent.USER32 ref: 00000001401383B0

OffsetRect.USER32 ref: 000000014013AD79
FillRect.USER32 ref: 000000014013ADCB
OffsetRect.USER32 ref: 000000014013ADDC
Sleep.KERNEL32 ref: 000000014013ADE7
BringWindowToTop.USER32 ref: 000000014013AEAB
RedrawWindow.USER32 ref: 000000014013AEC0
BringWindowToTop.USER32 ref: 000000014013AF1F
GetParent.USER32 ref: 000000014013B044
RedrawWindow.USER32 ref: 000000014013B069
RedrawWindow.USER32 ref: 000000014013B09E

Strings

_, xrefs: 000000014013AE81

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Window$Redraw$EmptyParent$BringClientInflateMessageOffsetSend$FillSleep
String ID: _
API String ID: 1810678059-701932520
Opcode ID: 7196a433c6ea76524304dba66a288767f7af4b77700ce58a3b4b400b9e5f6185
Instruction ID: 693f7050a9d36fcd30b0e53a05b6e268123939a7e13e2ac19fb9cb0d084da6a6
Opcode Fuzzy Hash: 7196a433c6ea76524304dba66a288767f7af4b77700ce58a3b4b400b9e5f6185
Instruction Fuzzy Hash: AEA2AA32700A808BFB1ADF66D5947ED77A1F78CB88F44412ADB1A57BA4DB38D465CB00

Function 00000001400400EC Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 580
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetClassNameA.USER32 ref: 00000001400401B0
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400402D0

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

SendMessageA.USER32 ref: 0000000140040314
SendMessageA.USER32 ref: 000000014004032E
GetClassNameA.USER32 ref: 000000014004037E
SendMessageA.USER32 ref: 000000014004042D
SendMessageA.USER32 ref: 0000000140040451
IntersectRect.USER32 ref: 000000014004046C
SendMessageA.USER32 ref: 00000001400404A0
CreatePopupMenu.USER32 ref: 00000001400404DB
CreateCompatibleDC.GDI32 ref: 00000001400404F1
CopyRect.USER32 ref: 00000001400405F1
OffsetRect.USER32 ref: 000000014004061C
CreateCompatibleBitmap.GDI32 ref: 0000000140040650
GetSysColor.USER32 ref: 00000001400406B6
InsertMenuItemA.USER32 ref: 000000014004079D

Part of subcall function 0000000140031BF0: SetBkColor.GDI32 ref: 0000000140031C16
Part of subcall function 0000000140031BF0: ExtTextOutA.GDI32 ref: 0000000140031C41

Part of subcall function 0000000140043148: OutputDebugStringA.KERNEL32 ref: 0000000140043194
Part of subcall function 0000000140043148: ActivateActCtx.KERNEL32 ref: 00000001400431B9

CopyRect.USER32 ref: 00000001400407DA

Strings

ToolbarWindow32, xrefs: 0000000140040334, 00000001400403B9
ReBarWindow32, xrefs: 0000000140040165, 00000001400401E7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$Rect$Create$ClassColorCompatibleCopyHashMenuName$ActivateBitmapDebugImplImpl::InsertIntersectItemOffsetOutputPopupStringText
String ID: ReBarWindow32$ToolbarWindow32
API String ID: 4200770845-2283011909
Opcode ID: f1ec1a530d31e6d49d35ab38d4267d0ac6cc2ff3d5a8d52e1a77349328dfca7d
Instruction ID: af3b5d037ba77f3f1d5bff304295e1f85c26273473929589269746b36c7db709
Opcode Fuzzy Hash: f1ec1a530d31e6d49d35ab38d4267d0ac6cc2ff3d5a8d52e1a77349328dfca7d
Instruction Fuzzy Hash: 6E427976701A4086EB12EB26E8943DE77A1FB88BD8F014126EB5E57BBADF34C544C740

Function 000000014019E774 Relevance: 31.9, APIs: 20, Instructions: 1857COMMONLIBRARYCODE

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 000000014019EAEA
_invalid_parameter_noinfo.LIBCMT ref: 000000014019ED0D
_invalid_parameter_noinfo.LIBCMT ref: 000000014019F027
_invalid_parameter_noinfo.LIBCMT ref: 000000014019F23A
memcpy_s.LIBCMT ref: 000000014019F475
memcpy_s.LIBCMT ref: 000000014019F508
memcpy_s.LIBCMT ref: 000000014019F6BC
memcpy_s.LIBCMT ref: 000000014019F896
memcpy_s.LIBCMT ref: 000000014019F98B
memcpy_s.LIBCMT ref: 000000014019F9C3
memcpy_s.LIBCMT ref: 000000014019FA5A
memcpy_s.LIBCMT ref: 000000014019FB6B
memcpy_s.LIBCMT ref: 000000014019FC13
memcpy_s.LIBCMT ref: 000000014019FC59
memcpy_s.LIBCMT ref: 000000014019FE95
memcpy_s.LIBCMT ref: 000000014019FF04
memcpy_s.LIBCMT ref: 000000014019FF42
memcpy_s.LIBCMT ref: 000000014019FFEC
memcpy_s.LIBCMT ref: 00000001401A0210
memcpy_s.LIBCMT ref: 00000001401A0400

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: memcpy_s$_invalid_parameter_noinfo
String ID:
API String ID: 2880407647-0
Opcode ID: f8810956eb8acc48fce56f2be67b85d136ca45276c187f40e67b00757efa5c85
Instruction ID: 7f845a52945f05180379d9d56b58d034b89e05d40e97768c5a0a00d49988804f
Opcode Fuzzy Hash: f8810956eb8acc48fce56f2be67b85d136ca45276c187f40e67b00757efa5c85
Instruction Fuzzy Hash: B103A1726002C18BE776CE66D940BE937E5F39CB8CF541129DB066BBA9D734DA44CB40

Function 000000014009E3C0 Relevance: 31.8, APIs: 16, Strings: 2, Instructions: 330windowkeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014009E42A
GetKeyState.USER32 ref: 000000014009E43E
GetKeyState.USER32 ref: 000000014009E452
GetParent.USER32 ref: 000000014009E487
GetParent.USER32 ref: 000000014009E4E0
SendMessageA.USER32 ref: 000000014009E572
ScreenToClient.USER32 ref: 000000014009E5A2
GetCursorPos.USER32 ref: 000000014009E615
SendMessageA.USER32 ref: 000000014009E639
SendMessageA.USER32 ref: 000000014009E6CA
SendMessageA.USER32 ref: 000000014009E6F3
SendMessageA.USER32 ref: 000000014009E712
SetWindowPos.USER32 ref: 000000014009E736
SendMessageA.USER32 ref: 000000014009E74B
SendMessageA.USER32 ref: 000000014009E785
GetParent.USER32 ref: 000000014009E84A

Strings

@, xrefs: 000000014009E5B7
H, xrefs: 000000014009E57C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$ParentState$ClientCursorScreenWindow
String ID: @$H
API String ID: 1877249070-104103126
Opcode ID: 9f7822b0f65bd2c1016ad60894ea1fa889adc3cadacaebc5d432e044db08789e
Instruction ID: c9b1545d2775fc9dfefd616e4f388a48467402c2c9554309f10ee3454a6e4965
Opcode Fuzzy Hash: 9f7822b0f65bd2c1016ad60894ea1fa889adc3cadacaebc5d432e044db08789e
Instruction Fuzzy Hash: 46E19032700A9082FB669F66E8447EE67A1FB88BE4F044225EF5A077F5DF38C8518700

Function 00000001400A06F8 Relevance: 28.6, APIs: 15, Strings: 1, Instructions: 615windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A07A9
CreateCompatibleDC.GDI32 ref: 00000001400A07C2
CreateCompatibleBitmap.GDI32 ref: 00000001400A07F9
SelectObject.GDI32 ref: 00000001400A086B
BitBlt.GDI32 ref: 00000001400A08AE
OffsetRect.USER32 ref: 00000001400A08C5
InflateRect.USER32 ref: 00000001400A0F14

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

Part of subcall function 0000000140010E10: GetStockObject.GDI32 ref: 0000000140010E1F
Part of subcall function 0000000140010E10: SelectObject.GDI32 ref: 0000000140010E37
Part of subcall function 0000000140010E10: SelectObject.GDI32 ref: 0000000140010E49

Ellipse.GDI32 ref: 00000001400A0AA2
Ellipse.GDI32 ref: 00000001400A0AC3
Ellipse.GDI32 ref: 00000001400A0AE4
Rectangle.GDI32 ref: 00000001400A0B67
BitBlt.GDI32 ref: 00000001400A0F88
DeleteObject.GDI32 ref: 00000001400A0FAB

Strings

, xrefs: 00000001400A0F5A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object$Select$CreateEllipse$CompatibleHashRect$BitmapBrushDeleteImplImpl::InflateOffsetRectangleSolidStock
String ID:
API String ID: 3053867852-3916222277
Opcode ID: 188d7654dc8521aafe1c1d5cfe5c51620a0ddf0679b49d6b77f46af0856cc47a
Instruction ID: b4b56f718099b0902b2e6d70588895fc80a1a66bd0874c504da7fdd41073d29e
Opcode Fuzzy Hash: 188d7654dc8521aafe1c1d5cfe5c51620a0ddf0679b49d6b77f46af0856cc47a
Instruction Fuzzy Hash: EF42E432610A948AE712DF3AD4407AD77A4FB5D7D8F008316FF4AA7A64DB34D892CB40

Function 00000001400380F4 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140038132
GetDlgItem.USER32 ref: 000000014003816D
GetWindowRect.USER32 ref: 0000000140038185
MapDialogRect.USER32 ref: 00000001400381AC
SetWindowPos.USER32 ref: 00000001400381E6
GetDlgItem.USER32 ref: 00000001400381F8
GetWindowRect.USER32 ref: 000000014003820D
SetWindowPos.USER32 ref: 0000000140038241
GetWindowRect.USER32 ref: 000000014003825E
GetWindowRect.USER32 ref: 00000001400382CA
GetDlgItem.USER32 ref: 00000001400382E1
GetWindowRect.USER32 ref: 00000001400382F3
GetDlgItem.USER32 ref: 000000014003832E
ShowWindow.USER32 ref: 0000000140038341
EnableWindow.USER32 ref: 000000014003834C

Strings

, xrefs: 00000001400382AA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-3916222277
Opcode ID: d2959668741f030bc2650ab122a7f979d1a754ecaed5a266fbeeaaecbea18947
Instruction ID: fefeb67712eed8592489a16acf5041009f2038ebd924d60c1c97dd9ee9e1c726
Opcode Fuzzy Hash: d2959668741f030bc2650ab122a7f979d1a754ecaed5a266fbeeaaecbea18947
Instruction Fuzzy Hash: 75714E32B106508AFB16DF76E8947AE77B1FB8CB88F045124EE4A5BB68DF39D4418700

Function 00000001400D8088 Relevance: 27.5, APIs: 18, Instructions: 487windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400D8171
GetMenuItemCount.USER32 ref: 00000001400D82E1
AppendMenuA.USER32 ref: 00000001400D82FA
AppendMenuA.USER32 ref: 00000001400D8319
SendMessageA.USER32 ref: 00000001400D83B0
SendMessageA.USER32 ref: 00000001400D83EE
GetMenuItemCount.USER32 ref: 00000001400D8449
AppendMenuA.USER32 ref: 00000001400D8462
AppendMenuA.USER32 ref: 00000001400D8481
GetMenuItemCount.USER32 ref: 00000001400D84E6
AppendMenuA.USER32 ref: 00000001400D84FF
AppendMenuA.USER32 ref: 00000001400D851E
GetWindow.USER32 ref: 00000001400D85D7
AppendMenuA.USER32 ref: 00000001400D866A
AppendMenuA.USER32 ref: 00000001400D873C
GetMenuItemCount.USER32 ref: 00000001400D8798
AppendMenuA.USER32 ref: 00000001400D87B1
AppendMenuA.USER32 ref: 00000001400D87CB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow
String ID:
API String ID: 1330099508-0
Opcode ID: 0955cba78ca229a7665d94679b824e31b1ec93270c5e77939fed11cebdf983da
Instruction ID: f45d8fdd629357a463e78bcfa77575248bf134656ccbd68978182e2da89a1fa1
Opcode Fuzzy Hash: 0955cba78ca229a7665d94679b824e31b1ec93270c5e77939fed11cebdf983da
Instruction Fuzzy Hash: 24124B72700A4182EA66DB27E9543EE63A1FB89FD4F448125EF1A4BBB5DF38C542C710

Function 000000014010675C Relevance: 26.9, APIs: 17, Instructions: 1420COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401067A9
SetRectEmpty.USER32 ref: 00000001401067B6
SetRectEmpty.USER32 ref: 00000001401067C3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: b35dded53f313dc05a88d4c02ed6fc2445c4d45a10a2121c5c30bd9cfcab8b3d
Instruction ID: b87f1fd70d351762d148318ffe6656d1f8fcd7587d60ee193fff8265d464966f
Opcode Fuzzy Hash: b35dded53f313dc05a88d4c02ed6fc2445c4d45a10a2121c5c30bd9cfcab8b3d
Instruction Fuzzy Hash: CBE2AFB2B04680CBE766CF76E5407EEB7A1F388B88F105115DB9A53BA5DB38D594CB00

Function 00000001400D6210 Relevance: 25.7, APIs: 17, Instructions: 243windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 00000001400D6287
InvalidateRect.USER32 ref: 00000001400D629B
UpdateWindow.USER32 ref: 00000001400D62A5
GetMessageA.USER32 ref: 00000001400D62E9
DispatchMessageA.USER32 ref: 00000001400D62F7
PeekMessageA.USER32 ref: 00000001400D630E
GetCapture.USER32 ref: 00000001400D6318
SetCapture.USER32 ref: 00000001400D6327
GetCapture.USER32 ref: 00000001400D6335
GetWindowRect.USER32 ref: 00000001400D635F
SetCursorPos.USER32 ref: 00000001400D6385
GetCapture.USER32 ref: 00000001400D638B
GetMessageA.USER32 ref: 00000001400D63AE
DispatchMessageA.USER32 ref: 00000001400D63D6
ReleaseCapture.USER32 ref: 00000001400D6427
IsWindow.USER32 ref: 00000001400D6430
SendMessageA.USER32 ref: 00000001400D644D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
String ID:
API String ID: 4077352625-0
Opcode ID: ec7788f71b57861f9eef55850247e42570aeb73f9c07f92cd4ed52dfed0ac72e
Instruction ID: b856f2af7f1f6cec5c070ebc34f41f0452ad42e4d128a7e966039e928dfee85c
Opcode Fuzzy Hash: ec7788f71b57861f9eef55850247e42570aeb73f9c07f92cd4ed52dfed0ac72e
Instruction Fuzzy Hash: 1AA14971711A4086FB26AF77D8547ED27A1AB8CBC4F084425EF0A5BAB5EF38C546C350

Function 000000014001C178 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014001C1C0
MultiByteToWideChar.KERNEL32 ref: 000000014001C234
GlobalUnlock.KERNEL32 ref: 000000014001C30A

Strings

, xrefs: 000000014001C21C
System, xrefs: 000000014001C17F, 000000014001C383, 000000014001C39E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: $System
API String ID: 231414890-3632600494
Opcode ID: 7dabcc3e18e32fd565abb529dc4ed5deec53e6e8c96acc06af9c728f4fa57c5b
Instruction ID: a4f9702f887cbaa91b3bd3e0d7c7abb6c9c21272f21f9707fef31d8521dcf876
Opcode Fuzzy Hash: 7dabcc3e18e32fd565abb529dc4ed5deec53e6e8c96acc06af9c728f4fa57c5b
Instruction Fuzzy Hash: E881A13221069086EB2ADB63E8547EA73A0FB4CFD4F158625EF5A4B7A5DF39C905C700

Function 00000001400A6304 Relevance: 23.1, APIs: 10, Strings: 3, Instructions: 383windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400A6349
SetRectEmpty.USER32 ref: 00000001400A639A
MapWindowPoints.USER32 ref: 00000001400A63FB
MapWindowPoints.USER32 ref: 00000001400A6497
GetWindowRect.USER32 ref: 00000001400A64B9
BitBlt.GDI32 ref: 00000001400A64F7

Part of subcall function 00000001400A3604: UnionRect.USER32 ref: 00000001400A3693
Part of subcall function 00000001400A3604: EqualRect.USER32 ref: 00000001400A36A1
Part of subcall function 00000001400A3604: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A36C3
Part of subcall function 00000001400A3604: CreateCompatibleDC.GDI32 ref: 00000001400A36DA
Part of subcall function 00000001400A3604: CreateCompatibleBitmap.GDI32 ref: 00000001400A3711

OffsetRect.USER32 ref: 00000001400A65B2
InflateRect.USER32 ref: 00000001400A65FD
IsRectEmpty.USER32 ref: 00000001400A6708
IsRectEmpty.USER32 ref: 00000001400A6867

Strings

A, xrefs: 00000001400A656E
, xrefs: 00000001400A64D1
d, xrefs: 00000001400A6576

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EmptyWindow$CompatibleCreateHashPoints$BitmapClientEqualImplImpl::InflateOffsetUnion
String ID: $A$d
API String ID: 2947425956-3806085984
Opcode ID: 74d9c690253447ac2db783a117ea9ebe19df25713a3d7690bd5ae9a7824a46c6
Instruction ID: 1d7ff4c1840084f237ce36f448e27ea8179e961b27274bdd4c6cc4fd05044442
Opcode Fuzzy Hash: 74d9c690253447ac2db783a117ea9ebe19df25713a3d7690bd5ae9a7824a46c6
Instruction Fuzzy Hash: 85025C72A00A818AEB12DF76D4447DD73B5F799B88F05822AEF4957B68EF34C584CB40

Function 00000001401AE40C Relevance: 22.3, APIs: 8, Strings: 4, Instructions: 1310COMMON

Download Yara Rule

APIs

Part of subcall function 00000001401B0594: LoadLibraryA.KERNEL32 ref: 00000001401B4294

_invalid_parameter_noinfo.LIBCMT ref: 00000001401AEACE
memcpy_s.LIBCMT ref: 00000001401AF47B
memcpy_s.LIBCMT ref: 00000001401AF522

Part of subcall function 00000001401AF778: _invalid_parameter_noinfo.LIBCMT ref: 00000001401AF7AA

memcpy_s.LIBCMT ref: 00000001401AF5EB

Part of subcall function 000000014019B8E0: _invalid_parameter_noinfo.LIBCMT ref: 000000014019B905

Strings

1#SNAN, xrefs: 00000001401AF685
1#IND, xrefs: 00000001401AF666
1#INF, xrefs: 00000001401AF6C3
1#QNAN, xrefs: 00000001401AF6A4

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$LibraryLoad
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 1188078765-2761157908
Opcode ID: 2eb5e3c3092c973d4466623d8ba99e9c01fb93beb9ffc120cc0b8cf1a3825af6
Instruction ID: f3aad58998aacc2cec83dc2744c5667e06e6ff3f6345266a1e0d78b44f2dfe77
Opcode Fuzzy Hash: 2eb5e3c3092c973d4466623d8ba99e9c01fb93beb9ffc120cc0b8cf1a3825af6
Instruction Fuzzy Hash: 88B2D3726002818BEB66CEAAD580BEE37E5F39CB88F505119DB1657BA8D734C985CF40

Function 0000000140104874 Relevance: 21.6, APIs: 14, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff7e39ef1cfd8ea67438c1e8013cf291da4cfe959c2454b24ce547db79fa05b
Instruction ID: b8b6eec4c481ef3cf7aeb88451b1e67b4077f3c2383160e25a5ffeb3b8049523
Opcode Fuzzy Hash: 9ff7e39ef1cfd8ea67438c1e8013cf291da4cfe959c2454b24ce547db79fa05b
Instruction Fuzzy Hash: 315254B2701A8086EB5ADB67C5943ED23A1FB8DF84F188126CF9A57BA6DF35C455C300

Function 000000014008E858 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 767windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014008E8A5
OffsetRect.USER32 ref: 000000014008F1E8
InflateRect.USER32 ref: 000000014008F325
OffsetRect.USER32 ref: 000000014008F35E
IsRectEmpty.USER32 ref: 000000014008F3C3
SetRectEmpty.USER32 ref: 000000014008E91C

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

SendMessageA.USER32 ref: 000000014008E95C
GetTextExtentPoint32A.GDI32 ref: 000000014008EB05
OffsetRect.USER32 ref: 000000014008ECF3
SetRectEmpty.USER32 ref: 000000014008ED47

Strings

VUUU, xrefs: 000000014008EF19

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$Offset$ExceptionExtentInflateMessagePoint32SendTextThrow
String ID: VUUU
API String ID: 2130057593-2040033107
Opcode ID: bc1327213b30de33396231bb8c140939712d22c22d90bf79bec489bf67248f14
Instruction ID: 43a3fb0840e111406319e184a27f7ee33d6db16a6989635822cb64692a2aa51c
Opcode Fuzzy Hash: bc1327213b30de33396231bb8c140939712d22c22d90bf79bec489bf67248f14
Instruction Fuzzy Hash: 35727E73700681DBEB5ACF7AC5847EC73A5F348B85F004125EB19A76A5CB34EAA5CB40

Function 00000001401264F4 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 407windowCOMMON

Download Yara Rule

APIs

LoadMenuW.USER32 ref: 000000014012669C
IsMenu.USER32 ref: 0000000140126701
DestroyMenu.USER32 ref: 0000000140126721
LoadMenuW.USER32 ref: 000000014012675E
IsMenu.USER32 ref: 000000014012680B
DestroyMenu.USER32 ref: 000000014012682B
InvalidateRect.USER32 ref: 000000014012687B
UpdateWindow.USER32 ref: 0000000140126885

Part of subcall function 0000000140142A4C: SendMessageA.USER32 ref: 0000000140142A7D
Part of subcall function 0000000140142A4C: SendMessageA.USER32 ref: 0000000140142A99
Part of subcall function 0000000140142A4C: SendMessageA.USER32 ref: 0000000140142AB8

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

InvalidateRect.USER32 ref: 0000000140126B00
UpdateWindow.USER32 ref: 0000000140126B0A

Strings

MenuBar, xrefs: 0000000140126967

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$MessageSend$DestroyInvalidateLoadRectUpdateWindow$ExceptionThrow
String ID: MenuBar
API String ID: 804277600-731504628
Opcode ID: 05c5a445d491df3299e2a145a46c8128be6306f5315543e44c1f6cf087e648c3
Instruction ID: 7ce92a1967d554d4ad573217bb6da1c8f1737f778987f374748e35f8ce5a1ad9
Opcode Fuzzy Hash: 05c5a445d491df3299e2a145a46c8128be6306f5315543e44c1f6cf087e648c3
Instruction Fuzzy Hash: 49023AB6201B8181EB569F27E8547E923A1FB89FD4F08913AEF0A57BA5DF38C545C300

Function 00000001400481D8 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 395windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014019A840: _invalid_parameter_noinfo.LIBCMT ref: 000000014019A881

LoadIconA.USER32 ref: 00000001400485A0

Strings

MFCButton_ImageType, xrefs: 00000001400484AB
MFCButton_ImageOnRight, xrefs: 000000014004862B
MFCButton_CursorType, xrefs: 000000014004842E
MFCButton_ImageOnTop, xrefs: 0000000140048606
MFCButton_ImageID, xrefs: 0000000140048528
MFCButton_Tooltip, xrefs: 0000000140048353
TRUE, xrefs: 00000001400483D2
MFCButton_Autosize, xrefs: 00000001400482EE
MFCButton_Style, xrefs: 0000000140048284
MFCButton_FullTextTool, xrefs: 00000001400483AB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: IconLoad_invalid_parameter_noinfo
String ID: MFCButton_Autosize$MFCButton_CursorType$MFCButton_FullTextTool$MFCButton_ImageID$MFCButton_ImageOnRight$MFCButton_ImageOnTop$MFCButton_ImageType$MFCButton_Style$MFCButton_Tooltip$TRUE
API String ID: 4060274358-3825445498
Opcode ID: 84a2bcb86b30332bd573ead77533f412c30df4fe0616666644806cc0081e8131
Instruction ID: d462ce3384fe4644cb63f7d4454abd15e57d530b9b472fdcbfcf853240fdaa36
Opcode Fuzzy Hash: 84a2bcb86b30332bd573ead77533f412c30df4fe0616666644806cc0081e8131
Instruction Fuzzy Hash: 36F1BE72701A4286EB25AF7AC4503ED23A1EB89BD8F058536AF19A7BF5DF34C905C344

Function 000000014009035C Relevance: 18.6, APIs: 12, Instructions: 630windowCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140090564
InvalidateRect.USER32 ref: 00000001400906F3
UpdateWindow.USER32 ref: 00000001400906FD
SendMessageA.USER32 ref: 0000000140090746

Part of subcall function 00000001400088C8: FindResourceW.KERNEL32 ref: 0000000140008904
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 0000000140008951
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 000000014000899F

CreateSolidBrush.GDI32 ref: 0000000140090C11
LoadCursorW.USER32 ref: 0000000140090CC1

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

LoadCursorW.USER32 ref: 0000000140090D20

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ByteCharCursorLoadMultiWideWindow$BrushCreateExceptionFindInvalidateMessageRectRedrawResourceSendSolidThrowUpdate
String ID:
API String ID: 248893609-0
Opcode ID: e48fea5516f253a63b8a8341fc8072052e5f348626782cc986f949dc04649585
Instruction ID: ccee259ca3edc22d7b7cea8ef7cbf139b57001007bbdc2526ece554873a32bd1
Opcode Fuzzy Hash: e48fea5516f253a63b8a8341fc8072052e5f348626782cc986f949dc04649585
Instruction Fuzzy Hash: D852DE76301A408BEB2ADB26D554BED37A5F788BC8F444229EB1A477B1CF38D565CB00

Function 0000000140086488 Relevance: 18.3, APIs: 12, Instructions: 346windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140086533
GetCursorPos.USER32 ref: 0000000140086565
GetParent.USER32 ref: 00000001400865CB
ReleaseCapture.USER32 ref: 0000000140086746
GetParent.USER32 ref: 0000000140086758
SendMessageA.USER32 ref: 0000000140086775
GetWindowRect.USER32 ref: 00000001400867BB
SetParent.USER32 ref: 0000000140086878
GetParent.USER32 ref: 00000001400868E4
InvalidateRect.USER32 ref: 00000001400868FB
GetParent.USER32 ref: 0000000140086906
UpdateWindow.USER32 ref: 0000000140086918

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Parent$Rect$Window$CaptureCursorEmptyInvalidateMessageReleaseSendUpdate
String ID:
API String ID: 2800639987-0
Opcode ID: 425c4c51b30c27d15ecba3d9613b2283a024e41fed68820e87f52c7090a5a953
Instruction ID: 359915b1d2986295504e3aa914ffff437e0272924bcc6c59b61dbd6df5424049
Opcode Fuzzy Hash: 425c4c51b30c27d15ecba3d9613b2283a024e41fed68820e87f52c7090a5a953
Instruction Fuzzy Hash: 7BE16736700A4186EB16EB67D4987AD27A5FB8DFC8F468425EF0A477A0EF39C605C300

Function 0000000140062578 Relevance: 18.3, APIs: 12, Instructions: 314windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400625F1
GetCursorPos.USER32 ref: 000000014006261B
ClientToScreen.USER32 ref: 0000000140062634
ScreenToClient.USER32 ref: 0000000140062708
SendMessageA.USER32 ref: 0000000140062736
SendMessageA.USER32 ref: 0000000140062779
GetParent.USER32 ref: 0000000140062783
SetParent.USER32 ref: 000000014006279C
GetWindowRect.USER32 ref: 00000001400628B9
ClientToScreen.USER32 ref: 00000001400628D2
OffsetRect.USER32 ref: 0000000140062946
RedrawWindow.USER32 ref: 00000001400629B8

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientRectScreenWindow$MessageParentSend$CursorOffsetRedraw
String ID:
API String ID: 2611947581-0
Opcode ID: f1ca728b9b7be3b48c68b738e8068f3867148e192482268864006875b1294eaf
Instruction ID: 3c2a73423af4c40e9de08dbcb548f76717672122adfdd93e765fd4a4d6e7d47d
Opcode Fuzzy Hash: f1ca728b9b7be3b48c68b738e8068f3867148e192482268864006875b1294eaf
Instruction Fuzzy Hash: 30E11436710A4486EB559F6AD8947EC27B2F78CF89F088525EF0E57B68DF38C5488740

Function 00000001401168BC Relevance: 16.7, APIs: 11, Instructions: 211windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32(?,?,?,00000001400DE092), ref: 0000000140116900
IsChild.USER32(?,?,?,00000001400DE092), ref: 0000000140116933
SendMessageA.USER32 ref: 000000014011695D
IsChild.USER32(?,?,?,00000001400DE092), ref: 000000014011697A
SendMessageA.USER32 ref: 00000001401169A9
GetFocus.USER32(?,?,?,00000001400DE092), ref: 00000001401169E7
IsIconic.USER32 ref: 0000000140116A07
GetAsyncKeyState.USER32 ref: 0000000140116A98
GetAsyncKeyState.USER32 ref: 0000000140116AB7
GetAsyncKeyState.USER32 ref: 0000000140116ACA
IsWindowVisible.USER32 ref: 0000000140116B37

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: AsyncState$ChildFocusMessageSend$IconicVisibleWindow
String ID:
API String ID: 1788245744-0
Opcode ID: 3a200009013656cadad2b4690f51a65be167a9d46ead56041f3198ea09570ee6
Instruction ID: 7261e7ea93ac54fb6beca97e4dd5fcc506516fb263da0fd0f384590e336b62dc
Opcode Fuzzy Hash: 3a200009013656cadad2b4690f51a65be167a9d46ead56041f3198ea09570ee6
Instruction Fuzzy Hash: 0A814E71300A4586FBAA9B63E8547E963A1BB4CF85F0844259F4A4F7B1EF7ACC458310

Function 0000000140152868 Relevance: 15.6, APIs: 10, Instructions: 586COMMON

Download Yara Rule

APIs

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

CreateSolidBrush.GDI32 ref: 000000014015310F
CreateSolidBrush.GDI32 ref: 000000014015312A
CreateSolidBrush.GDI32 ref: 0000000140153145
CreateSolidBrush.GDI32 ref: 0000000140153160
CreateSolidBrush.GDI32 ref: 000000014015317B
CreateSolidBrush.GDI32 ref: 0000000140153196
CreateSolidBrush.GDI32 ref: 00000001401531AD
CreatePen.GDI32 ref: 00000001401531CE
CreateSolidBrush.GDI32 ref: 00000001401531E5
CreatePen.GDI32 ref: 000000014015321C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Create$BrushSolid$ConditionMask$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2676432164-0
Opcode ID: 58ffd7a5f094478e9bd45ff2ebd4fdf09c09f77fadba4623ab6ea6b9bcd99b02
Instruction ID: f8edf173d87a77c41fad9d92ee904dcc205c0081bc2427f6c57487c036237282
Opcode Fuzzy Hash: 58ffd7a5f094478e9bd45ff2ebd4fdf09c09f77fadba4623ab6ea6b9bcd99b02
Instruction Fuzzy Hash: 2442BD722002608BE71BDB36D8557E972E4B74D780F404A1AEB1A8BBF1DF79D951CB40

Function 0000000140054054 Relevance: 15.4, APIs: 10, Instructions: 378COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014005409B
FillRect.USER32 ref: 0000000140054172
FillRect.USER32 ref: 0000000140054291

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Fill$Empty
String ID:
API String ID: 11351758-0
Opcode ID: 01e8e24b9ef8966cbac478f06f3055b4ad757593e0042bc18232f97a81dafcde
Instruction ID: f689ec3001f7ccf5877b74f3eee6086367968789548b70b41b0fe486141ca389
Opcode Fuzzy Hash: 01e8e24b9ef8966cbac478f06f3055b4ad757593e0042bc18232f97a81dafcde
Instruction Fuzzy Hash: B1026A72710A908AEB16CF66D8403ED73B2F748B88F004626EF4A67BA4DF35D595C780

Function 0000000140142110 Relevance: 15.2, APIs: 10, Instructions: 189windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140142159
SendMessageA.USER32 ref: 0000000140142219
LoadMenuW.USER32 ref: 000000014014224F
SendMessageA.USER32 ref: 000000014014229E
LoadMenuW.USER32 ref: 000000014014231D
SendMessageA.USER32 ref: 0000000140142371
IsMenu.USER32 ref: 00000001401423E4
DestroyMenu.USER32 ref: 0000000140142406
InvalidateRect.USER32 ref: 000000014014241D
UpdateWindow.USER32 ref: 000000014014242E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MenuMessageSend$Load$DestroyInvalidateRectUpdateWindow
String ID:
API String ID: 1063757174-0
Opcode ID: f96ae0511038bf9f27f1623b3ed23e52b44ab304f884f09cb3e78bf6898026db
Instruction ID: 0dec8ff8cbeab9b31b05714dba5d7e3e5c72b616d82b0010de07285a427a79a0
Opcode Fuzzy Hash: f96ae0511038bf9f27f1623b3ed23e52b44ab304f884f09cb3e78bf6898026db
Instruction Fuzzy Hash: 4C913936301B8482EA599F66E8547E973A0FB89F90F458026DF1E47BB1DF38D4A5C340

Function 00000001400F6524 Relevance: 13.9, APIs: 9, Instructions: 380COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400F6565
CopyRect.USER32 ref: 00000001400F6577
GetCursorPos.USER32 ref: 00000001400F65EE
GetWindowRect.USER32 ref: 00000001400F6604
IsRectEmpty.USER32 ref: 00000001400F671C
CopyRect.USER32 ref: 00000001400F6742
CopyRect.USER32 ref: 00000001400F6791
GetWindowRect.USER32 ref: 00000001400F6946
SetRect.USER32 ref: 00000001400F69CF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Copy$EmptyWindow$Cursor
String ID:
API String ID: 32871445-0
Opcode ID: 3dec7274c178bc0e9714bd5ccbbeb0f0f69b693eddc75a01e1131625b1f70ba5
Instruction ID: ac47a5753a21de578bd643c6ebd684aa699dcf1add251f2c83b7c0886dcbb5b0
Opcode Fuzzy Hash: 3dec7274c178bc0e9714bd5ccbbeb0f0f69b693eddc75a01e1131625b1f70ba5
Instruction Fuzzy Hash: F0F1AB32700A418AFB2A9B77D5607EE67A1FB4DBC8F045529EF0A1BB65DF78C5468300

Function 000000014000E4E0 Relevance: 13.8, APIs: 9, Instructions: 251filecommemoryCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014000E577
CopyMetaFileA.GDI32 ref: 000000014000E586
GlobalUnlock.KERNEL32 ref: 000000014000E598
GlobalFree.KERNEL32 ref: 000000014000E5A1
GlobalUnlock.KERNEL32 ref: 000000014000E5A9
CoTaskMemAlloc.OLE32 ref: 000000014000E62C
memcpy_s.LIBCMT ref: 000000014000E64C
OleDuplicateData.OLE32 ref: 000000014000E6C7
CopyFileA.KERNEL32 ref: 000000014000E7DA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Global$CopyFileUnlock$AllocDataDuplicateFreeLockMetaTaskmemcpy_s
String ID:
API String ID: 547643586-0
Opcode ID: 794989b84f79112a7d3a4f4e8a43b261c62ee59bae2d1f823c383858ea7aa138
Instruction ID: 57e2f37087462e99caa7af8a8b4996a430ed603eee11b937accce0cdade90de9
Opcode Fuzzy Hash: 794989b84f79112a7d3a4f4e8a43b261c62ee59bae2d1f823c383858ea7aa138
Instruction Fuzzy Hash: 46A17EB2200A8182EB66DB2BE8957AD77A0F78DFD4F048526AB5A53BF4DF34C454C700

Function 0000000140080090 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

GetClientRect.USER32 ref: 00000001400B510F
GetWindowRect.USER32 ref: 00000001400B5129

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

OffsetRect.USER32 ref: 00000001400B514C

Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010641
Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010661

GetWindowRect.USER32 ref: 00000001400B51AD
GetRgnBox.GDI32 ref: 00000001400B51C8
OffsetRect.USER32 ref: 00000001400B51E2
CreateRectRgnIndirect.GDI32 ref: 00000001400B51FB

Part of subcall function 0000000140010C90: ExtSelectClipRgn.GDI32 ref: 0000000140010CC8
Part of subcall function 0000000140010C90: ExtSelectClipRgn.GDI32 ref: 0000000140010CE6

OffsetRgn.GDI32 ref: 00000001400B5246
OffsetRect.USER32 ref: 00000001400B526E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClipOffset$ClientWindow$ExcludeScreenSelect$CreateIndirect
String ID:
API String ID: 3873550030-0
Opcode ID: 3c70702c6c887ac58b0c70e8e38b9991217a56bde66dfffc83f42f786e2c3e00
Instruction ID: d91efae64722732532180b6a297a36e6849dee5596fa53c345100694aaec30ac
Opcode Fuzzy Hash: 3c70702c6c887ac58b0c70e8e38b9991217a56bde66dfffc83f42f786e2c3e00
Instruction Fuzzy Hash: A7913832B00A859AEB01DFB6D4807EC7371F789B8CF548212EB496BA68DF75C645C380

Function 00000001400525FC Relevance: 13.7, APIs: 9, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

Part of subcall function 0000000140057570: GetStockObject.GDI32 ref: 000000014005758E

GetTextMetricsA.GDI32 ref: 000000014005266C
GetClientRect.USER32 ref: 0000000140052695
GetStockObject.GDI32 ref: 00000001400526C6
SendMessageA.USER32 ref: 00000001400526E9
SendMessageA.USER32 ref: 000000014005275D
SendMessageA.USER32 ref: 000000014005278D
SelectObject.GDI32 ref: 00000001400527C4
GetSystemMetrics.USER32 ref: 000000014005282E
RedrawWindow.USER32 ref: 00000001400528D7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageObjectSend$MetricsStock$ClientRectRedrawSelectSystemTextWindow
String ID:
API String ID: 1942730005-0
Opcode ID: c85e34eb4ec949ee16153a8cfe484500787785a12f4e819e79cd3e4c20fc610b
Instruction ID: 084e0ee9ee87c335824ec2faee91c1ab858688bd309787b6489c17ebded04cfe
Opcode Fuzzy Hash: c85e34eb4ec949ee16153a8cfe484500787785a12f4e819e79cd3e4c20fc610b
Instruction Fuzzy Hash: E9916932700A808BE759CF3AD9847ED77A1F789B85F144125EB1947BA4DF39D865CB00

Function 0000000140066824 Relevance: 13.7, APIs: 9, Instructions: 180windowclipboardCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014006686C
CreateCompatibleDC.GDI32 ref: 0000000140066874
CreateCompatibleBitmap.GDI32 ref: 00000001400668A8
FillRect.USER32 ref: 0000000140066968
OpenClipboard.USER32 ref: 0000000140066A0F

Part of subcall function 000000014000F898: DeleteDC.GDI32 ref: 000000014000F8BF

Part of subcall function 000000014000F910: ReleaseDC.USER32 ref: 000000014000F939

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CompatibleCreateHash$BitmapClipboardDeleteFillImplImpl::OpenRectReleaseWindow
String ID:
API String ID: 260565351-0
Opcode ID: 45a28ba4ca3838d043fec543fc9d9dd7b18cd943c46c336a9c1fc6c9e726eac7
Instruction ID: 01c06553de76dd500b1c55a0e3b2ce7427d1e41de021adb5e15da1055f0c4100
Opcode Fuzzy Hash: 45a28ba4ca3838d043fec543fc9d9dd7b18cd943c46c336a9c1fc6c9e726eac7
Instruction Fuzzy Hash: 52819472214A8086E722EB72E8547EE73A5F7C9790F505526EB5E83AF6DF38C504CB00

Function 000000014011C638 Relevance: 12.9, APIs: 8, Instructions: 916COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014011C72E
GetTextExtentPoint32A.GDI32 ref: 000000014011C7A6
GetTextMetricsA.GDI32 ref: 000000014011C89E
OffsetRect.USER32 ref: 000000014011CECB
SetRectEmpty.USER32 ref: 000000014011D08F
SetRectEmpty.USER32 ref: 000000014011D0D1
GetTextColor.GDI32 ref: 000000014011D178
GetTextColor.GDI32 ref: 000000014011D195

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RectText$ColorEmpty$ExtentInflateMetricsOffsetPoint32
String ID:
API String ID: 1739790009-0
Opcode ID: d901b4c23c2fbde0aabd929514f812fa513cebbab6cdfb453705d2423105b41c
Instruction ID: bf5ec8eb5a5d547f77b12244c7aab81707973024fa93ef6a6605ab620224b803
Opcode Fuzzy Hash: d901b4c23c2fbde0aabd929514f812fa513cebbab6cdfb453705d2423105b41c
Instruction Fuzzy Hash: C592AF726246908BE729CF7AD4447DD37A5F74CB88F144226EF599BBA8DB34D844CB00

Function 000000014006C43C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014006C477
ActivateActCtx.KERNEL32 ref: 000000014006C49C
GetLastError.KERNEL32 ref: 000000014006C4EA
DeactivateActCtx.KERNEL32 ref: 000000014006C4FD
SetLastError.KERNEL32 ref: 000000014006C509

Strings

ImageList_GetImageCount, xrefs: 000000014006C4B9
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014006C470

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_GetImageCount$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3851965670
Opcode ID: 97e0d7f8edf44b2e4c63611b0179ac2b5170c15d837a78d860d9f00112b3efe5
Instruction ID: 292a002f544c7071a1172ea45cf9ca8d212b712621d19e9c48243e690df24f4c
Opcode Fuzzy Hash: 97e0d7f8edf44b2e4c63611b0179ac2b5170c15d837a78d860d9f00112b3efe5
Instruction Fuzzy Hash: DC213D32210B1186FB12DB67AC907BA67E5BB9CBD0F550829EF4E873B4DF78C8448240

Function 0000000140124158 Relevance: 12.3, APIs: 8, Instructions: 312windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001401241C9
SetRectEmpty.USER32 ref: 0000000140124220
OffsetRect.USER32 ref: 00000001401242BB
SetRectEmpty.USER32 ref: 000000014012430D

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

LoadMenuW.USER32 ref: 00000001401243F5
GetMenuItemCount.USER32 ref: 0000000140124422
GetMenuItemID.USER32 ref: 000000014012443B
GetSubMenu.USER32 ref: 00000001401244B7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MenuRect$EmptyItem$ClientCountExceptionLoadOffsetThrow
String ID:
API String ID: 3889270008-0
Opcode ID: 43422855921b0680951836a42c3cb398608fede1c3218585b457d4cdb8d7028d
Instruction ID: 6273f6daabc243467196f3f8bdca6d72f056a8eade08b5dc19f52e0c137a531a
Opcode Fuzzy Hash: 43422855921b0680951836a42c3cb398608fede1c3218585b457d4cdb8d7028d
Instruction Fuzzy Hash: EAD19A72701A5086FB1ADB67D8543ED27A0FB8CF98F044629EF5A67AA5DF34C485C340

Function 000000014001E3DC Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 62libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000000,0000000140009522), ref: 000000014001E415
GetProcAddress.KERNEL32(?,00000000,0000000140009522), ref: 000000014001E42A
EncodePointer.KERNEL32(?,00000000,0000000140009522), ref: 000000014001E436
DecodePointer.KERNEL32(00000000,?,00000000,0000000140009522), ref: 000000014001E445
GetLocaleInfoW.KERNEL32(?,00000000,0000000140009522), ref: 000000014001E496

Strings

GetLocaleInfoEx, xrefs: 000000014001E420
kernel32.dll, xrefs: 000000014001E40E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleInfoLocaleModuleProc
String ID: GetLocaleInfoEx$kernel32.dll
API String ID: 1461536855-1547310189
Opcode ID: 503f486ff0ffb33519f5e8d8cbf11f91cc188773c6c5e0cbdb0664c667ee99f1
Instruction ID: e0c3f2351615fab9b682299bcf8f5350fc3c3050ffc3bf0dc7451e62e0b7115d
Opcode Fuzzy Hash: 503f486ff0ffb33519f5e8d8cbf11f91cc188773c6c5e0cbdb0664c667ee99f1
Instruction Fuzzy Hash: B8217F34305B9087FA169B63B8847D967A0B79CFD0F444424EF0A0BB75DF3AC4428300

Function 00000001400B2758 Relevance: 12.3, APIs: 8, Instructions: 294windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400B287F
InflateRect.USER32 ref: 00000001400B28B8
GetTextColor.GDI32 ref: 00000001400B28C2
InflateRect.USER32 ref: 00000001400B299F
SendMessageA.USER32 ref: 00000001400B29D6
InflateRect.USER32 ref: 00000001400B2A3D
SendMessageA.USER32 ref: 00000001400B2AA1
SendMessageA.USER32 ref: 00000001400B2AE3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$InflateRect$ColorText
String ID:
API String ID: 3954612264-0
Opcode ID: b18d07ef269df0a3a41b45a935a0f7fc3e16aac544582a9bb72f5a95106ea682
Instruction ID: 2a1d9a42ccf2b60835cf2816ae3804356df2ecc99be73b5d5feba4f75975f26e
Opcode Fuzzy Hash: b18d07ef269df0a3a41b45a935a0f7fc3e16aac544582a9bb72f5a95106ea682
Instruction Fuzzy Hash: 9AE12A36610A508AE766DFA6D8847DD77B0F78CB88F004126EF4A97AB4DF78C845CB00

Function 000000014011609C Relevance: 12.1, APIs: 8, Instructions: 143windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001401160DB
ScreenToClient.USER32 ref: 00000001401161A4
IsIconic.USER32 ref: 00000001401161CF
GetSystemMetrics.USER32 ref: 00000001401161DC
PtInRect.USER32 ref: 0000000140116220

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

PtInRect.USER32 ref: 0000000140116243
GetSystemMetrics.USER32 ref: 000000014011625A
PtInRect.USER32 ref: 0000000140116276

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MetricsRectSystem$ConditionMask$ClientIconicInfoScreenVerifyVersionVisibleWindow
String ID:
API String ID: 2943403874-0
Opcode ID: f6e39b15388d36ab7284d4fee07fc81b4d96ac708facecbf4facbbcb9f2c880a
Instruction ID: b51a3c27467fe6a32a27ed1362f020bb3a890fe44f80f35eabe55e46e9e06324
Opcode Fuzzy Hash: f6e39b15388d36ab7284d4fee07fc81b4d96ac708facecbf4facbbcb9f2c880a
Instruction Fuzzy Hash: A3513B32610A518AEB9ACF66D8917ED37B0F78CF84F044526EF0A8BAA5DF35C845C740

Function 000000014002A6E8 Relevance: 10.8, APIs: 7, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014003005C: SysStringLen.OLEAUT32 ref: 0000000140030089
Part of subcall function 000000014003005C: CoGetClassObject.OLE32 ref: 00000001400300B2

CreateILockBytesOnHGlobal.OLE32 ref: 000000014002A90C
StgCreateDocfileOnILockBytes.OLE32 ref: 000000014002A930
GlobalAlloc.KERNEL32 ref: 000000014002A982
GlobalLock.KERNEL32 ref: 000000014002A993
GlobalUnlock.KERNEL32 ref: 000000014002A9B1
CreateILockBytesOnHGlobal.OLE32 ref: 000000014002A9D6
StgOpenStorageOnILockBytes.OLE32 ref: 000000014002AA02

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: GlobalLock$Bytes$Create$AllocClassDocfileObjectOpenStorageStringUnlock
String ID:
API String ID: 1740323717-0
Opcode ID: 7a65110a23c38d8bfe6bc063e4ffe508b3d450199f37bde86a4cb3e0dcf4e77d
Instruction ID: 475745bcb8c97eece5de9d81771ccedc6ccdf9cb05d225e28568d07c72da25c1
Opcode Fuzzy Hash: 7a65110a23c38d8bfe6bc063e4ffe508b3d450199f37bde86a4cb3e0dcf4e77d
Instruction Fuzzy Hash: 38C1E637700A4586EB16CB66D45439D23B1FB89F98F56412ADF0E9BBA4DF39C84AC340

Function 000000014012C33C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32 ref: 000000014012C369
IsWindow.USER32 ref: 000000014012C395
GetWindowRect.USER32 ref: 000000014012C3FC
CopyRect.USER32 ref: 000000014012C572
LockWindowUpdate.USER32 ref: 000000014012C5B1

Strings

6, xrefs: 000000014012C595

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$LockRectUpdate$Copy
String ID: 6
API String ID: 2992910783-498629140
Opcode ID: c76322e88924b4a6b529ba7461766417b93290688e112497a45b9bd2aaaa528e
Instruction ID: cfc95d3d66fc2e60152338ed25c138621c711d77f12e5f0a7a72364a72a9fd67
Opcode Fuzzy Hash: c76322e88924b4a6b529ba7461766417b93290688e112497a45b9bd2aaaa528e
Instruction Fuzzy Hash: 10815B767106808AEB55DF66D694BAE77A1F78CFC8F058029DF0A57B68DF38C5058B00

Function 00000001401742B8 Relevance: 10.7, APIs: 7, Instructions: 201COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 0000000140174319
CombineRgn.GDI32 ref: 0000000140174371
GetRgnBox.GDI32 ref: 0000000140174407
InflateRect.USER32 ref: 000000014017441F
CreatePolygonRgn.GDI32 ref: 0000000140174478
CombineRgn.GDI32 ref: 00000001401744A4
GetRgnBox.GDI32 ref: 00000001401744BC

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CombineCreateRect$InflatePolygon
String ID:
API String ID: 918227291-0
Opcode ID: 7373fd6b46c20240b373a15f32f13ec58b2c16d67c96f9adb1c7b4fec35f1ffa
Instruction ID: 9776c65117733d0510a3cd3ea46e553623fa194e85b9700c1a442a36716be0d2
Opcode Fuzzy Hash: 7373fd6b46c20240b373a15f32f13ec58b2c16d67c96f9adb1c7b4fec35f1ffa
Instruction Fuzzy Hash: ED919A72710A408AE712DF62D950BED37A6F78DB88F504125EF099BBA8DF38C515CB40

Function 00000001401427A8 Relevance: 10.6, APIs: 7, Instructions: 127windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014014281B
SendMessageA.USER32 ref: 000000014014285A
SendMessageA.USER32 ref: 000000014014289B
LoadIconW.USER32 ref: 00000001401428D8
LoadIconA.USER32 ref: 00000001401428ED
GetClassLongPtrA.USER32 ref: 0000000140142952
SendMessageA.USER32 ref: 0000000140142999

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$IconLoad$ClassLong
String ID:
API String ID: 489031586-0
Opcode ID: a5182fcdc2441d9e2d3937769920d46a52759f0c3418013a8fae2d97be3b5c84
Instruction ID: ff9cf7784c7d35249f109dfd8ee234c1073e2b66ba5470215da1d843732839d1
Opcode Fuzzy Hash: a5182fcdc2441d9e2d3937769920d46a52759f0c3418013a8fae2d97be3b5c84
Instruction Fuzzy Hash: DB516C35301A8192EB5ADB63E9907E963A1FB8DF84F884025DB1E47BB6DF38D491C301

Function 000000014007A2D8 Relevance: 9.6, APIs: 6, Instructions: 606COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014007A366

Part of subcall function 000000014005C57C: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
Part of subcall function 000000014005C57C: GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

GetClientRect.USER32 ref: 000000014007A439
SetRectEmpty.USER32 ref: 000000014007A83D
IntersectRect.USER32 ref: 000000014007A8BA
InflateRect.USER32 ref: 000000014007ABE6
IntersectRect.USER32 ref: 000000014007A874

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Client$ConditionHashIntersectMask$EmptyImplImpl::InflateInfoMetricsSystemVerifyVersion
String ID:
API String ID: 1165222285-0
Opcode ID: 71889c2c7c221e24337db717a967efa238687ca89698a5ac738ae071c7b1098c
Instruction ID: 3cb6e261637e0cb2a64ddf980aa9ab8bb4d4cb166f498e00729243c034750e26
Opcode Fuzzy Hash: 71889c2c7c221e24337db717a967efa238687ca89698a5ac738ae071c7b1098c
Instruction Fuzzy Hash: EC52C036214A5496EB16CB26D9447EE73A4FB8EBC4F408116EB4A57BB4DF7CC854CB00

Function 00000001400AE170 Relevance: 9.4, APIs: 6, Instructions: 366COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 00000001400AE2AB
Rectangle.GDI32 ref: 00000001400AE36F

Part of subcall function 00000001400AF790: DeleteObject.GDI32 ref: 00000001400AF7E8

InflateRect.USER32 ref: 00000001400AE3EC
Rectangle.GDI32 ref: 00000001400AE49D
OffsetRect.USER32 ref: 00000001400AE533
OffsetRect.USER32 ref: 00000001400AE6F2

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ConditionInflateMaskOffsetRectangle$DeleteInfoMetricsObjectSystemVerifyVersion
String ID:
API String ID: 2746137879-0
Opcode ID: b1acac4bf5b3e085eca56a7780bfbc7362d4cea06b589b4f06c96abbe4771a1b
Instruction ID: b74f232e35f635887f9c7a80d20418fa988c15f5a6e0eca8ed815f165f7d32bf
Opcode Fuzzy Hash: b1acac4bf5b3e085eca56a7780bfbc7362d4cea06b589b4f06c96abbe4771a1b
Instruction Fuzzy Hash: 61029E327106608AFB23DB63E8447DD33A5B79CB88F404616EF4A57AB5DF789984CB00

Function 00000001400E00A4 Relevance: 9.1, APIs: 6, Instructions: 145keyboardwindowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00000001400E00F8
GetAsyncKeyState.USER32 ref: 00000001400E0106
WindowFromPoint.USER32 ref: 00000001400E0148
ScreenToClient.USER32 ref: 00000001400E0193
SendMessageA.USER32 ref: 00000001400E01EE
ScreenToClient.USER32 ref: 00000001400E025B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientScreen$AsyncFromMessageMetricsPointSendStateSystemWindow
String ID:
API String ID: 1550688781-0
Opcode ID: d841e01153b05b6682ac1cd8805abe467111474449abbf417e40a80b490d1b42
Instruction ID: 0fc4f39412acd311e7cab3cb75f146460b082fff3b5384d68989fa6ce1b86742
Opcode Fuzzy Hash: d841e01153b05b6682ac1cd8805abe467111474449abbf417e40a80b490d1b42
Instruction Fuzzy Hash: 18510B36711A4586FF569B66D9583E827B0F78CBE4F104029EF4A6BBA4DF35C8858340

Function 0000000140146894 Relevance: 6.4, APIs: 4, Instructions: 351COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014015D0C3

Part of subcall function 0000000140147470: GetParent.USER32 ref: 000000014014756E
Part of subcall function 0000000140147470: PostMessageA.USER32 ref: 00000001401475AA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyMessageParentPostRect
String ID:
API String ID: 977790137-0
Opcode ID: 7b677f8e2534eb68b302e76478c6bda7cf881ca83ec41a8a8562d0a5bd7e13ec
Instruction ID: d137065f6c1d1246197d6603e1a80ae6cfc7802f6d0145886097b4f6271131ac
Opcode Fuzzy Hash: 7b677f8e2534eb68b302e76478c6bda7cf881ca83ec41a8a8562d0a5bd7e13ec
Instruction Fuzzy Hash: E6E17272600A8486EB66CF26D8857ED73A1F788F98F184236DF494B6B5DF39C486C701

Function 00000001400A8198 Relevance: 6.3, APIs: 4, Instructions: 287keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00000001400A82DB
GetClientRect.USER32 ref: 00000001400A8470
SetScrollPos.USER32 ref: 00000001400A855B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: AsyncClientRectScrollState
String ID:
API String ID: 1386077005-0
Opcode ID: 30ad183b2a2920bfb1e12f071c0e0d19359371925079fb690cc914d98b534557
Instruction ID: 8e4e157c7d1c771779f180b7b71d5556c2a608a25cc15e08c5edf83f38cb7b5c
Opcode Fuzzy Hash: 30ad183b2a2920bfb1e12f071c0e0d19359371925079fb690cc914d98b534557
Instruction Fuzzy Hash: 73B16F32A01A5586EB7A9B7685543FD63E1EB9DFC0F088235EF1A477A4DF34C9908B40

Function 00000001400A4464 Relevance: 6.3, APIs: 4, Instructions: 252COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00000001400A44B2
FillRect.USER32 ref: 00000001400A457E
FillRect.USER32 ref: 00000001400A4635

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: FillRect$BrushCreateSolid
String ID:
API String ID: 248659410-0
Opcode ID: f5f9964dea8b69d0cbfcbe78aeb31b221e26d0b76310af23ca6e47773580a7ad
Instruction ID: fe01d17434abfa09c75bea483d5fd87a912de9e9834109b026791cf72bde91a5
Opcode Fuzzy Hash: f5f9964dea8b69d0cbfcbe78aeb31b221e26d0b76310af23ca6e47773580a7ad
Instruction Fuzzy Hash: A8911672F106608AE709DF76C8513EC7BB4F798788F54921AEF069BA68DB34C581C740

Function 0000000140100148 Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140100225
OffsetRect.USER32 ref: 00000001401002D2
GetSysColor.USER32 ref: 00000001401002E6
InflateRect.USER32 ref: 00000001401003BF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Inflate$ColorOffset
String ID:
API String ID: 3313136937-0
Opcode ID: 358d2ed937ab11e9b5fb96a45945092f14578723671d6154c3d59fd99007f17e
Instruction ID: 90f9a3f32a4ca6958fd5d6e1b257c791591f2e41e7b3da01bb9737d7b845346b
Opcode Fuzzy Hash: 358d2ed937ab11e9b5fb96a45945092f14578723671d6154c3d59fd99007f17e
Instruction Fuzzy Hash: 8B817272B14A508AE752CB79D4547DD77B0F789B98F00422AEF4AA7BA4DF38C44AC740

Function 0000000140094878 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140094895
GetParent.USER32 ref: 00000001400948D5
GetDlgCtrlID.USER32 ref: 000000014009494F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Parent$Ctrl
String ID:
API String ID: 2540549881-0
Opcode ID: a319d7f4b4db70985af59fe4c4bef505b51f00bb8c7a9ad0ace6d2de394b5949
Instruction ID: 55374f3b56a8cecdbb59917fa5e67c9b359e1d4f2bfd3a18ca7bdf98e6d89f47
Opcode Fuzzy Hash: a319d7f4b4db70985af59fe4c4bef505b51f00bb8c7a9ad0ace6d2de394b5949
Instruction Fuzzy Hash: B531B631B11A8182FB569727E8507EE5290AB8DBD4F084534FF0A4BBB9EF39C4414340

Function 000000014019A694 Relevance: 6.1, APIs: 4, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualQuery.KERNEL32 ref: 000000014019A6E5
GetSystemInfo.KERNEL32 ref: 000000014019A6FC
VirtualAlloc.KERNEL32 ref: 000000014019A760
VirtualProtect.KERNEL32 ref: 000000014019A77A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Virtual$AllocInfoProtectQuerySystem
String ID:
API String ID: 3562403962-0
Opcode ID: 38f42db8a3ea81e136869f798ff5ade0744b221a5c06a6fca8f06558db0c80b9
Instruction ID: 996046e6bc1ff4301541ac4de53e45337601754ac3454221ac0a78e2ec0ffa28
Opcode Fuzzy Hash: 38f42db8a3ea81e136869f798ff5ade0744b221a5c06a6fca8f06558db0c80b9
Instruction Fuzzy Hash: 0C314F36310A818AEB25CF76D8957D933E4F74CB88F8840269B0A8BB54EF39D659C740

Function 0000000140014264 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142A1
LoadResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142B2
LockResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142C3
FreeResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142E6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 93596d37b60206399b307c3bf7d745f2afb2e06937d13262f44832a26f65bd79
Instruction ID: b33a70c6116f2cfd5668806adb93cbf4799a3ded3be66a2513baeaf937ccea57
Opcode Fuzzy Hash: 93596d37b60206399b307c3bf7d745f2afb2e06937d13262f44832a26f65bd79
Instruction Fuzzy Hash: 5C116935311F8185EF5AAF97A944399A6E4AB8DFD0F4C4025EF0A4BB79DE39C8818700

Function 00000001401606C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

UUUU, xrefs: 0000000140160B5F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: f5bd7f21f511667d4a926301e5e1a60b03735a2fdb4d8cb1d9577e1c63539498
Instruction ID: 4a2226d66e9d8a0b942fc86394febb1441506d72d2a750bfcc4e3a7f2ddc4bd3
Opcode Fuzzy Hash: f5bd7f21f511667d4a926301e5e1a60b03735a2fdb4d8cb1d9577e1c63539498
Instruction Fuzzy Hash: B6918B76A106548AFB56CF66CC447EE37B1B348B98F11891ADF1E57AA8DB30D881C740

Function 00000001401A05F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMONLIBRARYCODE

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00000001401A067B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 5f74570c7e06965f6a33a9577543d7e73e180dd4273b264fce28b5b44df58a71
Instruction ID: 888d341c0877e2af2c0d7dc9aa12b5f890d4eba1cf9727885f261c7797bd1f1e
Opcode Fuzzy Hash: 5f74570c7e06965f6a33a9577543d7e73e180dd4273b264fce28b5b44df58a71
Instruction Fuzzy Hash: 56D1DF3271468487EB76CF16E1887AAB7E1F388B88F148124CB8A57B54D73CE985CF00

Function 00000001401007D8 Relevance: 4.8, APIs: 3, Instructions: 286windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400FA7B8: GetParent.USER32 ref: 00000001400FA7CF
Part of subcall function 00000001400FA7B8: SendMessageA.USER32 ref: 00000001400FA805

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

SetRectEmpty.USER32 ref: 0000000140100A5E

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

GetParent.USER32 ref: 0000000140100B75
SendMessageA.USER32 ref: 0000000140100B9F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientMessageParentScreenSend$EmptyExceptionRectThrow
String ID:
API String ID: 3589519406-0
Opcode ID: cf71db9798a3924bac1219ee8b9e4e9d40a36ceec34b1dd752730ec0b70ceb54
Instruction ID: 2373cbb418405145bc69290961272395e326051fdbb444ce90f7a3675eddd56e
Opcode Fuzzy Hash: cf71db9798a3924bac1219ee8b9e4e9d40a36ceec34b1dd752730ec0b70ceb54
Instruction Fuzzy Hash: 78C135B6701A808AEB56DF27D4547ED33A0FB49F88F089525AF4A1BBA5DF38C944C740

Function 00000001400DA2EC Relevance: 4.8, APIs: 3, Instructions: 265keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00000001400DA31C
GetWindowRect.USER32 ref: 00000001400DA381
GetCursorPos.USER32 ref: 00000001400DA3DF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CursorRectStateWindow
String ID:
API String ID: 3412758350-0
Opcode ID: c65e5dc50a443a174f98d57b616fba6baa4712403afa21a200cf364f57026a3e
Instruction ID: 63b3354d3b618bfaad72e8ea6e109ab4c389fadfa3b5fa20ec9b07d353e87bf3
Opcode Fuzzy Hash: c65e5dc50a443a174f98d57b616fba6baa4712403afa21a200cf364f57026a3e
Instruction Fuzzy Hash: 57B17B36700B418AEB5ADB6794847ED6BA0BB8DBD8F084421EF0A577A5EF38C455C720

Function 000000014016E7C4 Relevance: 4.7, APIs: 3, Instructions: 168COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014016E82A
GetWindowRect.USER32 ref: 000000014016E85F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EmptyWindow
String ID:
API String ID: 1559801663-0
Opcode ID: acb10852541f36d9afd8102a014b614daeb13a097de44081b470fce635229fd6
Instruction ID: d9a90d38b4fb7d96385774a5728e0e992a45c91e4b74919950ada06b465930ab
Opcode Fuzzy Hash: acb10852541f36d9afd8102a014b614daeb13a097de44081b470fce635229fd6
Instruction Fuzzy Hash: 6D618873710A8086EB11DBA6E8947ED63B1FB89B88F509A25EF4D1BB68DF34C105C340

Function 00000001400968DC Relevance: 4.7, APIs: 3, Instructions: 151windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140096936
SendMessageA.USER32 ref: 0000000140096959
GetClientRect.USER32 ref: 0000000140096996

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientMessageParentRectSend
String ID:
API String ID: 608431981-0
Opcode ID: beec588f5012458b4a4e013124ad8285c1ca3ca18136d10bcd964b4d9d2387da
Instruction ID: 36e47eb3b58c649040b253caef2a6ddadcfde7817cfa778b570f557867dc4b10
Opcode Fuzzy Hash: beec588f5012458b4a4e013124ad8285c1ca3ca18136d10bcd964b4d9d2387da
Instruction Fuzzy Hash: 35613632B106518AEB11EFB69450BDD37B5F78CBC8F544125EE4A2BA68DB34C515CB80

Function 00000001400D4340 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00000001400D470A

Strings

DUMMY, xrefs: 00000001400D44F2

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientScreen
String ID: DUMMY
API String ID: 3917795285-3097505935
Opcode ID: f4c1c71ea7761968e95d3d7b434389cf72146e7b598ab07c93dc6ce1c3d8e7ee
Instruction ID: 44e4ef64b67e2f18db7f272c15841dacf8b17cc24fa4e3964c103fb125def24c
Opcode Fuzzy Hash: f4c1c71ea7761968e95d3d7b434389cf72146e7b598ab07c93dc6ce1c3d8e7ee
Instruction Fuzzy Hash: 05D15B76305A8082EB26DB26E4543EE73A0FB89BE4F444225EB5E47BE5DF78C545C700

Function 00000001400821FC Relevance: 3.1, APIs: 2, Instructions: 96COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140082356

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: d142978e9b3eca97e7a85562d3bfdb626e7b8c1c649461191b900d71febe593f
Instruction ID: 2c865e733adf60653ea7d91596effc69c99c2101b6273bd72539c61ae4419853
Opcode Fuzzy Hash: d142978e9b3eca97e7a85562d3bfdb626e7b8c1c649461191b900d71febe593f
Instruction Fuzzy Hash: 79415B77714A4086E754CB26E2947AEB7A1F78DFD4F148121EF4903B68CF39C5558B00

Function 000000014013C2B0 Relevance: 1.9, APIs: 1, Instructions: 425COMMON

Download Yara Rule

APIs

OffsetRect.USER32 ref: 000000014013C313

Part of subcall function 0000000140068560: IsRectEmpty.USER32 ref: 000000014006859C
Part of subcall function 0000000140068560: IsRectEmpty.USER32 ref: 00000001400685D6
Part of subcall function 0000000140068560: IntersectRect.USER32 ref: 0000000140068659
Part of subcall function 0000000140068560: IntersectRect.USER32 ref: 0000000140068702

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EmptyIntersect$Offset
String ID:
API String ID: 836864506-0
Opcode ID: 97e900fc6574415598a4b3539e8609bbf49de5d7416bfb6cfd07edd2f9da474a
Instruction ID: 1786d1b2df407845115a2e66ba9a565e87e2928bdb74c7fb9ea35594a7268b7f
Opcode Fuzzy Hash: 97e900fc6574415598a4b3539e8609bbf49de5d7416bfb6cfd07edd2f9da474a
Instruction Fuzzy Hash: E02234B3F186908EF711CFB9D0407ED7BB1A35875CF10522AEE49A6B58DB34954ACB40

Function 0000000140162420 Relevance: 1.6, APIs: 1, Instructions: 127COMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 00000001401625F4

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RedrawWindow
String ID:
API String ID: 2219533335-0
Opcode ID: e55dfdb04220195f91dc6d7ced6095564d3bf8bbce5465da4aa6ca6f54bb462c
Instruction ID: 466860a1a33606d182123fede4413482f00ab4067c30c7deb784b95cc5221aea
Opcode Fuzzy Hash: e55dfdb04220195f91dc6d7ced6095564d3bf8bbce5465da4aa6ca6f54bb462c
Instruction Fuzzy Hash: 82517BBA310A9486EB55DB1BD8A87EA33A4F789F9CF154921CF5D077A1CF35C4418700

Function 00000001401745E4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 000000014017466A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbb74db56036cbbfaf091470ef6f3f57234a45fbb8891ea4fe7e16ae191821e
Instruction ID: 365799995b075a53de47d41a55fd55710138137240b465cb4f0df80c806da757
Opcode Fuzzy Hash: 8fbb74db56036cbbfaf091470ef6f3f57234a45fbb8891ea4fe7e16ae191821e
Instruction Fuzzy Hash: DB41713261468087EB62DF26E9457DE77A0F78DB88F544126EF494BAA9CF79C844CB00

Function 00000001400D2868 Relevance: 1.6, APIs: 1, Instructions: 69windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400D2920

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 571941b75d284c0e3a1b0bbad0209c51c275d66463705e34800227981e4bdc87
Instruction ID: ef79b013cb5d424262e73ca3b7b825dbbaa69c078e93859ae171811298a54cad
Opcode Fuzzy Hash: 571941b75d284c0e3a1b0bbad0209c51c275d66463705e34800227981e4bdc87
Instruction Fuzzy Hash: EE21D172B1864046F7169A23B9117EA6251EBDABD4F484214FB990BEA6CF3CC1038B10

Function 000000014019844C Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140198603

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 85ca403b8fb1d4519de06e84c7f6a2474a897abe6fb6ccc5e012c71c573c8d6a
Instruction ID: 76314936d5f29107022717314254fda495c6163246521f4bb3c3d473f4c5a9d2
Opcode Fuzzy Hash: 85ca403b8fb1d4519de06e84c7f6a2474a897abe6fb6ccc5e012c71c573c8d6a
Instruction Fuzzy Hash: 6381D27231024086FBAA9A2B91407EE23E0F74DF48F555516EF029B6FAC735C94ADF41

Function 00000001401981D0 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 000000014019836A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 420153ed87f0689d2848d7703e65061c32730aeada706f67dc26f51aa38d2801
Instruction ID: 1a02935a022a19bad6d28762aebb10cc47c0ed1a508da647a1f45c417330eace
Opcode Fuzzy Hash: 420153ed87f0689d2848d7703e65061c32730aeada706f67dc26f51aa38d2801
Instruction Fuzzy Hash: F1712331214A8046FBBB8B2B90403EE6791B74AF48F681616DF05DBBFAC635C946CF45

Function 000000014009A1F8 Relevance: .4, Instructions: 412COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: _mbsinc$_invalid_parameter_noinfo
String ID:
API String ID: 176019313-0
Opcode ID: 46a0c5bbc1499da4b503e82397ad3424a487ed0478343973716350131aa24b43
Instruction ID: b7108b5d8bb4c637fbaa70f1e3ee02463dd877941e0d4170e20f3d16cfe42eef
Opcode Fuzzy Hash: 46a0c5bbc1499da4b503e82397ad3424a487ed0478343973716350131aa24b43
Instruction Fuzzy Hash: 80027D72B11A459AFB05EB7AC4517DD23B1FB497A8F404226AB1D93AF9DF38C905C380

Function 00000001401768D4 Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ExceptionThrow
String ID:
API String ID: 432778473-0
Opcode ID: 632969b1eacb5b53dc440b4a1e59b619052cecfae53ec17c52bbff69ce096518
Instruction ID: c5fd70a0748097bb4da8d300c73ca120dfd994b317ff1e59d28f7f536032bac2
Opcode Fuzzy Hash: 632969b1eacb5b53dc440b4a1e59b619052cecfae53ec17c52bbff69ce096518
Instruction Fuzzy Hash: 31710132704B94CAEA9AAF66E1913D967A0F74CFC4F188436DB5D43B65DF74D4A28300

Function 000000014007C650 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71dc8f7122e4d8c589db71f1311524bae4952f7341f41edebdf08342b2e4084a
Instruction ID: 29989a7bd7593131c0cc83ec21945473d6f6f77f442c633b9395cd789b5dc781
Opcode Fuzzy Hash: 71dc8f7122e4d8c589db71f1311524bae4952f7341f41edebdf08342b2e4084a
Instruction Fuzzy Hash: 8071F135320211A2F762CB2B9890FDA23A5FB9D7C4F54951DAF0D839E5EB39D414CB40

Function 000000014005E090 Relevance: 63.3, APIs: 42, Instructions: 315
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32 ref: 000000014005E0B1
GetSysColor.USER32 ref: 000000014005E0C8
GetSysColor.USER32 ref: 000000014005E0E3
GetSysColor.USER32 ref: 000000014005E0EF
GetDeviceCaps.GDI32 ref: 000000014005E11F
GetSysColor.USER32 ref: 000000014005E12D
GetSysColor.USER32 ref: 000000014005E140
GetSysColor.USER32 ref: 000000014005E14F
GetSysColor.USER32 ref: 000000014005E15E
GetSysColor.USER32 ref: 000000014005E16D
GetSysColor.USER32 ref: 000000014005E17C
GetSysColor.USER32 ref: 000000014005E18B
GetSysColor.USER32 ref: 000000014005E197
GetSysColor.USER32 ref: 000000014005E1A3
GetSysColor.USER32 ref: 000000014005E1AF
GetSysColor.USER32 ref: 000000014005E1BB
GetSysColor.USER32 ref: 000000014005E1CA
GetSysColor.USER32 ref: 000000014005E1D6
GetSysColor.USER32 ref: 000000014005E1E5
GetSysColor.USER32 ref: 000000014005E1F4
GetSysColor.USER32 ref: 000000014005E203
GetSysColor.USER32 ref: 000000014005E212
GetSysColor.USER32 ref: 000000014005E221
GetSysColor.USER32 ref: 000000014005E230
GetSysColor.USER32 ref: 000000014005E23F
GetSysColor.USER32 ref: 000000014005E24E
GetSysColor.USER32 ref: 000000014005E273
GetSysColorBrush.USER32 ref: 000000014005E28C
GetSysColorBrush.USER32 ref: 000000014005E2AD
GetSysColorBrush.USER32 ref: 000000014005E2CE
CreateSolidBrush.GDI32 ref: 000000014005E2FC
CreateSolidBrush.GDI32 ref: 000000014005E31F
CreateSolidBrush.GDI32 ref: 000000014005E345
CreateSolidBrush.GDI32 ref: 000000014005E36B
CreateSolidBrush.GDI32 ref: 000000014005E38E
CreateSolidBrush.GDI32 ref: 000000014005E3B1
CreateSolidBrush.GDI32 ref: 000000014005E3D4
CreatePen.GDI32 ref: 000000014005E3FF
CreatePen.GDI32 ref: 000000014005E42A
CreatePen.GDI32 ref: 000000014005E455
CreateSolidBrush.GDI32 ref: 000000014005E4DF
CreatePatternBrush.GDI32 ref: 000000014005E535

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Color$BrushCreate$Solid$CapsDevicePattern
String ID:
API String ID: 3066057030-0
Opcode ID: 39f5fb73c64a481fc174ffd1f3ea85a679f85d5bd3239221a493f90ec9cab56c
Instruction ID: b78d731a2916c52ef46e35a34c9513bddc8a1c0b9658a0b322cf95da61f1a4a1
Opcode Fuzzy Hash: 39f5fb73c64a481fc174ffd1f3ea85a679f85d5bd3239221a493f90ec9cab56c
Instruction Fuzzy Hash: D2E12B76600A8097E74ADF32E9943ED73B1F748B91F084139AB5A8B6B5DF39D464CB00

Function 0000000140066264 Relevance: 44.0, APIs: 24, Strings: 1, Instructions: 248
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CopyImage.USER32 ref: 00000001400662E3
GetObjectA.GDI32 ref: 0000000140066324
DeleteObject.GDI32 ref: 0000000140066378
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140066393
CreateCompatibleDC.GDI32 ref: 000000014006639B
GetObjectA.GDI32 ref: 00000001400663B8
GetObjectA.GDI32 ref: 00000001400663F1
SelectObject.GDI32 ref: 0000000140066410
CreateCompatibleBitmap.GDI32 ref: 0000000140066464

Strings

, xrefs: 000000014006654E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object$CompatibleCreateHash$BitmapCopyDeleteImageImplImpl::Select
String ID:
API String ID: 3263576654-3916222277
Opcode ID: e1319d896c913b83331d85ad1326d0a30acdd0c005fff7db55b6fa0e0bad089d
Instruction ID: bba5b80a1533580037a261be909322ae0854477a67e8d175068441500e3cc9f5
Opcode Fuzzy Hash: e1319d896c913b83331d85ad1326d0a30acdd0c005fff7db55b6fa0e0bad089d
Instruction Fuzzy Hash: 7FB14872304A908AEB169F62E8543EDB7B1F788BD4F144525EB4E5BAB8DF38C455CB00

Function 000000014003017C Relevance: 31.9, APIs: 21, Instructions: 387
windowkeyboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFocus.USER32 ref: 00000001400301C2
GetParent.USER32 ref: 0000000140030215
GetParent.USER32 ref: 000000014003022C
GetKeyState.USER32 ref: 000000014003031F
SendMessageA.USER32 ref: 000000014003035A
SendMessageA.USER32 ref: 00000001400303ED
SendMessageA.USER32 ref: 0000000140030469
GetNextDlgGroupItem.USER32 ref: 00000001400304EE
GetWindowLongA.USER32 ref: 0000000140030530
SendMessageA.USER32 ref: 0000000140030547
SendMessageA.USER32 ref: 000000014003055E
MessageBeep.USER32 ref: 0000000140030670

Part of subcall function 00000001400310C8: SendMessageA.USER32 ref: 00000001400310DB

IsDialogMessageA.USER32 ref: 00000001400306CE
GetFocus.USER32 ref: 00000001400306DA
GetFocus.USER32 ref: 00000001400306ED
IsWindow.USER32 ref: 000000014003070C
GetFocus.USER32 ref: 0000000140030716
IsWindow.USER32 ref: 0000000140030734
GetFocus.USER32 ref: 000000014003073E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Send$Focus$Window$Parent$BeepDialogGroupItemLongNextState
String ID:
API String ID: 1817911776-0
Opcode ID: 625de83f6688d15abd8b48718fb96f92a8f03805cb65430f02063b3d936153f3
Instruction ID: d608c971f5de22f1e14da5992ad17e3e9a0d7e8fb008115e89eeeb61e57fcdf9
Opcode Fuzzy Hash: 625de83f6688d15abd8b48718fb96f92a8f03805cb65430f02063b3d936153f3
Instruction Fuzzy Hash: 13F16A71206B4082FE6B9B5395A47EB67A1AB8CFC4F144529FF4A4B7B5DF79C8418300

Function 00000001400184D8 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 000000014001854A

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

GetClassLongA.USER32 ref: 0000000140018592
GlobalGetAtomNameA.KERNEL32 ref: 00000001400185C9
CompareStringA.KERNEL32 ref: 00000001400185F3
SetWindowLongPtrA.USER32 ref: 000000014001864E
GetClassNameA.USER32 ref: 00000001400186C1

Part of subcall function 000000014019A840: _invalid_parameter_noinfo.LIBCMT ref: 000000014019A881

GetClassLongPtrA.USER32 ref: 00000001400186F3
GetWindowLongPtrA.USER32 ref: 000000014001870A
GetPropA.USER32 ref: 0000000140018725
SetPropA.USER32 ref: 0000000140018739
GetPropA.USER32 ref: 0000000140018745
GlobalAddAtomA.KERNEL32 ref: 0000000140018753
SetWindowLongPtrA.USER32 ref: 0000000140018768

Part of subcall function 0000000140019E80: OutputDebugStringA.KERNEL32 ref: 0000000140019EBA
Part of subcall function 0000000140019E80: ActivateActCtx.KERNEL32 ref: 0000000140019EDF

CallNextHookEx.USER32 ref: 000000014001877D
UnhookWindowsHookEx.USER32 ref: 000000014001878F

Strings

AfxOldWndProc423, xrefs: 0000000140018718
ime, xrefs: 00000001400185E0
#32768, xrefs: 0000000140018696, 00000001400186D3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNextString$ActivateCompareDebugExceptionOutputThrowUnhookWindows_invalid_parameter_noinfo
String ID: #32768$AfxOldWndProc423$ime
API String ID: 2071670248-4034971020
Opcode ID: f0e851516c2f30be1635978cda98bfe21fe0380db4e9bf1f001879d340fa3e28
Instruction ID: 191d4ff228a53118fc77ec4e012e97623c85d388d390fa9037096af708ffdb28
Opcode Fuzzy Hash: f0e851516c2f30be1635978cda98bfe21fe0380db4e9bf1f001879d340fa3e28
Instruction Fuzzy Hash: 05716E72204A8186FA269B27E8547DA33A1BB8DFD0F644625EF5A0B7F5DF39C945C300

Function 00000001401628AC Relevance: 30.1, APIs: 20, Instructions: 133windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001401628C5
GetSystemMenu.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 00000001401628EB
SetMenuDefaultItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 000000014016291A
GetParent.USER32 ref: 0000000140162924
IsZoomed.USER32 ref: 0000000140162936
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 000000014016294F
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 0000000140162964
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 0000000140162979
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 000000014016298B
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 000000014016299D
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 00000001401629AF
EnableMenuItem.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 00000001401629C1
GetParent.USER32 ref: 00000001401629CB
DeleteMenu.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 00000001401629F3
DeleteMenu.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 0000000140162A05
GetParent.USER32 ref: 0000000140162A0F
DeleteMenu.USER32(?,?,?,?,?,?,?,00000001401616F4,?,?,?,?,?,?,00000001,00000001400DEE26), ref: 0000000140162A37
GetParent.USER32 ref: 0000000140162A4B
GetParent.USER32 ref: 0000000140162A9B
TrackPopupMenu.USER32 ref: 0000000140162AD2

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$Item$Enable$Parent$Delete$DefaultPopupSystemTrackZoomed
String ID:
API String ID: 4239930045-0
Opcode ID: a855b0c206ff72b79eb54b1edd76f9d287c98d5477c4fe6ff6f238d9d34b1eb6
Instruction ID: cbdaa56be2c47826b84f082c8f430c54a12f26740842849ae74d67aca848c8b9
Opcode Fuzzy Hash: a855b0c206ff72b79eb54b1edd76f9d287c98d5477c4fe6ff6f238d9d34b1eb6
Instruction Fuzzy Hash: 87510836320A9183FB669B63E8547A963A0FB8DF95F444429EF4E4BBA5DF39C441C700

Function 000000014012E5D8 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014012E627
GetUpdateRect.USER32 ref: 000000014012E64D
GetClientRect.USER32 ref: 000000014012E668
GetWindowRect.USER32 ref: 000000014012E682
OffsetRect.USER32 ref: 000000014012E6A7
OffsetRect.USER32 ref: 000000014012E6CC
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014012E6DF
CreateCompatibleDC.GDI32 ref: 000000014012E6FD
CreateCompatibleBitmap.GDI32 ref: 000000014012E725
IsRectEmpty.USER32 ref: 000000014012E781
CreateRectRgnIndirect.GDI32 ref: 000000014012E78E
GetWindowRect.USER32 ref: 000000014012E81B

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

OffsetRect.USER32 ref: 000000014012E83D
InflateRect.USER32 ref: 000000014012E84D
BitBlt.GDI32 ref: 000000014012E983
LeaveCriticalSection.KERNEL32 ref: 000000014012E9B9

Strings

, xrefs: 000000014012E961

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientCreateOffset$CompatibleCriticalHashScreenSectionWindow$BitmapEmptyEnterImplImpl::IndirectInflateLeaveUpdate
String ID:
API String ID: 2619300001-3916222277
Opcode ID: 67f497045dac7f5bc3f02ef3734628d33091762c320479e51c38035707e3f0ac
Instruction ID: fe94143c5aa3cde04f2e267db9abcde978ef14d817b3aa335678f376b1d6c0bd
Opcode Fuzzy Hash: 67f497045dac7f5bc3f02ef3734628d33091762c320479e51c38035707e3f0ac
Instruction Fuzzy Hash: 5ED159B2710A909AEB01DF66E8803ED77B0F788B98F504616EF5967B68DF78C545CB00

Function 000000014006C72C Relevance: 28.6, APIs: 19, Instructions: 92COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C98E
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C99D
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9AC
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9BB
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9CA
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9D9
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9E8
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9F7
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA06
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA15
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA24
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA33
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA42
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA51
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA60
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA72
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA84
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA96
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CAA8

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: 47b1c073c2efbe2db297774675f4cea43fed58c0ed35c163442df1a0ebd90449
Instruction ID: 7ea57da2b3cb3230a2381ef4efeb4ecf8fd8ee3a0141a3226b5a3c10be615ff0
Opcode Fuzzy Hash: 47b1c073c2efbe2db297774675f4cea43fed58c0ed35c163442df1a0ebd90449
Instruction Fuzzy Hash: 9541BC35212E0095EF5ADFA6D8A47B82371AF8CFA5F18491ADF0E476B48F39C4449211

Function 000000014006C71C Relevance: 28.6, APIs: 19, Instructions: 86COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C98E
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C99D
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9AC
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9BB
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9CA
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9D9
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9E8
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9F7
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA06
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA15
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA24
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA33
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA42
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA51
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA60
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA72
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA84
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA96
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CAA8

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: b4c0caf5280881ea91040c1d30b2cc213ae7ef9bcd607696fa33fe9cde2c9f51
Instruction ID: f77266410e85049347739b717b1920e225630cd94c49338327f971b30756a35d
Opcode Fuzzy Hash: b4c0caf5280881ea91040c1d30b2cc213ae7ef9bcd607696fa33fe9cde2c9f51
Instruction Fuzzy Hash: CC41AB39212E00D5EF5ADFA7D8A47B82371AF8CFA5F18491ADF0E476A48F39C4849251

Function 00000001400547F4 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140054851
GetClientRect.USER32 ref: 0000000140054869
GetSystemMetrics.USER32 ref: 000000014005488E
GetSystemMetrics.USER32 ref: 00000001400548BE
InvalidateRect.USER32 ref: 00000001400548E8
UpdateWindow.USER32 ref: 00000001400548F2
RedrawWindow.USER32 ref: 0000000140054B14

Part of subcall function 0000000140052D2C: SendMessageA.USER32 ref: 0000000140052DB3
Part of subcall function 0000000140052D2C: SendMessageA.USER32 ref: 0000000140052DE9

Strings

MFCPropertyGrid_DescriptionRows, xrefs: 0000000140054A50
Property, xrefs: 0000000140054AA3
MFCPropertyGrid_ModifiedProperties, xrefs: 0000000140054AE3
MFCPropertyGrid_AlphabeticMode, xrefs: 0000000140054ABD
MFCPropertyGrid_HeaderCtrl, xrefs: 0000000140054A88
Value, xrefs: 0000000140054A9C
MFCPropertyGrid_DescriptionArea, xrefs: 00000001400549FA
MFCPropertyGrid_VSDotNetLook, xrefs: 0000000140054B21

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$MetricsRectSystemWindow$ClientInvalidateRedrawUpdate
String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
API String ID: 3900036962-2695045869
Opcode ID: 2f4d4d70c1fa883a329d52188e6b47d892e3acb59a8f32f479ff6160b3d60dba
Instruction ID: 073eaac70e10153c570b31bb26ff97a2a18c594b665f24b0d1c3a6f2141efba2
Opcode Fuzzy Hash: 2f4d4d70c1fa883a329d52188e6b47d892e3acb59a8f32f479ff6160b3d60dba
Instruction Fuzzy Hash: 75B18E72700A458BFB15DF7AE8907DD37A1FB88B98F045225EB1A47AA9DF38C445CB40

Function 0000000140068560 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 312windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014006859C
IsRectEmpty.USER32 ref: 00000001400685D6
IntersectRect.USER32 ref: 0000000140068659
IntersectRect.USER32 ref: 0000000140068702
IsRectEmpty.USER32 ref: 000000014006873F
IsRectEmpty.USER32 ref: 0000000140068751
SelectObject.GDI32 ref: 000000014006876D
IsRectEmpty.USER32 ref: 0000000140068789
IsRectEmpty.USER32 ref: 00000001400687A3
AlphaBlend.MSIMG32 ref: 0000000140068842
StretchBlt.GDI32 ref: 00000001400688A6
SelectObject.GDI32 ref: 00000001400688BD
SetRectEmpty.USER32 ref: 0000000140068979

Strings

, xrefs: 0000000140068871

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$AlphaBlendStretch
String ID:
API String ID: 3434778532-3916222277
Opcode ID: 81bd72339e550de2273a3c154f64898ee45b991c2178bf82205e96649b858b30
Instruction ID: 68f7bb375df8e28703d8a69e2447eacc52b6ad1e5543518cbb9dc3b293d3e9d1
Opcode Fuzzy Hash: 81bd72339e550de2273a3c154f64898ee45b991c2178bf82205e96649b858b30
Instruction Fuzzy Hash: 2FE13676B146408FE721CFBAD8407AD7BB1F348B88F144615EF4AA7A68DB38E445CB50

Function 0000000140024298 Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 0000000140024329
GetCapture.USER32 ref: 000000014002433C
ReleaseCapture.USER32 ref: 0000000140024347
PeekMessageA.USER32 ref: 0000000140024366
PeekMessageA.USER32 ref: 0000000140024381
GetMessageA.USER32 ref: 000000014002439B
TranslateMessage.USER32 ref: 00000001400243BB
PeekMessageA.USER32 ref: 000000014002442D
SendMessageA.USER32 ref: 0000000140024450
PeekMessageA.USER32 ref: 0000000140024489
ReleaseCapture.USER32 ref: 00000001400244B7
GetMessageA.USER32 ref: 00000001400244CB
DispatchMessageA.USER32 ref: 00000001400244D4
GetCursorPos.USER32 ref: 00000001400244E2
PeekMessageA.USER32 ref: 0000000140024510
DispatchMessageA.USER32 ref: 0000000140024519

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Peek$Capture$DispatchRelease$CursorSendTranslate
String ID:
API String ID: 605349011-0
Opcode ID: 7293df1ecb82b1802a444963bfd1083dda5e1e0ecdfa5887acd9ef4c0bf88615
Instruction ID: 18dbc39062217b1d38bd860f85da0745a6c5d20de0849a0abc7af766fb96ff3c
Opcode Fuzzy Hash: 7293df1ecb82b1802a444963bfd1083dda5e1e0ecdfa5887acd9ef4c0bf88615
Instruction Fuzzy Hash: E6619D32700A9086F766EF27E8547AD67A0F74DFC4F548129EB4A47AA5DF38C8858B00

Function 0000000140096230 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 182timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014009625F
GetWindowRect.USER32 ref: 0000000140096275
KillTimer.USER32 ref: 0000000140096300
ReleaseCapture.USER32 ref: 0000000140096306
SetCursor.USER32 ref: 000000014009630E
GetParent.USER32 ref: 0000000140096324
SetCursor.USER32 ref: 0000000140096370
LoadCursorW.USER32 ref: 0000000140096387
SetCursor.USER32 ref: 0000000140096390
GetParent.USER32 ref: 00000001400963E2
GetParent.USER32 ref: 0000000140096442
UpdateWindow.USER32 ref: 0000000140096497

Strings

Q, xrefs: 00000001400964B6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Cursor$Parent$Window$CaptureKillLoadRectReleaseTimerUpdate
String ID: Q
API String ID: 3172647089-3463352047
Opcode ID: fc02d4b307ad23343008e0e5d4598c3f6fec2021cacb1caf78e4fd73d13c9a0b
Instruction ID: 1692fe5312aa731dd1348a0d06181e55fffd642996e67e251578450d9ed71dc4
Opcode Fuzzy Hash: fc02d4b307ad23343008e0e5d4598c3f6fec2021cacb1caf78e4fd73d13c9a0b
Instruction Fuzzy Hash: A4914932B10A408AFB16DBB6D5947EC33B0F74CB88F504525EF1A97AA5CB39E954C710

Function 000000014014E078 Relevance: 21.2, APIs: 14, Instructions: 238COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014014E0DC
FillRect.USER32 ref: 000000014014E130
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014014E190
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000000014014E1A6
SetRectEmpty.USER32 ref: 000000014014E1CB
SetRect.USER32 ref: 000000014014E20D
IsRectEmpty.USER32 ref: 000000014014E217
FillRect.USER32 ref: 000000014014E235
SetRectEmpty.USER32 ref: 000000014014E296
InflateRect.USER32 ref: 000000014014E332
IntersectRect.USER32 ref: 000000014014E344
InflateRect.USER32 ref: 000000014014E353
IntersectRect.USER32 ref: 000000014014E365
FillRect.USER32 ref: 000000014014E37F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EmptyFillInflate$IntersectWindow
String ID:
API String ID: 2442469634-0
Opcode ID: 6d53d822b35c1403ee9716b4d60778b4f66abfdeec87edbc31c49f385ccbea44
Instruction ID: 2de2fe94347bbd672b654f034ae6e92c1afa29b89481c5a863ae6cc93c0a9d1d
Opcode Fuzzy Hash: 6d53d822b35c1403ee9716b4d60778b4f66abfdeec87edbc31c49f385ccbea44
Instruction Fuzzy Hash: 7BB16672B00A949BEB16DFA6D584BEC37B1F74CB88F058129DF0A63A68DB34D545CB40

Function 0000000140092244 Relevance: 21.2, APIs: 14, Instructions: 234windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 000000014009228F
GetSystemMetrics.USER32 ref: 000000014009238D
GetSystemMetrics.USER32 ref: 000000014009239E
InflateRect.USER32 ref: 00000001400923F1
InvalidateRect.USER32 ref: 0000000140092405
InflateRect.USER32 ref: 000000014009242C
InvalidateRect.USER32 ref: 0000000140092440
UpdateWindow.USER32 ref: 000000014009244A
GetCapture.USER32 ref: 0000000140092461
GetCursorPos.USER32 ref: 00000001400924A5
GetSystemMetrics.USER32 ref: 00000001400924D7
GetCapture.USER32 ref: 00000001400924DF
GetParent.USER32 ref: 000000014009251B
SendMessageA.USER32 ref: 0000000140092546

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$MetricsSystem$CaptureInflateInvalidate$ClientCursorMessageParentScreenSendUpdateWindow
String ID:
API String ID: 2772127108-0
Opcode ID: bc8380946acf46fcdb537c1546a39a07fc39be3b58062761f01ab7cee5929a54
Instruction ID: f02414b866b85d2272f4551e9630ca0183cf20339921a51b0dc92c26b305e4e9
Opcode Fuzzy Hash: bc8380946acf46fcdb537c1546a39a07fc39be3b58062761f01ab7cee5929a54
Instruction Fuzzy Hash: 5AB12972A10A518AEB15CF7AD8947EC37B0F78CB88F544125EF0A9B7A9DB38C545CB10

Function 00000001400887AC Relevance: 21.2, APIs: 14, Instructions: 189windowCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140088805
PtInRect.USER32 ref: 0000000140088812
SendMessageA.USER32 ref: 000000014008883F
GetParent.USER32 ref: 0000000140088860
SendMessageA.USER32 ref: 0000000140088889
SendMessageA.USER32 ref: 00000001400888DA
ReleaseCapture.USER32 ref: 00000001400888F4
ReleaseCapture.USER32 ref: 00000001400889A5
ReleaseCapture.USER32 ref: 00000001400889F4
IsRectEmpty.USER32 ref: 0000000140088A4F
InvalidateRect.USER32 ref: 0000000140088A64
IsRectEmpty.USER32 ref: 0000000140088A6E
InvalidateRect.USER32 ref: 0000000140088A83
UpdateWindow.USER32 ref: 0000000140088A8D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$CaptureMessageReleaseSend$EmptyInvalidateWindow$ParentRedrawUpdate
String ID:
API String ID: 1443145988-0
Opcode ID: fc793ffb0c24f33571b3673a8d7a2289c2554b7d7c2e50bed506a6ccea39a038
Instruction ID: fb9c1f2e2f6086b516037bcc6752005354e7192a46351b9cbec26efbfda5ebfb
Opcode Fuzzy Hash: fc793ffb0c24f33571b3673a8d7a2289c2554b7d7c2e50bed506a6ccea39a038
Instruction Fuzzy Hash: E3914236300A8197EB1A8B26DA847ED77B9F788BC4F044426DF1A4B7A4DF38D665C740

Function 0000000140006554 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 92libraryCOMMON

Download Yara Rule

APIs

QueryActCtxW.KERNEL32 ref: 00000001400065AF
GetModuleHandleExW.KERNEL32 ref: 00000001400065DA
GetModuleFileNameW.KERNEL32 ref: 00000001400065FB
SetLastError.KERNEL32 ref: 0000000140006613
CreateActCtxW.KERNEL32 ref: 0000000140006659
GetLastError.KERNEL32 ref: 000000014000666A
ActivateActCtx.KERNEL32 ref: 00000001400066A4
FindActCtxSectionStringW.KERNEL32 ref: 00000001400066CF
LoadLibraryW.KERNEL32 ref: 00000001400066E0
DeactivateActCtx.KERNEL32 ref: 00000001400066EE

Strings

Comctl32.dll, xrefs: 00000001400066C0, 00000001400066D9
p, xrefs: 00000001400066AE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLastModule$ActivateCreateDeactivateFileFindHandleLibraryLoadNameQuerySectionString
String ID: Comctl32.dll$p
API String ID: 550771814-195350848
Opcode ID: 3c4bd078e14ded7ea1fb5fe5fb3a0c2bbf61f624839abfdbb2ad9c72058a1aaa
Instruction ID: e164090612886bf080541d212c36036545472af77b83ff5f4f042f9d3f1088f8
Opcode Fuzzy Hash: 3c4bd078e14ded7ea1fb5fe5fb3a0c2bbf61f624839abfdbb2ad9c72058a1aaa
Instruction Fuzzy Hash: A4410871204B8482EB66DB66F88439AB3A5F748BA4F400229E79A576F4DF79C548CB00

Function 000000014006A0D4 Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014006A134

Strings

, xrefs: 000000014006A128

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-3916222277
Opcode ID: eb60ade70cc064c9b6e109d561d5cef1802bd6b325a9158ec9311a19e5454b48
Instruction ID: eca0f0eacf11f483645be4ae6f07c746f684691369f534a154e666bea5fa48b0
Opcode Fuzzy Hash: eb60ade70cc064c9b6e109d561d5cef1802bd6b325a9158ec9311a19e5454b48
Instruction Fuzzy Hash: D7717C72314A4086E722EF2AE84439A67A1F38EBD4F244525FF4E877A4DB79C955CB00

Function 00000001400647E8 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140064904

Part of subcall function 0000000140061D68: GetWindowRect.USER32 ref: 0000000140061D83

Strings

%TsPane-%d, xrefs: 000000014006487F
RecentRowIndex, xrefs: 00000001400649AB
RecentFrameAlignment, xrefs: 0000000140064994
%TsPane-%d%x, xrefs: 0000000140064892
PinState, xrefs: 00000001400649EC
IsFloating, xrefs: 00000001400649BE
Panes, xrefs: 000000014006481E
RectRecentFloat, xrefs: 0000000140064966
RectRecentDocked, xrefs: 000000014006497D
MRUWidth, xrefs: 00000001400649D5

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RectWindow
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 861336768-2628993547
Opcode ID: 49b9931f7652c77026f868cf6523362eddabcafac70f71d29e28dd4472adc345
Instruction ID: 77868240798182432c8581466370ad210f319c8e1e0e41d609370073c1bca2f1
Opcode Fuzzy Hash: 49b9931f7652c77026f868cf6523362eddabcafac70f71d29e28dd4472adc345
Instruction Fuzzy Hash: A7716776310A4192EB0AEB2AD8847EC37A1FB89FE4F448616DF29137A4DF34C856C340

Function 000000014003E1F0 Relevance: 18.4, APIs: 12, Instructions: 449COMMON

Download Yara Rule

APIs

PathRemoveFileSpecW.SHLWAPI ref: 000000014003E2E1
WideCharToMultiByte.KERNEL32 ref: 000000014003E35A
WideCharToMultiByte.KERNEL32 ref: 000000014003E3A2
CoTaskMemFree.OLE32 ref: 000000014003E3DA
PathRemoveFileSpecW.SHLWAPI ref: 000000014003E4FF
WideCharToMultiByte.KERNEL32 ref: 000000014003E52F
CoTaskMemFree.OLE32 ref: 000000014003E53F
PathRemoveFileSpecW.SHLWAPI ref: 000000014003E5A6
WideCharToMultiByte.KERNEL32 ref: 000000014003E615
CoTaskMemFree.OLE32 ref: 000000014003E625
PathFindFileNameA.SHLWAPI ref: 000000014003E731
PathFindExtensionA.SHLWAPI ref: 000000014003E78F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Path$ByteCharFileMultiWide$FreeRemoveSpecTask$Find$ExtensionName
String ID:
API String ID: 2333376506-0
Opcode ID: 0655440b737667075ef24714b07c9b9ef2edad08e5c2ddb8159c70cce9059e6e
Instruction ID: 1f062982248cafdf721bcd2926f278e0cad4d80aec4977131dc9e3228f594a7e
Opcode Fuzzy Hash: 0655440b737667075ef24714b07c9b9ef2edad08e5c2ddb8159c70cce9059e6e
Instruction Fuzzy Hash: 94122876701A458AEB16DF2AD4943AD77A1FB88F98F044126EF1E57BA4DF38C445C340

Function 00000001400BE86C Relevance: 18.3, APIs: 12, Instructions: 255windowCOMMON

Download Yara Rule

APIs

PatBlt.GDI32 ref: 00000001400BE90C
PatBlt.GDI32 ref: 00000001400BE930
PatBlt.GDI32 ref: 00000001400BE957
PatBlt.GDI32 ref: 00000001400BE97E
InflateRect.USER32 ref: 00000001400BE991
InflateRect.USER32 ref: 00000001400BE99F
PatBlt.GDI32 ref: 00000001400BE9F4
PatBlt.GDI32 ref: 00000001400BEA1E

Part of subcall function 000000014014EBA8: PatBlt.GDI32 ref: 000000014014EC1D
Part of subcall function 000000014014EBA8: PatBlt.GDI32 ref: 000000014014EC41
Part of subcall function 000000014014EBA8: PatBlt.GDI32 ref: 000000014014EC68
Part of subcall function 000000014014EBA8: PatBlt.GDI32 ref: 000000014014EC8F
Part of subcall function 000000014014EBA8: InflateRect.USER32 ref: 000000014014ECA2
Part of subcall function 000000014014EBA8: InflateRect.USER32 ref: 000000014014ECB0
Part of subcall function 000000014014EBA8: PatBlt.GDI32 ref: 000000014014ED06

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: e4cf7f8ea620847635236e12a5d88376b68992ff643618529eed73f1848de149
Instruction ID: a4b2490057b48693362f4408216f98836c6e4917a2405f1de9d64c4b422583c2
Opcode Fuzzy Hash: e4cf7f8ea620847635236e12a5d88376b68992ff643618529eed73f1848de149
Instruction Fuzzy Hash: D6B19A32614A908AE721DF36E444B9DBB60F78DF98F048215EF895BB69DF38E541CB00

Function 00000001400E8394 Relevance: 18.2, APIs: 12, Instructions: 247timewindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400E83C0
GetCursorPos.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E83DD
ScreenToClient.USER32 ref: 00000001400E83EC
GetParent.USER32 ref: 00000001400E8491
SetTimer.USER32 ref: 00000001400E84FD
InvalidateRect.USER32 ref: 00000001400E8511
UpdateWindow.USER32 ref: 00000001400E851B
KillTimer.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E852C
KillTimer.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E8600
GetParent.USER32 ref: 00000001400E8618
GetParent.USER32 ref: 00000001400E8697
SendMessageA.USER32 ref: 00000001400E8726

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID:
API String ID: 2010726786-0
Opcode ID: ae449cde4f514241e8794a7b00c13d5857e0acea471998605f1b0afa0c43a2a3
Instruction ID: 24165bae613907c7bfd52497d383519468396d3868a9b197ea670969325ae87e
Opcode Fuzzy Hash: ae449cde4f514241e8794a7b00c13d5857e0acea471998605f1b0afa0c43a2a3
Instruction Fuzzy Hash: 4DB13772301A5082EA6A9B53E5543E963A0FB8DFE0F044525EF1E2BBB5EF39D851C340

Function 00000001400B6654 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F73C: BeginPaint.USER32(?,?,?,?,?,00000001400061B8), ref: 000000014000F776

GetClientRect.USER32 ref: 00000001400B66A5
GetSysColorBrush.USER32 ref: 00000001400B6710
FillRect.USER32 ref: 00000001400B6720

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

FillRect.USER32 ref: 00000001400B6749
GetSysColor.USER32 ref: 00000001400B67BE
GetSysColor.USER32 ref: 00000001400B67D4
InflateRect.USER32 ref: 00000001400B687D
InflateRect.USER32 ref: 00000001400B68D4

Strings

$, xrefs: 00000001400B68DA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Color$FillInflateObjectSelect$BeginBrushClientPaint
String ID: $
API String ID: 3914823541-3993045852
Opcode ID: 3eb5af6ad1f2b4c3ade133a7bcf498fed3c21877ac4a3d72e6fbb75d572b8802
Instruction ID: f82179a28a0867b2b3a33a1b79e58b2e863b312ac9a1c6212e21fa7a1b81d0ba
Opcode Fuzzy Hash: 3eb5af6ad1f2b4c3ade133a7bcf498fed3c21877ac4a3d72e6fbb75d572b8802
Instruction Fuzzy Hash: 6E81AD32B10B448AEB01DF76D8807DD7371F788B84F504221EB5A6BAA9DF38D915CB40

Function 0000000140176100 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 000000014017612F
EqualRect.USER32 ref: 0000000140176143
CreateRectRgn.GDI32 ref: 000000014017618F
CreateRectRgn.GDI32 ref: 00000001401761C6
CreateRectRgnIndirect.GDI32(?,?,?,?,?,?,?,?,00000000), ref: 00000001401761D1
CombineRgn.GDI32 ref: 00000001401761F4
SetWindowRgn.USER32 ref: 0000000140176205
RedrawWindow.USER32 ref: 0000000140176294

Strings

X, xrefs: 0000000140176234

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Create$EqualWindow$CombineIndirectRedraw
String ID: X
API String ID: 1400420921-3081909835
Opcode ID: 16d23cd95831d398d4e14ec261f219fef693c5d4026e7fd188a0ed78f29c8162
Instruction ID: 1eeb2c6f0d3e775fdfe36a91c0508719cdc3145b31e513fadaad79ea36addefd
Opcode Fuzzy Hash: 16d23cd95831d398d4e14ec261f219fef693c5d4026e7fd188a0ed78f29c8162
Instruction Fuzzy Hash: 43515B32720A908AE716DF76E948BED77B0F748B98F148124DF5A17AA9DF38D544CB00

Function 000000014004A4B8 Relevance: 15.3, APIs: 10, Instructions: 310windowCOMMON

Download Yara Rule

APIs

RealizePalette.GDI32 ref: 000000014004A517
InflateRect.USER32 ref: 000000014004A627
InflateRect.USER32 ref: 000000014004A679

Part of subcall function 000000014004AF44: GetSystemPaletteEntries.GDI32 ref: 000000014004AFDA
Part of subcall function 000000014004AF44: CreatePalette.GDI32 ref: 000000014004B039

InflateRect.USER32 ref: 000000014004A6BB
GetNearestPaletteIndex.GDI32 ref: 000000014004A6FE
FillRect.USER32 ref: 000000014004A722

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

InflateRect.USER32 ref: 000000014004A751
FillRect.USER32 ref: 000000014004A7D0
InflateRect.USER32 ref: 000000014004A840
InflateRect.USER32 ref: 000000014004A96F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Inflate$Palette$ConditionFillMaskSystem$CreateEntriesIndexInfoMetricsNearestRealizeVerifyVersion
String ID:
API String ID: 1448520935-0
Opcode ID: 32fe88e2e6b838b5198746b84f71b56bea39f743370ade10b62a730d0bcbcfba
Instruction ID: 29e34e6e934ede0ce56dd0dc1e274dfbd58f97f05a27dc2cf29fbb27c6ff9601
Opcode Fuzzy Hash: 32fe88e2e6b838b5198746b84f71b56bea39f743370ade10b62a730d0bcbcfba
Instruction Fuzzy Hash: 2BE16A36710A608AFB12DF62E8447E937A4B74DB88F004626EF0A57BB5DF78C955CB40

Function 00000001400B08C4 Relevance: 15.2, APIs: 10, Instructions: 230windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400B097C
SendMessageA.USER32 ref: 00000001400B099D
SendMessageA.USER32 ref: 00000001400B09BC
SendMessageA.USER32 ref: 00000001400B09D8
SendMessageA.USER32 ref: 00000001400B09F7
SendMessageA.USER32 ref: 00000001400B0B38
SendMessageA.USER32 ref: 00000001400B0BAE
SendMessageA.USER32 ref: 00000001400B0BCD
SendMessageA.USER32 ref: 00000001400B0BE9
SendMessageA.USER32 ref: 00000001400B0C08

Part of subcall function 000000014001AEEC: IsWindow.USER32 ref: 000000014001AF05
Part of subcall function 000000014001AEEC: SetWindowTextA.USER32 ref: 000000014001AF2C

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$Window$ExceptionTextThrow
String ID:
API String ID: 604127595-0
Opcode ID: efe2d4bcc881a018e8048ef5686db9603a46d621fbc6043469dbd0a17049ee13
Instruction ID: d54b49463c2959654c800cf3884960c8b2100f6c542279a542246626f71f6827
Opcode Fuzzy Hash: efe2d4bcc881a018e8048ef5686db9603a46d621fbc6043469dbd0a17049ee13
Instruction Fuzzy Hash: 07917F35300A8082EA5ADF97D8507E9A761FB89FD4F548122EF2D8B7A5DF35C4528300

Function 000000014006A36C Relevance: 15.2, APIs: 10, Instructions: 215COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014006A3C6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object
String ID:
API String ID: 2936123098-0
Opcode ID: 8922f84cafd1d44b880d7488232c76f05adf5d186b78d7e3fa2715efc75d225c
Instruction ID: c6032844d6d55e2d475e6de67b8e431c80706e9796353fef3ac847dd80795382
Opcode Fuzzy Hash: 8922f84cafd1d44b880d7488232c76f05adf5d186b78d7e3fa2715efc75d225c
Instruction Fuzzy Hash: 97818E72304A5086EB22EB2BE84439AA7A1F78DBD4F540515FF4E97BB4DA7CC8558B00

Function 0000000140170578 Relevance: 15.2, APIs: 10, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014017060A
PtInRect.USER32 ref: 000000014017063C
PtInRect.USER32 ref: 0000000140170652
PtInRect.USER32 ref: 000000014017069F
GetParent.USER32 ref: 00000001401706AD
InflateRect.USER32 ref: 00000001401706F1
PtInRect.USER32 ref: 00000001401706FF
GetWindowRect.USER32 ref: 0000000140170788
InflateRect.USER32 ref: 0000000140170798
PtInRect.USER32 ref: 00000001401707A6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$InflateWindow$Parent
String ID:
API String ID: 1237301043-0
Opcode ID: d3c6553e95652d46054866db5f34092fb4b34f99821555c17d150aad43bc71db
Instruction ID: ea8f44ca63c9189592d7ce7932e429a49697e4fa7a1c9ef581b166ed050ac28c
Opcode Fuzzy Hash: d3c6553e95652d46054866db5f34092fb4b34f99821555c17d150aad43bc71db
Instruction Fuzzy Hash: 52712636700B4089EB56CFA6D4947ED37B1BB48F98F148026EF4A57AA8EB35D485C700

Function 000000014016A384 Relevance: 15.2, APIs: 10, Instructions: 157COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014016A3CD
SetRectEmpty.USER32 ref: 000000014016A3D7
SetRectEmpty.USER32 ref: 000000014016A3E1
GetWindowRect.USER32 ref: 000000014016A435
IsRectEmpty.USER32 ref: 000000014016A43F
GetWindowRect.USER32 ref: 000000014016A4A6
IsRectEmpty.USER32 ref: 000000014016A4B0
UnionRect.USER32 ref: 000000014016A4FA
UnionRect.USER32 ref: 000000014016A535
UnionRect.USER32 ref: 000000014016A570

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$Union$Window
String ID:
API String ID: 1425901760-0
Opcode ID: 263fd2832c8a5545b786eaa69eff12bf0e33bf700ed1f3643ff3ee0bc5f34308
Instruction ID: 0e94b07ca3a92c6032342eae2005853d9021ffe4e829f7a251bbc5b62341af7e
Opcode Fuzzy Hash: 263fd2832c8a5545b786eaa69eff12bf0e33bf700ed1f3643ff3ee0bc5f34308
Instruction Fuzzy Hash: 0E712872B10A118AFB16CB66DC943EC2770FB88F98F984516DF0A57A68DF78C855CB40

Function 000000014001C728 Relevance: 15.1, APIs: 10, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001C74B
GlobalAlloc.KERNEL32 ref: 000000014001C7C8
GlobalHandle.KERNEL32 ref: 000000014001C7D0
GlobalUnlock.KERNEL32 ref: 000000014001C7DC
GlobalReAlloc.KERNEL32 ref: 000000014001C802
GlobalLock.KERNEL32 ref: 000000014001C822
LeaveCriticalSection.KERNEL32 ref: 000000014001C874
GlobalHandle.KERNEL32 ref: 000000014001C8AD
GlobalLock.KERNEL32 ref: 000000014001C8B6
LeaveCriticalSection.KERNEL32 ref: 000000014001C8BF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: a419376fe4d22a09ecf2eb8abe2a8c76fd3642423acde9ca47871142585a823c
Instruction ID: 8f02ca93e8a882d5454026eae1076cfc1a908aea47187eb683201359d45e125e
Opcode Fuzzy Hash: a419376fe4d22a09ecf2eb8abe2a8c76fd3642423acde9ca47871142585a823c
Instruction Fuzzy Hash: 7A41AE75710B8487EA19DF16A1943A873A1F78CB80F048425EB6B4BBA1CF39D4618300

Function 0000000140024524 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0000000140024553
WindowFromPoint.USER32 ref: 0000000140024561
GetActiveWindow.USER32 ref: 0000000140024589
GetCurrentThreadId.KERNEL32 ref: 00000001400245A5
GetWindowThreadProcessId.USER32 ref: 00000001400245B8
GetDesktopWindow.USER32 ref: 00000001400245C9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: c6d9b63832bb6b29dc2cc4695231e5c0bcb3335a5e22e2cff4626c3997d869a5
Instruction ID: d2a8981b69ef4ff39e8bf1af636f78ab6cff15cdd1dfb424f03a4e52a7d32a4b
Opcode Fuzzy Hash: c6d9b63832bb6b29dc2cc4695231e5c0bcb3335a5e22e2cff4626c3997d869a5
Instruction Fuzzy Hash: 0E313E31601A5096FF67AFA3A8983EA66E0B74DBC4F040429EF4B0B7B1DF79C8458601

Function 000000014013E860 Relevance: 15.1, APIs: 10, Instructions: 94COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?,?,?,?,?,?,000000014009CAF5), ref: 000000014013E895
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,000000014009CAF5), ref: 000000014013E8B5
SetRect.USER32 ref: 000000014013E8F8
InvalidateRect.USER32 ref: 000000014013E90C
SetRect.USER32 ref: 000000014013E929
InvalidateRect.USER32 ref: 000000014013E93D
SetRect.USER32 ref: 000000014013E96A
InvalidateRect.USER32 ref: 000000014013E97E
SetRect.USER32 ref: 000000014013E99B
InvalidateRect.USER32 ref: 000000014013E9AF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Invalidate$Window$Proc
String ID:
API String ID: 570070710-0
Opcode ID: 2f42a8cf4da5cd2d20587395ea3138bd32c5d50507d7060698c26b175e2a8bf4
Instruction ID: 884c3a9a220ee72445be0051d8b40e1c5bc6b484b8897f9848e0d6906f81369c
Opcode Fuzzy Hash: 2f42a8cf4da5cd2d20587395ea3138bd32c5d50507d7060698c26b175e2a8bf4
Instruction Fuzzy Hash: 17413436720A659AFB11CF76D888BAD37B1F78CB88F004105CF492BAA8DB79C145CB50

Function 00000001400A26FC Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 271windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A27A1
CreateCompatibleDC.GDI32 ref: 00000001400A27B9
CreateCompatibleBitmap.GDI32 ref: 00000001400A27FC
SelectObject.GDI32 ref: 00000001400A2876
BitBlt.GDI32 ref: 00000001400A28B9
BitBlt.GDI32 ref: 00000001400A2A78
DeleteObject.GDI32 ref: 00000001400A2A9B

Strings

, xrefs: 00000001400A2A4D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CompatibleConditionCreateHashMaskObject$BitmapDeleteImplImpl::InfoMetricsSelectSystemVerifyVersion
String ID:
API String ID: 821148471-3916222277
Opcode ID: bea0494d51fe24fc4aaba9f1b3c4d1640b54d353fd72c42ef7ddfeebaff4bb94
Instruction ID: d121b8fbdb5efdfd30181f8c99abff2c242ccc14a982c07a3bc1d698bb54a508
Opcode Fuzzy Hash: bea0494d51fe24fc4aaba9f1b3c4d1640b54d353fd72c42ef7ddfeebaff4bb94
Instruction Fuzzy Hash: DBC19F72704A508AE716DF6AD4407ED37B0F758B88F14462AEF4A97BA9DF38C845CB00

Function 000000014001E4B8 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 135libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001E4F9
GetProcAddress.KERNEL32 ref: 000000014001E50E
EncodePointer.KERNEL32 ref: 000000014001E51A
DecodePointer.KERNEL32 ref: 000000014001E529
GetUserDefaultUILanguage.KERNEL32 ref: 000000014001E54C
GetSystemDefaultUILanguage.KERNEL32 ref: 000000014001E5C8

Strings

GetThreadPreferredUILanguages, xrefs: 000000014001E504
kernel32.dll, xrefs: 000000014001E4F2

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: DefaultLanguagePointer$AddressDecodeEncodeHandleModuleProcSystemUser
String ID: GetThreadPreferredUILanguages$kernel32.dll
API String ID: 4277466594-1646127487
Opcode ID: 79ba85598e6b7f8c81bfb79aa1c140e1123330dbfa14105e5dae3700fe303649
Instruction ID: ea2a59e869ac5323a43da15bf1f906942e71760a2c33a848cce96f83b39c9a10
Opcode Fuzzy Hash: 79ba85598e6b7f8c81bfb79aa1c140e1123330dbfa14105e5dae3700fe303649
Instruction Fuzzy Hash: 5351BC72720A5199FF02DF62D8997EC23B1B71CBC8F854026DF0A5BAA5EE39C509C350

Function 0000000140072114 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 121COMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 0000000140072156
InflateRect.USER32 ref: 0000000140072188
DrawThemeBackground.UXTHEME ref: 00000001400721B9
GetThemeColor.UXTHEME ref: 00000001400721DD
GetThemeColor.UXTHEME ref: 0000000140072201
GetSysColorBrush.USER32 ref: 000000014007221B
FillRect.USER32 ref: 000000014007222A

Strings

%, xrefs: 0000000140072284

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Color$Theme$Rect$BackgroundBrushDrawFillInflate
String ID: %
API String ID: 1195098489-2567322570
Opcode ID: 5c5e6d60c4af61aeea24db67f537338681e017e45000dffcdb59d073f596e51f
Instruction ID: 9b64fbb9433285d4a6ff100ae8cd8b9bd0ab06af6b93c59b546e43acae47bfd9
Opcode Fuzzy Hash: 5c5e6d60c4af61aeea24db67f537338681e017e45000dffcdb59d073f596e51f
Instruction Fuzzy Hash: 22516B36214A8486E762DF26E984B9977A0F78CFD4F108225EF4A47BA4DF38C545CB00

Function 0000000140018310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 0000000140018364
CallWindowProcA.USER32 ref: 00000001400183E1

Part of subcall function 0000000140018A10: GetWindowRect.USER32 ref: 0000000140018A58
Part of subcall function 0000000140018A10: GetWindow.USER32 ref: 0000000140018A78

SetWindowLongPtrA.USER32 ref: 000000014001840F
RemovePropA.USER32 ref: 000000014001841F
GlobalFindAtomA.KERNEL32 ref: 000000014001842C
GlobalDeleteAtom.KERNEL32 ref: 0000000140018435

Part of subcall function 0000000140018ACC: GetWindowRect.USER32 ref: 0000000140018AE0

CallWindowProcA.USER32 ref: 00000001400184A1

Strings

AfxOldWndProc423, xrefs: 000000014001835D, 0000000140018415, 0000000140018425

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
String ID: AfxOldWndProc423
API String ID: 3892049428-1060338832
Opcode ID: c9c8e382074733968dfbf3acdbb131c33e7d87264b9783002a1dd8b08e1ec4e2
Instruction ID: 78fe286bd9fb68c80d46a47bb8c6bef4467a238a6714f0d43b4e05638bbcdf3f
Opcode Fuzzy Hash: c9c8e382074733968dfbf3acdbb131c33e7d87264b9783002a1dd8b08e1ec4e2
Instruction Fuzzy Hash: 48419E32204A4182EA669B67A8543EAB7A0F78EFD4F404115BF9A0FBB9DF3DC1458700

Function 000000014001C374 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C3B0
GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C3BE
GetObjectA.GDI32 ref: 000000014001C3D6
GetDC.USER32 ref: 000000014001C3E7
GetDeviceCaps.GDI32 ref: 000000014001C406
MulDiv.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C418
ReleaseDC.USER32 ref: 000000014001C426

Strings

System, xrefs: 000000014001C17F, 000000014001C383, 000000014001C39E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 12e02f717ae4a397120da84bb10993e25d301aface3a689a321c9258b741ae67
Instruction ID: f9dbb477e6af988df83a4ec679ef4aad5530ae4a78cbb75a90288a3cb5249ab4
Opcode Fuzzy Hash: 12e02f717ae4a397120da84bb10993e25d301aface3a689a321c9258b741ae67
Instruction Fuzzy Hash: ED213931314B5482FB169B22F8547AA73E0F74CF80F44452AAE9A5BBA8DF3DD506CB04

Function 000000014001A040 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014001A070
ActivateActCtx.KERNEL32 ref: 000000014001A095
LoadLibraryW.KERNEL32 ref: 000000014001A0B0
GetLastError.KERNEL32 ref: 000000014001A0CB
DeactivateActCtx.KERNEL32 ref: 000000014001A0DE
SetLastError.KERNEL32 ref: 000000014001A0EA

Strings

hhctrl.ocx, xrefs: 000000014001A04B
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014001A069

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugLibraryLoadOutputString
String ID: IsolationAware function called after IsolationAwareCleanup$hhctrl.ocx
API String ID: 154522064-68518318
Opcode ID: 418aab3cc449475630519d34a3ed929e93ba6a2051088221332bc0341f737ef8
Instruction ID: 23343dc2a9835a43b598a41035da69b691466916a088cc472484114a9b1d611b
Opcode Fuzzy Hash: 418aab3cc449475630519d34a3ed929e93ba6a2051088221332bc0341f737ef8
Instruction Fuzzy Hash: E321EA36604F4186F7529B66E8843A962E4B78DFD0F5545249B1A8B3B4DF7EC8458240

Function 00000001401104CC Relevance: 13.7, APIs: 9, Instructions: 244windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32 ref: 0000000140110555
DestroyMenu.USER32 ref: 0000000140110571
ClientToScreen.USER32 ref: 00000001401105CF
GetWindowRect.USER32 ref: 00000001401105E5
ClientToScreen.USER32 ref: 000000014011065A
ClientToScreen.USER32 ref: 00000001401106B9
GetParent.USER32 ref: 0000000140110742
GetParent.USER32 ref: 0000000140110802
GetParent.USER32 ref: 0000000140110830

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientParentScreen$DestroyMenu$RectWindow
String ID:
API String ID: 3328890127-0
Opcode ID: 28c9e44641a83a574f902be2641ffa13b08f71383d74b065902b235c046ba59c
Instruction ID: db72d4f5fbc0636724be853e1797e7459980346324e1e840306b0027f03569ef
Opcode Fuzzy Hash: 28c9e44641a83a574f902be2641ffa13b08f71383d74b065902b235c046ba59c
Instruction Fuzzy Hash: DFB10372B11A548AEB5A9F66D8547EC33A0F78CF88F084525DF0A4B7A9EF78C445C700

Function 000000014003C010 Relevance: 13.6, APIs: 9, Instructions: 148timeCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32 ref: 000000014003C0A5
GetFileSizeEx.KERNEL32 ref: 000000014003C0BE
GetFileAttributesA.KERNEL32 ref: 000000014003C100

Part of subcall function 000000014003BD08: GetModuleHandleA.KERNEL32 ref: 000000014003BD3A
Part of subcall function 000000014003BD08: GetProcAddress.KERNEL32 ref: 000000014003BD4F

FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C117
FileTimeToSystemTime.KERNEL32 ref: 000000014003C129
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C157
FileTimeToSystemTime.KERNEL32 ref: 000000014003C169
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C199
FileTimeToSystemTime.KERNEL32 ref: 000000014003C1AB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Time$File$LocalSystem$AddressAttributesHandleModuleProcSize
String ID:
API String ID: 461657242-0
Opcode ID: 530e8852f118ca2e27282b072913caa5eb63dd3687bcad63cdb64cd1a11a2856
Instruction ID: 87081f45d203f1b7fd6a9ec6d3adc3ab29b45fec011108cf088263c1bba8b5ed
Opcode Fuzzy Hash: 530e8852f118ca2e27282b072913caa5eb63dd3687bcad63cdb64cd1a11a2856
Instruction Fuzzy Hash: D7615C32310A0596FB229F76D8907EE23B0F749BD8F444612EB1AC7AA9EF34C565C350

Function 000000014013E67C Relevance: 13.6, APIs: 9, Instructions: 136timekeyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 000000014013E6A3
GetCursorPos.USER32 ref: 000000014013E6C7
ScreenToClient.USER32 ref: 000000014013E6D6
GetCapture.USER32 ref: 000000014013E748
ClientToScreen.USER32 ref: 000000014013E797
WindowFromPoint.USER32 ref: 000000014013E7A2
IsChild.USER32 ref: 000000014013E7BC
KillTimer.USER32 ref: 000000014013E7FE
KillTimer.USER32 ref: 000000014013E821

Part of subcall function 0000000140014F70: GetForegroundWindow.USER32 ref: 0000000140014F8E
Part of subcall function 0000000140014F70: GetLastActivePopup.USER32 ref: 0000000140014FA3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorForegroundFromLastPointPopupState
String ID:
API String ID: 3566347107-0
Opcode ID: fa3a8e632f3877d30cd30347bd13a6a6c04e0dfe167a658304dcb36151c9134a
Instruction ID: ac83d0bb89f80252119c5d93b9cfd2d2cb222bda5af70bfebeb29008deabb9be
Opcode Fuzzy Hash: fa3a8e632f3877d30cd30347bd13a6a6c04e0dfe167a658304dcb36151c9134a
Instruction Fuzzy Hash: F1513E39601B5481FA169B17E8943A927E1F78CFE4F044625EF1E0BBF5DE39D4458340

Function 00000001400386F8 Relevance: 13.6, APIs: 9, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140038726
GetWindowLongA.USER32 ref: 000000014003873C
IsWindowEnabled.USER32 ref: 000000014003874B
GetDlgItem.USER32 ref: 0000000140038767
GetWindowLongA.USER32 ref: 0000000140038778
IsWindowEnabled.USER32 ref: 0000000140038787
GetFocus.USER32 ref: 00000001400387C1
IsWindowEnabled.USER32 ref: 00000001400387CA
SetFocus.USER32 ref: 00000001400387D7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: fffe951cb1e597dff22ede8827bcf3b84457bee5f563c833cfa2c4f882ec3a23
Instruction ID: d1df8497db9188f41e7f8931666302d18fe34a8811a69c7e8bb85201cbfdabc0
Opcode Fuzzy Hash: fffe951cb1e597dff22ede8827bcf3b84457bee5f563c833cfa2c4f882ec3a23
Instruction Fuzzy Hash: 45215135204B8086FB169F17A8883AA63A1AB8DFD4F644424EF5A4B7B4DF3DC4428300

Function 0000000140092790 Relevance: 13.6, APIs: 9, Instructions: 66COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400927B0
GetCursorPos.USER32 ref: 00000001400927C7
ScreenToClient.USER32 ref: 00000001400927D6
PtInRect.USER32 ref: 00000001400927E4

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

SetCursor.USER32 ref: 0000000140092815
IsRectEmpty.USER32 ref: 000000014009282C
GetCursorPos.USER32 ref: 0000000140092843
ScreenToClient.USER32 ref: 0000000140092852
PtInRect.USER32 ref: 0000000140092860

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Cursor$ClientConditionEmptyMaskScreen$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2548857199-0
Opcode ID: f1c5da4c657e604ce041ed9e1736694d688306d6a3e13c4a1c496cf4e0806d95
Instruction ID: 77856b934ba56bd4355dd74fda6266ea0bc4e2553eefba3a9ae903759421c6c0
Opcode Fuzzy Hash: f1c5da4c657e604ce041ed9e1736694d688306d6a3e13c4a1c496cf4e0806d95
Instruction Fuzzy Hash: 8F312836625A4082FB529F63E9947EA73A4F79CB81F441026EB0B87AB4DF78C444CB00

Function 00000001400A201C Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 295COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00000001400A207D
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A20D5
CreateCompatibleDC.GDI32 ref: 00000001400A20EA

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Strings

, xrefs: 00000001400A23A9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CreateHash$BrushCompatibleFillImplImpl::RectSolid
String ID:
API String ID: 3371017225-3916222277
Opcode ID: 70aaa54d921bc1ae0faec4f8527f1ad9e1a4f36762b2a5c5772fcee96d78db83
Instruction ID: 778977e43ab98b68219c451754782bb00b71bd7068432214ac57fc4975aa2649
Opcode Fuzzy Hash: 70aaa54d921bc1ae0faec4f8527f1ad9e1a4f36762b2a5c5772fcee96d78db83
Instruction Fuzzy Hash: B6C1B1727146508AE715DF6AE84079EBBB0F798788F10422AEF8A57B79DB38D541CF00

Function 000000014014E7D8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 196windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014014E890
CreateCompatibleDC.GDI32 ref: 000000014014E8A2
CreateCompatibleBitmap.GDI32 ref: 000000014014E8F9
BitBlt.GDI32 ref: 000000014014E96C
BitBlt.GDI32 ref: 000000014014EA10
BitBlt.GDI32 ref: 000000014014EA40

Part of subcall function 00000001400A1748: IsRectEmpty.USER32 ref: 00000001400A17A0
Part of subcall function 00000001400A1748: DrawStateA.USER32 ref: 00000001400A183E
Part of subcall function 00000001400A1748: DrawStateA.USER32 ref: 00000001400A1885

Strings

, xrefs: 000000014014E943

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CompatibleCreateDrawHashState$BitmapEmptyImplImpl::Rect
String ID:
API String ID: 1835183343-3916222277
Opcode ID: 707eaacd1f333f90e7631025428f49f1178dd105f872df9eb0f716a6b6bc2dbc
Instruction ID: 76f1d7d6896b817909e1819b09f00ce5b0ef42ecc669885a25ed19fd19939006
Opcode Fuzzy Hash: 707eaacd1f333f90e7631025428f49f1178dd105f872df9eb0f716a6b6bc2dbc
Instruction Fuzzy Hash: 19913577704A808BE725CF66E48079D77B4F798B98F10412AEF8A93B68DB34D845CB40

Function 00000001400A2474 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 178windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A252A
CreateCompatibleDC.GDI32 ref: 00000001400A2540
CreateCompatibleBitmap.GDI32 ref: 00000001400A2576

Part of subcall function 00000001400A4464: FillRect.USER32 ref: 00000001400A44B2

Strings

, xrefs: 00000001400A2672

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CompatibleCreateHash$BitmapFillImplImpl::Rect
String ID:
API String ID: 113466278-3916222277
Opcode ID: 84dc484e5c904232f6caa8da5f617bbca15208de159a8312b796e6b9196e75c6
Instruction ID: ddbd8db7e0f1f5b303dc67e8cee8a39992395dca3635fc8f63ac495b5fd73301
Opcode Fuzzy Hash: 84dc484e5c904232f6caa8da5f617bbca15208de159a8312b796e6b9196e75c6
Instruction Fuzzy Hash: 91715A72B05A408AE711DFAAD8407DD77B1F798B98F044225EF4DA7B68DB34D845CB40

Function 000000014005A534 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 168windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014005A5A8

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

SendMessageA.USER32 ref: 000000014005A603
GetParent.USER32 ref: 000000014005A60F
SendMessageA.USER32 ref: 000000014005A62B
SendMessageA.USER32 ref: 000000014005A650
GetTextMetricsA.GDI32 ref: 000000014005A67F

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

Strings

VUUU, xrefs: 000000014005A69C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$ObjectSelect$ClientMetricsParentRectText
String ID: VUUU
API String ID: 816482960-2040033107
Opcode ID: fdc959638cc7a3c94e0ff965dabfb00faa49eacffd9b0214c83b248a498cf9d3
Instruction ID: 52b224af4de6620340dc33d11797ba4b885cbf428d672f953fe01127996e4c27
Opcode Fuzzy Hash: fdc959638cc7a3c94e0ff965dabfb00faa49eacffd9b0214c83b248a498cf9d3
Instruction Fuzzy Hash: 62719C32711A808AEB16DF66D554BDC37B1EB89BC8F048225EF095BB69EF39C941C740

Function 00000001400AA598 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 79windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400AA5C9
OffsetRect.USER32 ref: 00000001400AA5E9
SendMessageA.USER32 ref: 00000001400AA5FD
IsWindowVisible.USER32 ref: 00000001400AA607
SendMessageA.USER32 ref: 00000001400AA6BD
RedrawWindow.USER32 ref: 00000001400AA6D2

Strings

S, xrefs: 00000001400AA665

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$MessageRectSend$OffsetRedrawVisible
String ID: S
API String ID: 2707749077-543223747
Opcode ID: 4cf565f49e921ccb7bc34502981bad8b790a670e7d192dd13d5c1bfad2f892c9
Instruction ID: 0814a441e0061ba5179c8a20ca0494e58ad62e48a47107073c96871539167dfb
Opcode Fuzzy Hash: 4cf565f49e921ccb7bc34502981bad8b790a670e7d192dd13d5c1bfad2f892c9
Instruction Fuzzy Hash: A1316C3262468087E711CF26E894B9A7BB0F7C9B88F544215EB494BB68DB7EC540CF00

Function 0000000140034878 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00000001400348BF
ActivateActCtx.KERNEL32 ref: 00000001400348E4
GetLastError.KERNEL32 ref: 000000014003493A
DeactivateActCtx.KERNEL32 ref: 000000014003494D
SetLastError.KERNEL32 ref: 0000000140034959

Strings

ImageList_AddMasked, xrefs: 0000000140034902
IsolationAware function called after IsolationAwareCleanup, xrefs: 00000001400348B8

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_AddMasked$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-4170123302
Opcode ID: bcf03f3bded608e5f54bfa03bf49b8072a78e8522f988affc3d801a1478f7179
Instruction ID: 14033dc45e128cdc0a448c89edbbab7a7342dc11aa7db89a11585a432ff4c2b7
Opcode Fuzzy Hash: bcf03f3bded608e5f54bfa03bf49b8072a78e8522f988affc3d801a1478f7179
Instruction Fuzzy Hash: 6C317336210B5182FB139B67AC8439A67E4B78CBE0F450526AF1A9B3F0DF78D805C340

Function 0000000140006404 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140006446
ActivateActCtx.KERNEL32 ref: 000000014000646B
CreateDialogIndirectParamA.USER32 ref: 0000000140006499
GetLastError.KERNEL32 ref: 00000001400064B3
DeactivateActCtx.KERNEL32 ref: 00000001400064C6
SetLastError.KERNEL32 ref: 00000001400064D2

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000643F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateCreateDeactivateDebugDialogIndirectOutputParamString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 475891805-2690750368
Opcode ID: 10220c86ce94fa878582d0e8f7f699df8b336143fc0f0a2eb4041e5784e0c850
Instruction ID: 8653f6cf525813a225a874b27b9d65e10fbd50aaee495754c52300a0da069f31
Opcode Fuzzy Hash: 10220c86ce94fa878582d0e8f7f699df8b336143fc0f0a2eb4041e5784e0c850
Instruction Fuzzy Hash: 4F213676310F5586EB42DB63A8843AAA6E5FB9CFC0F444429EF4A977B4CF78C8058640

Function 000000014003E864 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014003E89F
ActivateActCtx.KERNEL32 ref: 000000014003E8C4
GetLastError.KERNEL32 ref: 000000014003E912
DeactivateActCtx.KERNEL32 ref: 000000014003E925
SetLastError.KERNEL32 ref: 000000014003E931

Strings

GetOpenFileNameA, xrefs: 000000014003E8E1
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014003E898

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: GetOpenFileNameA$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3929324911
Opcode ID: 27dc712620cf008f3d3ca39e635af03ba9b771f317b55e81b9cb09d9bfff0d09
Instruction ID: 1d8a0d5203312a9c9eb1dd0db8a6e14a08645fba437eafcd356ec93e3cb4acc6
Opcode Fuzzy Hash: 27dc712620cf008f3d3ca39e635af03ba9b771f317b55e81b9cb09d9bfff0d09
Instruction Fuzzy Hash: 02215136600B9286FB539B67AC4439A67E4BB8CBC0F440526DF4A873F0DF78C9058344

Function 000000014001A104 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,0000000140012532), ref: 000000014001A13C
ActivateActCtx.KERNEL32(?,?,?,?,?,0000000140012532), ref: 000000014001A161
RegisterClassA.USER32 ref: 000000014001A17E
GetLastError.KERNEL32(?,?,?,?,?,0000000140012532), ref: 000000014001A19A
DeactivateActCtx.KERNEL32(?,?,?,?,?,0000000140012532), ref: 000000014001A1AE
SetLastError.KERNEL32(?,?,?,?,?,0000000140012532), ref: 000000014001A1BA

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014001A135

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorLast$ActivateClassDeactivateDebugOutputRegisterString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 312599135-2690750368
Opcode ID: e128e79c6cafbca2257b4314d6881c3734b55cd186bbe52b900a141363012fec
Instruction ID: 2014e1aeb247783d24b3d6a6768d1fedea903a34b820ab61b25c40cfeb2df096
Opcode Fuzzy Hash: e128e79c6cafbca2257b4314d6881c3734b55cd186bbe52b900a141363012fec
Instruction Fuzzy Hash: 47214735604B9182FB129B67E8843A9B7E5FB8DBE0F440525EB4A9B7B4DF79C8418340

Function 000000014002C398 Relevance: 12.2, APIs: 8, Instructions: 220windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000000014002C3F3
GetDesktopWindow.USER32 ref: 000000014002C414
GetWindowRect.USER32 ref: 000000014002C42A
GetWindowRect.USER32 ref: 000000014002C438
IntersectRect.USER32 ref: 000000014002C668
EqualRect.USER32 ref: 000000014002C676
IsRectEmpty.USER32 ref: 000000014002C681
InvalidateRect.USER32 ref: 000000014002C6A2

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Window$DesktopEmptyEqualIntersectInvalidateVisible
String ID:
API String ID: 1271683057-0
Opcode ID: f582d979ad2efe50d9ddb8afa26ddb2a6fef03463898e4c2f67fb3d8bc4e7a9f
Instruction ID: be0d743b65ee016a4e2b173fe4a0f53007aaf8ab0a3f1a9df6ac02ba69317282
Opcode Fuzzy Hash: f582d979ad2efe50d9ddb8afa26ddb2a6fef03463898e4c2f67fb3d8bc4e7a9f
Instruction Fuzzy Hash: 59A16276710A0586EB16CB6AD4947ED27B0FB8CB88F444126EF0E97B69DF38C9858740

Function 00000001401300B0 Relevance: 12.2, APIs: 8, Instructions: 215timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001401300FC
KillTimer.USER32 ref: 0000000140130112
GetWindowRect.USER32 ref: 0000000140130130
ShowWindow.USER32 ref: 00000001401301C3
ShowWindow.USER32 ref: 0000000140130227
BringWindowToTop.USER32 ref: 0000000140130231
BringWindowToTop.USER32 ref: 000000014013023E
SetTimer.USER32 ref: 0000000140130279

Part of subcall function 00000001400D79A8: GetWindowRect.USER32 ref: 00000001400D79E9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Timer$BringKillRectShow
String ID:
API String ID: 411157578-0
Opcode ID: 170f047fc413d3c8f0aa85d2f3a8dfad3c1f9e12988d0987d88dae201c42f0d5
Instruction ID: f8104873e5332d622bcaa3de354a10279e611eab608bec9eac5400c82b76ee64
Opcode Fuzzy Hash: 170f047fc413d3c8f0aa85d2f3a8dfad3c1f9e12988d0987d88dae201c42f0d5
Instruction Fuzzy Hash: 60A12772700A448BFB5ACB66CAA87ED73E5F78CB84F044125DB1A576A5DF38D860C704

Function 00000001400E411C Relevance: 12.1, APIs: 8, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400E4177
GetParent.USER32 ref: 00000001400E41AA
SetParent.USER32 ref: 00000001400E4208
GetTopWindow.USER32 ref: 00000001400E42B5
GetWindow.USER32 ref: 00000001400E42D4
IsWindow.USER32 ref: 00000001400E42FB
GetParent.USER32 ref: 00000001400E4308
DestroyWindow.USER32 ref: 00000001400E4317

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Parent$DestroyMessageSend
String ID:
API String ID: 2635554982-0
Opcode ID: c18831b2b8ee27ed85c48bde17adb6acd1f35c6fa2ea9860c8f9486de3cf35f5
Instruction ID: 74d3e61f2ca7c91189e02b5a6b7a943266a658bd417abf59e0b3b44f372cf499
Opcode Fuzzy Hash: c18831b2b8ee27ed85c48bde17adb6acd1f35c6fa2ea9860c8f9486de3cf35f5
Instruction Fuzzy Hash: B3514732601A4482EB56DF67D4943E963A0FB89FE4F480525EF1E1BBB5DF39D8418390

Function 00000001400488B8 Relevance: 12.1, APIs: 8, Instructions: 98windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014004896C
SendMessageA.USER32 ref: 000000014004899E
IsWindow.USER32 ref: 00000001400489A7
RedrawWindow.USER32 ref: 00000001400489C0
IsWindow.USER32 ref: 00000001400489D1
ReleaseCapture.USER32 ref: 00000001400489E4
KillTimer.USER32 ref: 0000000140048A03
SendMessageA.USER32 ref: 0000000140048A2A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: 6ff3bd09c1e83a4a0eb0165b950ddcf6de4156f6381cf832c9797e211c82824b
Instruction ID: 4352e8bea2776b8310c392d947df775572282aba44613dd5afa983df9e1bcf8e
Opcode Fuzzy Hash: 6ff3bd09c1e83a4a0eb0165b950ddcf6de4156f6381cf832c9797e211c82824b
Instruction Fuzzy Hash: 73412732300A8197EB6E8F2296503EC76A5F78DFC0F090425EF5667661CF35D8B1870A

Function 000000014000E174 Relevance: 12.1, APIs: 8, Instructions: 76windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 000000014000E19C
GetMenuItemCount.USER32 ref: 000000014000E1A8
GetSubMenu.USER32 ref: 000000014000E1BA
GetMenuItemCount.USER32 ref: 000000014000E1D0
GetSubMenu.USER32 ref: 000000014000E1E3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$CountItem
String ID:
API String ID: 3435231853-0
Opcode ID: 8a2a8ac1f9183c3bfc258f1213e064b190d546274fe7a6b64e03b3cc978c33d4
Instruction ID: 0d9c15ad08e2c5ccff4ca77421fb56934aeeddbd4cc36b8e9f327a030b503cf3
Opcode Fuzzy Hash: 8a2a8ac1f9183c3bfc258f1213e064b190d546274fe7a6b64e03b3cc978c33d4
Instruction Fuzzy Hash: 2621A1B5704A9042FA17CBA3B8843AA62E6B78CFC0F544824EF176B774DE7CC5468700

Function 000000014011237C Relevance: 12.1, APIs: 8, Instructions: 76COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140063B84: GetCursorPos.USER32 ref: 0000000140063BC0
Part of subcall function 0000000140063B84: OffsetRect.USER32 ref: 0000000140063BF5
Part of subcall function 0000000140063B84: RedrawWindow.USER32 ref: 0000000140063C37

PtInRect.USER32 ref: 00000001401123C6
InvalidateRect.USER32 ref: 00000001401123FA
UpdateWindow.USER32 ref: 0000000140112404
IsRectEmpty.USER32 ref: 0000000140112414
PtInRect.USER32 ref: 0000000140112426
InvalidateRect.USER32 ref: 000000014011245A
UpdateWindow.USER32 ref: 0000000140112464
TrackMouseEvent.USER32 ref: 0000000140112498

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Window$InvalidateUpdate$CursorEmptyEventMouseOffsetRedrawTrack
String ID:
API String ID: 898900272-0
Opcode ID: 11c8ab350b75d3996d83322c122ff4c715e6a4ebcb5de551a5d73cbf8b00ecde
Instruction ID: 8b9ea04724db78bebe6a9408626d8f4a633bfdb00688cca848dc1d22a9f451c6
Opcode Fuzzy Hash: 11c8ab350b75d3996d83322c122ff4c715e6a4ebcb5de551a5d73cbf8b00ecde
Instruction Fuzzy Hash: 2D311C32200B90C6EB658F23D5943A97BA6F78CF99F044125DF495BBA8DF39C465CB10

Function 00000001401042F4 Relevance: 10.8, APIs: 7, Instructions: 308COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014010437D
SetRectEmpty.USER32 ref: 000000014010438F
IsRectEmpty.USER32 ref: 000000014010439F
IsRectEmpty.USER32 ref: 000000014010444A
CreateRectRgnIndirect.GDI32 ref: 0000000140104568

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

IsRectEmpty.USER32 ref: 0000000140104727
IsRectEmpty.USER32 ref: 0000000140104763

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$CreateExceptionIndirectThrow
String ID:
API String ID: 668937991-0
Opcode ID: 204e4f4779de2cbf8a0b54cc3d2fc5051d95e127aee18139b0550602959196ae
Instruction ID: 4fa78d4eb9629cb1b2137781e6ea10e3979f4d0458074150cb42b92f096b8c18
Opcode Fuzzy Hash: 204e4f4779de2cbf8a0b54cc3d2fc5051d95e127aee18139b0550602959196ae
Instruction Fuzzy Hash: 8BE17BB6B00B8096EB16DB66C4843ED73A1F78DB88F044226DF5957B66EF34D5A4C380

Function 00000001400285B8 Relevance: 10.7, APIs: 7, Instructions: 249COMMONLIBRARYCODE

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00000001400286D6
CoTaskMemFree.OLE32 ref: 00000001400287A9
CoTaskMemFree.OLE32 ref: 00000001400287B9
CoTaskMemFree.OLE32 ref: 00000001400287F9
CoTaskMemFree.OLE32 ref: 0000000140028808
CoTaskMemFree.OLE32 ref: 0000000140028843
CoTaskMemFree.OLE32 ref: 0000000140028852

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: FreeTask$ClearVariant
String ID:
API String ID: 903088277-0
Opcode ID: 993fa596e5cddf711fea8a0ea3d2f49fa2e544bd2157dd3b6717c09891c02c59
Instruction ID: 0b0d54c6f3a753077958bdf3026fedac4755858d4bbb2517c69e4000ae342c9e
Opcode Fuzzy Hash: 993fa596e5cddf711fea8a0ea3d2f49fa2e544bd2157dd3b6717c09891c02c59
Instruction Fuzzy Hash: DEA12636302A0086EB6ADF2AD4A47AD63A4FB89F94F145529DF4E63B75CF34C865C304

Function 00000001400823E0 Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 204COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014008255D

Strings

%TsMFCToolBar-%d%x, xrefs: 0000000140082497
MFCToolBars, xrefs: 0000000140082418
%TsMFCToolBar-%d, xrefs: 0000000140082484
Buttons, xrefs: 00000001400825E3
Name, xrefs: 00000001400825AD

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window
String ID: %TsMFCToolBar-%d$%TsMFCToolBar-%d%x$Buttons$MFCToolBars$Name
API String ID: 2353593579-190999575
Opcode ID: 2d9ec0b4c51ad9e9b872ed3a02a03215acb8b58b2289fc56769e407e2a023f0a
Instruction ID: d94e2b95da68ad7f26b9a793d0aaa5879b804f73a1ba015cfba391665e831530
Opcode Fuzzy Hash: 2d9ec0b4c51ad9e9b872ed3a02a03215acb8b58b2289fc56769e407e2a023f0a
Instruction Fuzzy Hash: 83819172211A4482EB15EB2AE8503DE67A0FBC9FE4F405226AB6E477F5DF38C945C740

Function 000000014009C820 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011CC8: GetForegroundWindow.USER32 ref: 0000000140011CD1
Part of subcall function 0000000140011CC8: IsChild.USER32 ref: 0000000140011CF1
Part of subcall function 0000000140011CC8: SetForegroundWindow.USER32 ref: 0000000140011D0C

GetClientRect.USER32 ref: 000000014013DEDA
GetWindowRect.USER32 ref: 000000014013DEF0
OffsetRect.USER32 ref: 000000014013DF12
OffsetRect.USER32 ref: 000000014013DF35
SendMessageA.USER32 ref: 000000014013DF6B

Strings

@, xrefs: 000000014009C8C7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Window$ForegroundOffset$ChildClientMessageSend
String ID: @
API String ID: 2015933643-2766056989
Opcode ID: 2310adb0bfa284a0eac4d395bb641e824f7f0078bc221a62098387edf2b55917
Instruction ID: aef859f6fce198b3cd78924d48442090c2b24d507a42f4d4915c430fd7087f2f
Opcode Fuzzy Hash: 2310adb0bfa284a0eac4d395bb641e824f7f0078bc221a62098387edf2b55917
Instruction Fuzzy Hash: 1C717E72B21A5586FF06DB66E4957ED2360FB8CB88F544525EF4E0BAAADF38C4058340

Function 00000001400BA2B8 Relevance: 10.6, APIs: 7, Instructions: 150COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 00000001400BA320
CreateDIBSection.GDI32 ref: 00000001400BA3D7
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400BA3F8
CreateCompatibleDC.GDI32 ref: 00000001400BA400
SelectObject.GDI32 ref: 00000001400BA419
SelectObject.GDI32 ref: 00000001400BA48F
DeleteObject.GDI32 ref: 00000001400BA4A9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object$CreateHashSelect$CompatibleDeleteImplImpl::Section
String ID:
API String ID: 4202567346-0
Opcode ID: 3d0437d88d3e56ccce75fa4bdd7bc5dd39a9295602c6478965fe5ec92c6ae632
Instruction ID: 8df90cddd7ed562167812d9f7f453183bc0c03e8c5ec37defa30d697d91ebed4
Opcode Fuzzy Hash: 3d0437d88d3e56ccce75fa4bdd7bc5dd39a9295602c6478965fe5ec92c6ae632
Instruction Fuzzy Hash: 4F613A72B00A408AE715DFA6D4547ED33B2F749BA8F454125EF192B7A8DF78C445C740

Function 00000001400160D4 Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 130libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001614A

Part of subcall function 00000001401926AC: EnterCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926BC
Part of subcall function 00000001401926AC: LeaveCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926FC

GetProcAddress.KERNEL32 ref: 000000014001619E
GetProcAddress.KERNEL32 ref: 00000001400161E5

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

Strings

user32.dll, xrefs: 0000000140016143
CloseTouchInputHandle, xrefs: 00000001400161DE
GetTouchInputInfo, xrefs: 0000000140016197

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$AddressEnterProc$HandleLeaveModule
String ID: CloseTouchInputHandle$GetTouchInputInfo$user32.dll
API String ID: 2874807561-1853737257
Opcode ID: 80ee873cc1010cb6bf13c54d01b8489c2b0f877281af2a9c764219ed0a6096fe
Instruction ID: c8d4d7835de1e3644dae78c887b92a5a141e43a480f93f0b165f8fb227fcd360
Opcode Fuzzy Hash: 80ee873cc1010cb6bf13c54d01b8489c2b0f877281af2a9c764219ed0a6096fe
Instruction Fuzzy Hash: 7F512671600A4196EA52EB63EC84BE533A5B79CBD0F480625EF094B7F2DFBAC845C700

Function 000000014003C224 Relevance: 10.6, APIs: 7, Instructions: 123timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C2B5
FileTimeToSystemTime.KERNEL32 ref: 000000014003C2CA
GetFileAttributesExA.KERNEL32 ref: 000000014003C2F5
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C309
FileTimeToSystemTime.KERNEL32 ref: 000000014003C31B
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C34B
FileTimeToSystemTime.KERNEL32 ref: 000000014003C35D

Part of subcall function 000000014003BD08: GetModuleHandleA.KERNEL32 ref: 000000014003BD3A
Part of subcall function 000000014003BD08: GetProcAddress.KERNEL32 ref: 000000014003BD4F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Time$File$LocalSystem$AddressAttributesHandleModuleProc
String ID:
API String ID: 1857739635-0
Opcode ID: f7ad6baea61a333cc7098ee54a0ce0ce9e3f698c21cb54d2ed676cf1b179ff62
Instruction ID: d32a96e57b1f9206397bc19fb2f8ea740b3796b149bc9578628cd8f6eb236056
Opcode Fuzzy Hash: f7ad6baea61a333cc7098ee54a0ce0ce9e3f698c21cb54d2ed676cf1b179ff62
Instruction Fuzzy Hash: 50514A72720A1595FB12CFB6D8907EE23B1B748BD8F908015EF0A9B6A8EF74C655C350

Function 000000014007E634 Relevance: 10.6, APIs: 7, Instructions: 109COMMON

Download Yara Rule

APIs

UpdateWindow.USER32 ref: 000000014007E6DC
EqualRect.USER32 ref: 000000014007E713
InflateRect.USER32 ref: 000000014007E734
InvalidateRect.USER32 ref: 000000014007E747
InflateRect.USER32 ref: 000000014007E761
InvalidateRect.USER32 ref: 000000014007E772
UpdateWindow.USER32 ref: 000000014007E77C

Part of subcall function 000000014007C2FC: InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,000000014007A285), ref: 000000014007C37F
Part of subcall function 000000014007C2FC: InflateRect.USER32 ref: 000000014007C40E
Part of subcall function 000000014007C2FC: RedrawWindow.USER32 ref: 000000014007C425

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$InflateInvalidateWindow$Update$EqualRedraw
String ID:
API String ID: 4176466011-0
Opcode ID: efe9857a0961afb9f9de582d9d0e8efb01a76156b97e09ca1310c303abe06439
Instruction ID: b2c10a17082016809b39f3d6fe6c233dc29a835fb20a11c8b79eb528dc36c743
Opcode Fuzzy Hash: efe9857a0961afb9f9de582d9d0e8efb01a76156b97e09ca1310c303abe06439
Instruction Fuzzy Hash: 5841AC36705A8482EB298B22D9847E9B3A0F78CFC4F108225EF5A577A4EF3CD455CB00

Function 0000000140076704 Relevance: 10.6, APIs: 7, Instructions: 91windowCOMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014007674D
InflateRect.USER32 ref: 000000014007675E
PatBlt.GDI32 ref: 000000014007678D
PatBlt.GDI32 ref: 00000001400767AC
PatBlt.GDI32 ref: 00000001400767CE
PatBlt.GDI32 ref: 00000001400767EF

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

FillRect.USER32 ref: 0000000140076841

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ConditionFillMask$InflateInfoMetricsSystemVerifyVersion
String ID:
API String ID: 1705627015-0
Opcode ID: 05ad6f832e3cf80e14e2e6fed39de59708126461fea29939235cc48148c0d2f8
Instruction ID: f1d73e292ed37f0a04f8834c87e6070eeb0c29191a1aa433d3728016bbf735d8
Opcode Fuzzy Hash: 05ad6f832e3cf80e14e2e6fed39de59708126461fea29939235cc48148c0d2f8
Instruction Fuzzy Hash: 56413D726106548BE725DF67E984B89B7A0F74CB94F40851AAB5A83BB0CF7CE850CF00

Function 00000001400920F8 Relevance: 10.6, APIs: 7, Instructions: 88windowCOMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 0000000140092138
GetCursorPos.USER32 ref: 000000014009215E
GetSystemMetrics.USER32 ref: 0000000140092190
GetCapture.USER32 ref: 0000000140092198
ReleaseCapture.USER32 ref: 00000001400921CC
GetParent.USER32 ref: 00000001400921EA
SendMessageA.USER32 ref: 0000000140092215

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Capture$Release$CursorMessageMetricsParentSendSystem
String ID:
API String ID: 237134002-0
Opcode ID: f1ee6e50503388a728ff2d860e78424e8f36a17eadc171d106be286c8d40a10b
Instruction ID: d414f7da52d9090cf3e6d61d0945b5f9cd18a3c4e10f48d146ce99eaa3281846
Opcode Fuzzy Hash: f1ee6e50503388a728ff2d860e78424e8f36a17eadc171d106be286c8d40a10b
Instruction Fuzzy Hash: 26411D36610A40CAEB66DF7AD8847E837A0F78CF99F144125FB0A476A5DB38C585CB10

Function 00000001400127B0 Relevance: 10.6, APIs: 7, Instructions: 70COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400127D7
GetWindowRect.USER32 ref: 0000000140012803
ScreenToClient.USER32 ref: 0000000140012811
ScreenToClient.USER32 ref: 000000014001281F
EqualRect.USER32 ref: 000000014001282D
DeferWindowPos.USER32 ref: 000000014001286C
SetWindowPos.USER32 ref: 0000000140012896

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$ClientRectScreen$DeferEqualParent
String ID:
API String ID: 443303494-0
Opcode ID: 6f1f532636ae0a8728bc5b9a7002e4acc31f33973a24ca7a824843026886c322
Instruction ID: 6035d3420e682ed13a173c8aa664ab7a0c0bd193d683f6138df59620661f8986
Opcode Fuzzy Hash: 6f1f532636ae0a8728bc5b9a7002e4acc31f33973a24ca7a824843026886c322
Instruction Fuzzy Hash: D0314F32214A808AEB558F26E5947A9B7B0F78DFD8F148115EB4A4BB68DF3DC454CB00

Function 0000000140094334 Relevance: 10.6, APIs: 7, Instructions: 65windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140094373
ReleaseCapture.USER32 ref: 000000014009439B
GetWindowRect.USER32 ref: 00000001400943B7
GetParent.USER32 ref: 00000001400943F2
SendMessageA.USER32 ref: 0000000140094412
SetRectEmpty.USER32 ref: 000000014009441B
SetRectEmpty.USER32 ref: 0000000140094428

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$CaptureMessageParentReleaseSendWindow
String ID:
API String ID: 2026794321-0
Opcode ID: 612de6c83303f14ba7b01e7bf65efad0f2e10313e95250234140461c58827fb8
Instruction ID: 81cb96a4a5cff18e626326e3fb37320f412b65a0b0792915e51ffd3de682f922
Opcode Fuzzy Hash: 612de6c83303f14ba7b01e7bf65efad0f2e10313e95250234140461c58827fb8
Instruction Fuzzy Hash: C6314836614A8482EB11CF22E4847AD73B0F78CF88F554625EF994B728DF79C945CB40

Function 00000001400241B8 Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400241C5
SendMessageA.USER32 ref: 00000001400241DB
GetFocus.USER32(?,?,?,00000001400241AF,?,?,00000000,000000014000B515), ref: 00000001400241FA
SendMessageA.USER32 ref: 0000000140024210

Part of subcall function 0000000140012330: GetParent.USER32 ref: 0000000140012359

GetLastActivePopup.USER32 ref: 000000014002423C
SendMessageA.USER32 ref: 0000000140024252

Part of subcall function 0000000140012330: GetWindowLongA.USER32 ref: 000000014001237D
Part of subcall function 0000000140012330: GetParent.USER32 ref: 000000014001238C

SendMessageA.USER32 ref: 000000014002427F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend$Parent$ActiveCaptureFocusLastLongPopupWindow
String ID:
API String ID: 3194460488-0
Opcode ID: b61d15ef9ca980beb28f3bf8acff6c6f008ade9a9baf740c94563c7844846f26
Instruction ID: b4134cd19e12dbccf35b1be88bca45655c619be53e29b8062babe0662babc4c5
Opcode Fuzzy Hash: b61d15ef9ca980beb28f3bf8acff6c6f008ade9a9baf740c94563c7844846f26
Instruction Fuzzy Hash: 68213334315A4182FF6B9B63A951BE91695AB9DFC4F481438BF0A0FBA1EE3DC8544300

Function 00000001400082BC Relevance: 10.6, APIs: 7, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00000001400082DC
lstrcmpA.KERNEL32 ref: 00000001400082EC
DocumentPropertiesA.WINSPOOL.DRV ref: 000000014000833B
GlobalAlloc.KERNEL32 ref: 0000000140008348
GlobalLock.KERNEL32 ref: 0000000140008358
DocumentPropertiesA.WINSPOOL.DRV ref: 0000000140008379
ClosePrinter.WINSPOOL.DRV ref: 000000014000839C

Part of subcall function 000000014001B240: GlobalFlags.KERNEL32(?,?,?,?,?,?,?,00000001400666D0,?,?,?,000000014009EF32), ref: 000000014001B252
Part of subcall function 000000014001B240: GlobalUnlock.KERNEL32 ref: 000000014001B262
Part of subcall function 000000014001B240: GlobalFree.KERNEL32 ref: 000000014001B270

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreePrinter.Unlocklstrcmp
String ID:
API String ID: 992435789-0
Opcode ID: beb639c678da0addad8fc662929d67eb676ea3125c368d6263fb682b4a5ef6fd
Instruction ID: 24bb22d11aeb24d1f248ac47737e953fecc81ec1b61c2858d6db9537e3c7a991
Opcode Fuzzy Hash: beb639c678da0addad8fc662929d67eb676ea3125c368d6263fb682b4a5ef6fd
Instruction Fuzzy Hash: 35215471210A8086EB65DB23E5553AE62A0FB8DFC4F148525EF8E4BAB6CF3DC5448700

Function 000000014001E6A0 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,000000014000910C), ref: 000000014001E6D8
GetProcAddress.KERNEL32(?,?,?,000000014000910C), ref: 000000014001E6ED
EncodePointer.KERNEL32(?,?,?,000000014000910C), ref: 000000014001E6F9
DecodePointer.KERNEL32(?,?,?,000000014000910C), ref: 000000014001E708

Strings

RegisterApplicationRecoveryCallback, xrefs: 000000014001E6E3
kernel32.dll, xrefs: 000000014001E6D1

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRecoveryCallback$kernel32.dll
API String ID: 2061474489-202725706
Opcode ID: 603698e5afad0d30f6280204f3769c8f657c342402101958f4ca94f6f4b5e22e
Instruction ID: 9821f6e2af990964298689372ac7f7fd5d17ad684ef1fef6d070f4f8f2aac07d
Opcode Fuzzy Hash: 603698e5afad0d30f6280204f3769c8f657c342402101958f4ca94f6f4b5e22e
Instruction Fuzzy Hash: 21115731306B9181FA669B03B84439876E4A78CFD0F485465AF4A4B7B0DF39D4418340

Function 000000014001E7CC Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001E804
GetProcAddress.KERNEL32 ref: 000000014001E819
EncodePointer.KERNEL32 ref: 000000014001E825
DecodePointer.KERNEL32 ref: 000000014001E834

Strings

SHCreateItemFromParsingName, xrefs: 000000014001E80F
shell32.dll, xrefs: 000000014001E7FD

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHCreateItemFromParsingName$shell32.dll
API String ID: 2061474489-2320870614
Opcode ID: dd980e01acb41a6aa916e2fc5e4482f893b197ef2f9fbca28cc64a7cfc9758a4
Instruction ID: 6de0aaea82ef63c439665beca652254c934b2112c32d5646891f6c8d05205417
Opcode Fuzzy Hash: dd980e01acb41a6aa916e2fc5e4482f893b197ef2f9fbca28cc64a7cfc9758a4
Instruction Fuzzy Hash: BE111331606B9085FA569B03A89839977A4FB9CFC0F484469AF8E0B7B4DF39C451C300

Function 000000014001E874 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001E8AB
GetProcAddress.KERNEL32 ref: 000000014001E8C0
EncodePointer.KERNEL32 ref: 000000014001E8CC
DecodePointer.KERNEL32 ref: 000000014001E8DB

Strings

shell32.dll, xrefs: 000000014001E8A4
SHGetKnownFolderPath, xrefs: 000000014001E8B6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: SHGetKnownFolderPath$shell32.dll
API String ID: 2061474489-2936008475
Opcode ID: 54c40a41480f1968f1d9172789c2432c3a9b4066d5a102ab34281872467aab0b
Instruction ID: dbd1e026bc61bd0adf75fe10b3aa24b77fed62c9ae3cd984d4a6fa4d8db5eed3
Opcode Fuzzy Hash: 54c40a41480f1968f1d9172789c2432c3a9b4066d5a102ab34281872467aab0b
Instruction Fuzzy Hash: 6E111331716B9581FA169B47A854398B7A4F79CFC0F484469AF4E1B7B8DF39C4518340

Function 000000014001E358 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 000000014001E37F
GetProcAddress.KERNEL32 ref: 000000014001E394
EncodePointer.KERNEL32 ref: 000000014001E3A0
DecodePointer.KERNEL32 ref: 000000014001E3AF

Strings

uxtheme.dll, xrefs: 000000014001E378
EndBufferedPaint, xrefs: 000000014001E38A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: EndBufferedPaint$uxtheme.dll
API String ID: 2061474489-2993015961
Opcode ID: 9051f8c778b2ea458b23628fda055043400a39e1140617cad55c1bafcd1ccdcf
Instruction ID: 799512e02739a6a11572b38c7ffe6fbb88b01c77a9d06a522623ee31e890eda2
Opcode Fuzzy Hash: 9051f8c778b2ea458b23628fda055043400a39e1140617cad55c1bafcd1ccdcf
Instruction Fuzzy Hash: 4E014F30306B8082FE568B17B85839862E0AB8CFC0F585425AB5E4B3B4EF38C5458700

Function 000000014001E748 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(?,?,?,00000001400090EC), ref: 000000014001E76F
GetProcAddress.KERNEL32(?,?,?,00000001400090EC), ref: 000000014001E784
EncodePointer.KERNEL32(?,?,?,00000001400090EC), ref: 000000014001E790
DecodePointer.KERNEL32(?,?,?,00000001400090EC), ref: 000000014001E79F

Strings

RegisterApplicationRestart, xrefs: 000000014001E77A
kernel32.dll, xrefs: 000000014001E768

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeHandleModuleProc
String ID: RegisterApplicationRestart$kernel32.dll
API String ID: 2061474489-1259503209
Opcode ID: d07e0d34c9c5bf5429a46980766452ded4651a4467a3de348edc0d06371a1ef2
Instruction ID: 557392444f7acb0320c3a5059489c74ac2c9910f882c707f00651644ad2bc012
Opcode Fuzzy Hash: d07e0d34c9c5bf5429a46980766452ded4651a4467a3de348edc0d06371a1ef2
Instruction Fuzzy Hash: 2C01193170AA9182FE66CB57B8583E962E0AB8CFD4F584464EB4E4B7B4EF38C4518700

Function 000000014008A4E0 Relevance: 9.3, APIs: 6, Instructions: 276windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32 ref: 000000014008A535

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

CopyIcon.USER32 ref: 000000014008A543
DestroyIcon.USER32 ref: 000000014008A65D
GetParent.USER32 ref: 000000014008A7F6
GetParent.USER32 ref: 000000014008A84A
RedrawWindow.USER32 ref: 000000014008A86F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Icon$DestroyParent$CopyExceptionRedrawThrowWindow
String ID:
API String ID: 1709181241-0
Opcode ID: c7cc4c5aa5d4520c2c2549eaa1557ee336fe8bd1ea76f0edf09704ec9c2bdd7c
Instruction ID: ba56f32b9f985b4570e703a6378ba7377c4cba17827675ec8c9b48408fe7ddd7
Opcode Fuzzy Hash: c7cc4c5aa5d4520c2c2549eaa1557ee336fe8bd1ea76f0edf09704ec9c2bdd7c
Instruction Fuzzy Hash: 50C15C36701A5086FB56DB27D4943E923A1FB8DBC4F184136EB094BBB9EF79C5928700

Function 000000014016217C Relevance: 9.2, APIs: 6, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetSystemMenu.USER32 ref: 0000000140162257
IsMenu.USER32 ref: 0000000140162271
IsMenu.USER32 ref: 0000000140162282
GetWindowLongA.USER32 ref: 00000001401622AA
GetMenuItemInfoA.USER32 ref: 000000014016239E
RedrawWindow.USER32 ref: 00000001401623FE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$Window$InfoItemLongRedrawSystem
String ID:
API String ID: 2777924814-0
Opcode ID: 25b9ff89710a65c160bb07fd54f5ff6672dd3c937e8a76e319ac8446ef8d287b
Instruction ID: d8a202d61822fae17210d9b4ad9f011f56ac1054b444526b79f7ac6693503d31
Opcode Fuzzy Hash: 25b9ff89710a65c160bb07fd54f5ff6672dd3c937e8a76e319ac8446ef8d287b
Instruction Fuzzy Hash: D3716E76201A8086FB569F2798543EA27A1F789F98F084939DF5E0B7E5DF38C4458704

Function 000000014007E7E0 Relevance: 9.2, APIs: 6, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f356717c9e4e47fb630d9d1aad7612d26721290a403c9705d5c9fae9a51e96a6
Instruction ID: 28fbb3c4555720bc2cc393eed3dd701af366d0d79290d3e322374128f31aff27
Opcode Fuzzy Hash: f356717c9e4e47fb630d9d1aad7612d26721290a403c9705d5c9fae9a51e96a6
Instruction Fuzzy Hash: 1D614736601A8582EB56AF27E8443E967A1F78DFC4F488035EF0A4B7B4EE39C446C301

Function 000000014006601C Relevance: 9.2, APIs: 6, Instructions: 150windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140066074
CreateCompatibleDC.GDI32 ref: 000000014006607C
CreateDIBSection.GDI32 ref: 0000000140066116
CreateCompatibleBitmap.GDI32 ref: 0000000140066132
FillRect.USER32 ref: 0000000140066194
DrawStateA.USER32 ref: 00000001400661CB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Create$CompatibleHash$BitmapDrawFillImplImpl::RectSectionStateWindow
String ID:
API String ID: 1031390013-0
Opcode ID: 8352c1e63e2230702d54cd908370a2d68bf4fac40f3b8f6b7e1b9df9d67bc498
Instruction ID: 1dab2b26bdcf91615e21f207206829d60612bfeb03c0f8aba15b667f3b82f01e
Opcode Fuzzy Hash: 8352c1e63e2230702d54cd908370a2d68bf4fac40f3b8f6b7e1b9df9d67bc498
Instruction Fuzzy Hash: 28615572710A408AEB12DFA6E8907DE73B5B788798F10452AEF4D57BA9CF74C458CB00

Function 000000014008E388 Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014008E545
SetRectEmpty.USER32 ref: 000000014008E54E
SetRectEmpty.USER32 ref: 000000014008E573
SetRectEmpty.USER32 ref: 000000014008E5CC
SetRectEmpty.USER32 ref: 000000014008E5D5
SetRectEmpty.USER32 ref: 000000014008E5DE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: e7bea7843111b36d054903a46d774165d23f85fc9c3e34bfc2ed7f65e5661339
Instruction ID: 91394957eebae8f4e06ecbf172874733e988caa2ac3f09ada7803fb7096d85c7
Opcode Fuzzy Hash: e7bea7843111b36d054903a46d774165d23f85fc9c3e34bfc2ed7f65e5661339
Instruction Fuzzy Hash: 0361C476101F9895D782DF12EA88BCA73ACFB48750F96852AEB9D43360EF348565C701

Function 000000014011A73C Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 000000014011A624: GetProfileIntA.KERNEL32 ref: 000000014011A698
Part of subcall function 000000014011A624: GetProfileIntA.KERNEL32 ref: 000000014011A6B8

CopyRect.USER32 ref: 000000014011A79E
GetCursorPos.USER32 ref: 000000014011A7B0
SetRect.USER32 ref: 000000014011A7CE
IsRectEmpty.USER32 ref: 000000014011A7F3
InflateRect.USER32 ref: 000000014011A809
DoDragDrop.OLE32 ref: 000000014011A870

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Profile$CopyCursorDragDropEmptyInflate
String ID:
API String ID: 1351899944-0
Opcode ID: 8a392993abe23d09970579fd873a75b6b606e8d72446d436f35b827d2af3b75c
Instruction ID: deed8a5652506851cb2f41e243453cb0a48ee4e513c1becaabe51195acb9c9cc
Opcode Fuzzy Hash: 8a392993abe23d09970579fd873a75b6b606e8d72446d436f35b827d2af3b75c
Instruction Fuzzy Hash: 39412E76201A4086EA669F17E8447D9B7A0F78CFE1F445226EF5A0BBB4DB3CC546C700

Function 00000001401384E4 Relevance: 9.1, APIs: 6, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014013851B
SendMessageA.USER32 ref: 000000014013857D
SendMessageA.USER32 ref: 00000001401385A4
SendMessageA.USER32 ref: 00000001401385C9
SendMessageA.USER32 ref: 00000001401385E7
SendMessageA.USER32 ref: 000000014013860C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: e15d21a990376fab482b4d2f9f8d9afafe372692fb8f9d1dc397197a419fe3e7
Instruction ID: 7523807c16d2b9d9f2e651a80314135f6a944ee43ed9fb982ed31cb1a8ef81c9
Opcode Fuzzy Hash: e15d21a990376fab482b4d2f9f8d9afafe372692fb8f9d1dc397197a419fe3e7
Instruction Fuzzy Hash: 7131A276701A9082E7019B67E854B8E67A1FBC8FE4F8182259F2D47BB5DE78C9468340

Function 00000001400E0360 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 00000001400E0390
GetTopWindow.USER32 ref: 00000001400E03DD
GetWindow.USER32 ref: 00000001400E042B
IsWindow.USER32 ref: 00000001400E045B
GetParent.USER32 ref: 00000001400E0468
DestroyWindow.USER32 ref: 00000001400E0477

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Destroy$AcceleratorParentTable
String ID:
API String ID: 3451810566-0
Opcode ID: 8a60a8c03e2872724cc266959311ffb317f804d966576e785583c3f2b6a366fa
Instruction ID: 26b505a7da75dc27f1ca09e6cb227c545c0d28ba057f1c9a5eaa9d5e0b43eb63
Opcode Fuzzy Hash: 8a60a8c03e2872724cc266959311ffb317f804d966576e785583c3f2b6a366fa
Instruction Fuzzy Hash: 1B4141B2611B4082EA269B23E5443A963B4F78CFE0F140225EF9A57BF5DF38C995C340

Function 00000001400DE198 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 00000001400DE1C7
GetTopWindow.USER32 ref: 00000001400DE215
GetWindow.USER32 ref: 00000001400DE256
IsWindow.USER32 ref: 00000001400DE27D
GetParent.USER32 ref: 00000001400DE28A
DestroyWindow.USER32 ref: 00000001400DE299

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Destroy$AcceleratorParentTable
String ID:
API String ID: 3451810566-0
Opcode ID: eac9d03e845e7da886381d355dc897a194c40ab76c27a13600d4ccf98215fb04
Instruction ID: 9ca89aa70100e21113356716221f6bdab5292b7d9e1e4c707b6d38dd25ea9406
Opcode Fuzzy Hash: eac9d03e845e7da886381d355dc897a194c40ab76c27a13600d4ccf98215fb04
Instruction Fuzzy Hash: A7415B32610B8086EA66AB13E4443FD6365FB9DBE0F180225EF5A076A5DF38C542C710

Function 000000014009C668 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014009C6A7
IsThemeBackgroundPartiallyTransparent.UXTHEME ref: 000000014009C6C4
DrawThemeParentBackground.UXTHEME ref: 000000014009C6DA
SetRectEmpty.USER32 ref: 000000014009C6EC
SystemParametersInfoA.USER32 ref: 000000014009C6FE
DrawThemeBackground.UXTHEME ref: 000000014009C746

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: BackgroundTheme$DrawRect$ClientEmptyInfoParametersParentPartiallySystemTransparent
String ID:
API String ID: 3870343638-0
Opcode ID: f2a5cf92459e566e834c9d50ac5cef6b62362c5e5aa7093cb48db557960703e0
Instruction ID: 8826ba32f2c8849f7a9ba9d2bc0e2806bdab26da01694472bbaf8e85c8b3a8ae
Opcode Fuzzy Hash: f2a5cf92459e566e834c9d50ac5cef6b62362c5e5aa7093cb48db557960703e0
Instruction Fuzzy Hash: B3313D76B20A548AFB11DB62D894BDD77B0FB4CB88F544521EF0967A28DB34C544C740

Function 00000001400A8674 Relevance: 9.1, APIs: 6, Instructions: 67timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 00000001400A8699
ReleaseCapture.USER32 ref: 00000001400A86A7
PtInRect.USER32 ref: 00000001400A86F8
InvalidateRect.USER32 ref: 00000001400A875E
SetTimer.USER32 ref: 00000001400A8786

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 05ba7cfb7c42a4418c401342e810f43dbe435cf8e48eebe1a1882f71db991369
Instruction ID: aaa7c8dc2bd94924866484808fc33ce8bd57150d488edc75160e70228842eea2
Opcode Fuzzy Hash: 05ba7cfb7c42a4418c401342e810f43dbe435cf8e48eebe1a1882f71db991369
Instruction Fuzzy Hash: 61314F7A204A4182EB658F23D9583ED27A1F758FC9F188235EF460B6A4DF39C584CB11

Function 00000001400487D4 Relevance: 9.1, APIs: 6, Instructions: 54windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400487F3
SendMessageA.USER32 ref: 0000000140048829
SetCapture.USER32 ref: 0000000140048855
InvalidateRect.USER32 ref: 0000000140048872
UpdateWindow.USER32 ref: 000000014004887C
SetTimer.USER32 ref: 000000014004889A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CaptureInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 3683363781-0
Opcode ID: 32537d589d6da56e7f63cd049dea78263d0a82d5554c78dfd1009b903560a915
Instruction ID: e0563a391f8bf94345c0a7c631e6993b2937ea0bcd0c1e921f26c5253727a4d8
Opcode Fuzzy Hash: 32537d589d6da56e7f63cd049dea78263d0a82d5554c78dfd1009b903560a915
Instruction Fuzzy Hash: D5210735711A4083EB2A9B67E5953ED66A0F78CFC4F544039EF4A0BBA1CF3AD4528700

Function 00000001401663AC Relevance: 9.1, APIs: 6, Instructions: 53timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001401663D7
SetRectEmpty.USER32 ref: 00000001401663F3
IsWindow.USER32 ref: 000000014016640F
IsWindow.USER32 ref: 0000000140166448
GetCursorPos.USER32 ref: 0000000140166457
ScreenToClient.USER32 ref: 0000000140166466

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$ClientCursorEmptyKillRectScreenTimer
String ID:
API String ID: 59764216-0
Opcode ID: 4f843b9c96215bccad5c7d5444644577144f3d579183cacd4169878729154414
Instruction ID: ee351df4d2b1173cf167c97c1bdbf7bbbeca48457aa1f4e66f21718051f4f57b
Opcode Fuzzy Hash: 4f843b9c96215bccad5c7d5444644577144f3d579183cacd4169878729154414
Instruction Fuzzy Hash: DD21E436204A8082EB05DF26E8943ED67B0FB89F85F584425EB4A4B7B9DF39C846C711

Function 0000000140112208 Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006395C: ReleaseCapture.USER32 ref: 000000014006399E
Part of subcall function 000000014006395C: IsWindow.USER32 ref: 00000001400639BF
Part of subcall function 000000014006395C: DestroyWindow.USER32 ref: 00000001400639D0
Part of subcall function 000000014006395C: GetParent.USER32 ref: 00000001400639F0
Part of subcall function 000000014006395C: IsRectEmpty.USER32 ref: 0000000140063AAF

InvalidateRect.USER32 ref: 0000000140112237
UpdateWindow.USER32 ref: 0000000140112241
GetParent.USER32 ref: 000000014011226D
SendMessageA.USER32 ref: 000000014011228E
InvalidateRect.USER32 ref: 00000001401122B7
UpdateWindow.USER32 ref: 00000001401122C1

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Rect$InvalidateParentUpdate$CaptureDestroyEmptyMessageReleaseSend
String ID:
API String ID: 3907864948-0
Opcode ID: b37b8c27562feb0a62d400c84129cbc6b4befd86dd7806d9b095d15f22eb373f
Instruction ID: 45cb732ecbdf0e266f5d072208fc47f31a866786e83cf57959075817673f2af6
Opcode Fuzzy Hash: b37b8c27562feb0a62d400c84129cbc6b4befd86dd7806d9b095d15f22eb373f
Instruction Fuzzy Hash: 5821B832211A44CAFB6A9F62D8957EC27A1F789F49F040025CF0A0F6A4EF7AC4A4C710

Function 0000000140112138 Relevance: 9.0, APIs: 6, Instructions: 43windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32 ref: 000000014011217C
UpdateWindow.USER32 ref: 0000000140112186
GetParent.USER32 ref: 00000001401121A5
SendMessageA.USER32 ref: 00000001401121C6
InvalidateRect.USER32 ref: 00000001401121F0
UpdateWindow.USER32 ref: 00000001401121FA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: InvalidateRectUpdateWindow$MessageParentSend
String ID:
API String ID: 2428145105-0
Opcode ID: 15d3f5735ce3c16929ba5edd05587953e7a6055c710b8f7d0083118f217c6381
Instruction ID: 63f042ff872cb60b5a38979e3c251b875906a163bde1452c804c21abf31d3567
Opcode Fuzzy Hash: 15d3f5735ce3c16929ba5edd05587953e7a6055c710b8f7d0083118f217c6381
Instruction Fuzzy Hash: 4011AA75211A45CAFB5A9F62D8993E837A1E789F49F040035DF090F6A5DF7AC8A4CB10

Function 000000014008C3EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

GetParent.USER32 ref: 000000014008C631

Part of subcall function 0000000140024810: _CxxThrowException.LIBVCRUNTIME ref: 000000014002485E

Strings

MFCOutlookBars, xrefs: 000000014008C46A
%TsMFCOutlookBar-%d, xrefs: 000000014008C4D1
MFCOutlookCustomPages, xrefs: 000000014008C7A2
%TsMFCOutlookBar-%d%x, xrefs: 000000014008C4E4

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ExceptionThrow$Parent
String ID: %TsMFCOutlookBar-%d$%TsMFCOutlookBar-%d%x$MFCOutlookBars$MFCOutlookCustomPages
API String ID: 1716319653-3944741965
Opcode ID: f70dfae479a6366e5adf2e26eb335336b0f8e9c71f21092eb16eae164afa4f25
Instruction ID: 3253d468f5158c5adff518e5a0b1a64e8cd6f884bca30d691c11e71427df6dd1
Opcode Fuzzy Hash: f70dfae479a6366e5adf2e26eb335336b0f8e9c71f21092eb16eae164afa4f25
Instruction Fuzzy Hash: 4CC19F72215A8182EB12EB16E4507EE6361F789BE0F409126FB5E57BF5DF38C949CB00

Function 000000014017A228 Relevance: 9.0, APIs: 6, Instructions: 32windowCOMMON

Download Yara Rule

APIs

DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A246
DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A253
DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A260
DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A26D
DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A27A
DestroyIcon.USER32(?,?,?,000000014011EA21), ref: 000000014017A287

Part of subcall function 000000014000F898: DeleteDC.GDI32 ref: 000000014000F8BF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: DestroyIcon$Delete
String ID:
API String ID: 3598321939-0
Opcode ID: 6af8df00e1583b8acf09aa17d2239e23b3172b45def65010470a85e126296309
Instruction ID: da5971940ce3fe89824d223bfb895e1365d2b44f2a762276d1b8ea76ba91f46a
Opcode Fuzzy Hash: 6af8df00e1583b8acf09aa17d2239e23b3172b45def65010470a85e126296309
Instruction Fuzzy Hash: 89114276214E8091EB42AF26E8A43E82335F78CF89F544035EB4E87675DF34C556D310

Function 00000001400B83F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400B8455
GetTempPathA.KERNEL32 ref: 00000001400B84C5
GetTempFileNameA.KERNEL32 ref: 00000001400B8556
CreateFileA.KERNEL32 ref: 00000001400B85A6

Strings

AFX, xrefs: 00000001400B854C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: FileTemp$CloseCreateHandleNamePath
String ID: AFX
API String ID: 777972874-1300893600
Opcode ID: 6f82073cb42a3791417ba8703ede30ac5445ef4c2d7fc2ee3f5ebb1a0480e9a4
Instruction ID: 59bc10f2b77634c82a0551760ca0cad9fb1883aef669d0f20c815cf6df352cd3
Opcode Fuzzy Hash: 6f82073cb42a3791417ba8703ede30ac5445ef4c2d7fc2ee3f5ebb1a0480e9a4
Instruction Fuzzy Hash: 57819172300A8182EB259F66E8547DE63A1F788BE5F048215EF6A877F5DF78C845C740

Function 0000000140052090 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400B6410: SetRectEmpty.USER32 ref: 00000001400B645C

SetRectEmpty.USER32 ref: 000000014005226B
SetRectEmpty.USER32 ref: 000000014005227B
SetRectEmpty.USER32 ref: 0000000140052284

Strings

False, xrefs: 00000001400522E3, 00000001400522F2
True, xrefs: 00000001400522C5, 00000001400522D4

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyRect
String ID: False$True
API String ID: 2270935405-1895882422
Opcode ID: 03748b0ff2ccc68a3a8516761aa307e4e4a2d6496d433c64ea3134555f873e93
Instruction ID: c4dfe43153bcc122ad396c1f641ba81b96b6334b1610060e0e49126f4b043d0e
Opcode Fuzzy Hash: 03748b0ff2ccc68a3a8516761aa307e4e4a2d6496d433c64ea3134555f873e93
Instruction Fuzzy Hash: A471E372101B808AE7699F25F8407DBB7A9F789745F904219DBEA473A1DF39E065CB00

Function 00000001400125AC Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 137COMMON

Download Yara Rule

APIs

_snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 000000014001262A
_snwprintf_s.LEGACY_STDIO_DEFINITIONS ref: 00000001400126AE
GetClassInfoA.USER32 ref: 00000001400126FE

Strings

Afx:%p:%x, xrefs: 0000000140012611
Afx:%p:%x:%p:%p:%p, xrefs: 0000000140012684

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: _snwprintf_s$ClassInfo
String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
API String ID: 1957674926-2801496823
Opcode ID: e47cfc0e982254efc31b597ebbca8d1d82ebd9c1ae965628a52bb458b01a24f6
Instruction ID: ecb1ff6d863f27c22861d4c50048236dff83d0cf367637147f75b58c625171bb
Opcode Fuzzy Hash: e47cfc0e982254efc31b597ebbca8d1d82ebd9c1ae965628a52bb458b01a24f6
Instruction Fuzzy Hash: D7513A36200744CAEB2AAF63A8153ED33A4F789B84F558026FB550BBB5CB39C861D751

Function 000000014000A814 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 135registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32 ref: 000000014000A90A
RegEnumKeyA.ADVAPI32 ref: 000000014000A92F
RegCloseKey.ADVAPI32 ref: 000000014000A9F4

Strings

Software\Classes\, xrefs: 000000014000A87C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CloseEnumOpen
String ID: Software\Classes\
API String ID: 1332880857-1121929649
Opcode ID: a4e79e9036cddb1c4257712ee8a43ccd4893ec8566a00595f39dce63951d367a
Instruction ID: 60ca946fc54407c09940880fb36c02e109f8a8d2606c2f00fb9f5de7d3dc73ef
Opcode Fuzzy Hash: a4e79e9036cddb1c4257712ee8a43ccd4893ec8566a00595f39dce63951d367a
Instruction Fuzzy Hash: 4C5151B2715A8182EA51DB2AF440399A3A0F78ABF0F544211FBAD47BE9DF3CC545C740

Function 000000014009671C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

Part of subcall function 0000000140010EF8: SetMapMode.GDI32 ref: 0000000140010F13
Part of subcall function 0000000140010EF8: SetMapMode.GDI32 ref: 0000000140010F24

LPtoDP.GDI32 ref: 0000000140096791
LPtoDP.GDI32 ref: 00000001400967B2
LPtoDP.GDI32 ref: 00000001400967DB
InvalidateRect.USER32 ref: 00000001400968B9

Strings

gfff, xrefs: 0000000140096821

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Mode$InvalidateRectWindow
String ID: gfff
API String ID: 2869978635-1553575800
Opcode ID: ce717fe7bef45045771abfb3bfb51e081245b2191500c6bbb7fc38f794b00502
Instruction ID: fd4dc76c3312a708b8d9fe16fe8b17500c613a8d3638df030294bf7ff03948db
Opcode Fuzzy Hash: ce717fe7bef45045771abfb3bfb51e081245b2191500c6bbb7fc38f794b00502
Instruction Fuzzy Hash: 64518072710A449BE75DCF2AD9403D9B7A1F38CB80F448221EB99877A4DF38E4A1CB40

Function 0000000140142604 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014014267B
SendMessageA.USER32 ref: 0000000140142693
MessageBeep.USER32 ref: 00000001401426CC

Part of subcall function 00000001401429C4: GetWindowRect.USER32(?,?,?,?,?,?,?,00000001401415D3,?,?,?,00000001400A803E), ref: 00000001401429FA

GetSubMenu.USER32 ref: 00000001401426DC

Strings

Can't create context menu!, xrefs: 0000000140142776

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Send$BeepMenuRectWindow
String ID: Can't create context menu!
API String ID: 2474006099-1189624947
Opcode ID: bb8885db517598eb144e650c6459074925d805fdc2c40dfd02b8b33fdf679c8b
Instruction ID: edfaa7be4e48848d549b38d04775a5970be1f828beffed9c81baecf38abc45bf
Opcode Fuzzy Hash: bb8885db517598eb144e650c6459074925d805fdc2c40dfd02b8b33fdf679c8b
Instruction Fuzzy Hash: C4416936310B4082FA1A9B23D954BE972A1F789FD5F544225EB2A07BB6DF38C0618700

Function 000000014000A114 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 66registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000000014000A145
GetProcAddress.KERNEL32 ref: 000000014000A15E
RegCreateKeyExA.ADVAPI32 ref: 000000014000A225

Strings

RegCreateKeyTransactedA, xrefs: 000000014000A154
Advapi32.dll, xrefs: 000000014000A13E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: AddressCreateHandleModuleProc
String ID: Advapi32.dll$RegCreateKeyTransactedA
API String ID: 1964897782-1184998024
Opcode ID: b9db55b21369e3fc019ff1d78b33bb18ec3ed70c55d4d1c836835bf1b8c18d06
Instruction ID: 968eaac5c935025fdfbe47f712a0faa533242673cbdd8feb1a6c09763d628c27
Opcode Fuzzy Hash: b9db55b21369e3fc019ff1d78b33bb18ec3ed70c55d4d1c836835bf1b8c18d06
Instruction Fuzzy Hash: 1131C576208B808ADB61CB16F49479AB3A4F789BD4F144126EF8D43B68DF3DC440CB00

Function 0000000140006324 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

Edit, xrefs: 0000000140006390

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID:
String ID: Edit
API String ID: 0-554135844
Opcode ID: 2a8d60232d05ba9d2f29a0518ced74612b34365303465f87ed68663d825f1b95
Instruction ID: 309a165e6ed4840558f10b80b839e2542947799d2af3d1c50323d84bedc18cfb
Opcode Fuzzy Hash: 2a8d60232d05ba9d2f29a0518ced74612b34365303465f87ed68663d825f1b95
Instruction Fuzzy Hash: 0B214FB130064082FB66DB33F5843ED62A2AB4CFC4F189025EB095B6F5DF79C941C241

Function 000000014000A248 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 48registrylibraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 000000014000A275
GetProcAddress.KERNEL32 ref: 000000014000A28A
RegOpenKeyExA.ADVAPI32 ref: 000000014000A2DD

Strings

RegOpenKeyTransactedA, xrefs: 000000014000A280
Advapi32.dll, xrefs: 000000014000A26E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: AddressHandleModuleOpenProc
String ID: Advapi32.dll$RegOpenKeyTransactedA
API String ID: 1337834000-496252237
Opcode ID: 7ec2acb2c3dd9d1849753389e37f5ff6fd4a9c4466b57697c24138341c934137
Instruction ID: 50fdee1655dca7ed0dbed1dc351acb313a9549251b104aa0b334c224728b0232
Opcode Fuzzy Hash: 7ec2acb2c3dd9d1849753389e37f5ff6fd4a9c4466b57697c24138341c934137
Instruction Fuzzy Hash: 6A110472218B4086EA21CB5AF45479AB7A0F78DFC4F184125EB8907B68DF7DC485CB04

Function 000000014001DFE4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 46libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E04A

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E02F
EncodePointer.KERNEL32 ref: 000000014001E03B

Strings

dwmapi.dll, xrefs: 000000014001E014
DwmDefWindowProc, xrefs: 000000014001E025

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmDefWindowProc$dwmapi.dll
API String ID: 2269242174-234806475
Opcode ID: afa5c513bb6d0ef0fe528d36720396a375f0abd1a8de73b545e2ac904c51664d
Instruction ID: 0aea6cb0e30aa8c60b757be263759f477cbcd1223c2e4377ffbc8827ad13816a
Opcode Fuzzy Hash: afa5c513bb6d0ef0fe528d36720396a375f0abd1a8de73b545e2ac904c51664d
Instruction Fuzzy Hash: DB115335605B8481EA028B03A8543A8B3A4BB8CFC0F480825EF8D4B7B4EF79D4918340

Function 000000014001E178 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E1DF

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E1C4
EncodePointer.KERNEL32 ref: 000000014001E1D0

Strings

DwmSetIconicLivePreviewBitmap, xrefs: 000000014001E1BA
dwmapi.dll, xrefs: 000000014001E1A9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetIconicLivePreviewBitmap$dwmapi.dll
API String ID: 2269242174-1757063745
Opcode ID: b4d8fb25b54d155bac89313b23da28642f658fbb48b072c7ce363eae746130aa
Instruction ID: 9835159e43232efca30faa029ff971d122d256d37db6a78438db36cae382776e
Opcode Fuzzy Hash: b4d8fb25b54d155bac89313b23da28642f658fbb48b072c7ce363eae746130aa
Instruction Fuzzy Hash: 91112531302B9081FA569B47A8583E8A6A4BB9CFC4F585425EF5A4B7B5DF39D4828300

Function 000000014001E2B4 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 44libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E31A

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E2FF
EncodePointer.KERNEL32 ref: 000000014001E30B

Strings

DwmSetWindowAttribute, xrefs: 000000014001E2F5
dwmapi.dll, xrefs: 000000014001E2E4

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetWindowAttribute$dwmapi.dll
API String ID: 2269242174-3105884578
Opcode ID: 71f4b746d8dd59c611550b7e25374bf4a04212ea017f381874203b2026e4e3b2
Instruction ID: 5285210d0fab44bba904522041f46e6dc5edfd021b09f6a9918f7df3c3235203
Opcode Fuzzy Hash: 71f4b746d8dd59c611550b7e25374bf4a04212ea017f381874203b2026e4e3b2
Instruction Fuzzy Hash: 72115331202B8181FA168B07A848799B6A4BB9CFC4F880469EF5A0B7B0DF39D9428300

Function 000000014011A624 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 40COMMON

Download Yara Rule

APIs

Part of subcall function 000000014001B800: EnterCriticalSection.KERNEL32 ref: 000000014001B7A0
Part of subcall function 000000014001B800: InitializeCriticalSection.KERNEL32 ref: 000000014001B7BF
Part of subcall function 000000014001B800: LeaveCriticalSection.KERNEL32 ref: 000000014001B7D3

GetProfileIntA.KERNEL32 ref: 000000014011A698
GetProfileIntA.KERNEL32 ref: 000000014011A6B8

Strings

DragDelay, xrefs: 000000014011A6AA
windows, xrefs: 000000014011A691, 000000014011A6B1
DragMinDist, xrefs: 000000014011A68A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$Profile$EnterInitializeLeave
String ID: DragDelay$DragMinDist$windows
API String ID: 2203521320-2101198082
Opcode ID: 23cafc09370c4f9552a3d4e18702f29c57e24575342d9f4f1413706605c6922e
Instruction ID: e7fa8c5bdfeeff609490f2a916e8ea7e7c38d7433ec9c829fdf132b5f2e599fe
Opcode Fuzzy Hash: 23cafc09370c4f9552a3d4e18702f29c57e24575342d9f4f1413706605c6922e
Instruction Fuzzy Hash: 33114C72620B048FF712AF26E8583D837A0F328B3AF450619DB19062F9DBBCC549CB00

Function 000000014001E220 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 39libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E27F

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E264
EncodePointer.KERNEL32 ref: 000000014001E270

Strings

dwmapi.dll, xrefs: 000000014001E249
DwmSetIconicThumbnail, xrefs: 000000014001E25A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmSetIconicThumbnail$dwmapi.dll
API String ID: 2269242174-2331651847
Opcode ID: 6051073f63d16ebbc157cf7cdc013e32447413b1f50e88d9e0a1a48489e1f254
Instruction ID: 662cd6b302f8c25a22eea2fc7a410c87ee1c88a37f5d9bfc22dcfc6f6357f52e
Opcode Fuzzy Hash: 6051073f63d16ebbc157cf7cdc013e32447413b1f50e88d9e0a1a48489e1f254
Instruction Fuzzy Hash: 9E014831206B9081FE569B43B8643E967A4AB9CFD4F485424EF4A0B7B5EF39C4818700

Function 000000014001E104 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 32libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E153

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E138
EncodePointer.KERNEL32 ref: 000000014001E144

Strings

DwmIsCompositionEnabled, xrefs: 000000014001E12E
dwmapi.dll, xrefs: 000000014001E11D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmIsCompositionEnabled$dwmapi.dll
API String ID: 2269242174-1198327662
Opcode ID: 0a5eed8c36064cac222222080e356b49e8e22d4e5fbc3942b4ec063d46b9452c
Instruction ID: b02e07d5ae0e0bba15b26486aacccd7b65a4bd6eb35e26b7439e0ba70b34188d
Opcode Fuzzy Hash: 0a5eed8c36064cac222222080e356b49e8e22d4e5fbc3942b4ec063d46b9452c
Instruction Fuzzy Hash: 51F04930706B8091FE579B13B9983E863E4AB4DFC0F485464AF0A4B3B0EF78C0908300

Function 000000014001E090 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

DecodePointer.KERNEL32 ref: 000000014001E0DF

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32 ref: 000000014001E0C4
EncodePointer.KERNEL32 ref: 000000014001E0D0

Strings

dwmapi.dll, xrefs: 000000014001E0A9
DwmInvalidateIconicBitmaps, xrefs: 000000014001E0BA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$DecodeHandleLibraryLoadModule
String ID: DwmInvalidateIconicBitmaps$dwmapi.dll
API String ID: 2269242174-1901905683
Opcode ID: e869aca775bdd63505a700ea4fcc106f21e72e8b1b44ee43d599dc0557324839
Instruction ID: 1828d9127b0b689ebfa01144d84fa11ed0844ce13e4fce5d21fd59de5aebe4f8
Opcode Fuzzy Hash: e869aca775bdd63505a700ea4fcc106f21e72e8b1b44ee43d599dc0557324839
Instruction Fuzzy Hash: 50F0F930306A8082FE579B57B9583E862A0AB4CFC4F485424EF4A0B3B5EF79C495C300

Function 000000014012E1B0 Relevance: 7.8, APIs: 5, Instructions: 273COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 000000014012E263
GetWindowRect.USER32 ref: 000000014012E2BF
CopyRect.USER32 ref: 000000014012E38B
CopyRect.USER32 ref: 000000014012E3CE
CopyRect.USER32 ref: 000000014012E472

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Copy$Window
String ID:
API String ID: 1774135527-0
Opcode ID: d362024d7e96f633d21fc6d35043cb461d87c53e4d778d1d4b33715f9f856d5c
Instruction ID: 8aa189ed58b6a17497c5d3ba89a5e3196adfe4526ea56901e80c26b8f54bfbec
Opcode Fuzzy Hash: d362024d7e96f633d21fc6d35043cb461d87c53e4d778d1d4b33715f9f856d5c
Instruction Fuzzy Hash: D5C168B6B00A408BEB16DFAAD4847ED77B1F748B88F054029DF1AA7B68DB38D0458740

Function 00000001401AA458 Relevance: 7.8, APIs: 5, Instructions: 265COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 92c14d8fda237f2469eb1ce4423a4eb8634de4579769ed11d55cd52f831dca17
Instruction ID: ccdfb08274d08db8de9545d803f52e0f1e259c7b87ce4dceb45e735ef9950416
Opcode Fuzzy Hash: 92c14d8fda237f2469eb1ce4423a4eb8634de4579769ed11d55cd52f831dca17
Instruction Fuzzy Hash: CBA1A27270078046FF638FA294443EA76E1E74CFA4F9846279B6A077E5EB7DC4848B40

Function 000000014014082C Relevance: 7.7, APIs: 5, Instructions: 209windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001401408B5
SendMessageA.USER32 ref: 00000001401408D3
InflateRect.USER32 ref: 0000000140140915
GetSysColor.USER32 ref: 000000014014092D
GetSysColor.USER32 ref: 0000000140140944

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ColorRect$ClientInflateMessageSend
String ID:
API String ID: 1205032120-0
Opcode ID: 39f9ce9c5ab8e507cebfb5c8c662030d85478e17ebebceb6840b86dd79506212
Instruction ID: a61af6a62a16f2c95199589d9ecea9da74efd8d4aa9bd06ab23fb81e2ca7d454
Opcode Fuzzy Hash: 39f9ce9c5ab8e507cebfb5c8c662030d85478e17ebebceb6840b86dd79506212
Instruction Fuzzy Hash: EDA14932624B848AE751CF7AD8447ED73B0F789B88F145226EF8957AA8DF38D544CB00

Function 00000001400F03F4 Relevance: 7.7, APIs: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400F0492
SendMessageA.USER32 ref: 00000001400F05B3
IsWindow.USER32 ref: 00000001400F05BC
ScreenToClient.USER32 ref: 00000001400F0626

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientCursorMessageScreenSendWindow
String ID:
API String ID: 349605733-0
Opcode ID: b5dd981d8df0fbcb8c96258c46a180aa4087620c68b9f0e39489578092ba9c8a
Instruction ID: 1f028cb54e2554757e4b228f8cd79d42639c41ab77aa142942bc4a662d5dea8d
Opcode Fuzzy Hash: b5dd981d8df0fbcb8c96258c46a180aa4087620c68b9f0e39489578092ba9c8a
Instruction Fuzzy Hash: ED718972710A4186EB16CB66D8643ED37A0FB8CBE8F44812AEF0A57BA4DF79C545C700

Function 000000014012A508 Relevance: 7.7, APIs: 5, Instructions: 174COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014012A589
InflateRect.USER32 ref: 000000014012A5AD
PtInRect.USER32 ref: 000000014012A5BB
PtInRect.USER32 ref: 000000014012A5D1
GetTickCount.KERNEL32 ref: 000000014012A663

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientCountInflateTick
String ID:
API String ID: 2651408654-0
Opcode ID: b9c87ce42da0f30ab691e7172f21a1989028eafee2a98ea0af7840f959eb2651
Instruction ID: 89b58eb6df6b956bdd644e720e7bf5b8e11374090389ddd422721508a2efe9c8
Opcode Fuzzy Hash: b9c87ce42da0f30ab691e7172f21a1989028eafee2a98ea0af7840f959eb2651
Instruction Fuzzy Hash: 75616B76700A808BEB119B27D5947ED73B1F748F88F94812ADF0AA7BA4DB38C555C700

Function 000000014012460C Relevance: 7.7, APIs: 5, Instructions: 166COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401246DD
IsRectEmpty.USER32 ref: 00000001401246FC
GetParent.USER32 ref: 0000000140124716
GetClientRect.USER32 ref: 000000014012472C
SetRectEmpty.USER32 ref: 000000014012473E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$ClientParent
String ID:
API String ID: 4012213158-0
Opcode ID: 9cdd295fa2d574adb02e73921d551205f54fa62e0964edacb206cad5b3f14767
Instruction ID: 923dc83cd166ed7979a002b7b348c7e949ef18735f847966c3e37b8b02b1f41c
Opcode Fuzzy Hash: 9cdd295fa2d574adb02e73921d551205f54fa62e0964edacb206cad5b3f14767
Instruction Fuzzy Hash: B8616C72B10A508AEB11DF7AD8917EC3BB0B789F98F045529DF1A6BA68DF34D441CB00

Function 00000001400DA0B0 Relevance: 7.7, APIs: 5, Instructions: 162windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400DA1B1
ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001400F553F), ref: 00000001400DA1EF
IsWindow.USER32 ref: 00000001400DA250
IsWindowVisible.USER32 ref: 00000001400DA25D
ShowWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001400F553F), ref: 00000001400DA2A0

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Show$Visible
String ID:
API String ID: 2757229004-0
Opcode ID: 28ed144224273296e39cd970b5e9c1ac11d4b79f16c37b8e96ea340b0961686c
Instruction ID: 305dd0c01f50b1919fd3650c5f5d782663ede1c8fb777835bde0760d5e3ad735
Opcode Fuzzy Hash: 28ed144224273296e39cd970b5e9c1ac11d4b79f16c37b8e96ea340b0961686c
Instruction Fuzzy Hash: DD516C76305A8082EA1A9F27E5903EE63A0FF8DFD0F184525EF590BBA5DF39C4428310

Function 0000000140122508 Relevance: 7.7, APIs: 5, Instructions: 154windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 00000001401225D5
LockWindowUpdate.USER32 ref: 00000001401226E0
SendMessageA.USER32 ref: 0000000140122704
LockWindowUpdate.USER32 ref: 000000014012270C
PostMessageA.USER32 ref: 0000000140122748

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$LockMessageUpdate$PostSend
String ID:
API String ID: 1309142107-0
Opcode ID: dec0ba48cbdab6cc4493fff6aa3cc753a568e6c8d5f7bbc4a7d77fdb6347d6af
Instruction ID: a1e1a7aef0d97d9a1c6b0f40881a4fb2772d749999ff05ee332f84ff8188740d
Opcode Fuzzy Hash: dec0ba48cbdab6cc4493fff6aa3cc753a568e6c8d5f7bbc4a7d77fdb6347d6af
Instruction Fuzzy Hash: 746105B2201A4591EE5AAB27E4543ED23A0EB8CFD0F48492AEF0E177B5EF79C545C300

Function 000000014007E114 Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

LoadCursorW.USER32 ref: 000000014007E180
LoadCursorW.USER32 ref: 000000014007E1DB
LoadCursorA.USER32 ref: 000000014007E22D
CreatePen.GDI32 ref: 000000014007E2DE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CursorLoad$Create
String ID:
API String ID: 1516763891-0
Opcode ID: 5ba9d3e63c288bfe023253326b061f8137448f12efb0e5cd59e08c27bf8b072e
Instruction ID: 875e682243e251bb96655b2a11663d4b224de2f322f45d1395f138cd3ca5d916
Opcode Fuzzy Hash: 5ba9d3e63c288bfe023253326b061f8137448f12efb0e5cd59e08c27bf8b072e
Instruction Fuzzy Hash: 63614A7021165185FB62EB63AC497E973E4A74DBC4F44482AAB0A8B7F2DF7CC941CB40

Function 0000000140168720 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401687A1

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

SetRectEmpty.USER32 ref: 0000000140168801

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientEmptyRectScreen
String ID:
API String ID: 3814305177-0
Opcode ID: 080e8c435b68b368db12d98e125b1ed88f98a57bbc424665509508e73de2e7c2
Instruction ID: 4c38e94419671c86bd2f57e815ff56c87868f62f402a6d85f28d21cf1a5157d8
Opcode Fuzzy Hash: 080e8c435b68b368db12d98e125b1ed88f98a57bbc424665509508e73de2e7c2
Instruction Fuzzy Hash: 55512832B04A508AFB11DBBAD8907EC33B1A748B88F514625DF0D67A69EF34D955C780

Function 00000001400846C4 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 00000001400846E4

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Part of subcall function 00000001400B7938: GetKeyboardState.USER32 ref: 00000001400B7963
Part of subcall function 00000001400B7938: GetKeyboardLayout.USER32 ref: 00000001400B797C
Part of subcall function 00000001400B7938: MapVirtualKeyA.USER32 ref: 00000001400B7989
Part of subcall function 00000001400B7938: ToAsciiEx.USER32 ref: 00000001400B79A6

WindowFromPoint.USER32 ref: 0000000140084708
ScreenToClient.USER32 ref: 000000014008473E
GetParent.USER32 ref: 00000001400847B1
UpdateWindow.USER32 ref: 0000000140084818

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: KeyboardWindow$AsciiCallClientExceptionFromHookLayoutNextParentPointScreenStateThrowUpdateVirtual
String ID:
API String ID: 3488867240-0
Opcode ID: c15f93272a27c68edad4a6a1612b127cfacf21c2eaf72dc12ca73b7786ddaa71
Instruction ID: 2ae3e1ade39ca8862cb88713347e1a34e9d1cfd5c0ce1882d244eac6f2b89c36
Opcode Fuzzy Hash: c15f93272a27c68edad4a6a1612b127cfacf21c2eaf72dc12ca73b7786ddaa71
Instruction Fuzzy Hash: DF513D76604B8082EB16DB5BE8947E967A1FB8DBC0F24842AFB0D477B6DF79C5418700

Function 00000001400EA068 Relevance: 7.6, APIs: 5, Instructions: 125COMMON

Download Yara Rule

APIs

GetTopWindow.USER32 ref: 00000001400EA10D

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

GetWindow.USER32 ref: 00000001400EA12E
IsWindow.USER32 ref: 00000001400EA157
GetParent.USER32 ref: 00000001400EA165
DestroyWindow.USER32 ref: 00000001400EA175

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$DestroyExceptionParentThrow
String ID:
API String ID: 3721763721-0
Opcode ID: 5a0529a8bbf91402e744cb374ed432da8eb872f84ffb8f76c213aaf3d49d7410
Instruction ID: a5db403b3695a2ec3687f80935b37a749b99095821c6d0a8e0c6480e1137f86d
Opcode Fuzzy Hash: 5a0529a8bbf91402e744cb374ed432da8eb872f84ffb8f76c213aaf3d49d7410
Instruction Fuzzy Hash: 97514D32205A4082EE169B23D4503E963A4F78EFE0F181526EB5E677B6DF39D9428340

Function 000000014014474C Relevance: 7.6, APIs: 5, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140144784
GetCursorPos.USER32 ref: 0000000140144794

Part of subcall function 0000000140102538: IsRectEmpty.USER32 ref: 0000000140102551

PtInRect.USER32 ref: 00000001401447E4
PostMessageA.USER32 ref: 0000000140144878
PtInRect.USER32 ref: 00000001401448C3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$CursorEmptyMessagePostWindow
String ID:
API String ID: 1800939087-0
Opcode ID: 9e94b904b8dddab969e8c3e27fdc21cd9d1affc3ce3a6142e111dcf92ea82aa7
Instruction ID: 9b064fb671d5ed3ad1ef1f2271a96cf13f8e134aaa1eef514498870c05b06758
Opcode Fuzzy Hash: 9e94b904b8dddab969e8c3e27fdc21cd9d1affc3ce3a6142e111dcf92ea82aa7
Instruction Fuzzy Hash: D5518A32B106828BEB16CBB6D5843ED63B0F74CB88F154536DB4A97AB9DB34D4918740

Function 00000001400AE11C Relevance: 7.6, APIs: 5, Instructions: 119timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001400E889F
KillTimer.USER32 ref: 00000001400E88AE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: KillTimer
String ID:
API String ID: 729406807-0
Opcode ID: 5be58cc2e0e74bd52d5d670984b331308efd81748bb54c9ae231281bdc7a1db6
Instruction ID: 6bb21f9dd53e2fbbacccb62f33babf93c841cac672a7b734d9354e4cc843e5f5
Opcode Fuzzy Hash: 5be58cc2e0e74bd52d5d670984b331308efd81748bb54c9ae231281bdc7a1db6
Instruction Fuzzy Hash: 9F510D32711A8082EE6A9B17E4547A963A0FB9CFD4F184435EF5E1BBA5DF39C852C340

Function 00000001400EA8B0 Relevance: 7.6, APIs: 5, Instructions: 115COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400EA8EB
GetCursorPos.USER32 ref: 00000001400EA906
ScreenToClient.USER32 ref: 00000001400EA918
GetClientRect.USER32 ref: 00000001400EA939

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

SetRect.USER32 ref: 00000001400EA9F3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Client$RectScreen$CursorWindow
String ID:
API String ID: 3730894386-0
Opcode ID: 72b63afaf33a1e038da9b442ae7121cbedde7427ce42759134e8df985c4cded2
Instruction ID: 855319fb5a3a0f7d0a864cb5a570b0a2b7fc26bba493885e16ddf4b2c0467deb
Opcode Fuzzy Hash: 72b63afaf33a1e038da9b442ae7121cbedde7427ce42759134e8df985c4cded2
Instruction Fuzzy Hash: E2516632724A449BEB25CF36D484BDD77A0F789B88F008215AB4A4BE58DB38DA55CB40

Function 00000001400AC0B0 Relevance: 7.6, APIs: 5, Instructions: 109keyboardCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,00000000,?,00000001400A8903), ref: 00000001400AC0F7
GetSystemMetrics.USER32 ref: 00000001400AC102
GetSystemMetrics.USER32 ref: 00000001400AC10F
GetKeyState.USER32 ref: 00000001400AC13B
InflateRect.USER32 ref: 00000001400AC175

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MetricsRectSystem$InflateStateWindow
String ID:
API String ID: 1515687257-0
Opcode ID: fc6bbd3fce9969974587a9dbf04c7edf23b621367d77e0889729f1bb40aa5e59
Instruction ID: 9f893b3fada5d662ea5c4a8b9418f8cf34baea7be2049ba9e994097b778d5a71
Opcode Fuzzy Hash: fc6bbd3fce9969974587a9dbf04c7edf23b621367d77e0889729f1bb40aa5e59
Instruction Fuzzy Hash: 1B41DD727206408AFF168B67D844BE972A0F39DBC4F554626EF1B57BA5DB38C881CB00

Function 00000001401583F8 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00000001401584BA

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

GetParent.USER32 ref: 00000001401584F2
GetClientRect.USER32 ref: 0000000140158508
GetParent.USER32 ref: 0000000140158512
MapWindowPoints.USER32 ref: 0000000140158532

Part of subcall function 000000014015141C: FillRect.USER32 ref: 00000001401514FC

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ConditionFillMaskParent$ClientInfoMetricsPointsSystemVerifyVersionWindow
String ID:
API String ID: 2091702480-0
Opcode ID: 04921b24c37db4e0fa0a2c11aca312a35e616acdf26826d4f1a527507c7911d8
Instruction ID: ce663a88422d57f52a47c67802b1eb107350e5ae5644295e1eefcfb1234c82ff
Opcode Fuzzy Hash: 04921b24c37db4e0fa0a2c11aca312a35e616acdf26826d4f1a527507c7911d8
Instruction Fuzzy Hash: 89413932620A658AFB16DB63DC457EC33A4B78CF98F044622DF0A6B6B4EB75C545C740

Function 000000014004C5D0 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

GetWindowRect.USER32 ref: 000000014004C633
GetClientRect.USER32 ref: 000000014004C666

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

OffsetRect.USER32 ref: 000000014004C68A
OffsetRect.USER32 ref: 000000014004C6C0
CreateRectRgnIndirect.GDI32 ref: 000000014004C6DA

Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C5C
Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C77

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

Part of subcall function 000000014000F910: ReleaseDC.USER32 ref: 000000014000F939

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientRect$Screen$ClipOffsetSelectWindow$CreateIndirectRelease
String ID:
API String ID: 1821481394-0
Opcode ID: af329ba80a06732795bc08cf6e8e9a5ea05fcbd50cb436fb9d29d82436771518
Instruction ID: 2f9639f04b3ca0138b6bb4e651a7f9e70051d28a9923d9408c59df8b35f933fe
Opcode Fuzzy Hash: af329ba80a06732795bc08cf6e8e9a5ea05fcbd50cb436fb9d29d82436771518
Instruction Fuzzy Hash: 7D515733B00A809AE715DF76D5847EC33B1F798B88F408212EB5967AA9EF34D665C740

Function 0000000140080488 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400804BD
ScreenToClient.USER32 ref: 00000001400804EC
ScreenToClient.USER32 ref: 000000014008054A
PtInRect.USER32 ref: 000000014008057A
SetCursor.USER32 ref: 00000001400805E3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 8cc6fa2f49ce395e2c4438767a5626a68cf7dc8aa26fcd7cb25c671d6b78ba22
Instruction ID: 8a30683682ee77cf32c3fbcf77e3047f59c6aba1e00ac3d1a2b507810b0fcde9
Opcode Fuzzy Hash: 8cc6fa2f49ce395e2c4438767a5626a68cf7dc8aa26fcd7cb25c671d6b78ba22
Instruction Fuzzy Hash: D6412632710A108AFB56DB66E8947ED33B0F74CB98F40442AEB0A876B5CF78D555CB60

Function 000000014014C2F0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 000000014014B0DC: GetParent.USER32 ref: 000000014014B0E4
Part of subcall function 000000014014B0DC: GetParent.USER32 ref: 000000014014B0ED

GetWindowLongA.USER32 ref: 000000014014C362
RedrawWindow.USER32(?,?,?,?,?,?,?,000000014014B790), ref: 000000014014C3AF
SetWindowLongA.USER32(?,?,?,?,?,?,?,000000014014B790), ref: 000000014014C3C4
SetWindowPos.USER32 ref: 000000014014C3EB
GetClientRect.USER32 ref: 000000014014C400

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: 7fc0948f5b1a723b1823e11866735f34cb5dfb7632d69293e19212e01aaf6ed7
Instruction ID: 6ef36dd66c9bab86892d46333446fe3036203309a56966c7d9d08fe998e4370f
Opcode Fuzzy Hash: 7fc0948f5b1a723b1823e11866735f34cb5dfb7632d69293e19212e01aaf6ed7
Instruction Fuzzy Hash: B6316D36324B8086FBA29F2798547E963A1B78CF94F098535DF0A4B7B5DF78C5418704

Function 000000014017A0F8 Relevance: 7.6, APIs: 5, Instructions: 75COMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014017A14C
SetRectEmpty.USER32 ref: 000000014017A1C3
CreateCompatibleDC.GDI32 ref: 000000014017A1CB
SetRectEmpty.USER32 ref: 000000014017A1E6
CreatePen.GDI32 ref: 000000014017A1FA

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CreateEmptyHashRect$CompatibleExceptionImplImpl::Throw
String ID:
API String ID: 2788163655-0
Opcode ID: 92ac932ef8513661616d468d00138025884f8931c87f9cdd6ffbfa3e66ee47e3
Instruction ID: 6e91404b924a0068755c0c8b6b445288a0e94b09f0330119ab5bfc8cd0758c5b
Opcode Fuzzy Hash: 92ac932ef8513661616d468d00138025884f8931c87f9cdd6ffbfa3e66ee47e3
Instruction Fuzzy Hash: 1D315736200B8085E7569F22E844BD933A8F74CFA4F988935DFA90B365DF38C1A1D314

Function 0000000140080894 Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400838C0: GetWindowRect.USER32 ref: 000000014008392B
Part of subcall function 00000001400838C0: CreateRoundRectRgn.GDI32 ref: 0000000140083967
Part of subcall function 00000001400838C0: SetWindowRgn.USER32 ref: 0000000140083984

GetSystemMenu.USER32 ref: 000000014008092F
DeleteMenu.USER32 ref: 0000000140080951
DeleteMenu.USER32 ref: 0000000140080963
DeleteMenu.USER32 ref: 0000000140080975
EnableMenuItem.USER32 ref: 0000000140080998

Part of subcall function 000000014007D724: SetRectEmpty.USER32 ref: 000000014007D755
Part of subcall function 000000014007D724: ReleaseCapture.USER32 ref: 000000014007D75B
Part of subcall function 000000014007D724: SetCapture.USER32 ref: 000000014007D771
Part of subcall function 000000014007D724: GetCapture.USER32 ref: 000000014007D7B6
Part of subcall function 000000014007D724: ReleaseCapture.USER32 ref: 000000014007D7C9
Part of subcall function 000000014007D724: SetCapture.USER32 ref: 000000014007D7DF

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CaptureMenu$DeleteRect$ReleaseWindow$CreateEmptyEnableItemRoundSystem
String ID:
API String ID: 2896308491-0
Opcode ID: ff4441687bc2106b91803fac70992bbaffb04ef9d44810b9cda271f545d128a1
Instruction ID: c31056ce87e504705644a515ea8933d950ddfe41b2869efa33083bfcb8ee3f57
Opcode Fuzzy Hash: ff4441687bc2106b91803fac70992bbaffb04ef9d44810b9cda271f545d128a1
Instruction Fuzzy Hash: F431C136710A8182EBA2DB27D4547A967A0FBCDFC0F489426EF4A07B65DE38C981C750

Function 000000014000A520 Relevance: 7.6, APIs: 5, Instructions: 72registryCOMMON

Download Yara Rule

APIs

RegDeleteKeyA.ADVAPI32 ref: 000000014000A572
RegDeleteValueA.ADVAPI32 ref: 000000014000A598
RegCloseKey.ADVAPI32 ref: 000000014000A5DE

Part of subcall function 000000014000996C: RegCloseKey.ADVAPI32 ref: 0000000140009AF3
Part of subcall function 000000014000996C: RegCloseKey.ADVAPI32 ref: 0000000140009B02

WritePrivateProfileStringA.KERNEL32 ref: 000000014000A5FD

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Close$Delete$PrivateProfileStringValueWrite
String ID:
API String ID: 1330817964-0
Opcode ID: 62a1ebdd8d1838b5ed94ba643afe0b18c44c7507a1d77a221d07bae7effddd7a
Instruction ID: 1fc86d63a0a80619706e859f2a98f1843c2939417df56a3487d85fc3a90cacc7
Opcode Fuzzy Hash: 62a1ebdd8d1838b5ed94ba643afe0b18c44c7507a1d77a221d07bae7effddd7a
Instruction Fuzzy Hash: 0D21B0B2705B9085FE56DB23684479AA2E4BB8EFC1F484025EF4A0BBB4DF3CC0428700

Function 00000001400761A4 Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 0000000140076200

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

GetParent.USER32 ref: 0000000140076215
GetClientRect.USER32 ref: 000000014007622C
GetParent.USER32 ref: 0000000140076236
MapWindowPoints.USER32 ref: 0000000140076257

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ConditionMaskParentRect$ClientFillInfoMetricsPointsSystemVerifyVersionWindow
String ID:
API String ID: 3537607005-0
Opcode ID: ee084eb1a43d3ba155d47975070746f2dc65961f412f835b20a4d494b6480062
Instruction ID: c97c2a5616296794e85451bdcf3edf6196753ee23e6f692602ebaa01b426866c
Opcode Fuzzy Hash: ee084eb1a43d3ba155d47975070746f2dc65961f412f835b20a4d494b6480062
Instruction Fuzzy Hash: B9213A72220A9482EA52DB63E8987E977A0FB8CFD4F404522EF4A477B5EF79C545C700

Function 000000014016648C Relevance: 7.6, APIs: 5, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001401664B6
ScreenToClient.USER32 ref: 00000001401664C4
GetClientRect.USER32 ref: 00000001401664DC
PtInRect.USER32 ref: 00000001401664EA

Part of subcall function 0000000140166568: SetTimer.USER32 ref: 00000001401665F7
Part of subcall function 0000000140166568: GetCursorPos.USER32 ref: 0000000140166667

RedrawWindow.USER32 ref: 0000000140166543

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientCursorRect$RedrawScreenTimerWindow
String ID:
API String ID: 3841464911-0
Opcode ID: b63d405f951501abcec02f63ed8d577b78bbdf682f316b14655657dd942e3a1c
Instruction ID: a296181ae44e85f18960b3465b9e092ff399a0bed3e65e33471b915f3513148c
Opcode Fuzzy Hash: b63d405f951501abcec02f63ed8d577b78bbdf682f316b14655657dd942e3a1c
Instruction Fuzzy Hash: C0210432B20A148AFB05CFB6D8553ED3BB1F788FA9F444625DF1A5A6A8CF38C1058754

Function 0000000140024668 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 0000000140024682
SendMessageA.USER32 ref: 00000001400246A5
ClientToScreen.USER32 ref: 00000001400246B6
GetWindowLongA.USER32 ref: 00000001400246C4
GetParent.USER32 ref: 00000001400246D3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 260d0dc07bdc63e946010c716fbf04969a552b68f2b540d6c7fec75ce4b4b09e
Instruction ID: e0c7bc0dbb15dd733f6d74535f21822486bac28c0d2573732cd99ed7ffdeac7d
Opcode Fuzzy Hash: 260d0dc07bdc63e946010c716fbf04969a552b68f2b540d6c7fec75ce4b4b09e
Instruction Fuzzy Hash: 15014435314A8082FB458B6BAAD437A62E2EB8DFE0F449524FE5647BB8DF7CC4458700

Function 000000014004C438 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 000000014004C454
RedrawWindow.USER32 ref: 000000014004C477
PtInRect.USER32 ref: 000000014004C492
ReleaseCapture.USER32 ref: 000000014004C4A2
RedrawWindow.USER32 ref: 000000014004C4B7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: 533066ff917525ea24b8eae20450df4bcee678d187447748bd8f40d84352e16c
Instruction ID: 9596c728aba896a70a7b5cac42bfbd0ebbea3f507a18a74110866a0e733ec5dc
Opcode Fuzzy Hash: 533066ff917525ea24b8eae20450df4bcee678d187447748bd8f40d84352e16c
Instruction Fuzzy Hash: 93018F76A11641C2FB668F37D568FB826B1E798F85F088430DF020B6B4EF3AC4459704

Function 0000000140128508 Relevance: 7.5, APIs: 5, Instructions: 30windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140128526
EnableMenuItem.USER32 ref: 0000000140128538
EnableMenuItem.USER32 ref: 000000014012854A
EnableMenuItem.USER32 ref: 000000014012855C
EnableMenuItem.USER32 ref: 000000014012856E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 4fc6857faa428bb25dfd8f69a187776df76f2e0737d0f38118c1934e480d6e6b
Instruction ID: 96bc014de1ea77de1a991b72c44ed380d299c9669ec6c67c384f9e136a6c9679
Opcode Fuzzy Hash: 4fc6857faa428bb25dfd8f69a187776df76f2e0737d0f38118c1934e480d6e6b
Instruction Fuzzy Hash: 71F01235310E8087FB109B67E480669A271EBDEF94F549029AF494BB78CE79C882CB50

Function 000000014006A6B4 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

Part of subcall function 000000014006969C: FindResourceA.KERNEL32(?,?,?,000000014006A800), ref: 00000001400696DA

LoadImageW.USER32(?,?,?,?,?,?,?,?,?,?,?,000000014006924D), ref: 000000014006A870
GetObjectA.GDI32 ref: 000000014006A88D
DeleteObject.GDI32 ref: 000000014006A911

Strings

, xrefs: 000000014006A881

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Object$DeleteFindImageLoadResource
String ID:
API String ID: 3536577864-3916222277
Opcode ID: 3eb1d2ab707d5d4d33a53f36f966eb301fa6bd0164d90b9f4c59aafe12f66cdd
Instruction ID: e6b1d164a9e4c41e5398e59fa722369727938d350398faa434c352d9ca2fcf64
Opcode Fuzzy Hash: 3eb1d2ab707d5d4d33a53f36f966eb301fa6bd0164d90b9f4c59aafe12f66cdd
Instruction Fuzzy Hash: AF917E36200A508AEB56EB26EC447D933A6F70DB98F244526EF5E477B1DF39C466CB00

Function 0000000140042118 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

GetDlgCtrlID.USER32 ref: 00000001400421CA

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

MultiByteToWideChar.KERNEL32 ref: 000000014004228F
SetWindowPos.USER32 ref: 00000001400422D8

Part of subcall function 00000001401A24B0: _invalid_parameter_noinfo.LIBCMT ref: 00000001401A24DB

Strings

P, xrefs: 0000000140042279

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ByteCharCtrlExceptionMultiThrowWideWindow_invalid_parameter_noinfo
String ID: P
API String ID: 1201849540-3110715001
Opcode ID: ea9a049c4e8cca7e2680d54481da859a3740b99ca7356cf6e86baa205be6fc44
Instruction ID: fd311ddb683d24d725a8c47ff3438d9d28aad8d7efbbe0dcb440de3e695dda86
Opcode Fuzzy Hash: ea9a049c4e8cca7e2680d54481da859a3740b99ca7356cf6e86baa205be6fc44
Instruction Fuzzy Hash: B551FE72300B4192EB269B6AD4503D977A0EB8DBF4F554326EF69476F5CFB8C8408608

Function 00000001401081A4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

OffsetRect.USER32 ref: 0000000140108246

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

Strings

group, xrefs: 00000001401082C6, 00000001401082DC
Open, xrefs: 0000000140108328, 000000014010833E
Close, xrefs: 0000000140108362, 000000014010836E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientScreen$ExceptionOffsetRectThrow
String ID: Close$Open$group
API String ID: 1301811384-1548409829
Opcode ID: 5d4f0b5ca828aae16939ab907b45bcaf0f1920a93d395664c3353a02d81297e6
Instruction ID: a61cfb2256915eebf8d775dd0fc0416b53cd455a9e8455d33e2a60d7d5343d9f
Opcode Fuzzy Hash: 5d4f0b5ca828aae16939ab907b45bcaf0f1920a93d395664c3353a02d81297e6
Instruction Fuzzy Hash: D351DF72304A8186EB26DF27E5807E9B760F788F80F444125EF8947AB5EF78D591C740

Function 00000001400EA700 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400EA73C
CopyRect.USER32 ref: 00000001400EA74D
GetClientRect.USER32 ref: 00000001400EA767

Part of subcall function 00000001400EC258: SetRectEmpty.USER32 ref: 00000001400EC26B
Part of subcall function 00000001400EC258: GetWindowRect.USER32(?,?,?,00000001400EBEDD,?,?,?,00000001400EBC6C), ref: 00000001400EC281

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

Strings

4, xrefs: 00000001400EA861

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Client$EmptyScreen$CopyWindow
String ID: 4
API String ID: 3811915028-4088798008
Opcode ID: 7e6b50e9a2db7e35b7d7341088589e89dd12cb7690f9091fd688cb9cacde64d2
Instruction ID: 581f95dbe77cac96be895cd800cba402fd67746b73bc08a548e901ce0ba98cf4
Opcode Fuzzy Hash: 7e6b50e9a2db7e35b7d7341088589e89dd12cb7690f9091fd688cb9cacde64d2
Instruction Fuzzy Hash: 90514B73B106108AEB12DF66D8447DC3771B78DB98F154111EF0967A69DB38E846C780

Function 00000001401282D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014012848A
ReleaseCapture.USER32 ref: 00000001401284DF
SetCapture.USER32 ref: 00000001401284EC

Strings

', xrefs: 000000014012834B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Capture$ParentRelease
String ID: '
API String ID: 149653543-1754440256
Opcode ID: 6ca664329ee3fe15c8043a737c7a91b3c3260a9063291a775b1469edb3450a09
Instruction ID: ac4ee5c5d4cfa41aefa4960c7ee9fc74fd77585afbb5f92cda0499a8fe4f0f4a
Opcode Fuzzy Hash: 6ca664329ee3fe15c8043a737c7a91b3c3260a9063291a775b1469edb3450a09
Instruction Fuzzy Hash: 04512872601F8681EB459F2AD8943E92361FB89FC8F585135EF0E9B7A9EF39C1458310

Function 000000014008009C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140080174
ScreenToClient.USER32 ref: 0000000140080183
SendMessageA.USER32 ref: 0000000140080237

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

Part of subcall function 0000000140192458: _onexit.LIBCMT ref: 000000014019245C

Part of subcall function 00000001401926AC: EnterCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926BC
Part of subcall function 00000001401926AC: LeaveCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926FC

Strings

@, xrefs: 00000001400801A9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$Enter$ClientCursorLeaveMessageScreenSend_onexit
String ID: @
API String ID: 3388613480-2766056989
Opcode ID: cf23ea55641dad5ceeaa38559011d791160b16cec5476b22b3cda6a759d94387
Instruction ID: 7eab887813dce70daffc65f3f81bfb74160905e56d62feecd4d2136e7ebe1d21
Opcode Fuzzy Hash: cf23ea55641dad5ceeaa38559011d791160b16cec5476b22b3cda6a759d94387
Instruction Fuzzy Hash: 92514B72214A8082EBA2DB16E8587D973A0F78CB94F400526EB5D477F5DFBDC954CB40

Function 00000001401722E8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014017235F
GetWindowRect.USER32 ref: 0000000140172381

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

UpdateWindow.USER32 ref: 000000014017243A

Strings

T, xrefs: 00000001401723D3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Client$RectScreenWindow$Update
String ID: T
API String ID: 978449426-3187964512
Opcode ID: 6bfca6a60eea5f2f2b42d03567bb347f45be8b87c7377064f31b93af1a2dc2a3
Instruction ID: 3a578bc8025b26c33f64f2b4d6c77dbd2a19ab9ab990596c3dd07c0134766698
Opcode Fuzzy Hash: 6bfca6a60eea5f2f2b42d03567bb347f45be8b87c7377064f31b93af1a2dc2a3
Instruction Fuzzy Hash: CF410536B20A508AEB50CB66D494BED77B0F78CB88F145126EF4A57B28DF39C581CB00

Function 0000000140036398 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 89COMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 000000014003642F
GetWindowLongA.USER32 ref: 0000000140036481

Strings

ComboBox, xrefs: 0000000140036453
ComboBoxEx32, xrefs: 0000000140036466

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClassLongNameWindow
String ID: ComboBox$ComboBoxEx32
API String ID: 1147815241-1907415764
Opcode ID: 178c34a99a9b1fcb80117b22765a09a2b1a2fdd167cc9180bac05c14461bd5a7
Instruction ID: 9d6ff7b55721fe82b8fdfb9b824e8232c7798590a0e885a1bb3e6d7c0b973785
Opcode Fuzzy Hash: 178c34a99a9b1fcb80117b22765a09a2b1a2fdd167cc9180bac05c14461bd5a7
Instruction Fuzzy Hash: 25318F76A00A4482FB169F36E5443AE73A1F789BD4F548229EB69477EACF78C450C740

Function 00000001401662A4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 65timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400E926C: GetClientRect.USER32 ref: 00000001400E92B6
Part of subcall function 00000001400E926C: PtInRect.USER32 ref: 00000001400E92CD
Part of subcall function 00000001400E926C: MapWindowPoints.USER32 ref: 00000001400E9305
Part of subcall function 00000001400E926C: SendMessageA.USER32 ref: 00000001400E9327

SetRectEmpty.USER32 ref: 00000001401662FA
IsWindow.USER32 ref: 0000000140166336
SetTimer.USER32 ref: 000000014016637A

Strings

d, xrefs: 000000014016634C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Window$ClientEmptyMessagePointsSendTimer
String ID: d
API String ID: 2745976862-2564639436
Opcode ID: e16c5a92eaab9662c4ff89fc990a94a8949a569e403667bc0c7ac91ddc0272b0
Instruction ID: 3d305fd672377d61af3c94d315434de7469de224c5bb2940f124eeb31c3177ec
Opcode Fuzzy Hash: e16c5a92eaab9662c4ff89fc990a94a8949a569e403667bc0c7ac91ddc0272b0
Instruction Fuzzy Hash: 63210236201B8082EB159F66E8543ED67A0FB89F85F584425DF4E0BBA9EF39C485C750

Function 0000000140012424 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014001B800: EnterCriticalSection.KERNEL32 ref: 000000014001B7A0
Part of subcall function 000000014001B800: InitializeCriticalSection.KERNEL32 ref: 000000014001B7BF
Part of subcall function 000000014001B800: LeaveCriticalSection.KERNEL32 ref: 000000014001B7D3

Part of subcall function 0000000140013410: GetModuleHandleW.KERNEL32 ref: 0000000140013445
Part of subcall function 0000000140013410: GetProcAddress.KERNEL32 ref: 000000014001345A
Part of subcall function 0000000140013410: EncodePointer.KERNEL32 ref: 0000000140013466
Part of subcall function 0000000140013410: LoadLibraryExW.KERNEL32 ref: 000000014001348E

GetProcAddress.KERNEL32(?,?,?,?,?,?,?,0000000140006316), ref: 0000000140012498
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,0000000140006316), ref: 00000001400124AB

Strings

HtmlHelpA, xrefs: 000000014001248E
hhctrl.ocx, xrefs: 0000000140012475

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$AddressLibraryProc$EncodeEnterFreeHandleInitializeLeaveLoadModulePointer
String ID: HtmlHelpA$hhctrl.ocx
API String ID: 2185989549-63838506
Opcode ID: bd223f03047dde5b7fe4b110ae26d1191d76240d433f750cc178566e5b5d9cc5
Instruction ID: 47e334c7323b03451e0c9ca22a9ba54a634a44a60bc56a28915ae5b3e76c33fe
Opcode Fuzzy Hash: bd223f03047dde5b7fe4b110ae26d1191d76240d433f750cc178566e5b5d9cc5
Instruction Fuzzy Hash: B3212631210B4586FB16AB53E85039963A4E78CFC4F484825FF4A4B7A5DF7AD891C380

Function 0000000140176044 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

EqualRect.USER32 ref: 0000000140176064
SetWindowRgn.USER32 ref: 000000014017608C
RedrawWindow.USER32 ref: 00000001401760EE

Strings

X, xrefs: 00000001401760AE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$EqualRectRedraw
String ID: X
API String ID: 960909151-3081909835
Opcode ID: a020e78d200b140ce94e9e896ddd92e28f83d69d2130b01ae63a448fda8a78a9
Instruction ID: 69afe0ef133759b597451b140b8df44ddbc392773c63ff1db90133fb93f98af4
Opcode Fuzzy Hash: a020e78d200b140ce94e9e896ddd92e28f83d69d2130b01ae63a448fda8a78a9
Instruction Fuzzy Hash: 02118B3260068086EB55CF3AD549BD977A0F388B88F088134DF150BB58DF39C5948B80

Function 00000001401364F0 Relevance: 6.4, APIs: 4, Instructions: 397windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 0000000140136531
GetWindow.USER32 ref: 0000000140136570
IsWindowVisible.USER32 ref: 0000000140136679
GetWindow.USER32 ref: 0000000140136990

Part of subcall function 0000000140133DF4: GetWindowRect.USER32 ref: 0000000140133ED2
Part of subcall function 0000000140133DF4: GetWindowRect.USER32 ref: 0000000140133EE8
Part of subcall function 0000000140133DF4: UnionRect.USER32 ref: 0000000140133EFA

Part of subcall function 0000000140137034: OutputDebugStringA.KERNEL32 ref: 0000000140137071
Part of subcall function 0000000140137034: ActivateActCtx.KERNEL32 ref: 0000000140137096

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Rect$ActivateDebugOutputStringUnionVisible
String ID:
API String ID: 2353767845-0
Opcode ID: 4e44e248d2ee4f8d7ecc941951fa4b477f2e5555b68146d53503e58319e17755
Instruction ID: 516b5f1c1eb255373c5ce3a0df4b46c7a96a71277c563f71050b4ceaaf2fe341
Opcode Fuzzy Hash: 4e44e248d2ee4f8d7ecc941951fa4b477f2e5555b68146d53503e58319e17755
Instruction Fuzzy Hash: 9CF13572201A8186FB5AAB37D8543ED27A5BB8DFD8F088125EF1A4B7A5DF38C445C340

Function 00000001400FE520 Relevance: 6.2, APIs: 4, Instructions: 240COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400FE584
SetRectEmpty.USER32 ref: 00000001400FE5CF
IsRectEmpty.USER32 ref: 00000001400FE628

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 5c211dea367093eda2462c4922b19145585972eaf8e9a507f89d044ae8fc209c
Instruction ID: 0f05cd8f4d33c51d34958b2ce4a72a9d6277e5dc364633037f73e75069563155
Opcode Fuzzy Hash: 5c211dea367093eda2462c4922b19145585972eaf8e9a507f89d044ae8fc209c
Instruction Fuzzy Hash: FCA16D767006818BEB59CF3ADA94BAC37A5F75CB88F088139EF06876A4DB74E454C710

Function 00000001400D8804 Relevance: 6.2, APIs: 4, Instructions: 218keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400D883E
GetKeyState.USER32 ref: 00000001400D8849
IsRectEmpty.USER32 ref: 00000001400D88AF
GetWindowRect.USER32 ref: 00000001400D8A66

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: 400c48befa198c7ef059c710f4dc624af676e5f0c0c12b8d19da7b3aa5c271db
Instruction ID: 613a7aed3a875118ea1c8338ac12f3c185de5a1cc4dd7a7b645d828d2986a4d5
Opcode Fuzzy Hash: 400c48befa198c7ef059c710f4dc624af676e5f0c0c12b8d19da7b3aa5c271db
Instruction Fuzzy Hash: 0D914772600A408AEB66DB27D854BED67A4FB4CFD8F484016EF0A5BBA4DF39C546C710

Function 000000014004E0F8 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014004E251
InflateRect.USER32 ref: 000000014004E28E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientInflate
String ID:
API String ID: 256450704-0
Opcode ID: fd4545da1b74b8d735a6ad03e7b60ad673cc379013380761b3b341eda0354415
Instruction ID: 42f80576ca675a1093db004fed00f57afe8cc14d5250ee1a66a18ef986e8de98
Opcode Fuzzy Hash: fd4545da1b74b8d735a6ad03e7b60ad673cc379013380761b3b341eda0354415
Instruction Fuzzy Hash: D891AE727106818AEB16DF7AD5947ED37A0FB48BD8F008226FF1A47AA9DB34C940C740

Function 00000001401668C0 Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001401669BF

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

GetCursorPos.USER32 ref: 0000000140166A05
ScreenToClient.USER32 ref: 0000000140166A13
GetWindowRect.USER32 ref: 0000000140166B5D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClientCriticalCursorEnterParentRectScreenSectionWindow
String ID:
API String ID: 3708717923-0
Opcode ID: 75502354431489fd434a74bafa06af16bc66bc29564c2134cfd6b5f5b78e89c2
Instruction ID: fdaaf900a814c4ef0e5628e72078e6b3a8f261386abf20b97d8086de5b7da791
Opcode Fuzzy Hash: 75502354431489fd434a74bafa06af16bc66bc29564c2134cfd6b5f5b78e89c2
Instruction Fuzzy Hash: 6D912376301A448AEB56DB26DC543E923A0F788F98F448A2ADF1D4B7B5EF78C445C300

Function 00000001400AA7B8 Relevance: 6.2, APIs: 4, Instructions: 171COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400AA821
InflateRect.USER32 ref: 00000001400AA853
GetSystemMetrics.USER32 ref: 00000001400AA8D9
EnableScrollBar.USER32 ref: 00000001400AAA17

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientEnableInflateMetricsScrollSystem
String ID:
API String ID: 2297266595-0
Opcode ID: 65fbfe35c64e0249d731fb4a7040785dc8c82ad8cbdca355dcd56cac5b0339d2
Instruction ID: f761904d6e6f1ae817c3bc8e7fbbda488784c5fbc83af354020da687a74d423c
Opcode Fuzzy Hash: 65fbfe35c64e0249d731fb4a7040785dc8c82ad8cbdca355dcd56cac5b0339d2
Instruction Fuzzy Hash: 7E8148726006809FE715CF3AC5547ED37E1F748B88F058629EB0A5BBA8DB39D955CB00

Function 00000001400D688C Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400D6ACD
SetRectEmpty.USER32 ref: 00000001400D6AD6
SetRectEmpty.USER32 ref: 00000001400D6ADF
SetRectEmpty.USER32 ref: 00000001400D6AE9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: ae096bb822b960a85e76dd85056f44d73793bfbe1abe7482bdf824e0450388d7
Instruction ID: 03b4962c21cf7e30d4d39df6ae7e1f20a45b7b3fdbbc6e0a69ff994666980344
Opcode Fuzzy Hash: ae096bb822b960a85e76dd85056f44d73793bfbe1abe7482bdf824e0450388d7
Instruction Fuzzy Hash: D171C536101B8096D751DF21E884BDD33A8F348F58F984639DFA91B369DF3885A5D328

Function 00000001401262B4 Relevance: 6.1, APIs: 4, Instructions: 139windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32 ref: 0000000140126359
GetMenuItemInfoA.USER32 ref: 000000014012643E
InvalidateRect.USER32 ref: 00000001401264BC
UpdateWindow.USER32 ref: 00000001401264C6

Part of subcall function 000000014014B41C: SendMessageA.USER32 ref: 000000014014B44B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$InfoInvalidateItemLongMenuMessageRectSendUpdate
String ID:
API String ID: 2843175645-0
Opcode ID: 262b60bf36e74977d204612b1029938a439e2be3ee62a87356a1b97476b09e81
Instruction ID: 257c02cd82b47a716e33d930e233fc292580671ff54d75598c4f4e5ce45d8097
Opcode Fuzzy Hash: 262b60bf36e74977d204612b1029938a439e2be3ee62a87356a1b97476b09e81
Instruction Fuzzy Hash: C8517B72211A8086EB55DF26D8547ED23A0F789F98F485239EE1E5BBEADF38C505C700

Function 0000000140166568 Relevance: 6.1, APIs: 4, Instructions: 131timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32 ref: 00000001401665F7
GetCursorPos.USER32 ref: 0000000140166667
TrackMouseEvent.USER32 ref: 00000001401666FE
RedrawWindow.USER32 ref: 000000014016677C

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ConditionMask$CursorEventInfoMetricsMouseRedrawSystemTimerTrackVerifyVersionWindow
String ID:
API String ID: 3033991446-0
Opcode ID: 2f125153f88a9dc592bdc384743a053e3a0e368cd09b34036d79a84bc8d487c3
Instruction ID: d5f9005cd0dc6c49900de539cd57bf47856b67a928d203e66643a0973862b74c
Opcode Fuzzy Hash: 2f125153f88a9dc592bdc384743a053e3a0e368cd09b34036d79a84bc8d487c3
Instruction Fuzzy Hash: F7613C32201A849BEB69DF36DD447E837A0F74CB8DF004529EB5D57AA4CB38D8A4CB40

Function 000000014005C57C Relevance: 6.1, APIs: 4, Instructions: 124windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

CreateCompatibleDC.GDI32(?,?,?,?,0000000140047659), ref: 000000014005C6CE
CreateCompatibleBitmap.GDI32 ref: 000000014005C6FA

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CompatibleConditionCreateHashMask$BitmapClientImplImpl::InfoMetricsRectSystemVerifyVersion
String ID:
API String ID: 2548309268-0
Opcode ID: c788e6bebcbd1bfabf624b9e6a115fc0ab82df0ac508c656d89c503268a086ed
Instruction ID: 2bdf77065ff7854f418837f4edaf1b77250ec1693b0d41b2f6e8ce6507a3a78e
Opcode Fuzzy Hash: c788e6bebcbd1bfabf624b9e6a115fc0ab82df0ac508c656d89c503268a086ed
Instruction Fuzzy Hash: B4514C36210B508AEA26DB13E944B9973E8F78CBD4F148526AF9D47BB1DF39D941C700

Function 000000014014E4C4 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014014E50D
InflateRect.USER32 ref: 000000014014E51C
InflateRect.USER32 ref: 000000014014E5AE
FillRect.USER32 ref: 000000014014E628

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$FillInflate
String ID:
API String ID: 3595577067-0
Opcode ID: 752751dd23c069473db96ae7a255f9fd2c198d271879aaa79ec6f1e0cb0e8f61
Instruction ID: be03526ec0b85514e16bafde5d8fc0c5a361c521b1d9c1f567d3993ad4d21d17
Opcode Fuzzy Hash: 752751dd23c069473db96ae7a255f9fd2c198d271879aaa79ec6f1e0cb0e8f61
Instruction Fuzzy Hash: 7B418936B00A548AEB11CFAAD9847EC37B0B78CF98F058622DF5A57BA4DF38D4458740

Function 000000014010A898 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014010A8D8
IsRectEmpty.USER32 ref: 000000014010A92C
IsRectEmpty.USER32 ref: 000000014010A946
CreateRectRgnIndirect.GDI32 ref: 000000014010A971

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty$CreateIndirect
String ID:
API String ID: 643833114-0
Opcode ID: 83468d5edcd912a65e6d9d9f117ba1d32ea6cedfd2360924bf6ea0a562d43393
Instruction ID: c5b4f7e71423eb5b661706c43b86ee007c3e2c14bc2622d63d4ad4a99efbe755
Opcode Fuzzy Hash: 83468d5edcd912a65e6d9d9f117ba1d32ea6cedfd2360924bf6ea0a562d43393
Instruction Fuzzy Hash: 0D416472B10A5085EB02DB76C8453ED23B4F74CF98F454226DF996BAA9EF38C186C340

Function 000000014014244C Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

MessageBeep.USER32 ref: 0000000140142551
GetSubMenu.USER32 ref: 0000000140142577
SendMessageA.USER32 ref: 00000001401425AD
InvalidateRect.USER32 ref: 00000001401425EB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$BeepExceptionInvalidateMenuRectSendThrow
String ID:
API String ID: 2854889734-0
Opcode ID: a338dc1f5b42d32989d2e700f43965a3e42c6e63580d88d6af957b4f968b4467
Instruction ID: d9ca90ca10f2d043bbbed70b56b6d274a7106d12361261b57ede686a9565b98b
Opcode Fuzzy Hash: a338dc1f5b42d32989d2e700f43965a3e42c6e63580d88d6af957b4f968b4467
Instruction Fuzzy Hash: 4041AF36300B8182EA15DB2BE8647DD67A0F789FA4F558226DF2E47BB5CF78C4818700

Function 0000000140164718 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140164840
RedrawWindow.USER32 ref: 0000000140164860
IsWindowVisible.USER32 ref: 000000014016488F
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00000001401648A9

Part of subcall function 0000000140160178: RedrawWindow.USER32 ref: 0000000140160211

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$ContextExternalRedraw$BaseBase::~Concurrency::details::InflateRectVisible
String ID:
API String ID: 1448133624-0
Opcode ID: 4a3c7b7bcc6207e125554ad96b109152d4a57abaf0626d4064e0b5b22aed49c8
Instruction ID: 61745d97d32be78deaf5fa20fd7170ca8ffe5db4795cc811b7ae48b5284b8c4c
Opcode Fuzzy Hash: 4a3c7b7bcc6207e125554ad96b109152d4a57abaf0626d4064e0b5b22aed49c8
Instruction Fuzzy Hash: 96414C32202B8082EB569B27DC947E923A0EBC9F99F185635DB4E4B7B5DF79C481C700

Function 0000000140062244 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400622EC
GetWindowRect.USER32 ref: 00000001400622FB
SendMessageA.USER32 ref: 0000000140062330
SendMessageA.USER32 ref: 00000001400623AD

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: MessageRectSend$EmptyWindow
String ID:
API String ID: 1914275016-0
Opcode ID: 1cc3ac479d8ad844119440cabe8e21a4b2c84ecd3e24a1fecb3a0ff6d7809a6d
Instruction ID: 8d71c7e48823a10621299f4da7c4bbc49ff99086844f0a431fd05fde13a145bd
Opcode Fuzzy Hash: 1cc3ac479d8ad844119440cabe8e21a4b2c84ecd3e24a1fecb3a0ff6d7809a6d
Instruction Fuzzy Hash: 0D412B32310E4482EB629F27D9947AE67A2F789FD9F548421EF0E47B64DF38C6458700

Function 00000001400E2290 Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400E236C
ClientToScreen.USER32 ref: 00000001400E237F
IsWindow.USER32 ref: 00000001400E23A3
ClientToScreen.USER32 ref: 00000001400E23F2

Part of subcall function 0000000140116BC0: IsWindowVisible.USER32 ref: 0000000140116C0F
Part of subcall function 0000000140116BC0: GetWindowRect.USER32 ref: 0000000140116C30
Part of subcall function 0000000140116BC0: PtInRect.USER32 ref: 0000000140116C3D
Part of subcall function 0000000140116BC0: GetAsyncKeyState.USER32 ref: 0000000140116C6C
Part of subcall function 0000000140116BC0: ScreenToClient.USER32 ref: 0000000140116CBD
Part of subcall function 0000000140116BC0: PtInRect.USER32 ref: 0000000140116D08
Part of subcall function 0000000140116BC0: SendMessageA.USER32 ref: 0000000140116D2E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$ClientRectScreen$AsyncMessageSendStateVisible
String ID:
API String ID: 2573223385-0
Opcode ID: cefed451b11f694ef976f54c01381d2ad68efa7a623d3d3b47177b6ef0817737
Instruction ID: 569743d6aa317e8b7a1497a7d75be047ece6b8db87835ea5554c806b80c337ce
Opcode Fuzzy Hash: cefed451b11f694ef976f54c01381d2ad68efa7a623d3d3b47177b6ef0817737
Instruction Fuzzy Hash: 68410D72204A4181EB599F36D0943AE73A0E78CFD4F445022FB4A976B9EB38CD95CB80

Function 00000001401124CC Relevance: 6.1, APIs: 4, Instructions: 82COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

GetClientRect.USER32 ref: 000000014011251B
GetWindowRect.USER32 ref: 0000000140112531

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

OffsetRect.USER32 ref: 000000014011255C

Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010641
Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010661

OffsetRect.USER32 ref: 000000014011257F

Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C5C
Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C77

Part of subcall function 000000014000F910: ReleaseDC.USER32 ref: 000000014000F939

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Clip$Client$ExcludeOffsetScreenSelectWindow$Release
String ID:
API String ID: 3827821671-0
Opcode ID: 82a059f584cb16939d3209a1b1636ceb475b2357e00bef3b9ff8515e4ebc3c86
Instruction ID: 323d6aab30a3390ee347435a9c0eed227d815196302af68f51d8494254d4e266
Opcode Fuzzy Hash: 82a059f584cb16939d3209a1b1636ceb475b2357e00bef3b9ff8515e4ebc3c86
Instruction Fuzzy Hash: C4412572710A449AEB01CF36C5813EC73B1FB9CB98F459622EB4957A68DF70C5A4C740

Function 0000000140056010 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014005603D
ScreenToClient.USER32 ref: 000000014005604C
SetCursor.USER32 ref: 0000000140056094
PtInRect.USER32 ref: 0000000140056125

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ConditionCursorMask$ClientInfoMetricsRectScreenSystemVerifyVersion
String ID:
API String ID: 3736470987-0
Opcode ID: 46dfd31d2ffe976ed33495d4dee1d2cc67c0d9d58471c22ce106282d3a79ecd3
Instruction ID: dbf3f979bbbf50b69a6b3860c23a7b0ed3e907261315e0ca1064f12a54f82029
Opcode Fuzzy Hash: 46dfd31d2ffe976ed33495d4dee1d2cc67c0d9d58471c22ce106282d3a79ecd3
Instruction Fuzzy Hash: DF315C32210A5086EB22DF67E9543EA33A1F78CBC9F440426EB0A476B6CF79C940CB40

Function 00000001400D6608 Relevance: 6.1, APIs: 4, Instructions: 78windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,00000001400D02F0), ref: 00000001400D665B

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

SendMessageA.USER32 ref: 00000001400D66A5
SetRectEmpty.USER32 ref: 00000001400D66C0
OffsetRect.USER32 ref: 00000001400D66F6

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientScreen$EmptyMessageOffsetSendWindow
String ID:
API String ID: 4232917984-0
Opcode ID: 121f1655d601f0f29d1eaca5ef6d200c6bd42c0ff4a8793fb2af0615c34bd0e1
Instruction ID: 767a283c5269961600a262a6bd53fc35e49ec0e3e53b52695cac13e962782dad
Opcode Fuzzy Hash: 121f1655d601f0f29d1eaca5ef6d200c6bd42c0ff4a8793fb2af0615c34bd0e1
Instruction Fuzzy Hash: F1314876614B8482EB61CB22E0447DD73A1F78CFC8F551222EF890BA64DF79C546C740

Function 000000014014C6F4 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

CreateBitmap.GDI32 ref: 000000014014C76A
CreatePatternBrush.GDI32 ref: 000000014014C780
CreateBitmap.GDI32 ref: 000000014014C7CF
CreatePatternBrush.GDI32 ref: 000000014014C7E5

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Create$BitmapBrushPattern
String ID:
API String ID: 3280665104-0
Opcode ID: 0c5fc2efece5f014d41bd509d2d6272c7f8836d668ad40210444fcf7c7a8b2fb
Instruction ID: 3d9afd26d55bbc295913e2fb140eb4ac99bbe31fa01ef7acc0f6b5f399ef43fb
Opcode Fuzzy Hash: 0c5fc2efece5f014d41bd509d2d6272c7f8836d668ad40210444fcf7c7a8b2fb
Instruction Fuzzy Hash: FD311432710B508AE711DF62D858BDC37B8F748B98F514229DE996BBA8CB35C645C740

Function 000000014002C6CC Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 000000014002C744
IntersectRect.USER32 ref: 000000014002C759
EqualRect.USER32 ref: 000000014002C767
InvalidateRgn.USER32 ref: 000000014002C799

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EqualIntersectInvalidate
String ID:
API String ID: 1840461668-0
Opcode ID: fe672a0dc044a959b685107c1401e2645dfb577e36c58d436b334f9437bbbc81
Instruction ID: c2ae5403525da65f2dcdf46f4dd03c18dff814452751b13d32550dda61993b6f
Opcode Fuzzy Hash: fe672a0dc044a959b685107c1401e2645dfb577e36c58d436b334f9437bbbc81
Instruction Fuzzy Hash: F0314736710A5199EB02DB66E8807ED3BB0B78CB98F444026DF4E57A68DF30C59AC740

Function 000000014005017C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400501AB
MessageBeep.USER32 ref: 0000000140050211
SendMessageA.USER32 ref: 000000014005025F
SendMessageA.USER32 ref: 0000000140050274

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 5a70cbd2c377b8b78549c1732e190eb7a9103de722f21762fdaa65f8dc08a5b9
Instruction ID: 207cf5ad97a0c911577fb900d661d90260273ff61a7793c71c61eecbfb1734df
Opcode Fuzzy Hash: 5a70cbd2c377b8b78549c1732e190eb7a9103de722f21762fdaa65f8dc08a5b9
Instruction Fuzzy Hash: CE316D76200B8582EB059F66E8543DE7761FB89FE8F044226EF6A0B7E9CF79C4448740

Function 00000001400502D8 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140050307
MessageBeep.USER32 ref: 000000014005036D
SendMessageA.USER32 ref: 00000001400503BB
SendMessageA.USER32 ref: 00000001400503D0

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 6b69f6ba67f6d0ba5f4398ac26d42766fe1c4bdc1bbf637e941dcbff336f142f
Instruction ID: 7f6fc577bc7635b45592b246437e39d8dc2499834dce6e98546856f34e734d96
Opcode Fuzzy Hash: 6b69f6ba67f6d0ba5f4398ac26d42766fe1c4bdc1bbf637e941dcbff336f142f
Instruction Fuzzy Hash: 59315C76210B8582EB059F66E4503DE7761FB89BA8F044226EF6A0B7E9CF79C4458740

Function 00000001400B25CC Relevance: 6.1, APIs: 4, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400B25F2
LoadMenuW.USER32 ref: 00000001400B2632
GetSubMenu.USER32 ref: 00000001400B2642
TrackPopupMenu.USER32 ref: 00000001400B26B7

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Menu$LoadParentPopupTrack
String ID:
API String ID: 1336469532-0
Opcode ID: b0cc0d47e24fe64f0dbf7e7d81df66817b53308141c385206867121b31cd9fbe
Instruction ID: ac4fec2214c891919e8546897ac1688e087369e24ef2a396883f99727b04f459
Opcode Fuzzy Hash: b0cc0d47e24fe64f0dbf7e7d81df66817b53308141c385206867121b31cd9fbe
Instruction Fuzzy Hash: 14212572215B4082EA56CF53E4887AA67B0F789FC5F184425EF8A0BBA4DF38D450DB00

Function 00000001400388C0 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?,0000000140036FB1), ref: 00000001400388F7
LoadResource.KERNEL32(?,?,?,0000000140036FB1), ref: 0000000140038911
LockResource.KERNEL32(?,?,?,0000000140036FB1), ref: 0000000140038927
GlobalFree.KERNEL32 ref: 000000014003896D

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 3b5b30af0758f363be24a8daa4369783377979b7d47baa09e238038ac17228d6
Instruction ID: 54c675d3b192e77bffa5a5d20ad3889ec4470696e3ac6d854a272fec489c6902
Opcode Fuzzy Hash: 3b5b30af0758f363be24a8daa4369783377979b7d47baa09e238038ac17228d6
Instruction Fuzzy Hash: DA212C71201F9185EA67AB13A5543EAA3E1EB48FC4F188465EF8D0BBA9DF38C4518341

Function 000000014005E6D8 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 000000014005E73F
GetWindowRect.USER32 ref: 000000014005E765
PtInRect.USER32 ref: 000000014005E775
CallNextHookEx.USER32 ref: 000000014005E79F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$CallCursorHookNextWindow
String ID:
API String ID: 3719484595-0
Opcode ID: f8f4f60e4332537402d727cb8bf175ecbb7c0e812a7ca5fe25dc4fc9478e7b3f
Instruction ID: 5a822c8894b5bfeaea75001e416b4148bb192e24103980a0c611ceb781daca84
Opcode Fuzzy Hash: f8f4f60e4332537402d727cb8bf175ecbb7c0e812a7ca5fe25dc4fc9478e7b3f
Instruction Fuzzy Hash: 9A215076224A8881FA66DF16E8583E66BA0F78CBD5F144811EB8E477B4CF3DC5458700

Function 0000000140156144 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

DrawThemeBackground.UXTHEME ref: 000000014015617E
IsRectEmpty.USER32 ref: 0000000140156187
InflateRect.USER32 ref: 000000014015619A
DrawThemeBackground.UXTHEME ref: 00000001401561C3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: BackgroundDrawRectTheme$EmptyInflate
String ID:
API String ID: 1053687596-0
Opcode ID: 0b371cdbbd5ccf8c873d0e0f215cb01e045488012f90266d92bc46e85df735a5
Instruction ID: 33f440632981e04cf3b8420bfe75f1e30bb4e1e76cdcc637764eb414f9f5f4fd
Opcode Fuzzy Hash: 0b371cdbbd5ccf8c873d0e0f215cb01e045488012f90266d92bc46e85df735a5
Instruction Fuzzy Hash: 5D216F36614A8086FB618B26E5407AEB375F7DCFC4F189220DF890BA69DF39C544C740

Function 000000014000A460 Relevance: 6.1, APIs: 4, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32 ref: 000000014000A4BF
RegCloseKey.ADVAPI32 ref: 000000014000A4CA
swprintf.LEGACY_STDIO_DEFINITIONS ref: 000000014000A4EB
WritePrivateProfileStringA.KERNEL32 ref: 000000014000A502

Part of subcall function 000000014000A030: RegCloseKey.ADVAPI32 ref: 000000014000A0DE

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Close$PrivateProfileStringValueWriteswprintf
String ID:
API String ID: 581541481-0
Opcode ID: 239a02bc26b21a03f071809955f4ee4be4c625edf8d1fd970a35b3b54ebfaaa9
Instruction ID: ad2cbaaea86dd97212027bb7c00ee611b9c227e1d73df3d1d996b90486193b86
Opcode Fuzzy Hash: 239a02bc26b21a03f071809955f4ee4be4c625edf8d1fd970a35b3b54ebfaaa9
Instruction Fuzzy Hash: 3E118F72316A8442FA529B56A850BDA67A4E78DFC4F480031AF0E07B64EF3CC4468700

Function 00000001401383EC Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140138422
SetRectEmpty.USER32 ref: 0000000140138434

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

PtInRect.USER32 ref: 000000014013846E
PtInRect.USER32 ref: 0000000140138480

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientEmptyScreen
String ID:
API String ID: 2023098818-0
Opcode ID: ca5ecf003ae659c348673b2d4a09c9fd84d5fa5ec0555089ba8ebb3a05ecfa1b
Instruction ID: dc3f6c33d49d0fed4364ef1386f26fdf16fb77a92b8f4a7c16ced3ac8bc09763
Opcode Fuzzy Hash: ca5ecf003ae659c348673b2d4a09c9fd84d5fa5ec0555089ba8ebb3a05ecfa1b
Instruction Fuzzy Hash: 9921F432710B1589FB00DBA6E8913ED73B5F798B88F444422DF4A5BA68DF78C115C740

Function 0000000140100678 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001401006CA
PtInRect.USER32 ref: 00000001401006DC
IsRectEmpty.USER32 ref: 00000001401006F0
PtInRect.USER32 ref: 0000000140100702

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$Empty
String ID:
API String ID: 4257549173-0
Opcode ID: b0febeb1954955258cb5f9b9673647dba52a29eab1f78df96fcbba388778989d
Instruction ID: b7a83d78f621cf04056c1f728905472362152e63afe4030f5b3e9a323e51519a
Opcode Fuzzy Hash: b0febeb1954955258cb5f9b9673647dba52a29eab1f78df96fcbba388778989d
Instruction Fuzzy Hash: AE11F875311A4481FBA69B2795543E932A6A788FC9F085035EF868AAB4DF3CC8948E11

Function 000000014003275C Relevance: 6.0, APIs: 4, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

SysStringLen.OLEAUT32 ref: 000000014003277C
WideCharToMultiByte.KERNEL32 ref: 00000001400327A5
SysAllocStringByteLen.OLEAUT32 ref: 00000001400327B1
WideCharToMultiByte.KERNEL32 ref: 00000001400327DE

Part of subcall function 000000014000DB14: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB30

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Byte$CharMultiStringWide$AllocExceptionThrow
String ID:
API String ID: 1645249506-0
Opcode ID: fbf0e780985c75990d89c1e06e5c18597875d821b3bf0d0b54e06ed0d04b647c
Instruction ID: 74e5e442d46317c6744120a9296a77341deea3b7a975fc6bde19a13687ec147c
Opcode Fuzzy Hash: fbf0e780985c75990d89c1e06e5c18597875d821b3bf0d0b54e06ed0d04b647c
Instruction Fuzzy Hash: 90117332618B4482E765CB62B44535BB7E0F78CBD4F044528FB864BB68DF3CC0448740

Function 00000001400624C4 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400624E1

Part of subcall function 0000000140064E2C: GetWindowRect.USER32 ref: 0000000140064E4C
Part of subcall function 0000000140064E2C: GetParent.USER32 ref: 0000000140064E92
Part of subcall function 0000000140064E2C: GetParent.USER32 ref: 0000000140064EA9

ScreenToClient.USER32 ref: 0000000140062506
SetCapture.USER32 ref: 0000000140062529
GetWindowRect.USER32 ref: 0000000140062566

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ParentRectWindow$CaptureClientCursorScreen
String ID:
API String ID: 3234571238-0
Opcode ID: d0fc4c09ce18d6023909332ee2c893c85fa6ee795f92054981a19e4aaf6551ab
Instruction ID: 382f91301e2edc75287b513e4d10fe553596b1e03d226fb794a780ed9dd17602
Opcode Fuzzy Hash: d0fc4c09ce18d6023909332ee2c893c85fa6ee795f92054981a19e4aaf6551ab
Instruction Fuzzy Hash: 01114536310F8492EB499B62D6983AC73A1F788FD5F048421EB1E077A1CFB8D5A4C740

Function 0000000140168098 Relevance: 6.0, APIs: 4, Instructions: 42timewindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001401680C0
ScreenToClient.USER32 ref: 00000001401680CF

Part of subcall function 0000000140167B14: PtInRect.USER32 ref: 0000000140167B77

KillTimer.USER32 ref: 00000001401680F0
IsWindowVisible.USER32 ref: 000000014016811B

Part of subcall function 00000001401141F0: IsWindowVisible.USER32 ref: 000000014011420B

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: VisibleWindow$ClientCursorKillRectScreenTimer
String ID:
API String ID: 2528662293-0
Opcode ID: 0dcc92f0fd76d81cd0b4f8e1ef29d78480a8298c1d17fe53bf7cb3500e011b59
Instruction ID: 689709b7a2e70c5d899c2131dcdc496b410c576e98911943c0e58a2133f678d3
Opcode Fuzzy Hash: 0dcc92f0fd76d81cd0b4f8e1ef29d78480a8298c1d17fe53bf7cb3500e011b59
Instruction Fuzzy Hash: B0114872210A4087EB569F12D9983A867A1F78CFDAF084524DF0E0B2A4DF78C859C711

Function 00000001400902BC Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400902C9
GetParent.USER32 ref: 00000001400902F8
SendMessageA.USER32 ref: 0000000140090316
ReleaseCapture.USER32 ref: 0000000140090348

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Capture$MessageParentReleaseSend
String ID:
API String ID: 1869852667-0
Opcode ID: 28f82acadd7c2a68dc0e6c9e376cb163630421c11a5c108f164e3657b04a597a
Instruction ID: 3a05d2dbe1c08d6763fa9dd6b3af6b3a5eec08ffa55c192b1e217e3e2f3ee98e
Opcode Fuzzy Hash: 28f82acadd7c2a68dc0e6c9e376cb163630421c11a5c108f164e3657b04a597a
Instruction Fuzzy Hash: D3010036610A4187FB569F67E8957E923A4EB8CFD5F089034AF1A0B3B5DE79C5848B00

Function 000000014001C5B4 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 000000014001C5F3
GlobalHandle.KERNEL32 ref: 000000014001C603
GlobalUnlock.KERNEL32 ref: 000000014001C610
GlobalFree.KERNEL32 ref: 000000014001C61A

Part of subcall function 000000014001C8CC: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C95E
Part of subcall function 000000014001C8CC: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C974
Part of subcall function 000000014001C8CC: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C97E
Part of subcall function 000000014001C8CC: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C995

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: FreeGlobal$CriticalSection$EnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1402163063-0
Opcode ID: ebcc847ce0997ad77b914da716e08dbfdff99b3b7cdfb39571aff647ee1d707e
Instruction ID: ecb203bafc02463a9b666fb63fd066c53b9f1be2df1c51e2940f563c28775bfb
Opcode Fuzzy Hash: ebcc847ce0997ad77b914da716e08dbfdff99b3b7cdfb39571aff647ee1d707e
Instruction Fuzzy Hash: 8B018F35211E4082EE168F26E5947A963B1FB4EFE1F0857249B2A0B6F4DF39C461C700

Function 0000000140119FF4 Relevance: 6.0, APIs: 4, Instructions: 37windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400FA920: IsRectEmpty.USER32 ref: 00000001400FA937
Part of subcall function 00000001400FA920: RedrawWindow.USER32 ref: 00000001400FA980

IsWindowVisible.USER32 ref: 000000014011A019
RedrawWindow.USER32 ref: 000000014011A039
IsWindowVisible.USER32 ref: 000000014011A056
RedrawWindow.USER32 ref: 000000014011A076

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Redraw$Visible$EmptyRect
String ID:
API String ID: 2056780629-0
Opcode ID: 99755c2f54527156d73ab42fe66f68154e64dc886e85f80e8354c8203e0ae581
Instruction ID: 05c8561fcba26cdf66e7647a10c2fd79c07c31311e3f04f0c9ac35ebbce7a23f
Opcode Fuzzy Hash: 99755c2f54527156d73ab42fe66f68154e64dc886e85f80e8354c8203e0ae581
Instruction Fuzzy Hash: F8011232310D0086FB699B6BD4947A56BA1EB8DFC8F5801269F494F171DF3AC4868200

Function 00000001400306A3 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014003070C
GetFocus.USER32 ref: 0000000140030716

Part of subcall function 0000000140030904: IsWindow.USER32 ref: 0000000140030926
Part of subcall function 0000000140030904: GetParent.USER32 ref: 0000000140030949

IsWindow.USER32 ref: 0000000140030734
GetFocus.USER32 ref: 000000014003073E

Part of subcall function 00000001400309C4: IsChild.USER32 ref: 00000001400309F4
Part of subcall function 00000001400309C4: GetWindowLongA.USER32 ref: 0000000140030A10

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Window$Focus$ChildLongParent
String ID:
API String ID: 1766597969-0
Opcode ID: a5753771f1199e9c8e36117d6da16387fba761895e93682ff7dc8cc6d1398e9e
Instruction ID: 0aed740efdb8319282772d49d961474b18002cbb3fed35dcc0f092c5f4a37984
Opcode Fuzzy Hash: a5753771f1199e9c8e36117d6da16387fba761895e93682ff7dc8cc6d1398e9e
Instruction Fuzzy Hash: E2F0FF3270568082FA43EB53A8553EE53A0A78DFE1F004425AF5A4B7B6DF38D5868710

Function 000000014001047C Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 0000000140010495
GetViewportExtEx.GDI32 ref: 00000001400104A4
MulDiv.KERNEL32 ref: 00000001400104C5
MulDiv.KERNEL32 ref: 00000001400104E9

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 4fb12cec3c4a46847ae8079a33c00c3f35a9f978043b80f7e12bc19e564e2700
Instruction ID: 73b35e27834f63d928ea3249d22773f13ba20f6781caf89168dbb760a6963692
Opcode Fuzzy Hash: 4fb12cec3c4a46847ae8079a33c00c3f35a9f978043b80f7e12bc19e564e2700
Instruction Fuzzy Hash: 6D010C3672464087DB09DF66E58469973B1FB8CB90F005425FB5647B65DF38D891CF40

Function 00000001400107C4 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 00000001400107DD
GetViewportExtEx.GDI32 ref: 00000001400107EC
MulDiv.KERNEL32 ref: 000000014001080D
MulDiv.KERNEL32 ref: 0000000140010831

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 36bbdfa0f2d2eb987a386c70018409b84310db4f8945d7ea448a6dc373badb99
Instruction ID: d29b15ca48b5bca34cf2704c010c819912baa1cc6bafa92f3f59777079a33ce2
Opcode Fuzzy Hash: 36bbdfa0f2d2eb987a386c70018409b84310db4f8945d7ea448a6dc373badb99
Instruction Fuzzy Hash: 4C010C3672464087DB09DF66E58469973B1FB8CB90F005425FB5647B65DF38D891CF40

Function 0000000140012330 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140012359
GetWindowLongA.USER32 ref: 000000014001237D
GetParent.USER32 ref: 000000014001238C
GetWindow.USER32 ref: 0000000140012399

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ParentWindow$Long
String ID:
API String ID: 941798831-0
Opcode ID: 6e0a4655a1139730bc3ad2f9845002214a8865a6573c8287d4aca77f1b42f37f
Instruction ID: 2d08e2c3a9a097add1eb474354568c53e570404895d0f26ff82ba8c910962ba4
Opcode Fuzzy Hash: 6e0a4655a1139730bc3ad2f9845002214a8865a6573c8287d4aca77f1b42f37f
Instruction Fuzzy Hash: F1F04F31301A4082FE1A5B57A5943FD22A1AB8DFD4F184424AF2A0F7F5DE3EC5908300

Function 000000014007E594 Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014007E5DD
InvalidateRect.USER32 ref: 000000014007E5F2
UpdateWindow.USER32 ref: 000000014007E5FC
SetRectEmpty.USER32 ref: 000000014007E605

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$EmptyInflateInvalidateUpdateWindow
String ID:
API String ID: 3040190709-0
Opcode ID: a09d8dab4ad522235830055118285068e87f06623766813a3699d766efd0fdf7
Instruction ID: 48a4a751cb282a3e4fd8f852833816cb896143f521d3a90708831fc07bb1679f
Opcode Fuzzy Hash: a09d8dab4ad522235830055118285068e87f06623766813a3699d766efd0fdf7
Instruction Fuzzy Hash: C9016D32210B8483E7258B26E4993D97360F78CF98F544624EB9A077B4DF7DC196CB00

Function 00000001401122E4 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

InvalidateRect.USER32 ref: 0000000140112325
UpdateWindow.USER32 ref: 000000014011232F
InvalidateRect.USER32 ref: 0000000140112366
UpdateWindow.USER32 ref: 0000000140112370

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: InvalidateRectUpdateWindow
String ID:
API String ID: 1236202516-0
Opcode ID: e442c223008b32935d9309fdd01db4fa4d9c2d9f69a7a3405bd8603ea2096c61
Instruction ID: f61958dac20a125af5daf32018b847ff46dfb2e46592afd68a2101f1972f3351
Opcode Fuzzy Hash: e442c223008b32935d9309fdd01db4fa4d9c2d9f69a7a3405bd8603ea2096c61
Instruction Fuzzy Hash: EA01A972521A84CAF7558F26C4993E837A5F398F6EF180035CA090E1A4DF7BC4AACB10

Function 000000014004C554 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 000000014004C574
PtInRect.USER32 ref: 000000014004C586
SetCapture.USER32 ref: 000000014004C594
RedrawWindow.USER32 ref: 000000014004C5BB

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: d067b6940d31dbf1278770efb4ec4aa2fcd48076282c23c23ef50970b628feb0
Instruction ID: a0b00f44c955342de2b2f79999bac89ed203c8af48bfe01e70c1afcebb31632b
Opcode Fuzzy Hash: d067b6940d31dbf1278770efb4ec4aa2fcd48076282c23c23ef50970b628feb0
Instruction Fuzzy Hash: 70F0F976621A46C2FF559F67E495BAE27A0F788F89F045031EF0A4B664EF3AC0458700

Function 000000014004657C Relevance: 6.0, APIs: 4, Instructions: 20COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0000000140046598
GetTickCount.KERNEL32 ref: 00000001400465AA
CoFreeUnusedLibraries.OLE32 ref: 00000001400465BD
GetTickCount.KERNEL32 ref: 00000001400465C3

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CountTick$FreeLibrariesUnused
String ID:
API String ID: 3582965738-0
Opcode ID: 1f57d90dcbc13b1492b527137c5ef615da12181ebae75a24ad6b7c5e30ae5300
Instruction ID: db74456ead7dd77ec39f01b765c5df87d60880ff557917ed20ba30e17042e8f4
Opcode Fuzzy Hash: 1f57d90dcbc13b1492b527137c5ef615da12181ebae75a24ad6b7c5e30ae5300
Instruction Fuzzy Hash: 1DF03974911A8186FB6A6F67EC887E822F0B70C715F000929D303821B4EB7C84868B06

Function 00000001400C2598 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 365COMMON

Download Yara Rule

APIs

GetTextColor.GDI32 ref: 00000001400C2819

Part of subcall function 0000000140157D34: CreatePolygonRgn.GDI32 ref: 0000000140157E46

Strings

2, xrefs: 00000001400C2761

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ColorCreatePolygonText
String ID: 2
API String ID: 3928325479-450215437
Opcode ID: a5fd463f19412818be39668a15b2267c5067c50bfd03850e82e8adb68253d89a
Instruction ID: 67bb9f9badf028627f7d2781320c257afbba3ceeac86a765bb81c376c1939c39
Opcode Fuzzy Hash: a5fd463f19412818be39668a15b2267c5067c50bfd03850e82e8adb68253d89a
Instruction Fuzzy Hash: 55025C727186408BE769CF7AD544BED37B1F348B88F045625EF0A6BAA8CB749845CB40

Function 00000001400D4014 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400D4230

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

RedrawWindow.USER32 ref: 00000001400D4307

Part of subcall function 0000000140192458: _onexit.LIBCMT ref: 000000014019245C

Part of subcall function 00000001401926AC: EnterCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926BC
Part of subcall function 00000001401926AC: LeaveCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926FC

Part of subcall function 00000001400088C8: FindResourceW.KERNEL32 ref: 0000000140008904
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 0000000140008951
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 000000014000899F

Strings

4, xrefs: 00000001400D42DD

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterMultiWide$ClientFindLeaveRectRedrawResourceWindow_onexit
String ID: 4
API String ID: 3901185068-4088798008
Opcode ID: 1577e6d4ce7f6129cc922b103f483d361c2fbfb2ecdcbce46d4da2b5fcc16e96
Instruction ID: dea328c55d88e8dc9fa738ef3a71bbd0c6dc49f9f1cb63bd0390c04b88a1b9c6
Opcode Fuzzy Hash: 1577e6d4ce7f6129cc922b103f483d361c2fbfb2ecdcbce46d4da2b5fcc16e96
Instruction Fuzzy Hash: 62919C7A70064086FB26DB66D8843ED63A1AB9CBC4F584526EF09477B5DF38C582C750

Function 00000001400F8728 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014012D671
PostMessageA.USER32 ref: 000000014012D6A1

Part of subcall function 0000000140086988: RedrawWindow.USER32 ref: 0000000140086A02

Part of subcall function 000000014008A088: RedrawWindow.USER32 ref: 000000014008A130

Strings

e, xrefs: 00000001400F87DC

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: RedrawWindow$MessageParentPost
String ID: e
API String ID: 1301221577-4024072794
Opcode ID: a99d82d4cec597901e7869a9532a0bbb9b55c937556ea1439e05edfa620f0fd4
Instruction ID: 689f42f651290377ba7a227b13b131bb3eaf80f07c57f4a0ba9ce8a66bd362eb
Opcode Fuzzy Hash: a99d82d4cec597901e7869a9532a0bbb9b55c937556ea1439e05edfa620f0fd4
Instruction Fuzzy Hash: 78715972310A8486EB66EB23D4647EA33A1FB8DF84F584529AB0E4B7A5DF79C4458700

Function 00000001400F62A8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112COMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 00000001400F6320
GetClientRect.USER32 ref: 00000001400F6336

Strings

Afx:DockPane, xrefs: 00000001400F63E0

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Rect$ClientCopy
String ID: Afx:DockPane
API String ID: 1880273418-3269875795
Opcode ID: 0ae50c8dae5f00ad643b9fdedc5c54ec27e22f3aeb4558a6f3eb2ad7b229ee2f
Instruction ID: 64ccabc06a319515f18bffd2a8867d8abe2a640480271d6912760d0493b7e151
Opcode Fuzzy Hash: 0ae50c8dae5f00ad643b9fdedc5c54ec27e22f3aeb4558a6f3eb2ad7b229ee2f
Instruction Fuzzy Hash: A9516B72610A809AE755CF7AD4943EC77A0F78CBA8F008226EF5997BA4CF78C655C740

Function 00000001400E8754 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400E886E

Strings

Control Panel\Desktop, xrefs: 00000001400E87B5
MenuShowDelay, xrefs: 00000001400E8804

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: Cursor
String ID: Control Panel\Desktop$MenuShowDelay
API String ID: 3268636600-702829638
Opcode ID: 7b40138c8dc891e35342e0bc11a5ae3b00ac65ae26586b65084aeb0da56f5264
Instruction ID: 3585451ae1db0ebfa5c80e1ca07172a4e961853455e46ab5be76539adeae5fd5
Opcode Fuzzy Hash: 7b40138c8dc891e35342e0bc11a5ae3b00ac65ae26586b65084aeb0da56f5264
Instruction Fuzzy Hash: B4317E71600A8586EF659B26E94439963A1F788BB5F444329EB6E877F4CF38C840C741

Function 00000001401905CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00000001401905F7

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

PatBlt.GDI32 ref: 000000014019065F

Strings

!, xrefs: 000000014019064E

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ObjectSelect$BrushColorCreateSolid
String ID: !
API String ID: 3610460338-2657877971
Opcode ID: d758595f8e0f9c9302edf9b86dba424ccda5aecc80144adff84f9f6be37d7fad
Instruction ID: 33776da0a552c38e6cf71461d0d1c6ff8f3a04a881718603f0c93ffa11ea39a4
Opcode Fuzzy Hash: d758595f8e0f9c9302edf9b86dba424ccda5aecc80144adff84f9f6be37d7fad
Instruction Fuzzy Hash: 04116032228A8086E711DB66F4407AEB760FBCDBD0F505215FB9907BB9DF78C4458B00

Function 0000000140004480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 00000001400044A2
LoadCursorA.USER32 ref: 00000001400044ED

Part of subcall function 00000001400124F4: GetClassInfoA.USER32 ref: 000000014001251E

Part of subcall function 00000001400102B4: _CxxThrowException.LIBVCRUNTIME ref: 00000001400102D0

Strings

X_WND_ANIMATE, xrefs: 0000000140004496, 000000014000450A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ClassInfo$CursorExceptionLoadThrow
String ID: X_WND_ANIMATE
API String ID: 2350586136-2383826567
Opcode ID: 16830258ddd1389848077405811c82920ec411a0afb243bd1305eb83905aa71a
Instruction ID: 98bb19b31cc42f65204f96367d06727b86bb08230ca54c08de15115b8bb4b4b3
Opcode Fuzzy Hash: 16830258ddd1389848077405811c82920ec411a0afb243bd1305eb83905aa71a
Instruction Fuzzy Hash: 121190B2618B8086E7A29B16F88039AB3B4F789784F500125F7CD47BA9DF7DC518CB40

Function 00000001400064F8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140006516
ActivateActCtx.KERNEL32 ref: 0000000140006537

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000650F

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: ActivateDebugOutputString
String ID: IsolationAware function called after IsolationAwareCleanup
API String ID: 396653078-2690750368
Opcode ID: 103a57d69cfcfbe9e03c100b65e941326a1ab96d83975bc33da29e61a765dc72
Instruction ID: 1edd85269c2ca2a48ba20875ce1c2bceda990c3f48118a99d210f015604b3941
Opcode Fuzzy Hash: 103a57d69cfcfbe9e03c100b65e941326a1ab96d83975bc33da29e61a765dc72
Instruction Fuzzy Hash: D4F082B070094286FB42EB67FDC47A462E1A74CBC1F840034EB1E866B4CB74C884C600

Function 000000014013E618 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME ref: 000000014013E650
OpenThemeData.UXTHEME ref: 000000014013E661

Strings

REBAR, xrefs: 000000014013E65A

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: DataTheme$CloseOpen
String ID: REBAR
API String ID: 1809247333-925029515
Opcode ID: d57b7c82ba4f73895e532f1890f12508a1012774a71faf3824198c50e0ccf796
Instruction ID: 99f9eea80f59f91bb07fb231763d2f057c88fb887e5329774311ab16a64c6f1a
Opcode Fuzzy Hash: d57b7c82ba4f73895e532f1890f12508a1012774a71faf3824198c50e0ccf796
Instruction Fuzzy Hash: 66F01CB1211B05C1FF56AF2BD8823D823A5AB5CF91F485025DF094A2B4EF39C685A350

Function 000000014001C8CC Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C95E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C974
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C97E
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C995

Memory Dump Source

Source File: 00000006.00000002.1277038321.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000006.00000002.1277022013.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277169251.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277232933.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277252742.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277270784.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277287398.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277303292.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000006.00000002.1277324911.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000000_bfsvc.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: 6a8a1c36a33dd14bef5dad7ba8e1ce4a9b8295741b90d15e96617bd21829802d
Instruction ID: ffe0a2e74273a4ad5531308953ad0c688cb00f45a725e6f31a1c054d3cee22a1
Opcode Fuzzy Hash: 6a8a1c36a33dd14bef5dad7ba8e1ce4a9b8295741b90d15e96617bd21829802d
Instruction Fuzzy Hash: 76312636210B0492EB258F17E5847A97771F788FD4F444011EF5A0BBA9CF39D9A6C380

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bfsvc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~SF8771.tmp

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: bfsvc.exePID: 1424, Parent PID: 4056

General

Chronological Activities

Disassembly

Analysis Process: bfsvc.exePID: 1424, Parent PID: 4056COMMON

Execution Graph

Graph

Executed Functions

Windows Analysis Report
bfsvc.exe

Function 00000001401AFA10 Relevance: 1.5, APIs: 1, Instructions: 45
COMMONLIBRARYCODE

Function 00000001400400EC Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 580
windowCOMMON