Edit tour

Windows Analysis Report
EXPLORER.EXE.exe

Overview

General Information

Sample name:	EXPLORER.EXE.exe
Analysis ID:	1525468
MD5:	2e5dc3f90227ea0fd2e0d23d8b330ddf
SHA1:	779d453a60404f03c3aab508be972f609b6fa879
SHA256:	12bf9fe2a68acb56eb01ca97388a1269b391f07831fd37a1371852ed5df44444
Tags:	exePreftuser-smica83

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (creates a PE file in dynamic memory)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality for read data from the clipboard

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EXPLORER.EXE.exe (PID: 2736 cmdline: "C:\Users\user\Desktop\EXPLORER.EXE.exe" MD5: 2E5DC3F90227EA0FD2E0D23D8B330DDF)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: EXPLORER.EXE.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: EXPLORER.EXE.exe	ReversingLabs: Detection: 42%
Source: EXPLORER.EXE.exe	Virustotal: Detection: 59%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 96.6% probability

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Unpacked PE file: 0.2.EXPLORER.EXE.exe.400000.0.unpack

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140145940 GetAsyncKeyState,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0000000140145940

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140145940 GetAsyncKeyState,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,lstrcpyA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0000000140145940

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_00000001400E00A4 GetSystemMetrics,GetAsyncKeyState,WindowFromPoint,ScreenToClient,SendMessageA,ScreenToClient,

0_2_00000001400E00A4

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014005098C MessageBeep,GetKeyState,GetKeyState,GetKeyState,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,GetKeyState,SendMessageA,GetKeyState,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,	0_2_000000014005098C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140114F8C GetKeyState,GetKeyState,GetKeyState,	0_2_0000000140114F8C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400159A4 GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_00000001400159A4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014009E3C0 GetKeyState,GetKeyState,GetKeyState,GetParent,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent,	0_2_000000014009E3C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013EA78 GetParent,ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow,	0_2_000000014013EA78

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0040EC78	0_2_0040EC78
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00403838	0_2_00403838
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00407C98	0_2_00407C98
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_004051FC	0_2_004051FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0040AAF0	0_2_0040AAF0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00400740	0_2_00400740
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0040AFC0	0_2_0040AFC0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140054054	0_2_0000000140054054
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140080090	0_2_0000000140080090
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D8088	0_2_00000001400D8088
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400400EC	0_2_00000001400400EC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400380F4	0_2_00000001400380F4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140124158	0_2_0000000140124158
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140100148	0_2_0000000140100148
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014001C178	0_2_000000014001C178
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A8198	0_2_00000001400A8198
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400481D8	0_2_00000001400481D8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401981D0	0_2_00000001401981D0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401742B8	0_2_00000001401742B8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013C2B0	0_2_000000014013C2B0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014012C33C	0_2_000000014012C33C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D4340	0_2_00000001400D4340
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014009035C	0_2_000000014009035C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014019844C	0_2_000000014019844C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A4464	0_2_00000001400A4464
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401745E4	0_2_00000001401745E4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401A05F0	0_2_00000001401A05F0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011C638	0_2_000000014011C638
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014007C650	0_2_000000014007C650
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401606C0	0_2_00000001401606C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A06F8	0_2_00000001400A06F8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401007D8	0_2_00000001401007D8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140118838	0_2_0000000140118838
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140104874	0_2_0000000140104874
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013C8CC	0_2_000000014013C8CC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400DC8D4	0_2_00000001400DC8D4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014008CA04	0_2_000000014008CA04
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140124AA0	0_2_0000000140124AA0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140054B9C	0_2_0000000140054B9C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140140BFC	0_2_0000000140140BFC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E8C04	0_2_00000001400E8C04
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401A0C4C	0_2_00000001401A0C4C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140174C9C	0_2_0000000140174C9C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140158C9C	0_2_0000000140158C9C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140078CA0	0_2_0000000140078CA0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140068CB4	0_2_0000000140068CB4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400BCCC4	0_2_00000001400BCCC4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400FCCD4	0_2_00000001400FCCD4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140134D48	0_2_0000000140134D48
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400ACD60	0_2_00000001400ACD60
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140090DE4	0_2_0000000140090DE4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400ECE24	0_2_00000001400ECE24
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A8E58	0_2_00000001400A8E58
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E4E64	0_2_00000001400E4E64
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010CF78	0_2_000000014010CF78
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401310A0	0_2_00000001401310A0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140115184	0_2_0000000140115184
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400351AC	0_2_00000001400351AC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401451AC	0_2_00000001401451AC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140169268	0_2_0000000140169268
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400692F0	0_2_00000001400692F0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400792EC	0_2_00000001400792EC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011D340	0_2_000000014011D340
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400C5348	0_2_00000001400C5348
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F53C8	0_2_00000001400F53C8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014005943C	0_2_000000014005943C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014003944C	0_2_000000014003944C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400514CC	0_2_00000001400514CC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A94D8	0_2_00000001400A94D8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401314FC	0_2_00000001401314FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401254E8	0_2_00000001401254E8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140105510	0_2_0000000140105510
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F162C	0_2_00000001400F162C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140139680	0_2_0000000140139680
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014008D694	0_2_000000014008D694
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B1714	0_2_00000001400B1714
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A1748	0_2_00000001400A1748
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E1754	0_2_00000001400E1754
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140149780	0_2_0000000140149780
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013D788	0_2_000000014013D788
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400457C0	0_2_00000001400457C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400317E0	0_2_00000001400317E0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014005980C	0_2_000000014005980C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B58DC	0_2_00000001400B58DC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401418CC	0_2_00000001401418CC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A58E8	0_2_00000001400A58E8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140105924	0_2_0000000140105924
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140021938	0_2_0000000140021938
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401A5984	0_2_00000001401A5984
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401699D0	0_2_00000001401699D0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E5A0C	0_2_00000001400E5A0C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014005DA4C	0_2_000000014005DA4C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013DA9C	0_2_000000014013DA9C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014012DA84	0_2_000000014012DA84
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D5AE0	0_2_00000001400D5AE0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140065AF0	0_2_0000000140065AF0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D5C1C	0_2_00000001400D5C1C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140171C2C	0_2_0000000140171C2C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140115CDC	0_2_0000000140115CDC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140085CF8	0_2_0000000140085CF8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F1D10	0_2_00000001400F1D10
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140095D80	0_2_0000000140095D80
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140139DEC	0_2_0000000140139DEC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140131E48	0_2_0000000140131E48
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B5E90	0_2_00000001400B5E90
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010DED4	0_2_000000014010DED4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140121F04	0_2_0000000140121F04
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140039F48	0_2_0000000140039F48
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B1F5C	0_2_00000001400B1F5C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400C5F8C	0_2_00000001400C5F8C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140142110	0_2_0000000140142110
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400AE170	0_2_00000001400AE170
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014013A1C4	0_2_000000014013A1C4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400821FC	0_2_00000001400821FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014009A1F8	0_2_000000014009A1F8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D6210	0_2_00000001400D6210
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014007A2D8	0_2_000000014007A2D8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400DA2EC	0_2_00000001400DA2EC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A6304	0_2_00000001400A6304
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014009E3C0	0_2_000000014009E3C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140162420	0_2_0000000140162420
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401AE40C	0_2_00000001401AE40C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140086488	0_2_0000000140086488
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014000E4E0	0_2_000000014000E4E0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401264F4	0_2_00000001401264F4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F6524	0_2_00000001400F6524
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140062578	0_2_0000000140062578
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400525FC	0_2_00000001400525FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014015A6A0	0_2_000000014015A6A0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014002A6E8	0_2_000000014002A6E8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010675C	0_2_000000014010675C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B2758	0_2_00000001400B2758
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014019E774	0_2_000000014019E774
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401427A8	0_2_00000001401427A8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014016E7C4	0_2_000000014016E7C4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140066824	0_2_0000000140066824
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014008E858	0_2_000000014008E858
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D2868	0_2_00000001400D2868
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140152868	0_2_0000000140152868
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140146894	0_2_0000000140146894
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401768D4	0_2_00000001401768D4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400968DC	0_2_00000001400968DC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A68E8	0_2_00000001400A68E8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F2A80	0_2_00000001400F2A80
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140136AA8	0_2_0000000140136AA8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014014AB1C	0_2_000000014014AB1C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140122B40	0_2_0000000140122B40
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400EAB50	0_2_00000001400EAB50
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140126B98	0_2_0000000140126B98
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400AAB88	0_2_00000001400AAB88
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140116BC0	0_2_0000000140116BC0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140082C0C	0_2_0000000140082C0C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014012AC4C	0_2_000000014012AC4C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014012ECB8	0_2_000000014012ECB8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F6CE4	0_2_00000001400F6CE4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140146D0C	0_2_0000000140146D0C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010AD60	0_2_000000014010AD60
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014007ED88	0_2_000000014007ED88
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400EEE0C	0_2_00000001400EEE0C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A2E90	0_2_00000001400A2E90
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140176ED0	0_2_0000000140176ED0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014016AF14	0_2_000000014016AF14
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D2F5C	0_2_00000001400D2F5C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014004EF74	0_2_000000014004EF74
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400A70A4	0_2_00000001400A70A4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401330D4	0_2_00000001401330D4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D7198	0_2_00000001400D7198
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400BB1FC	0_2_00000001400BB1FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400671FC	0_2_00000001400671FC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140093250	0_2_0000000140093250
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401572A0	0_2_00000001401572A0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400BF374	0_2_00000001400BF374
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400FF38C	0_2_00000001400FF38C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400B340C	0_2_00000001400B340C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014015343C	0_2_000000014015343C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010B580	0_2_000000014010B580
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014004F594	0_2_000000014004F594
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400DB5C0	0_2_00000001400DB5C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400375C0	0_2_00000001400375C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014002F5C4	0_2_000000014002F5C4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140137624	0_2_0000000140137624
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011F690	0_2_000000014011F690
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401776C0	0_2_00000001401776C0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400336C4	0_2_00000001400336C4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014006B700	0_2_000000014006B700
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011776C	0_2_000000014011776C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140017794	0_2_0000000140017794
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014004B7EC	0_2_000000014004B7EC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E7940	0_2_00000001400E7940
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014005F934	0_2_000000014005F934
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400F39E8	0_2_00000001400F39E8

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: String function: 00000001400BCC44 appears 97 times
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: String function: 0000000140098F30 appears 61 times
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: String function: 0000000140004B34 appears 80 times
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: String function: 0000000140002B70 appears 38 times
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: String function: 00000001400076E0 appears 237 times

Source: EXPLORER.EXE.exe, 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs EXPLORER.EXE.exe
Source: EXPLORER.EXE.exe	Binary or memory string: OriginalFilenameEXPLORER.EXE.MUIj% vs EXPLORER.EXE.exe

Source: classification engine

Classification label: mal68.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_000000014003CAC0 GetVersionExA,CoInitializeEx,CoCreateInstance,

0_2_000000014003CAC0

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140014264 FindResourceA,LoadResource,LockResource,FreeResource,

0_2_0000000140014264

Source: EXPLORER.EXE.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: EXPLORER.EXE.exe	ReversingLabs: Detection: 42%
Source: EXPLORER.EXE.exe	Virustotal: Detection: 59%

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

File read: C:\Users\user\Desktop\EXPLORER.EXE.exe

Jump to behavior

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: EXPLORER.EXE.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: EXPLORER.EXE.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: EXPLORER.EXE.exe

Static file information: File size 2791424 > 1048576

Source: EXPLORER.EXE.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1bc400

Source: EXPLORER.EXE.exe

Static PE information: More than 200 imports for USER32.dll

Source: EXPLORER.EXE.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Unpacked PE file: 0.2.EXPLORER.EXE.exe.400000.0.unpack

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140039024 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

0_2_0000000140039024

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00412945 push rsi; ret	0_2_00412946
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_004165BD push rcx; retf 003Fh	0_2_004165BE
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014010D541 push rcx; ret	0_2_000000014010D542

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140094878 GetParent,IsIconic,GetParent,GetDlgCtrlID,	0_2_0000000140094878
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140114B5C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140114B5C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140114B5C IsIconic,GetWindowRect,IsIconic,GetSystemMetrics,OffsetRect,GetSystemMetrics,IsIconic,GetSystemMetrics,GetSystemMetrics,	0_2_0000000140114B5C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011562C IsWindowVisible,IsWindowVisible,GetWindowRect,IsIconic,CopyRect,MonitorFromPoint,GetMonitorInfoA,CopyRect,CopyRect,SystemParametersInfoA,OffsetRect,GetSystemMetrics,GetSystemMetrics,	0_2_000000014011562C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140115954 IsIconic,PostMessageA,	0_2_0000000140115954
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014011609C IsWindowVisible,ScreenToClient,IsIconic,GetSystemMetrics,PtInRect,PtInRect,GetSystemMetrics,PtInRect,	0_2_000000014011609C
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001401168BC GetFocus,IsChild,SendMessageA,IsChild,SendMessageA,GetFocus,IsIconic,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,IsWindowVisible,	0_2_00000001401168BC
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140116BC0 IsWindowVisible,GetWindowRect,PtInRect,GetAsyncKeyState,ScreenToClient,PtInRect,SendMessageA,IsWindow,GetWindowRect,PtInRect,SendMessageA,ScreenToClient,PtInRect,GetParent,SendMessageA,GetFocus,WindowFromPoint,SendMessageA,GetSystemMenu,IsMenu,EnableMenuItem,EnableMenuItem,IsZoomed,IsIconic,EnableMenuItem,TrackPopupMenu,SendMessageA,	0_2_0000000140116BC0
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140002E00 IsIconic,	0_2_0000000140002E00
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014003EF44 IsWindowVisible,IsIconic,	0_2_000000014003EF44
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E2FD4 SetForegroundWindow,IsIconic,PostMessageA,IsIconic,	0_2_00000001400E2FD4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400E2FD4 SetForegroundWindow,IsIconic,PostMessageA,IsIconic,	0_2_00000001400E2FD4
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_00000001400D7198 GetClientRect,IsRectEmpty,IsWindow,IsIconic,BeginDeferWindowPos,GetClientRect,IsRectEmpty,GetWindowRect,GetParent,IsRectEmpty,EqualRect,EndDeferWindowPos,	0_2_00000001400D7198
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_000000014007F5A8 SetRectEmpty,RedrawWindow,ReleaseCapture,SetCapture,ReleaseCapture,SetCapture,GetParent,SendMessageA,UpdateWindow,GetParent,SendMessageA,IsWindow,IsIconic,IsZoomed,IsWindow,UpdateWindow,	0_2_000000014007F5A8
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140017760 IsIconic,	0_2_0000000140017760

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_000000014019A694 VirtualQuery,GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_000000014019A694

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140196A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0000000140196A38

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_000000014006C43C OutputDebugStringA,ActivateActCtx,GetLastError,DeactivateActCtx,SetLastError,

0_2_000000014006C43C

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140039024 LoadLibraryW,GetProcAddress,GetLastError,DeactivateActCtx,SetLastError,

0_2_0000000140039024

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140196A38 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_0000000140196A38
Source: C:\Users\user\Desktop\EXPLORER.EXE.exe	Code function: 0_2_0000000140192D94 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0000000140192D94

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0040E850 cpuid

0_2_0040E850

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: GetModuleHandleW,GetProcAddress,EncodePointer,DecodePointer,GetLocaleInfoW,

0_2_000000014001E3DC

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_0000000140193434 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0000000140193434

Source: C:\Users\user\Desktop\EXPLORER.EXE.exe

Code function: 0_2_000000014003CAC0 GetVersionExA,CoInitializeEx,CoCreateInstance,

0_2_000000014003CAC0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Software Packing	21 Input Capture	1 System Time Discovery	Remote Services	21 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Deobfuscate/Decode Files or Information	LSASS Memory	2 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Clipboard Data	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	25 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
EXPLORER.EXE.exe	42%	ReversingLabs	Win64.Trojan.Generic
EXPLORER.EXE.exe	60%	Virustotal		Browse
EXPLORER.EXE.exe	100%	Avira	TR/AVI.Agent.nsnwa

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525468
Start date and time:	2024-10-04 09:18:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 2s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	EXPLORER.EXE.exe
Detection:	MAL
Classification:	mal68.evad.winEXE@1/0@0/0
EGA Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Execution Graph export aborted for target EXPLORER.EXE.exe, PID 2736 because there are no executed function
Report size exceeded maximum capacity and may have missing disassembly code.

File type:	PE32+ executable (GUI) x86-64, for MS Windows
Entropy (8bit):	6.359887273713797
TrID:	Win64 Executable GUI (202006/5) 92.65% Win64 Executable (generic) (12005/4) 5.51% Generic Win/DOS Executable (2004/3) 0.92% DOS Executable Generic (2002/1) 0.92% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EXPLORER.EXE.exe
File size:	2'791'424 bytes
MD5:	2e5dc3f90227ea0fd2e0d23d8b330ddf
SHA1:	779d453a60404f03c3aab508be972f609b6fa879
SHA256:	12bf9fe2a68acb56eb01ca97388a1269b391f07831fd37a1371852ed5df44444
SHA512:	267f6dc19ed979b8cf64eb40a3b28eba8d4eebf21ccc449dfcee375a5f80bd19978d53c73b58e4d76436dbe34f1612df046d62a471816f0b7527be34c8ef1c10
SSDEEP:	49152:UWloiaXmVQDg/xrTYp3Rp8Z7iOOSaIOzd9nLgUvSSP88O5RsQ2Cfz8kIL+hlaDOR:UWv0yOSQbnLLSSP8L5yzYqkr
TLSH:	EAD57D5F66F851D9C5A7C178C5268A8FE7F3B8A10930C38F40A54B9E5FB32628D1B721
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$........o..E...E...E.....+.J.....).......(.S.......H.......D.......G.......f...E...e....W..S....W..L....W..#....W..A....W%.D...E.M.D..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x140192ac4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x140000000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics:	HIGH_ENTROPY_VA, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x65DED2FB [Wed Feb 28 06:30:19 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	4bade2e1888301494cad31f926c065b8

Entrypoint Preview

Instruction
dec eax
sub esp, 28h
call 00007F38F44FC4ECh
dec eax
add esp, 28h
jmp 00007F38F44FB9F7h
int3
int3
dec eax
sub esp, 28h
dec ebp
mov eax, dword ptr [ecx+38h]
dec eax
mov ecx, edx
dec ecx
mov edx, ecx
call 00007F38F44FBB92h
mov eax, 00000001h
dec eax
add esp, 28h
ret
int3
int3
int3
inc eax
push ebx
inc ebp
mov ebx, dword ptr [eax]
dec eax
mov ebx, edx
inc ecx
and ebx, FFFFFFF8h
dec esp
mov ecx, ecx
inc ecx
test byte ptr [eax], 00000004h
dec esp
mov edx, ecx
je 00007F38F44FBB95h
inc ecx
mov eax, dword ptr [eax+08h]
dec ebp
arpl word ptr [eax+04h], dx
neg eax
dec esp
add edx, ecx
dec eax
arpl ax, cx
dec esp
and edx, ecx
dec ecx
arpl bx, ax
dec edx
mov edx, dword ptr [eax+edx]
dec eax
mov eax, dword ptr [ebx+10h]
mov ecx, dword ptr [eax+08h]
dec eax
add ecx, dword ptr [ebx+08h]
test byte ptr [ecx+03h], 0000000Fh
je 00007F38F44FBB8Eh
movzx eax, byte ptr [ecx+03h]
and eax, FFFFFFF0h
dec eax
cwde
dec esp
add ecx, eax
dec esp
xor ecx, edx
dec ecx
mov ecx, ecx
pop ebx
jmp 00007F38F44FB572h
int3
dec eax
mov eax, esp
dec eax
mov dword ptr [eax+08h], ebx
dec eax
mov dword ptr [eax+10h], ebp
dec eax
mov dword ptr [eax+18h], esi
dec eax
mov dword ptr [eax+20h], edi
inc ecx
push esi
dec eax
sub esp, 20h
dec ebp
mov edx, dword ptr [ecx+38h]
dec eax
mov esi, edx
dec ebp
mov esi, eax
dec eax
mov ebp, ecx
dec ecx
mov edx, ecx
dec eax
mov ecx, esi
dec ecx
mov edi, ecx
inc ecx
mov ebx, dword ptr [edx]
dec eax
shl ebx, 04h
dec ecx

Rich Headers

Programming Language:

[C++] VS2015 build 23026
[RES] VS2015 build 23026
[LNK] VS2015 build 23026

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x25da00	0x17c
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x288000	0x5350	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x271000	0x15c60	.pdata
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x28e000	0xef3c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x2211f0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x2212a8	0x28	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x221210	0x94	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1bc2e0	0x1bc400	332b67d565ae93eb6c612b047021f66c	False	0.5292177388154192	zlib compressed data	6.432200269224173	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x1be000	0x9f926	0x9fc00	01fe337831f149dba16856eeaa271c22	False	0.27001723884976525	data	4.542614441694581	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x25e000	0x127b4	0x7800	df3e929c55c7972dbff0d4164cdad5e7	False	0.19547526041666666	data	4.147628436363404	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata	0x271000	0x15c60	0x15e00	37f832ba1a326f736003396574f5ffd9	False	0.5044084821428572	data	6.16397692708684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x287000	0x9	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x288000	0x5350	0x5400	de4a622308b569a04ac320601bc87ecd	False	0.23502604166666666	data	3.598198897236614	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x28e000	0xef3c	0xf000	af5c9342690516674eda0363f0bd45c9	False	0.10154622395833333	data	5.444310130802154	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x288ac0	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4805194805194805
RT_CURSOR	0x288bf4	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	English	United States	0.7
RT_CURSOR	0x288ca8	0x134	AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.36363636363636365
RT_CURSOR	0x288ddc	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.35714285714285715
RT_CURSOR	0x288f10	0x134	data	English	United States	0.37337662337662336
RT_CURSOR	0x289044	0x134	data	English	United States	0.37662337662337664
RT_CURSOR	0x289178	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x2892ac	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	English	United States	0.37662337662337664
RT_CURSOR	0x2893e0	0x134	Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.36688311688311687
RT_CURSOR	0x289514	0x134	Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x289648	0x134	data	English	United States	0.44155844155844154
RT_CURSOR	0x28977c	0x134	data	English	United States	0.4155844155844156
RT_CURSOR	0x2898b0	0x134	AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd	English	United States	0.5422077922077922
RT_CURSOR	0x2899e4	0x134	data	English	United States	0.2662337662337662
RT_CURSOR	0x289b18	0x134	data	English	United States	0.2824675324675325
RT_CURSOR	0x289c4c	0x134	data	English	United States	0.3246753246753247
RT_BITMAP	0x289d80	0x220	Device independent bitmap graphic, 85 x 10 x 4, image size 440	Portuguese	Brazil	0.15441176470588236
RT_BITMAP	0x289fa0	0xe8	Device independent bitmap graphic, 28 x 8 x 4, image size 128	Portuguese	Brazil	0.3706896551724138
RT_BITMAP	0x28a088	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	English	United States	0.44565217391304346
RT_BITMAP	0x28a140	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	English	United States	0.37962962962962965
RT_DIALOG	0x28a284	0x33e	data	English	United States	0.4072289156626506
RT_DIALOG	0x28a5c4	0xe8	data	English	United States	0.6336206896551724
RT_DIALOG	0x28a6ac	0x34	data	English	United States	0.9038461538461539
RT_STRING	0x28a6e0	0x82	StarOffice Gallery theme p, 536899072 objects, 1st n	English	United States	0.7153846153846154
RT_STRING	0x28a764	0x2a	data	English	United States	0.5476190476190477
RT_STRING	0x28a790	0x184	data	English	United States	0.48711340206185566
RT_STRING	0x28a914	0x4ee	data	English	United States	0.375594294770206
RT_STRING	0x28ae04	0x264	data	English	United States	0.3333333333333333
RT_STRING	0x28b068	0x2da	data	English	United States	0.3698630136986301
RT_STRING	0x28b344	0x8a	data	English	United States	0.6594202898550725
RT_STRING	0x28b3d0	0xac	data	English	United States	0.45348837209302323
RT_STRING	0x28b47c	0xde	data	English	United States	0.536036036036036
RT_STRING	0x28b55c	0x4a8	data	English	United States	0.3221476510067114
RT_STRING	0x28ba04	0x228	data	English	United States	0.4003623188405797
RT_STRING	0x28bc2c	0x2c	data	English	United States	0.5227272727272727
RT_STRING	0x28bc58	0x53e	data	English	United States	0.2965722801788376
RT_GROUP_CURSOR	0x28c198	0x22	Lotus unknown worksheet or configuration, revision 0x2	English	United States	0.9705882352941176
RT_GROUP_CURSOR	0x28c1bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c1f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c20c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c220	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c234	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c248	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c25c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c270	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c284	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c298	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c2ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x28c2c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_VERSION	0x28c2d4	0x72c	OpenPGP Secret Key			0.25381263616557737
RT_VERSION	0x28ca00	0x72c	OpenPGP Secret Key	English	United States	0.25381263616557737
RT_MANIFEST	0x28d12c	0x224	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (488), with CRLF line terminators	English	United States	0.531021897810219

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, IsValidCodePage, SetFilePointerEx, GetConsoleMode, GetConsoleCP, GetTimeZoneInformation, GetStringTypeW, LCMapStringW, FindFirstFileExA, ExitProcess, GetFileType, SetStdHandle, QueryPerformanceFrequency, HeapQueryInformation, VirtualQuery, VirtualAlloc, GetSystemInfo, GetCommandLineW, GetCommandLineA, FreeLibraryAndExitThread, ExitThread, CreateThread, RtlPcToFileHeader, RtlUnwindEx, OutputDebugStringW, FindNextFileA, WriteConsoleW, CreateFileW, InitializeSListHead, GetSystemTimeAsFileTime, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, RtlVirtualUnwind, RtlLookupFunctionEntry, RtlCaptureContext, CreateEventW, WaitForSingleObjectEx, ResetEvent, SearchPathA, GetProfileIntA, GetTempFileNameA, GetTempPathA, FindResourceExW, VerifyVersionInfoA, VerSetConditionMask, GetTickCount, SystemTimeToTzSpecificLocalTime, GetFileTime, GetFileSizeEx, GetFileAttributesExA, GetFileAttributesA, FileTimeToLocalFileTime, SetErrorMode, GetWindowsDirectoryA, GetCPInfo, GetOEMCP, VirtualProtect, lstrcpyA, FileTimeToSystemTime, GetThreadLocale, GetVolumeInformationA, lstrcmpiA, GetCurrentProcess, DuplicateHandle, WriteFile, UnlockFile, SetFilePointer, SetEndOfFile, ReadFile, LockFile, GetFullPathNameA, GetFileSize, FlushFileBuffers, FindFirstFileA, FindClose, CreateFileA, DeleteFileA, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, GetLocaleInfoW, CompareStringW, GetCurrentDirectoryA, LocalReAlloc, LocalAlloc, GlobalHandle, GlobalReAlloc, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, GetACP, InitializeCriticalSection, GlobalFlags, GlobalGetAtomNameA, GlobalFindAtomA, lstrcmpW, GetSystemDirectoryW, EncodePointer, InitializeCriticalSectionAndSpinCount, LeaveCriticalSection, EnterCriticalSection, CopyFileA, FormatMessageA, MulDiv, LocalFree, GlobalSize, GetCurrentProcessId, GlobalAddAtomA, WritePrivateProfileStringA, GetPrivateProfileStringA, GetPrivateProfileIntA, GetProcAddress, GetModuleHandleW, GetModuleHandleA, CompareStringA, WideCharToMultiByte, MultiByteToWideChar, FindResourceW, lstrcmpA, GlobalDeleteAtom, GlobalAlloc, SizeofResource, LoadLibraryExW, GetModuleFileNameA, FreeLibrary, GetVersionExA, GetCurrentThread, ResumeThread, SuspendThread, SetThreadPriority, GetCurrentThreadId, CreateEventA, CloseHandle, QueryActCtxW, FindActCtxSectionStringW, DeactivateActCtx, ActivateActCtx, CreateActCtxW, FindResourceA, LoadLibraryW, GlobalFree, GlobalUnlock, GlobalLock, LockResource, LoadResource, GetModuleHandleExW, GetModuleFileNameW, FreeResource, SetLastError, OutputDebugStringA, Sleep, WaitForSingleObject, SetEvent, DeleteCriticalSection, InitializeCriticalSectionEx, GetProcessHeap, HeapSize, HeapFree, HeapReAlloc, HeapAlloc, GetLastError, RaiseException, GetStdHandle, DecodePointer
USER32.dll	GetAsyncKeyState, GetMenuItemInfoA, DestroyMenu, LoadImageW, TrackMouseEvent, InflateRect, MessageBeep, GetNextDlgGroupItem, IsRectEmpty, IntersectRect, SetRect, InvalidateRgn, CopyAcceleratorTableA, CharNextA, LoadCursorW, WindowFromPoint, ReleaseCapture, SetCapture, WaitMessage, CharUpperA, DestroyIcon, KillTimer, SetTimer, DeleteMenu, SystemParametersInfoA, CopyImage, GetSysColorBrush, RealChildWindowFromPoint, IsDialogMessageA, SetWindowTextA, CheckDlgButton, MoveWindow, ShowWindow, GetMonitorInfoA, MonitorFromWindow, WinHelpA, GetScrollInfo, SetScrollInfo, LoadIconW, LoadIconA, GetTopWindow, GetClassNameA, GetClassLongPtrA, GetClassLongA, SetWindowLongPtrA, GetWindowLongPtrA, SetWindowLongA, PtInRect, EqualRect, MapWindowPoints, AdjustWindowRectEx, GetWindowTextLengthA, GetWindowTextA, RemovePropA, GetPropA, SetPropA, ShowScrollBar, GetScrollRange, SetScrollRange, CreatePopupMenu, SetScrollPos, ScrollWindow, RedrawWindow, SetForegroundWindow, GetForegroundWindow, UpdateWindow, TrackPopupMenu, SetMenu, GetMenu, GetCapture, SetFocus, GetDlgCtrlID, EndDeferWindowPos, DeferWindowPos, BeginDeferWindowPos, SetWindowPlacement, GetWindowPlacement, SetWindowRgn, IsMenu, CreateWindowExA, GetClassInfoExA, RegisterClassA, CallWindowProcA, GetMessageTime, GetMessagePos, RegisterWindowMessageA, OffsetRect, SetRectEmpty, SendDlgItemMessageA, FillRect, ScreenToClient, ClientToScreen, EndPaint, BeginPaint, GetWindowDC, TabbedTextOutA, GrayStringA, DrawTextExA, DrawTextA, UnhookWindowsHookEx, RemoveMenu, SetParent, OpenClipboard, CloseClipboard, SendMessageA, IsIconic, EnableWindow, GetSystemMetrics, DrawIcon, AppendMenuA, InsertMenuA, GetMenuItemCount, GetMenuItemID, GetSubMenu, GetMenuState, GetMenuStringA, CopyRect, MapVirtualKeyA, GetKeyNameTextA, MapDialogRect, GetWindow, SetWindowContextHelpId, SetWindowPos, GetLastActivePopup, GetWindowThreadProcessId, GetMenuDefaultItem, BringWindowToTop, LoadAcceleratorsA, TranslateAcceleratorA, LoadMenuA, InsertMenuItemA, LoadImageA, UnpackDDElParam, ReuseDDElParam, RegisterClipboardFormatA, DrawFocusRect, DrawIconEx, GetIconInfo, MessageBoxA, SetCursor, ShowOwnedPopups, EnableScrollBar, HideCaret, InvertRect, NotifyWinEvent, SetLayeredWindowAttributes, EnumDisplayMonitors, GetScrollPos, SetClassLongPtrA, GetClientRect, UnregisterClassA, DefWindowProcA, GetClassInfoA, IsWindow, GetDC, ReleaseDC, InvalidateRect, GetWindowRect, GetSysColor, LoadCursorA, GetFocus, CheckMenuItem, EnableMenuItem, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, SetMenuItemInfoA, GetParent, LoadBitmapW, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetDlgItem, GetNextDlgTabItem, GetActiveWindow, IsWindowEnabled, SetActiveWindow, GetWindowLongA, GetDesktopWindow, GetMessageA, TranslateMessage, DispatchMessageA, PeekMessageA, IsWindowVisible, GetKeyState, ValidateRect, GetCursorPos, SetWindowsHookExA, CallNextHookEx, PostMessageA, PostQuitMessage, SetClipboardData, EmptyClipboard, DrawStateA, DrawEdge, DrawFrameControl, IsZoomed, LoadMenuW, DestroyCursor, GetWindowRgn, CreateMenu, SubtractRect, TranslateMDISysAccel, DefMDIChildProcA, DefFrameProcA, DrawMenuBar, GetUpdateRect, IsClipboardFormatAvailable, CharUpperBuffA, ModifyMenuA, GetDoubleClickTime, SetMenuDefaultItem, LockWindowUpdate, DestroyAcceleratorTable, CreateAcceleratorTableA, LoadAcceleratorsW, ToAsciiEx, GetKeyboardState, MapVirtualKeyExA, IsCharLowerA, GetKeyboardLayout, GetComboBoxInfo, MonitorFromPoint, UpdateLayeredWindow, PostThreadMessageA, UnionRect, FrameRect, CopyIcon, SetCursorPos, IsChild, GetSystemMenu
GDI32.dll	GetObjectType, GetPixel, GetStockObject, GetViewportExtEx, GetWindowExtEx, IntersectClipRect, LineTo, PtVisible, RectVisible, RestoreDC, SaveDC, SelectClipRgn, ExtSelectClipRgn, SelectObject, SelectPalette, SetBkColor, SetBkMode, SetMapMode, SetLayout, GetLayout, SetPolyFillMode, SetROP2, SetTextColor, SetTextAlign, GetObjectA, MoveToEx, TextOutA, ExtTextOutA, SetViewportExtEx, SetViewportOrgEx, SetWindowExtEx, SetWindowOrgEx, OffsetViewportOrgEx, OffsetWindowOrgEx, ScaleViewportExtEx, ScaleWindowExtEx, CreateFontIndirectA, GetTextExtentPoint32A, GetTextMetricsA, GetClipBox, GetTextColor, GetRgnBox, CombineRgn, GetMapMode, SetRectRgn, DPtoLP, CreateCompatibleBitmap, CreatePalette, GetNearestPaletteIndex, GetPaletteEntries, GetSystemPaletteEntries, RealizePalette, CreateDIBitmap, EnumFontFamiliesA, GetTextCharsetInfo, SetPixel, StretchBlt, CreateDIBSection, SetDIBColorTable, CreateEllipticRgn, Ellipse, CreatePolygonRgn, Polygon, Polyline, CreateRoundRectRgn, LPtoDP, EnumFontFamiliesExA, OffsetRgn, RoundRect, FillRgn, FrameRgn, GetBoundsRect, PtInRegion, ExtFloodFill, SetPaletteEntries, SetPixelV, GetWindowOrgEx, GetViewportOrgEx, GetTextFaceA, ExcludeClipRect, Escape, DeleteObject, DeleteDC, CreateSolidBrush, CreateRectRgn, CreatePatternBrush, CreatePen, CreateHatchBrush, CreateCompatibleDC, BitBlt, GetDeviceCaps, CreateDCA, CopyMetaFileA, PatBlt, CreateRectRgnIndirect, CreateBitmap, GetBkColor, Rectangle
MSIMG32.dll	AlphaBlend, TransparentBlt
WINSPOOL.DRV	DocumentPropertiesA, OpenPrinterA, ClosePrinter
ADVAPI32.dll	SystemFunction036, RegOpenKeyExA, RegQueryValueExA, RegEnumKeyExA, RegEnumValueA, RegQueryValueA, RegEnumKeyA, RegSetValueExA, RegDeleteValueA, RegDeleteKeyA, RegCreateKeyExA, RegCloseKey
SHELL32.dll	SHBrowseForFolderA, SHGetFileInfoA, SHGetPathFromIDListA, SHGetSpecialFolderLocation, SHGetDesktopFolder, DragQueryFileA, SHAppBarMessage, ShellExecuteA, DragFinish
COMCTL32.dll	ImageList_Draw, ImageList_GetImageCount
SHLWAPI.dll	PathFindFileNameA, PathIsUNCA, PathStripToRootA, StrFormatKBSizeA, PathFindExtensionA, PathRemoveFileSpecW
UxTheme.dll	GetThemeSysColor, GetWindowTheme, IsAppThemed, GetThemePartSize, DrawThemeText, DrawThemeParentBackground, OpenThemeData, CloseThemeData, DrawThemeBackground, GetThemeColor, GetCurrentThemeName, IsThemeBackgroundPartiallyTransparent
ole32.dll	CoGetClassObject, CoRevokeClassObject, OleFlushClipboard, OleIsCurrentClipboard, CoRegisterMessageFilter, DoDragDrop, OleGetClipboard, CoLockObjectExternal, RegisterDragDrop, RevokeDragDrop, OleLockRunning, OleCreateMenuDescriptor, OleDestroyMenuDescriptor, OleTranslateAccelerator, IsAccelerator, CreateStreamOnHGlobal, OleUninitialize, OleInitialize, CoFreeUnusedLibraries, CoInitializeEx, CreateILockBytesOnHGlobal, StgOpenStorageOnILockBytes, StgCreateDocfileOnILockBytes, CoDisconnectObject, ReleaseStgMedium, OleDuplicateData, CoTaskMemFree, CoTaskMemAlloc, CLSIDFromProgID, CLSIDFromString, CoInitialize, CoCreateInstance, CoCreateGuid, CoUninitialize
OLEAUT32.dll	SysAllocString, SysStringLen, SystemTimeToVariantTime, VariantTimeToSystemTime, SafeArrayDestroy, LoadTypeLib, OleCreateFontIndirect, VariantCopy, VarBstrFromDate, VariantChangeType, VariantClear, SysAllocStringByteLen, VariantInit, SysAllocStringLen, SysFreeString
oledlg.dll
gdiplus.dll	GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdipCreateBitmapFromHBITMAP, GdipDrawImageI, GdipDeleteGraphics, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePaletteSize, GdipGetImagePalette, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipGetImageGraphicsContext, GdipDisposeImage, GdipCloneImage, GdiplusStartup, GdipFree, GdipAlloc, GdiplusShutdown
OLEACC.dll	AccessibleObjectFromWindow, LresultFromObject, CreateStdAccessibleObject
IMM32.dll	ImmGetContext, ImmGetOpenStatus, ImmReleaseContext
WINMM.dll	PlaySoundA
kernel32.dll	LoadLibraryA, VirtualFree

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Portuguese	Brazil

Target ID:	0
Start time:	03:19:06
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\EXPLORER.EXE.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\EXPLORER.EXE.exe"
Imagebase:	0x140000000
File size:	2'791'424 bytes
MD5 hash:	2E5DC3F90227EA0FD2E0D23D8B330DDF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 00000001400351AC Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 425windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoA.USER32 ref: 0000000140035248
GetMenuItemInfoA.USER32 ref: 00000001400352AB
CopyRect.USER32 ref: 0000000140035306
GetObjectA.GDI32 ref: 0000000140035335
GetSystemMetrics.USER32 ref: 000000014003534E
GetSystemMetrics.USER32 ref: 000000014003535A
GetSysColor.USER32 ref: 00000001400353A0
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400353AD
CreateCompatibleDC.GDI32 ref: 00000001400353B5
GetTextExtentPoint32A.GDI32 ref: 00000001400353EC
CopyRect.USER32 ref: 0000000140035404
GetSysColor.USER32 ref: 0000000140035418
GetSysColor.USER32 ref: 0000000140035449
GetSysColor.USER32 ref: 0000000140035456
GetSysColor.USER32 ref: 0000000140035495
GetSysColor.USER32 ref: 00000001400354B4

Part of subcall function 0000000140031BF0: SetBkColor.GDI32 ref: 0000000140031C16
Part of subcall function 0000000140031BF0: ExtTextOutA.GDI32 ref: 0000000140031C41

GetSysColor.USER32 ref: 00000001400354F5

Part of subcall function 0000000140010EAC: SetBkMode.GDI32 ref: 0000000140010EC7
Part of subcall function 0000000140010EAC: SetBkMode.GDI32 ref: 0000000140010ED8

ExtTextOutA.GDI32 ref: 0000000140035568
GetSysColor.USER32 ref: 0000000140035576
GetSysColor.USER32 ref: 00000001400355B9
GetSysColor.USER32 ref: 00000001400355C6
GetSysColor.USER32 ref: 000000014003560D
ExtTextOutA.GDI32 ref: 0000000140035666
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400356C8
CreateCompatibleDC.GDI32 ref: 00000001400356D0
InflateRect.USER32 ref: 0000000140035701
BitBlt.GDI32 ref: 0000000140035738

Strings

, xrefs: 0000000140035707

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Color$HashText$Rect$CompatibleCopyCreateImplImpl::InfoItemMenuMetricsModeSystem$ExtentInflateObjectPoint32
String ID:
API String ID: 685336545-3916222277
Opcode ID: 52984164dd85a8137efffa19e3e0f784c133bd3ead6e9b81c5759d5b364726c2
Instruction ID: 8178aa0cc4af684bc39b1513171c89f1f1e9bc3269fea81fb5c781bb34890d1b
Opcode Fuzzy Hash: 52984164dd85a8137efffa19e3e0f784c133bd3ead6e9b81c5759d5b364726c2
Instruction Fuzzy Hash: E4127C36310A808BE716DF2AD4847DE77A1F788B99F144215EF4A87BA8DF78D844CB40

Function 0000000140090DE4 Relevance: 36.8, APIs: 24, Instructions: 830windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140090E91

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

FillRect.USER32 ref: 0000000140090FAB
InflateRect.USER32 ref: 00000001400910B2
PatBlt.GDI32 ref: 0000000140091105
PatBlt.GDI32 ref: 0000000140091126
PatBlt.GDI32 ref: 000000014009114E
PatBlt.GDI32 ref: 0000000140091172
InflateRect.USER32 ref: 00000001400915C6
CreateRectRgnIndirect.GDI32 ref: 00000001400915DF
IsRectEmpty.USER32 ref: 0000000140091913
FillRect.USER32 ref: 0000000140091935
InflateRect.USER32 ref: 0000000140091963
PatBlt.GDI32 ref: 00000001400911B0

Part of subcall function 0000000140010848: MoveToEx.GDI32 ref: 0000000140010871

FrameRect.USER32 ref: 000000014009102C

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

IsRectEmpty.USER32 ref: 00000001400919FD

Part of subcall function 0000000140010898: MoveToEx.GDI32 ref: 00000001400108D1
Part of subcall function 0000000140010898: MoveToEx.GDI32 ref: 00000001400108E8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$InflateMove$EmptyFillObjectSelect$ClientCreateExceptionFrameIndirectThrow
String ID:
API String ID: 3883674191-0
Opcode ID: fbe390542f402c8ba6730c2e0aa29e8042b5a258d9892ed33966a6fbbbeda6fd
Instruction ID: ea88b88ad62fd7f8af402ddb7ed87288cdc83b3e4a55123347c869a68bdf6c83
Opcode Fuzzy Hash: fbe390542f402c8ba6730c2e0aa29e8042b5a258d9892ed33966a6fbbbeda6fd
Instruction Fuzzy Hash: 2D827832710A518AEB1ADB66D480BED77B0F78DB88F408116EF5A67B68DF34D954CB00

Function 00000001400400EC Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 580windowCOMMON

Download Yara Rule

APIs

GetClassNameA.USER32 ref: 00000001400401B0
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400402D0

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

SendMessageA.USER32 ref: 0000000140040314
SendMessageA.USER32 ref: 000000014004032E
GetClassNameA.USER32 ref: 000000014004037E
SendMessageA.USER32 ref: 000000014004042D
SendMessageA.USER32 ref: 0000000140040451
IntersectRect.USER32 ref: 000000014004046C
SendMessageA.USER32 ref: 00000001400404A0
CreatePopupMenu.USER32 ref: 00000001400404DB
CreateCompatibleDC.GDI32 ref: 00000001400404F1
CopyRect.USER32 ref: 00000001400405F1
OffsetRect.USER32 ref: 000000014004061C
CreateCompatibleBitmap.GDI32 ref: 0000000140040650
GetSysColor.USER32 ref: 00000001400406B6
InsertMenuItemA.USER32 ref: 000000014004079D

Part of subcall function 0000000140031BF0: SetBkColor.GDI32 ref: 0000000140031C16
Part of subcall function 0000000140031BF0: ExtTextOutA.GDI32 ref: 0000000140031C41

Part of subcall function 0000000140043148: OutputDebugStringA.KERNEL32 ref: 0000000140043194
Part of subcall function 0000000140043148: ActivateActCtx.KERNEL32 ref: 00000001400431B9

CopyRect.USER32 ref: 00000001400407DA

Strings

ReBarWindow32, xrefs: 0000000140040165, 00000001400401E7
ToolbarWindow32, xrefs: 0000000140040334, 00000001400403B9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Rect$Create$ClassColorCompatibleCopyHashMenuName$ActivateBitmapDebugImplImpl::InsertIntersectItemOffsetOutputPopupStringText
String ID: ReBarWindow32$ToolbarWindow32
API String ID: 4200770845-2283011909
Opcode ID: 38f64543f3f30167383209ef9d3bb7cb3df0775a8105467743d172233b1691a8
Instruction ID: af3b5d037ba77f3f1d5bff304295e1f85c26273473929589269746b36c7db709
Opcode Fuzzy Hash: 38f64543f3f30167383209ef9d3bb7cb3df0775a8105467743d172233b1691a8
Instruction Fuzzy Hash: 6E427976701A4086EB12EB26E8943DE77A1FB88BD8F014126EB5E57BBADF34C544C740

Function 000000014005098C Relevance: 30.3, APIs: 20, Instructions: 342keyboardwindowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 00000001400509D5
GetKeyState.USER32 ref: 0000000140050A1C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: BeepMessageState
String ID:
API String ID: 1934685646-0
Opcode ID: fc931e0d4d489493d3a3bc891a145045a1a074b0d9f30a1deb1ff7ce5e6e586f
Instruction ID: a89231eb77aee0a6d376696c1c338f74446f33e2204c56a99e6c98176aab3c01
Opcode Fuzzy Hash: fc931e0d4d489493d3a3bc891a145045a1a074b0d9f30a1deb1ff7ce5e6e586f
Instruction Fuzzy Hash: DEF16076B00A419AFB25CFA6D4807EC37B1F788B9CF504566EF1967AA8CB35CA45C700

Function 0000000140068CB4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 260COMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140068D43
CreateCompatibleDC.GDI32 ref: 0000000140068D4B
GetObjectA.GDI32 ref: 0000000140068D72
SelectObject.GDI32 ref: 0000000140068D99
SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140068DB4
CreateCompatibleDC.GDI32 ref: 0000000140068DBF
CreateDIBSection.GDI32 ref: 0000000140068E19
SelectObject.GDI32 ref: 0000000140068E2F

Strings

, xrefs: 0000000140068E6C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Hash$CreateObject$CompatibleImplImpl::Select$Section
String ID:
API String ID: 3132754825-3916222277
Opcode ID: 3264a89f32e66692b2534c7ccf59e85b500556e9b275993a2246e63ea95f20b0
Instruction ID: 7c8f6fc79a6aa3ee6842bcc9373f36831d0372b40c09dece2d5fce30170c4aa2
Opcode Fuzzy Hash: 3264a89f32e66692b2534c7ccf59e85b500556e9b275993a2246e63ea95f20b0
Instruction Fuzzy Hash: 5BC1BC32700A808AE716DF66D8447ED77B5F788B88F104626EB4A9BBB5DF78C445CB00

Function 00000001400A06F8 Relevance: 28.6, APIs: 15, Strings: 1, Instructions: 615windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A07A9
CreateCompatibleDC.GDI32 ref: 00000001400A07C2
CreateCompatibleBitmap.GDI32 ref: 00000001400A07F9
SelectObject.GDI32 ref: 00000001400A086B
BitBlt.GDI32 ref: 00000001400A08AE
OffsetRect.USER32 ref: 00000001400A08C5
InflateRect.USER32 ref: 00000001400A0F14

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

Part of subcall function 0000000140010E10: GetStockObject.GDI32 ref: 0000000140010E1F
Part of subcall function 0000000140010E10: SelectObject.GDI32 ref: 0000000140010E37
Part of subcall function 0000000140010E10: SelectObject.GDI32 ref: 0000000140010E49

Ellipse.GDI32 ref: 00000001400A0AA2
Ellipse.GDI32 ref: 00000001400A0AC3
Ellipse.GDI32 ref: 00000001400A0AE4
Rectangle.GDI32 ref: 00000001400A0B67
BitBlt.GDI32 ref: 00000001400A0F88
DeleteObject.GDI32 ref: 00000001400A0FAB

Strings

, xrefs: 00000001400A0F5A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Object$Select$CreateEllipse$CompatibleHashRect$BitmapBrushDeleteImplImpl::InflateOffsetRectangleSolidStock
String ID:
API String ID: 3053867852-3916222277
Opcode ID: 30b94484fe5e6c3ad1a472e2924060417abd0ed72535ed640bbd8a770e0d7d8d
Instruction ID: b4b56f718099b0902b2e6d70588895fc80a1a66bd0874c504da7fdd41073d29e
Opcode Fuzzy Hash: 30b94484fe5e6c3ad1a472e2924060417abd0ed72535ed640bbd8a770e0d7d8d
Instruction Fuzzy Hash: EF42E432610A948AE712DF3AD4407AD77A4FB5D7D8F008316FF4AA7A64DB34D892CB40

Function 00000001400F53C8 Relevance: 28.4, APIs: 15, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400F54DC
IsRectEmpty.USER32 ref: 00000001400F5516
IsRectEmpty.USER32 ref: 00000001400F554A
IsRectEmpty.USER32 ref: 00000001400F5567
GetWindowRect.USER32 ref: 00000001400F5594
GetWindowRect.USER32 ref: 00000001400F55D1
PtInRect.USER32 ref: 00000001400F5615
OffsetRect.USER32 ref: 00000001400F562D

Part of subcall function 000000014012A950: SetRectEmpty.USER32 ref: 000000014012AA5C
Part of subcall function 000000014012A950: SetRectEmpty.USER32 ref: 000000014012AA65

SetRectEmpty.USER32 ref: 00000001400F564D

Strings

, xrefs: 00000001400F5491

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$Window$CursorOffset
String ID:
API String ID: 2038239707-3916222277
Opcode ID: 69474bf41362d36532d87cad9e3ff1b06826d31f4e934e950c31c5569a509ad2
Instruction ID: 06eeb9fefbca414fe21cc172f702b6a9f7a24db773b261719acbbf2f0976d8a2
Opcode Fuzzy Hash: 69474bf41362d36532d87cad9e3ff1b06826d31f4e934e950c31c5569a509ad2
Instruction Fuzzy Hash: 52F14836600A408AEB16EF67E8A43DD33A0F74CB89F04412AEF0A977A5DF78D455D704

Function 00000001400380F4 Relevance: 28.2, APIs: 15, Strings: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140038132
GetDlgItem.USER32 ref: 000000014003816D
GetWindowRect.USER32 ref: 0000000140038185
MapDialogRect.USER32 ref: 00000001400381AC
SetWindowPos.USER32 ref: 00000001400381E6
GetDlgItem.USER32 ref: 00000001400381F8
GetWindowRect.USER32 ref: 000000014003820D
SetWindowPos.USER32 ref: 0000000140038241
GetWindowRect.USER32 ref: 000000014003825E
GetWindowRect.USER32 ref: 00000001400382CA
GetDlgItem.USER32 ref: 00000001400382E1
GetWindowRect.USER32 ref: 00000001400382F3
GetDlgItem.USER32 ref: 000000014003832E
ShowWindow.USER32 ref: 0000000140038341
EnableWindow.USER32 ref: 000000014003834C

Strings

, xrefs: 00000001400382AA

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Rect$Item$DialogEnableShow
String ID:
API String ID: 763981185-3916222277
Opcode ID: af9053ecf1a1f3ffb787edeb91d705d854cdcb6170102644c5e352010da2fbbe
Instruction ID: fefeb67712eed8592489a16acf5041009f2038ebd924d60c1c97dd9ee9e1c726
Opcode Fuzzy Hash: af9053ecf1a1f3ffb787edeb91d705d854cdcb6170102644c5e352010da2fbbe
Instruction Fuzzy Hash: 75714E32B106508AFB16DF76E8947AE77B1FB8CB88F045124EE4A5BB68DF39D4418700

Function 00000001400D8088 Relevance: 27.5, APIs: 18, Instructions: 487windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400D8171
GetMenuItemCount.USER32 ref: 00000001400D82E1
AppendMenuA.USER32 ref: 00000001400D82FA
AppendMenuA.USER32 ref: 00000001400D8319
SendMessageA.USER32 ref: 00000001400D83B0
SendMessageA.USER32 ref: 00000001400D83EE
GetMenuItemCount.USER32 ref: 00000001400D8449
AppendMenuA.USER32 ref: 00000001400D8462
AppendMenuA.USER32 ref: 00000001400D8481
GetMenuItemCount.USER32 ref: 00000001400D84E6
AppendMenuA.USER32 ref: 00000001400D84FF
AppendMenuA.USER32 ref: 00000001400D851E
GetWindow.USER32 ref: 00000001400D85D7
AppendMenuA.USER32 ref: 00000001400D866A
AppendMenuA.USER32 ref: 00000001400D873C
GetMenuItemCount.USER32 ref: 00000001400D8798
AppendMenuA.USER32 ref: 00000001400D87B1
AppendMenuA.USER32 ref: 00000001400D87CB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Menu$Append$CountItem$MessageSendWindow
String ID:
API String ID: 1330099508-0
Opcode ID: 725843a4f6448a8138adfd4e2b9fdeeb24689e216078e12dff81e7db9e10e415
Instruction ID: f45d8fdd629357a463e78bcfa77575248bf134656ccbd68978182e2da89a1fa1
Opcode Fuzzy Hash: 725843a4f6448a8138adfd4e2b9fdeeb24689e216078e12dff81e7db9e10e415
Instruction Fuzzy Hash: 24124B72700A4182EA66DB27E9543EE63A1FB89FD4F448125EF1A4BBB5DF38C542C710

Function 000000014001C178 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 219COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 000000014001C1C0
MultiByteToWideChar.KERNEL32 ref: 000000014001C234
GlobalUnlock.KERNEL32 ref: 000000014001C30A

Strings

, xrefs: 000000014001C21C
System, xrefs: 000000014001C17F, 000000014001C383, 000000014001C39E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: $System
API String ID: 231414890-3632600494
Opcode ID: 3ab1e29aaa9e6a89db5527978f3eca0b188af0102a0d3d10894cbabf790a5c68
Instruction ID: a4f9702f887cbaa91b3bd3e0d7c7abb6c9c21272f21f9707fef31d8521dcf876
Opcode Fuzzy Hash: 3ab1e29aaa9e6a89db5527978f3eca0b188af0102a0d3d10894cbabf790a5c68
Instruction Fuzzy Hash: E881A13221069086EB2ADB63E8547EA73A0FB4CFD4F158625EF5A4B7A5DF39C905C700

Function 0000000140158C9C Relevance: 23.4, APIs: 12, Strings: 1, Instructions: 603COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140158D22
IsRectEmpty.USER32 ref: 0000000140158E40
FillRect.USER32 ref: 0000000140158F01
InflateRect.USER32 ref: 0000000140158F3E
GetParent.USER32 ref: 00000001401590E7
MapWindowPoints.USER32 ref: 000000014015912A

Part of subcall function 0000000140010978: OffsetWindowOrgEx.GDI32 ref: 00000001400109B1
Part of subcall function 0000000140010978: OffsetWindowOrgEx.GDI32 ref: 00000001400109C8

GetClientRect.USER32 ref: 0000000140159163

Part of subcall function 000000014001119C: SetWindowOrgEx.GDI32 ref: 00000001400111D5
Part of subcall function 000000014001119C: SetWindowOrgEx.GDI32 ref: 00000001400111EC

InflateRect.USER32 ref: 00000001401591C2
SetRectEmpty.USER32 ref: 000000014015930D
DrawThemeBackground.UXTHEME ref: 0000000140158E16

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

IsRectEmpty.USER32 ref: 000000014015941D
GetWindowRect.USER32 ref: 0000000140159468

Strings

#, xrefs: 0000000140158F51

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$Empty$InflateOffsetParent$BackgroundClientDrawExceptionFillPointsThemeThrow
String ID: #
API String ID: 2250837001-1885708031
Opcode ID: 15ff3a3b4c5838edc8b8a55646a971f067324bf1d5e3ab2128a0895cf74a70e7
Instruction ID: aa8b516be07e76786385a2bd9a7268ff87cca93a54eccdbd6e7ee5770ef781a5
Opcode Fuzzy Hash: 15ff3a3b4c5838edc8b8a55646a971f067324bf1d5e3ab2128a0895cf74a70e7
Instruction Fuzzy Hash: EC52AC32B146508AEB12DF6AD4447ED73B0F78CB88F044616EF496BAA8EF79C540CB40

Function 0000000140140BFC Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140140C83
SendMessageA.USER32 ref: 0000000140140CEF
GetClientRect.USER32 ref: 0000000140140D05
GetWindowRect.USER32 ref: 0000000140140E43
MonitorFromPoint.USER32 ref: 0000000140140E9B
GetMonitorInfoA.USER32 ref: 0000000140140EA8
CopyRect.USER32 ref: 0000000140140EBA
SystemParametersInfoA.USER32 ref: 0000000140140ECE
GetSystemMetrics.USER32 ref: 0000000140140EE1
GetSystemMetrics.USER32 ref: 0000000140140EFA
GetWindowRect.USER32 ref: 0000000140140F6B
GetWindowTheme.UXTHEME ref: 0000000140140FF0

Strings

3, xrefs: 000000014014101B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$SystemWindow$InfoMetricsMonitor$ClientCopyCursorFromMessageParametersPointSendTheme
String ID: 3
API String ID: 381205858-1842515611
Opcode ID: 5497c936605e68873105c14b2a4959fe4c5c12e76dba084c875ff1e32e8e7e3f
Instruction ID: 5b6b7a2708d1684448928a88f77c480fda80eefec9143419feb68aa642b9c039
Opcode Fuzzy Hash: 5497c936605e68873105c14b2a4959fe4c5c12e76dba084c875ff1e32e8e7e3f
Instruction Fuzzy Hash: C9D16932A10B948AEB12CF6AD8443DC37B1F788B58F154236DF496BBA8DB74D845CB40

Function 00000001401310A0 Relevance: 22.8, APIs: 15, Instructions: 282COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140131144
GetClientRect.USER32 ref: 0000000140131186
GetWindowRect.USER32 ref: 00000001401311E6
EqualRect.USER32 ref: 00000001401311F4
GetWindowRect.USER32 ref: 0000000140131216
CopyRect.USER32 ref: 0000000140131276

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$ClientCopyEqual
String ID:
API String ID: 201738312-0
Opcode ID: ec68ebff05b70208c813a92f1abdfd18ef6be5dd295ce6fe3666648f66a78846
Instruction ID: d8799f2095e8f90f73661e4a8c28c4dc765f4167cff017bc18479dc7c34df9be
Opcode Fuzzy Hash: ec68ebff05b70208c813a92f1abdfd18ef6be5dd295ce6fe3666648f66a78846
Instruction Fuzzy Hash: 50D17932B10A418AEB15DF7AD4847ED37B1F788B88F048625EF4A5BA69EF38C545C740

Function 0000000140104874 Relevance: 21.6, APIs: 14, Instructions: 626COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e37453c140aa93ba34e215af4399bdc17d1908c09b6815abeafea15aa2ac5f9b
Instruction ID: b8b6eec4c481ef3cf7aeb88451b1e67b4077f3c2383160e25a5ffeb3b8049523
Opcode Fuzzy Hash: e37453c140aa93ba34e215af4399bdc17d1908c09b6815abeafea15aa2ac5f9b
Instruction Fuzzy Hash: 315254B2701A8086EB5ADB67C5943ED23A1FB8DF84F188126CF9A57BA6DF35C455C300

Function 00000001400E8C04 Relevance: 21.4, APIs: 11, Strings: 1, Instructions: 387keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 00000001400E8C81
GetAsyncKeyState.USER32 ref: 00000001400E8CEF
IsRectEmpty.USER32 ref: 00000001400E8DCE
IsRectEmpty.USER32 ref: 00000001400E8E94
SendMessageA.USER32 ref: 00000001400E8FCB
GetParent.USER32 ref: 00000001400E90B8
SendMessageA.USER32 ref: 00000001400E90D8
GetClientRect.USER32 ref: 00000001400E9140
InvalidateRect.USER32 ref: 00000001400E917A
InvalidateRect.USER32 ref: 00000001400E918B
UpdateWindow.USER32 ref: 00000001400E9195

Strings

(, xrefs: 00000001400E8C6F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientParentUpdateWindow
String ID: (
API String ID: 85486465-3887548279
Opcode ID: 5f7c8500b988e7b18bdcd1da70209da81e5c87922fcd524e9ae87c48189aaab7
Instruction ID: 064f0ef662b3240b9956673af7926283610f2e33efa2e84d069be9368563815f
Opcode Fuzzy Hash: 5f7c8500b988e7b18bdcd1da70209da81e5c87922fcd524e9ae87c48189aaab7
Instruction Fuzzy Hash: 6AF14C72A01A5186FB769B27D8547ED23A0E748FE8F044036EF1A677A8DB34CC81C790

Function 00000001400A8E58 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 188timeCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400A8EA7
ScreenToClient.USER32 ref: 00000001400A8EB6
PtInRect.USER32 ref: 00000001400A8EEA
PtInRect.USER32 ref: 00000001400A8F10
KillTimer.USER32 ref: 00000001400A8F57
InvalidateRect.USER32 ref: 00000001400A8F70
InvalidateRect.USER32 ref: 00000001400A8F83
KillTimer.USER32 ref: 00000001400A90C0
ValidateRect.USER32 ref: 00000001400A90F5
RedrawWindow.USER32 ref: 00000001400A913B

Strings

d, xrefs: 00000001400A9087
_, xrefs: 00000001400A90D4

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow
String ID: _$d
API String ID: 1459077570-597095544
Opcode ID: 64ea469ed0e31c43e2c50161bdda5d94d6bada57ef6540d9bc792a3740f567d0
Instruction ID: 3ffbc5217de99d5cd8a4e0b658626875fd4275014b10760887c6b0d846040dde
Opcode Fuzzy Hash: 64ea469ed0e31c43e2c50161bdda5d94d6bada57ef6540d9bc792a3740f567d0
Instruction Fuzzy Hash: D3915A366006818AEB56DF3698547ED77A1F799FC4F088235EF0A47669CF39C581CB00

Function 00000001400DC8D4 Relevance: 20.0, APIs: 10, Strings: 1, Instructions: 767COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400DCD80
GetParent.USER32 ref: 00000001400DCD92
SetParent.USER32 ref: 00000001400DCDBC
SetParent.USER32 ref: 00000001400DCE48
GetParent.USER32 ref: 00000001400DCFBF
GetParent.USER32 ref: 00000001400DCFD1
SetParent.USER32 ref: 00000001400DCFF6
GetParent.USER32 ref: 00000001400DD182
GetParent.USER32 ref: 00000001400DD194
SetParent.USER32 ref: 00000001400DD1B9

Strings

4, xrefs: 00000001400DCEB1

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Parent
String ID: 4
API String ID: 975332729-4088798008
Opcode ID: b46a05a754aa7350ac51f5f52ba3e108db897e5fa8c0e9002ebfdf09c3182abf
Instruction ID: 0fc9aff2b319548c8c0f1ecbfff9a5cd0d725beb95a573b4cc2258864a098a2a
Opcode Fuzzy Hash: b46a05a754aa7350ac51f5f52ba3e108db897e5fa8c0e9002ebfdf09c3182abf
Instruction Fuzzy Hash: C5624772310A4182EA6ADB27D4547ED67A1FB8DFC4F088026EF0A4BBA5DF39C546C710

Function 00000001400C5348 Relevance: 19.9, APIs: 10, Strings: 1, Instructions: 652windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400C53F4
CreateRectRgnIndirect.GDI32 ref: 00000001400C5401
IsWindowVisible.USER32 ref: 00000001400C543D
GetWindowRect.USER32 ref: 00000001400C5470
GetClientRect.USER32 ref: 00000001400C549E
OffsetRect.USER32 ref: 00000001400C54CC
OffsetRect.USER32 ref: 00000001400C550A

Strings

2, xrefs: 00000001400C5A5F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$OffsetWindow$ClientCreateEmptyIndirectVisible
String ID: 2
API String ID: 398194487-450215437
Opcode ID: 5cd7a31930975879ee2e8cb4fd7e262a8275aabdc64b61c8055bde2c28dd0585
Instruction ID: cc4d7c4c7a48f1fa0b10aab36d3ea7f568344c0f555ac0b86c8fec09b7667f85
Opcode Fuzzy Hash: 5cd7a31930975879ee2e8cb4fd7e262a8275aabdc64b61c8055bde2c28dd0585
Instruction Fuzzy Hash: 17629072604B818AEB25DF3AD8807DD77A1F788BE8F004216EB5957AB9EF34C585C740

Function 00000001400481D8 Relevance: 19.6, APIs: 1, Strings: 10, Instructions: 395windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014019A840: _invalid_parameter_noinfo.LIBCMT ref: 000000014019A881

LoadIconA.USER32 ref: 00000001400485A0

Strings

MFCButton_ImageType, xrefs: 00000001400484AB
MFCButton_Tooltip, xrefs: 0000000140048353
TRUE, xrefs: 00000001400483D2
MFCButton_ImageID, xrefs: 0000000140048528
MFCButton_FullTextTool, xrefs: 00000001400483AB
MFCButton_ImageOnRight, xrefs: 000000014004862B
MFCButton_Style, xrefs: 0000000140048284
MFCButton_Autosize, xrefs: 00000001400482EE
MFCButton_ImageOnTop, xrefs: 0000000140048606
MFCButton_CursorType, xrefs: 000000014004842E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: IconLoad_invalid_parameter_noinfo
String ID: MFCButton_Autosize$MFCButton_CursorType$MFCButton_FullTextTool$MFCButton_ImageID$MFCButton_ImageOnRight$MFCButton_ImageOnTop$MFCButton_ImageType$MFCButton_Style$MFCButton_Tooltip$TRUE
API String ID: 4060274358-3825445498
Opcode ID: b76eb30b528a9a35324d07c5efd8f740d36d1371a834fca9281228119ad40618
Instruction ID: d462ce3384fe4644cb63f7d4454abd15e57d530b9b472fdcbfcf853240fdaa36
Opcode Fuzzy Hash: b76eb30b528a9a35324d07c5efd8f740d36d1371a834fca9281228119ad40618
Instruction Fuzzy Hash: 36F1BE72701A4286EB25AF7AC4503ED23A1EB89BD8F058536AF19A7BF5DF34C905C344

Function 000000014009035C Relevance: 18.6, APIs: 12, Instructions: 630windowCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140090564
InvalidateRect.USER32 ref: 00000001400906F3
UpdateWindow.USER32 ref: 00000001400906FD
SendMessageA.USER32 ref: 0000000140090746

Part of subcall function 00000001400088C8: FindResourceW.KERNEL32 ref: 0000000140008904
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 0000000140008951
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 000000014000899F

CreateSolidBrush.GDI32 ref: 0000000140090C11
LoadCursorW.USER32 ref: 0000000140090CC1

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

LoadCursorW.USER32 ref: 0000000140090D20

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ByteCharCursorLoadMultiWideWindow$BrushCreateExceptionFindInvalidateMessageRectRedrawResourceSendSolidThrowUpdate
String ID:
API String ID: 248893609-0
Opcode ID: d25b7f222531cf2190fd38577e826736b34b611cf8e6e09f20d5dafb3c351a58
Instruction ID: ccee259ca3edc22d7b7cea8ef7cbf139b57001007bbdc2526ece554873a32bd1
Opcode Fuzzy Hash: d25b7f222531cf2190fd38577e826736b34b611cf8e6e09f20d5dafb3c351a58
Instruction Fuzzy Hash: D852DE76301A408BEB2ADB26D554BED37A5F788BC8F444229EB1A477B1CF38D565CB00

Function 000000014005943C Relevance: 18.2, APIs: 12, Instructions: 220windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400594B9
ClientToScreen.USER32 ref: 00000001400594F7
SendMessageA.USER32 ref: 000000014005955B
SHGetDesktopFolder.SHELL32 ref: 0000000140059586
GetParent.USER32 ref: 00000001400595B2
CreatePopupMenu.USER32 ref: 0000000140059609

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$ClientCreateDesktopFolderMenuParentPopupScreen
String ID:
API String ID: 2994660099-0
Opcode ID: a358c8fbbc696ef9d7e74d667fdd4b04779c37bc4186f0878e247356c90e7142
Instruction ID: dce9e0c9a556397cb36f7c66068bbc36386e5b1227d21402758ef42d0b5da3ee
Opcode Fuzzy Hash: a358c8fbbc696ef9d7e74d667fdd4b04779c37bc4186f0878e247356c90e7142
Instruction Fuzzy Hash: 38A12576711B4186EB16DFA6E8907ED33A1FB88B88F044526EF0A4BBA4DF39C455C740

Function 00000001400E4E64 Relevance: 16.8, APIs: 11, Instructions: 267COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400E4F1B
GetParent.USER32 ref: 00000001400E4F25
IsZoomed.USER32 ref: 00000001400E4F94
SetWindowRgn.USER32 ref: 00000001400E5007
GetClientRect.USER32 ref: 00000001400E5027
GetClientRect.USER32 ref: 00000001400E503D
GetWindowRect.USER32 ref: 00000001400E505F
IsZoomed.USER32 ref: 00000001400E5116
GetWindowRect.USER32 ref: 00000001400E5179
GetParent.USER32 ref: 00000001400E5183
SetWindowRgn.USER32 ref: 00000001400E51F9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectWindow$ClientParentZoomed
String ID:
API String ID: 3600561642-0
Opcode ID: 17a024e7ab5bef55a9cb5a924ecff5646df8a349e7cb6b9cf3ee2911f2badcc5
Instruction ID: 0dedb8fbaba82eadaa5afcc146e66efc2ca5633390a04993fc1a7d749475b9db
Opcode Fuzzy Hash: 17a024e7ab5bef55a9cb5a924ecff5646df8a349e7cb6b9cf3ee2911f2badcc5
Instruction Fuzzy Hash: C1D14B32A106518AFB55DF76D4847ED37B0F788B99F044529EF0A676A9EF38C840CB90

Function 0000000140054054 Relevance: 15.4, APIs: 10, Instructions: 378COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014005409B
FillRect.USER32 ref: 0000000140054172
FillRect.USER32 ref: 0000000140054291

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Fill$Empty
String ID:
API String ID: 11351758-0
Opcode ID: f43a4b6b73a4f8b188bf5648620ce672bb7bfdc9a971ce6c2899dabd7dc77cb0
Instruction ID: f689ec3001f7ccf5877b74f3eee6086367968789548b70b41b0fe486141ca389
Opcode Fuzzy Hash: f43a4b6b73a4f8b188bf5648620ce672bb7bfdc9a971ce6c2899dabd7dc77cb0
Instruction Fuzzy Hash: B1026A72710A908AEB16CF66D8403ED73B2F748B88F004626EF4A67BA4DF35D595C780

Function 0040AFC0 Relevance: 14.8, APIs: 9, Instructions: 1310COMMON

Download Yara Rule

APIs

fegetenv.LIBCMT ref: 0040B009
_invalid_parameter_noinfo.LIBCMT ref: 0040B682
memcpy_s.LIBCMT ref: 0040C02F
memcpy_s.LIBCMT ref: 0040C0D6

Part of subcall function 0040C32C: _invalid_parameter_noinfo.LIBCMT ref: 0040C35E

memcpy_s.LIBCMT ref: 0040C19F

Part of subcall function 0040580C: _invalid_parameter_noinfo.LIBCMT ref: 00405831

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfomemcpy_s$fegetenv
String ID:
API String ID: 281475176-0
Opcode ID: f5e7edce2c09ed7e6b5fe974fd999580fe06eb9ee1872a697213f8295781e408
Instruction ID: 610cd3e50e0b4eafa29e197613cb362266da141454d1d64e709355ead094a9f4
Opcode Fuzzy Hash: f5e7edce2c09ed7e6b5fe974fd999580fe06eb9ee1872a697213f8295781e408
Instruction Fuzzy Hash: 79A2F3726102818BD725CF69D940BEE37A5F38478CF50523ADB1677B88DB39CA45CB88

Function 0000000140080090 Relevance: 13.7, APIs: 9, Instructions: 189COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

GetClientRect.USER32 ref: 00000001400B510F
GetWindowRect.USER32 ref: 00000001400B5129

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

OffsetRect.USER32 ref: 00000001400B514C

Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010641
Part of subcall function 0000000140010614: ExcludeClipRect.GDI32 ref: 0000000140010661

GetWindowRect.USER32 ref: 00000001400B51AD
GetRgnBox.GDI32 ref: 00000001400B51C8
OffsetRect.USER32 ref: 00000001400B51E2
CreateRectRgnIndirect.GDI32 ref: 00000001400B51FB

Part of subcall function 0000000140010C90: ExtSelectClipRgn.GDI32 ref: 0000000140010CC8
Part of subcall function 0000000140010C90: ExtSelectClipRgn.GDI32 ref: 0000000140010CE6

OffsetRgn.GDI32 ref: 00000001400B5246
OffsetRect.USER32 ref: 00000001400B526E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClipOffset$ClientWindow$ExcludeScreenSelect$CreateIndirect
String ID:
API String ID: 3873550030-0
Opcode ID: 41095521a9693b30ad7f4674a6f1bd05d8fbc3dc30d697eeba0f6c1f17b0db03
Instruction ID: d91efae64722732532180b6a297a36e6849dee5596fa53c345100694aaec30ac
Opcode Fuzzy Hash: 41095521a9693b30ad7f4674a6f1bd05d8fbc3dc30d697eeba0f6c1f17b0db03
Instruction Fuzzy Hash: A7913832B00A859AEB01DFB6D4807EC7371F789B8CF548212EB496BA68DF75C645C380

Function 0000000140114B5C Relevance: 13.6, APIs: 9, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400EFAD0: IsWindow.USER32 ref: 00000001400EFAFC

IsIconic.USER32 ref: 0000000140114BA1
GetWindowRect.USER32 ref: 0000000140114BE4
IsIconic.USER32 ref: 0000000140114C08
GetSystemMetrics.USER32 ref: 0000000140114C15
OffsetRect.USER32 ref: 0000000140114C27
GetSystemMetrics.USER32 ref: 0000000140114C32
IsIconic.USER32 ref: 0000000140114C70
GetSystemMetrics.USER32 ref: 0000000140114C7F
GetSystemMetrics.USER32 ref: 0000000140114C8D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MetricsSystem$Iconic$RectWindow$Offset
String ID:
API String ID: 9552200-0
Opcode ID: 1f2fcb5db18c203a9c361825f0b88c0681175a4557d3f82e0b5e189d4dca2d3e
Instruction ID: d87c77130b245f33f94f64145fc6debc08e34459336e6321ad50caf74d9e63b2
Opcode Fuzzy Hash: 1f2fcb5db18c203a9c361825f0b88c0681175a4557d3f82e0b5e189d4dca2d3e
Instruction Fuzzy Hash: 9841F572B10A448AEB49DF66C8953EC77B0F788F98F048415CF0A9B665EF38C456C790

Function 000000014011C638 Relevance: 12.9, APIs: 8, Instructions: 916COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014011C72E
GetTextExtentPoint32A.GDI32 ref: 000000014011C7A6
GetTextMetricsA.GDI32 ref: 000000014011C89E
OffsetRect.USER32 ref: 000000014011CECB
SetRectEmpty.USER32 ref: 000000014011D08F
SetRectEmpty.USER32 ref: 000000014011D0D1
GetTextColor.GDI32 ref: 000000014011D178
GetTextColor.GDI32 ref: 000000014011D195

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectText$ColorEmpty$ExtentInflateMetricsOffsetPoint32
String ID:
API String ID: 1739790009-0
Opcode ID: b6ac0e5def1305fede8512330e15f8194dad5708987078da0f7b633bd2702ba8
Instruction ID: bf5ec8eb5a5d547f77b12244c7aab81707973024fa93ef6a6605ab620224b803
Opcode Fuzzy Hash: b6ac0e5def1305fede8512330e15f8194dad5708987078da0f7b633bd2702ba8
Instruction Fuzzy Hash: C592AF726246908BE729CF7AD4447DD37A5F74CB88F144226EF599BBA8DB34D844CB00

Function 00000001400FCCD4 Relevance: 12.7, APIs: 6, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

!, xrefs: 00000001400FD0A5

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 6833f3ff229be1125a6d8a109b857c0e9008e8136413fddca07d0b6e1e83e63c
Instruction ID: b95a13f0faf144b5cf12d6ccdc657103afc618f4ae739c5bec89af2c89573bf2
Opcode Fuzzy Hash: 6833f3ff229be1125a6d8a109b857c0e9008e8136413fddca07d0b6e1e83e63c
Instruction Fuzzy Hash: 3A129D72710B4486EB11CF6AE8907EE77B1FB88B84F44422AEB5A537A4EF78D445C740

Function 000000014006C43C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014006C477
ActivateActCtx.KERNEL32 ref: 000000014006C49C
GetLastError.KERNEL32 ref: 000000014006C4EA
DeactivateActCtx.KERNEL32 ref: 000000014006C4FD
SetLastError.KERNEL32 ref: 000000014006C509

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014006C470
ImageList_GetImageCount, xrefs: 000000014006C4B9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_GetImageCount$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3851965670
Opcode ID: ba1baf22a16c33384c9177f32ea901a877d021e546db2c3b10391ffbb1e3503a
Instruction ID: 292a002f544c7071a1172ea45cf9ca8d212b712621d19e9c48243e690df24f4c
Opcode Fuzzy Hash: ba1baf22a16c33384c9177f32ea901a877d021e546db2c3b10391ffbb1e3503a
Instruction Fuzzy Hash: DC213D32210B1186FB12DB67AC907BA67E5BB9CBD0F550829EF4E873B4DF78C8448240

Function 0000000140124158 Relevance: 12.3, APIs: 8, Instructions: 312windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001401241C9
SetRectEmpty.USER32 ref: 0000000140124220
OffsetRect.USER32 ref: 00000001401242BB
SetRectEmpty.USER32 ref: 000000014012430D

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

LoadMenuW.USER32 ref: 00000001401243F5
GetMenuItemCount.USER32 ref: 0000000140124422
GetMenuItemID.USER32 ref: 000000014012443B
GetSubMenu.USER32 ref: 00000001401244B7

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MenuRect$EmptyItem$ClientCountExceptionLoadOffsetThrow
String ID:
API String ID: 3889270008-0
Opcode ID: aa2858af30df6669a617dc77839ea0b3d9bf7c78b7b3f23d35b12f8b91f247dd
Instruction ID: 6273f6daabc243467196f3f8bdca6d72f056a8eade08b5dc19f52e0c137a531a
Opcode Fuzzy Hash: aa2858af30df6669a617dc77839ea0b3d9bf7c78b7b3f23d35b12f8b91f247dd
Instruction Fuzzy Hash: EAD19A72701A5086FB1ADB67D8543ED27A0FB8CF98F044629EF5A67AA5DF34C485C340

Function 00000001400692F0 Relevance: 12.2, APIs: 8, Instructions: 237COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32 ref: 0000000140069409

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FileModuleName
String ID:
API String ID: 514040917-0
Opcode ID: 031d0bc3336fd69a1de65b303ec3b7285dd3f007157d7cdc16a2819171a5183d
Instruction ID: dfeb04b44a9ff052f7f893c9cb6cd09fe52c4c5c652ab2f9e189caf575da3923
Opcode Fuzzy Hash: 031d0bc3336fd69a1de65b303ec3b7285dd3f007157d7cdc16a2819171a5183d
Instruction Fuzzy Hash: 27A19F32300B8086EB22DB26E8507DE73A6F788BE4F544615EB9E47BA9DF78C545C700

Function 0000000140174C9C Relevance: 12.2, APIs: 8, Instructions: 172COMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140174CFB
CreateCompatibleDC.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?), ref: 0000000140174D0E
GetBoundsRect.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?), ref: 0000000140174D3A
CreateSolidBrush.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,?), ref: 0000000140174D56
FillRect.USER32 ref: 0000000140174D74
FillRgn.GDI32 ref: 0000000140174E14
FrameRgn.GDI32 ref: 0000000140174E6F
FrameRgn.GDI32 ref: 0000000140174EB8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CreateFillFrameHashRect$BoundsBrushCompatibleImplImpl::Solid
String ID:
API String ID: 2800056643-0
Opcode ID: 12621268861abf8cc3007c18fa5335a6ef5013f1861563b68ca7175ba88cd71a
Instruction ID: 31cc6a4787c8da5962735057bda9633cf59cbe4624b0685001b4bcbb6c51b776
Opcode Fuzzy Hash: 12621268861abf8cc3007c18fa5335a6ef5013f1861563b68ca7175ba88cd71a
Instruction Fuzzy Hash: 66719C32714A409AFB66CF22D4847ED6364F758B98F508226DF5A17AF4DF38C54AC300

Function 00000001400ACD60 Relevance: 10.8, APIs: 7, Instructions: 284COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400ACDAA
GetClientRect.USER32 ref: 00000001400ACDD5
InflateRect.USER32 ref: 00000001400ACDFE
SetRectEmpty.USER32 ref: 00000001400ACE71
SetRectEmpty.USER32 ref: 00000001400ACF25
SetRectEmpty.USER32 ref: 00000001400ACF82
InflateRect.USER32 ref: 00000001400AD12C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$Inflate$ClientWindow
String ID:
API String ID: 3039100667-0
Opcode ID: 3a5701205b8162b9556a0fb09d99b196400dcf540de778325d973fc2e72f347f
Instruction ID: 1b074dfa384324fbec5ac408388ca84f527353a28f3ac66cf3ae39fc6cf097b2
Opcode Fuzzy Hash: 3a5701205b8162b9556a0fb09d99b196400dcf540de778325d973fc2e72f347f
Instruction Fuzzy Hash: C4D14D72B206808FE715CF7AD4417DC77A1F758B88F144226EF0AABA68DB74D981CB40

Function 000000014012C33C Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

APIs

LockWindowUpdate.USER32 ref: 000000014012C369
IsWindow.USER32 ref: 000000014012C395
GetWindowRect.USER32 ref: 000000014012C3FC
CopyRect.USER32 ref: 000000014012C572
LockWindowUpdate.USER32 ref: 000000014012C5B1

Strings

6, xrefs: 000000014012C595

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$LockRectUpdate$Copy
String ID: 6
API String ID: 2992910783-498629140
Opcode ID: 4d6a3289b2fd81335fc4d53e188b7e5284f9bfb655fe198b03cb7f908bf136fc
Instruction ID: cfc95d3d66fc2e60152338ed25c138621c711d77f12e5f0a7a72364a72a9fd67
Opcode Fuzzy Hash: 4d6a3289b2fd81335fc4d53e188b7e5284f9bfb655fe198b03cb7f908bf136fc
Instruction Fuzzy Hash: 10815B767106808AEB55DF66D694BAE77A1F78CFC8F058029DF0A57B68DF38C5058B00

Function 00000001401742B8 Relevance: 10.7, APIs: 7, Instructions: 201COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32 ref: 0000000140174319
CombineRgn.GDI32 ref: 0000000140174371
GetRgnBox.GDI32 ref: 0000000140174407
InflateRect.USER32 ref: 000000014017441F
CreatePolygonRgn.GDI32 ref: 0000000140174478
CombineRgn.GDI32 ref: 00000001401744A4
GetRgnBox.GDI32 ref: 00000001401744BC

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CombineCreateRect$InflatePolygon
String ID:
API String ID: 918227291-0
Opcode ID: 6ee9063c946cb388bf9ba35c811201631310bb19ce41503075973d9f5b39c932
Instruction ID: 9776c65117733d0510a3cd3ea46e553623fa194e85b9700c1a442a36716be0d2
Opcode Fuzzy Hash: 6ee9063c946cb388bf9ba35c811201631310bb19ce41503075973d9f5b39c932
Instruction Fuzzy Hash: ED919A72710A408AE712DF62D950BED37A6F78DB88F504125EF099BBA8DF38C515CB40

Function 000000014003944C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400394AC
SendMessageA.USER32 ref: 00000001400394DD
SendMessageA.USER32 ref: 000000014003952F
RedrawWindow.USER32 ref: 0000000140039544
GetParent.USER32 ref: 000000014003958D
GetParent.USER32 ref: 00000001400395A4
SendMessageA.USER32 ref: 00000001400395C2

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Parent$RedrawWindow
String ID:
API String ID: 601679388-0
Opcode ID: 45fd1688354b0cf314ada523b5c5d258c32253bbebe8fa8120a8736b50a7d99d
Instruction ID: 1dd735088318ee55d533705335fb4a73570cc79f40e69f3840eef345e49ea78d
Opcode Fuzzy Hash: 45fd1688354b0cf314ada523b5c5d258c32253bbebe8fa8120a8736b50a7d99d
Instruction Fuzzy Hash: 47412836210A5082FB57DB67E8547EA27A1EBC9FD4F085121EF0A47BB9DF39C8858700

Function 00000001400792EC Relevance: 9.3, APIs: 6, Instructions: 273COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140079375
GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140078C4D), ref: 000000014007938B
GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140078C4D), ref: 00000001400793D7
GetParent.USER32 ref: 00000001400793E1
GetParent.USER32 ref: 000000014007966A
RedrawWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,0000000140078C4D), ref: 0000000140079698

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Parent$RectWindow$ClientRedraw
String ID:
API String ID: 443302174-0
Opcode ID: 2a7e63b5a80cf60eba9437985346652f5a15eacc14b39fae1c5fe5b722a558ea
Instruction ID: b6375354f7441a4257c4a41deecd1980770a8793297832eb5e84f5e5306f0ed8
Opcode Fuzzy Hash: 2a7e63b5a80cf60eba9437985346652f5a15eacc14b39fae1c5fe5b722a558ea
Instruction Fuzzy Hash: EEC10732B20A508AFB65DF6AD494BAD77B0F78CB88F044125EF4A57BA4DB39D541CB00

Function 0000000140115184 Relevance: 9.2, APIs: 6, Instructions: 241windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001401151CE
IsWindowVisible.USER32 ref: 00000001401151E3
GetWindowRect.USER32 ref: 0000000140115250
IsZoomed.USER32 ref: 0000000140115261
SetWindowRgn.USER32 ref: 00000001401152F0
GetSystemMetrics.USER32 ref: 000000014011536A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Visible$MetricsRectSystemZoomed
String ID:
API String ID: 3738653960-0
Opcode ID: da4dd46bd225e6ad4a5d130fa6b59c25846d49bcf34bcea0f6a8c4362d0b9f09
Instruction ID: be6c68e8294d13864ae87594114d1aa1095a889c22f8194fca1e90103f74748e
Opcode Fuzzy Hash: da4dd46bd225e6ad4a5d130fa6b59c25846d49bcf34bcea0f6a8c4362d0b9f09
Instruction Fuzzy Hash: B4B10572A10640DAE769DF6AD450BDD37B5F78CB88F04412A9F0AABB68DB35C941CB40

Function 00000001400E00A4 Relevance: 9.1, APIs: 6, Instructions: 145keyboardwindowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 00000001400E00F8
GetAsyncKeyState.USER32 ref: 00000001400E0106
WindowFromPoint.USER32 ref: 00000001400E0148
ScreenToClient.USER32 ref: 00000001400E0193
SendMessageA.USER32 ref: 00000001400E01EE
ScreenToClient.USER32 ref: 00000001400E025B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientScreen$AsyncFromMessageMetricsPointSendStateSystemWindow
String ID:
API String ID: 1550688781-0
Opcode ID: 50592880a4a484d7e48e0f0f9a7af8a9fbf122de5113cb76cfaf96fc79009d52
Instruction ID: 0fc4f39412acd311e7cab3cb75f146460b082fff3b5384d68989fa6ce1b86742
Opcode Fuzzy Hash: 50592880a4a484d7e48e0f0f9a7af8a9fbf122de5113cb76cfaf96fc79009d52
Instruction Fuzzy Hash: 18510B36711A4586FF569B66D9583E827B0F78CBE4F104029EF4A6BBA4DF35C8858340

Function 0000000140134D48 Relevance: 8.1, APIs: 5, Instructions: 609windowCOMMON

Download Yara Rule

APIs

GetWindow.USER32 ref: 0000000140134DAD
GetWindow.USER32 ref: 0000000140134E59
SendMessageA.USER32 ref: 0000000140134E83
GetParent.USER32 ref: 000000014013519A
SendMessageA.USER32 ref: 0000000140135557

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSendWindow$Parent
String ID:
API String ID: 604417809-0
Opcode ID: e00d6d9a8c8d8a627f17e59ef40d81dc8a9474563b428dba1dd7ef8e766b9a55
Instruction ID: dd23ab6dcbe6d31daca37e2e54713b2d98fb200c12828822c89745264ca3a5df
Opcode Fuzzy Hash: e00d6d9a8c8d8a627f17e59ef40d81dc8a9474563b428dba1dd7ef8e766b9a55
Instruction Fuzzy Hash: 14426676701A4097EB5AEB2BD5903AD23A1FB89FD4F044116EB0E07BA5DF38D8A1C740

Function 0000000140169268 Relevance: 7.8, APIs: 5, Instructions: 349COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401692A3
SetRectEmpty.USER32 ref: 00000001401692E9
SetRectEmpty.USER32 ref: 00000001401692FB
GetWindowRect.USER32 ref: 000000014016932D
GetWindowRect.USER32 ref: 000000014016939D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$Window
String ID:
API String ID: 444217639-0
Opcode ID: 996282249dfd034c6ce7f1eb4c36225426953a745f73db01acce9dcea46d469c
Instruction ID: 29f4e2c32f9133247141904bf63f3047fdc69bdd5dab46cf801d1cc440c7e784
Opcode Fuzzy Hash: 996282249dfd034c6ce7f1eb4c36225426953a745f73db01acce9dcea46d469c
Instruction Fuzzy Hash: C4E15E7271161087EB1A9F76CD507AC27A9BB88F88F158A26DF0E977A8DF34D841C740

Function 00000001401451AC Relevance: 7.7, APIs: 5, Instructions: 245COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140145423
GetWindowRect.USER32 ref: 000000014014547F
GetWindowRect.USER32 ref: 0000000140145533
GetWindowRect.USER32 ref: 000000014014556F
LoadCursorW.USER32 ref: 0000000140145602

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectWindow$CursorLoad
String ID:
API String ID: 3444235573-0
Opcode ID: 89dd02550b8853d84d11835f1b2b2c66f1816f3b58aa9370c10416c8eb5aed13
Instruction ID: 6f848904e3f6bd7a25350eadd51c9b2bef458c6171e416e3aecc0fc566d38658
Opcode Fuzzy Hash: 89dd02550b8853d84d11835f1b2b2c66f1816f3b58aa9370c10416c8eb5aed13
Instruction Fuzzy Hash: B3C18E32200AC196EB2AEF76E9907ED73A1F78DB84F444226DB4E47BA6DF74D1508700

Function 0000000140039024 Relevance: 7.6, APIs: 5, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400064F8: OutputDebugStringA.KERNEL32 ref: 0000000140006516
Part of subcall function 00000001400064F8: ActivateActCtx.KERNEL32 ref: 0000000140006537

LoadLibraryW.KERNEL32(?,?,?,?,00000000,0000000140038EC9,?,?,?,?,?,000000014003705A), ref: 000000014003906A
GetProcAddress.KERNEL32(?,?,?,?,00000000,0000000140038EC9,?,?,?,?,?,000000014003705A), ref: 0000000140039081
GetLastError.KERNEL32(?,?,?,?,00000000,0000000140038EC9,?,?,?,?,?,000000014003705A), ref: 0000000140039098
DeactivateActCtx.KERNEL32(?,?,?,?,00000000,0000000140038EC9,?,?,?,?,?,000000014003705A), ref: 00000001400390AB
SetLastError.KERNEL32(?,?,?,?,00000000,0000000140038EC9,?,?,?,?,?,000000014003705A), ref: 00000001400390B8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateAddressDeactivateDebugLibraryLoadOutputProcString
String ID:
API String ID: 1219406697-0
Opcode ID: 57842c243ea82f52de7b48b57f95dbbe9324d0cda45c9a4c9ca743f57eff4182
Instruction ID: ec8ce6a36adc079ed70aaa5028404ea0f68b5abd2611b4c074be6f8673996966
Opcode Fuzzy Hash: 57842c243ea82f52de7b48b57f95dbbe9324d0cda45c9a4c9ca743f57eff4182
Instruction Fuzzy Hash: AA112B31204B0086FA1B9B27A8843AAB3E5BB8CFD0F184439DB5D47774EF38C8018740

Function 0000000140054B9C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 431keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 0000000140054C0E

Part of subcall function 0000000140057B08: IsRectEmpty.USER32 ref: 0000000140057B55
Part of subcall function 0000000140057B08: InvertRect.USER32 ref: 0000000140057B6E
Part of subcall function 0000000140057B08: SetRectEmpty.USER32 ref: 0000000140057B7C

GetAsyncKeyState.USER32 ref: 0000000140055063
GetAsyncKeyState.USER32 ref: 00000001400550E1

Strings

(, xrefs: 00000001400550F0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: AsyncRectState$Empty$Invert
String ID: (
API String ID: 3412082714-3887548279
Opcode ID: 0ab88edac6b161dfda5a39faa307ef6c4cf35feff61ddb3551682271f21797b4
Instruction ID: d8ed51488051b78faec0a5cc22369f0791aa534b9fabc37421dacc461dfbc1e8
Opcode Fuzzy Hash: 0ab88edac6b161dfda5a39faa307ef6c4cf35feff61ddb3551682271f21797b4
Instruction Fuzzy Hash: 0502BC72302A508AEB6ADF3AC5943EC63A1F78DFD9F144126AB1D577B5CB36C8618700

Function 00000001400ECE24 Relevance: 6.4, APIs: 4, Instructions: 427COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400ECEAA
RedrawWindow.USER32 ref: 00000001400ECF5D
GetWindowRect.USER32 ref: 00000001400ED24F
EqualRect.USER32 ref: 00000001400ED269

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

Part of subcall function 00000001400EC258: SetRectEmpty.USER32 ref: 00000001400EC26B
Part of subcall function 00000001400EC258: GetWindowRect.USER32(?,?,?,00000001400EBEDD,?,?,?,00000001400EBC6C), ref: 00000001400EC281

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$ClientEmptyScreen$EqualRedraw
String ID:
API String ID: 2731924176-0
Opcode ID: ca66931d4bc4aa684596687817eb0a8c16edbecd2ba284e0a76f055559a98edc
Instruction ID: cd776d4ceb49e7c2f476cbaba04d7379f45dc82c01177d7aedd7263ed4cfdac9
Opcode Fuzzy Hash: ca66931d4bc4aa684596687817eb0a8c16edbecd2ba284e0a76f055559a98edc
Instruction Fuzzy Hash: 6C028832B106418AEB26DB7795407ED77A1FB88BD8F044526EF0A67BA9DF34C845C780

Function 000000014010CF78 Relevance: 6.4, APIs: 4, Instructions: 397COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014010D070
OffsetRect.USER32 ref: 000000014010D08F
InflateRect.USER32 ref: 000000014010D1B3
InflateRect.USER32 ref: 000000014010D275

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Inflate$Offset
String ID:
API String ID: 2214210088-0
Opcode ID: bf57374c3fbbf09c9d72cb4e16dffb7745228c24f5761e2cddcfed0aec5c6c7d
Instruction ID: 580d4729b99016323290d8f87d4f6fdbcd4c0ca3d8a4e8f353edb8b1361f9bc9
Opcode Fuzzy Hash: bf57374c3fbbf09c9d72cb4e16dffb7745228c24f5761e2cddcfed0aec5c6c7d
Instruction Fuzzy Hash: FB0259B27007908BE725CF6AD8847ED77A1F788B88F144615EF8997EA8DB34D954CB00

Function 0000000140124AA0 Relevance: 6.3, APIs: 4, Instructions: 319windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0000000140124C70
GetMenuItemID.USER32 ref: 0000000140124C8E
GetSubMenu.USER32 ref: 0000000140124D3B
GetFocus.USER32 ref: 0000000140124B00

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Menu$Item$CountExceptionFocusThrow
String ID:
API String ID: 3653897745-0
Opcode ID: 0930fc3d9dbea3886d3d045f95850e882de38599af3b2ed954a3d383a305acc1
Instruction ID: 2c76dc042883db7d78f73ab81765313a7f578150d6065394dcbc43b3dab9e600
Opcode Fuzzy Hash: 0930fc3d9dbea3886d3d045f95850e882de38599af3b2ed954a3d383a305acc1
Instruction Fuzzy Hash: 35D19172201A8182EB16DF27D8547ED6391FB89FE4F455229AF2A67BF5DF38C4418700

Function 00000001400A8198 Relevance: 6.3, APIs: 4, Instructions: 287keyboardCOMMON

Download Yara Rule

APIs

GetAsyncKeyState.USER32 ref: 00000001400A82DB
GetClientRect.USER32 ref: 00000001400A8470
SetScrollPos.USER32 ref: 00000001400A855B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: AsyncClientRectScrollState
String ID:
API String ID: 1386077005-0
Opcode ID: 30ad183b2a2920bfb1e12f071c0e0d19359371925079fb690cc914d98b534557
Instruction ID: 8e4e157c7d1c771779f180b7b71d5556c2a608a25cc15e08c5edf83f38cb7b5c
Opcode Fuzzy Hash: 30ad183b2a2920bfb1e12f071c0e0d19359371925079fb690cc914d98b534557
Instruction Fuzzy Hash: 73B16F32A01A5586EB7A9B7685543FD63E1EB9DFC0F088235EF1A477A4DF34C9908B40

Function 00000001400A4464 Relevance: 6.3, APIs: 4, Instructions: 252COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00000001400A44B2
FillRect.USER32 ref: 00000001400A457E
FillRect.USER32 ref: 00000001400A4635

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FillRect$BrushCreateSolid
String ID:
API String ID: 248659410-0
Opcode ID: c9788fb2b08945975c72553134e556a9dede10f1470dc488d84e4e2c79d30c61
Instruction ID: fe01d17434abfa09c75bea483d5fd87a912de9e9834109b026791cf72bde91a5
Opcode Fuzzy Hash: c9788fb2b08945975c72553134e556a9dede10f1470dc488d84e4e2c79d30c61
Instruction Fuzzy Hash: A8911672F106608AE709DF76C8513EC7BB4F798788F54921AEF069BA68DB34C581C740

Function 0000000140100148 Relevance: 6.2, APIs: 4, Instructions: 203COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140100225
OffsetRect.USER32 ref: 00000001401002D2
GetSysColor.USER32 ref: 00000001401002E6
InflateRect.USER32 ref: 00000001401003BF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Inflate$ColorOffset
String ID:
API String ID: 3313136937-0
Opcode ID: d559a888b2f9f56cc360bf34663d95ad9ccb243741002f1ea213c509619498b4
Instruction ID: 90f9a3f32a4ca6958fd5d6e1b257c791591f2e41e7b3da01bb9737d7b845346b
Opcode Fuzzy Hash: d559a888b2f9f56cc360bf34663d95ad9ccb243741002f1ea213c509619498b4
Instruction Fuzzy Hash: 8B817272B14A508AE752CB79D4547DD77B0F789B98F00422AEF4AA7BA4DF38C44AC740

Function 0000000140094878 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140094895
GetParent.USER32 ref: 00000001400948D5
GetDlgCtrlID.USER32 ref: 000000014009494F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Parent$Ctrl
String ID:
API String ID: 2540549881-0
Opcode ID: a319d7f4b4db70985af59fe4c4bef505b51f00bb8c7a9ad0ace6d2de394b5949
Instruction ID: 55374f3b56a8cecdbb59917fa5e67c9b359e1d4f2bfd3a18ca7bdf98e6d89f47
Opcode Fuzzy Hash: a319d7f4b4db70985af59fe4c4bef505b51f00bb8c7a9ad0ace6d2de394b5949
Instruction Fuzzy Hash: B531B631B11A8182FB569727E8507EE5290AB8DBD4F084534FF0A4BBB9EF39C4414340

Function 0000000140014264 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142A1
LoadResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142B2
LockResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142C3
FreeResource.KERNEL32(?,?,?,00000001400060F4), ref: 00000001400142E6

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: a969457507a0f340cc5b2f75d6a8b31ed2c22013bcaa416e4faccc093d01875c
Instruction ID: b33a70c6116f2cfd5668806adb93cbf4799a3ded3be66a2513baeaf937ccea57
Opcode Fuzzy Hash: a969457507a0f340cc5b2f75d6a8b31ed2c22013bcaa416e4faccc093d01875c
Instruction Fuzzy Hash: 5C116935311F8185EF5AAF97A944399A6E4AB8DFD0F4C4025EF0A4BB79DE39C8818700

Function 000000014011D340 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32 ref: 000000014011D7BE
GetTextExtentPoint32A.GDI32 ref: 000000014011D7E1

Strings

$, xrefs: 000000014011D789

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ExtentPoint32Text
String ID: $
API String ID: 223599850-3993045852
Opcode ID: 9d420d8d778bd02c9cb0ba45c7e067dc7851bc374373c22db32973f45130051b
Instruction ID: 3cb724add2d96836b0e46eccd172e3bd60d6c4884173f04772577fd80d945457
Opcode Fuzzy Hash: 9d420d8d778bd02c9cb0ba45c7e067dc7851bc374373c22db32973f45130051b
Instruction Fuzzy Hash: D8F15C72B106508BE75ACF6AD844BED77B1F74CB88F404616EF0A9BAA4DB38D454CB40

Function 00000001401606C0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 221COMMON

Download Yara Rule

Strings

UUUU, xrefs: 0000000140160B5F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID: UUUU
API String ID: 0-1798160573
Opcode ID: a4babae64460a354512ade75c8deafdc9e41fe93b075af336f5fd54210bfe970
Instruction ID: 4a2226d66e9d8a0b942fc86394febb1441506d72d2a750bfcc4e3a7f2ddc4bd3
Opcode Fuzzy Hash: a4babae64460a354512ade75c8deafdc9e41fe93b075af336f5fd54210bfe970
Instruction Fuzzy Hash: B6918B76A106548AFB56CF66CC447EE37B1B348B98F11891ADF1E57AA8DB30D881C740

Function 00407C98 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 00407CC8

Strings

., xrefs: 004080E8
*?, xrefs: 00407CEF

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: *?$.
API String ID: 3215553584-3972193922
Opcode ID: 5433074f20d27304593988c8c0c0866b681a65e2a7da71073b887630cbd23c18
Instruction ID: 550d515597eca45ab497aa7bd4195725959ee4537fd8bb0d7572f98dc96a7267
Opcode Fuzzy Hash: 5433074f20d27304593988c8c0c0866b681a65e2a7da71073b887630cbd23c18
Instruction Fuzzy Hash: A1512262B15B9885EF10DFB2D9004AE73A4FB58BD87444537EE1927B84EB3CD442C309

Function 0040AAF0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 0040AB7B

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction ID: 2e52f615ded612e2f0af646f9850da60ed4dacb3cb457cbd7dc7455c5d36a7d1
Opcode Fuzzy Hash: 7c95d79a6932f591ae303023ad9bcf5e3cdb31da0663f78c422ae26a9081d948
Instruction Fuzzy Hash: 3EC1CD7271878587CB34CF15E188AAAB761F798784F148236DB4A67B44DB3CE861CB09

Function 00000001401A05F0 Relevance: 4.8, APIs: 3, Instructions: 340COMMON

Download Yara Rule

APIs

memcpy_s.LIBCMT ref: 00000001401A067B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: memcpy_s
String ID:
API String ID: 1502251526-0
Opcode ID: 5f74570c7e06965f6a33a9577543d7e73e180dd4273b264fce28b5b44df58a71
Instruction ID: 888d341c0877e2af2c0d7dc9aa12b5f890d4eba1cf9727885f261c7797bd1f1e
Opcode Fuzzy Hash: 5f74570c7e06965f6a33a9577543d7e73e180dd4273b264fce28b5b44df58a71
Instruction Fuzzy Hash: 56D1DF3271468487EB76CF16E1887AAB7E1F388B88F148124CB8A57B54D73CE985CF00

Function 00000001401007D8 Relevance: 4.8, APIs: 3, Instructions: 286windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400FA7B8: GetParent.USER32 ref: 00000001400FA7CF
Part of subcall function 00000001400FA7B8: SendMessageA.USER32 ref: 00000001400FA805

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

SetRectEmpty.USER32 ref: 0000000140100A5E

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

GetParent.USER32 ref: 0000000140100B75
SendMessageA.USER32 ref: 0000000140100B9F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientMessageParentScreenSend$EmptyExceptionRectThrow
String ID:
API String ID: 3589519406-0
Opcode ID: f907090225d917fb6d6e011d07cca86588f3d0bef2481184ce24703bfe3b4f7a
Instruction ID: 2373cbb418405145bc69290961272395e326051fdbb444ce90f7a3675eddd56e
Opcode Fuzzy Hash: f907090225d917fb6d6e011d07cca86588f3d0bef2481184ce24703bfe3b4f7a
Instruction Fuzzy Hash: 78C135B6701A808AEB56DF27D4547ED33A0FB49F88F089525AF4A1BBA5DF38C944C740

Function 000000014003CAC0 Relevance: 4.7, APIs: 3, Instructions: 239comCOMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 000000014003CB8B

Part of subcall function 000000014000DB14: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB30

CoInitializeEx.OLE32 ref: 000000014003CD7F
CoCreateInstance.OLE32 ref: 000000014003CDD2

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CreateExceptionInitializeInstanceThrowVersion
String ID:
API String ID: 95949155-0
Opcode ID: 134afba3826fa093455f6d22ee09d004b2ee91db3e03e243544ad68fad55c905
Instruction ID: 3586c495c6b8678180ca66241efde295532fa3a61c69c2dc8253e80371d45b0e
Opcode Fuzzy Hash: 134afba3826fa093455f6d22ee09d004b2ee91db3e03e243544ad68fad55c905
Instruction Fuzzy Hash: 28B14576211B8086EB06DF2AE4947DA77A0F788B98F144126EF4A8B7A9DF38C550C750

Function 000000014008CA04 Relevance: 4.7, APIs: 3, Instructions: 233COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

GetClientRect.USER32 ref: 000000014008CABB

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

RedrawWindow.USER32 ref: 000000014008CD21
RedrawWindow.USER32 ref: 000000014008CD36

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ConditionMaskRedrawWindow$ClientExceptionInfoMetricsRectSystemThrowVerifyVersion
String ID:
API String ID: 3428588656-0
Opcode ID: 8e8c2ed4177ab61d56793995fcdfe76fc4eb223b5b3081289659a8b6abe57a0b
Instruction ID: de992d8000182983019737ba653c2c92d49a26be83c02d4d2b020e63e574a983
Opcode Fuzzy Hash: 8e8c2ed4177ab61d56793995fcdfe76fc4eb223b5b3081289659a8b6abe57a0b
Instruction Fuzzy Hash: 3AA15773720A408AEB15DF7AE894BDC37B0F348788F054626EF1997AA9DB38D555C700

Function 0000000140114F8C Relevance: 4.5, APIs: 3, Instructions: 27keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32 ref: 0000000140114FB2
GetKeyState.USER32 ref: 0000000140114FC0
GetKeyState.USER32 ref: 0000000140114FCE

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: bf71ff51d73a1e3332b3069a1b6e83896e8644b8d97d305b7cfdf239788754dc
Instruction ID: 9f2147a72fc8d15b5a5f23201ee83dd719750024e2c78331e5558efc1deb786a
Opcode Fuzzy Hash: bf71ff51d73a1e3332b3069a1b6e83896e8644b8d97d305b7cfdf239788754dc
Instruction Fuzzy Hash: F0F0FE35200A5587FB2EAF6AD8413E82220E71CF68F500428DBA10A2B5DF75DAABD710

Function 00000001400D4340 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00000001400D470A

Strings

DUMMY, xrefs: 00000001400D44F2

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientScreen
String ID: DUMMY
API String ID: 3917795285-3097505935
Opcode ID: c37ed174ae41f8b15b9e3288af0c5b9e4e7b47bcac6cd5b0f000cfb641a98add
Instruction ID: 44e4ef64b67e2f18db7f272c15841dacf8b17cc24fa4e3964c103fb125def24c
Opcode Fuzzy Hash: c37ed174ae41f8b15b9e3288af0c5b9e4e7b47bcac6cd5b0f000cfb641a98add
Instruction Fuzzy Hash: 05D15B76305A8082EB26DB26E4543EE73A0FB89BE4F444225EB5E47BE5DF78C545C700

Function 0000000140078CA0 Relevance: 3.4, APIs: 2, Instructions: 420COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140078D1B

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

OffsetRect.USER32 ref: 0000000140079161

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientOffset
String ID:
API String ID: 3549191583-0
Opcode ID: dc3b8776c1044120a38e5216a457fd7b58e748e7abc0109a2a25d6e1b378157d
Instruction ID: 1325ebe68805e81a9468a8f1b2b0148a1a1d26aedd8e7d152e7b55e65cfed302
Opcode Fuzzy Hash: dc3b8776c1044120a38e5216a457fd7b58e748e7abc0109a2a25d6e1b378157d
Instruction Fuzzy Hash: 32123C726147418AEB66DF6AD4847EE77E0F78CB84F144129EF4A47BA4DB38D885CB00

Function 000000014013C2B0 Relevance: 1.9, APIs: 1, Instructions: 425COMMON

Download Yara Rule

APIs

OffsetRect.USER32 ref: 000000014013C313

Part of subcall function 0000000140068560: IsRectEmpty.USER32 ref: 000000014006859C
Part of subcall function 0000000140068560: IsRectEmpty.USER32 ref: 00000001400685D6
Part of subcall function 0000000140068560: IntersectRect.USER32 ref: 0000000140068659
Part of subcall function 0000000140068560: IntersectRect.USER32 ref: 0000000140068702

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$EmptyIntersect$Offset
String ID:
API String ID: 836864506-0
Opcode ID: 25deb7a69fad88c8e6dbe7de4c3fa084e8c642e397d74b44b0bca496dd4fa3c6
Instruction ID: 1786d1b2df407845115a2e66ba9a565e87e2928bdb74c7fb9ea35594a7268b7f
Opcode Fuzzy Hash: 25deb7a69fad88c8e6dbe7de4c3fa084e8c642e397d74b44b0bca496dd4fa3c6
Instruction Fuzzy Hash: E02234B3F186908EF711CFB9D0407ED7BB1A35875CF10522AEE49A6B58DB34954ACB40

Function 000000014013C8CC Relevance: 1.8, APIs: 1, Instructions: 328COMMON

Download Yara Rule

APIs

OffsetRect.USER32 ref: 000000014013C933

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: OffsetRect
String ID:
API String ID: 177026234-0
Opcode ID: 661e5d692054f2eaa601db5a5544255719f7e899f20f4a9b06d2a492abba3b69
Instruction ID: 3d86512d6cdb220eed7320947dcb740e422efa9072179b919b26b1d83f0417de
Opcode Fuzzy Hash: 661e5d692054f2eaa601db5a5544255719f7e899f20f4a9b06d2a492abba3b69
Instruction Fuzzy Hash: 60F11377B187808EE711CFB9D4416ED7BB1B35879CF10121AAE89ABB58E734914ACB40

Function 00000001400BCCC4 Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 00000001400BCF13

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: InflateRect
String ID:
API String ID: 2073123975-0
Opcode ID: 38d426379d8e708d92716e0eb086b935ff94e942642f6c61a5dc325ebeb140fb
Instruction ID: 56912125dc985f80fd0e7a0847a11a1dfe1c7506c7522fb15ef9ab817ec1c349
Opcode Fuzzy Hash: 38d426379d8e708d92716e0eb086b935ff94e942642f6c61a5dc325ebeb140fb
Instruction Fuzzy Hash: 03B1C172710A868AEB6ACFB69540BED77B1B74C7C4F444125AF1A677A4DB38E845C300

Function 0040EC78 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

_clrfp.LIBCMT ref: 0040EEC5

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _clrfp
String ID:
API String ID: 3618594692-0
Opcode ID: d6b0318fff3cb9dfd3937546595f591b5523580b243301b9513abd2bc9207a4a
Instruction ID: 3e64989d8907ebcc7f07a1394eee2ee11861b9c385ba49a245eec4a14ea2dae4
Opcode Fuzzy Hash: d6b0318fff3cb9dfd3937546595f591b5523580b243301b9513abd2bc9207a4a
Instruction Fuzzy Hash: 60A12C77610B888BDB19CF2AC8463597BA0F384B58F198D26DB5D97BA4CB39C461C704

Function 00000001401745E4 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 000000014017466A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fbb74db56036cbbfaf091470ef6f3f57234a45fbb8891ea4fe7e16ae191821e
Instruction ID: 365799995b075a53de47d41a55fd55710138137240b465cb4f0df80c806da757
Opcode Fuzzy Hash: 8fbb74db56036cbbfaf091470ef6f3f57234a45fbb8891ea4fe7e16ae191821e
Instruction Fuzzy Hash: DB41713261468087EB62DF26E9457DE77A0F78DB88F544126EF494BAA9CF79C844CB00

Function 000000014019844C Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

0, xrefs: 0000000140198603

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 9aa5d31da8e9b742e66d6e17522b45fc3cef3508fc62b0449a032d7f3c5ebead
Instruction ID: 76314936d5f29107022717314254fda495c6163246521f4bb3c3d473f4c5a9d2
Opcode Fuzzy Hash: 9aa5d31da8e9b742e66d6e17522b45fc3cef3508fc62b0449a032d7f3c5ebead
Instruction Fuzzy Hash: 6381D27231024086FBAA9A2B91407EE23E0F74DF48F555516EF029B6FAC735C94ADF41

Function 00403838 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 004039D2

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: de99c99e3a8e1be8b44c6470d2ee38e7724187a617930e05d31601bc3c75af85
Instruction ID: e9b8ece96858dc261a123ff0e6ea43f388aa687a3f44623aca9261126aab035d
Opcode Fuzzy Hash: de99c99e3a8e1be8b44c6470d2ee38e7724187a617930e05d31601bc3c75af85
Instruction Fuzzy Hash: 115170A230468046DB288E2A904476F6F5DE382B5AF140537DD81BB7D5C7BDCB47C749

Function 00000001401981D0 Relevance: 1.4, Strings: 1, Instructions: 199COMMON

Download Yara Rule

Strings

0, xrefs: 000000014019836A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: 0
API String ID: 3215553584-4108050209
Opcode ID: 3438229716e7fd8099c00b289effaaee81d327f6e4b72b7012497641e3d3e19a
Instruction ID: 1a02935a022a19bad6d28762aebb10cc47c0ed1a508da647a1f45c417330eace
Opcode Fuzzy Hash: 3438229716e7fd8099c00b289effaaee81d327f6e4b72b7012497641e3d3e19a
Instruction Fuzzy Hash: F1712331214A8046FBBB8B2B90403EE6791B74AF48F681616DF05DBBFAC635C946CF45

Function 004051FC Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

@, xrefs: 00405238

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e4a8117d6d094b5da0d5e7dbd0072f6309bb71f2b4948167169585134df03e85
Instruction ID: b1933b7081d2be15e4addd07c85a3a5f0ae8bb26efabe8115341c652a6af22aa
Opcode Fuzzy Hash: e4a8117d6d094b5da0d5e7dbd0072f6309bb71f2b4948167169585134df03e85
Instruction Fuzzy Hash: FF417C72311A4486EB04DF2AE95839AB3A5F388FD4F49A027DF0D97794EA7CC456C304

Function 00400740 Relevance: .3, Instructions: 270COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 278f5a59de966716d93efcbe1206cd01fe937afbc7cfe022395c55ce15ecd580
Instruction ID: 1aa14b35f2018a1d74c788182f7d1d1b0f36020467659b4a84e42335028665a0
Opcode Fuzzy Hash: 278f5a59de966716d93efcbe1206cd01fe937afbc7cfe022395c55ce15ecd580
Instruction Fuzzy Hash: 05C12E72310B8496EB10DF62EC947DE3761F788798F40412ADB4E57AA8EF78C585CB44

Function 000000014007C650 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b50b50fb20f74cd5eee63b83465de6fe33194ae8bcd4b6157c05af97e0ec362
Instruction ID: 29989a7bd7593131c0cc83ec21945473d6f6f77f442c633b9395cd789b5dc781
Opcode Fuzzy Hash: 0b50b50fb20f74cd5eee63b83465de6fe33194ae8bcd4b6157c05af97e0ec362
Instruction Fuzzy Hash: 8071F135320211A2F762CB2B9890FDA23A5FB9D7C4F54951DAF0D839E5EB39D414CB40

Function 00000001401A0C4C Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f7872feb2b14e108d1f4cb6f61f0a15a08e3ec90392c4c67b6928a1fa577d94
Instruction ID: ae4a05c3b4c6ca7258734d35534426a0996ecf54fe42e11bd5d3d44d640c4270
Opcode Fuzzy Hash: 7f7872feb2b14e108d1f4cb6f61f0a15a08e3ec90392c4c67b6928a1fa577d94
Instruction Fuzzy Hash: DA319F7362415086F6B79AFF89547FD12C2E78EF90F248211870606ABEC932E8C69E00

Function 0040E850 Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ecbd91572756d3882d4cd198b5002328ff43c002d57702262226e1de57a5bf
Instruction ID: 29ed091ff052a771afb08b6e4ceb0511a47cd56ecb17d9ef52e09f8c48f1d5f5
Opcode Fuzzy Hash: 37ecbd91572756d3882d4cd198b5002328ff43c002d57702262226e1de57a5bf
Instruction Fuzzy Hash: B6F096B27153948BDBA5DF2CA8027997BE1F7083C0F808029D78983B04D37D84A08F48

Function 00000001400D1370 Relevance: 49.9, APIs: 33, Instructions: 356COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400D13C8
PtInRect.USER32 ref: 00000001400D13D6
GetClientRect.USER32 ref: 00000001400D13F0
PtInRect.USER32 ref: 00000001400D140A

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientExceptionThrowWindow
String ID:
API String ID: 3289646156-0
Opcode ID: 895963b884832e035802939366218c904f13841c35db135fcab58f598cd55bff
Instruction ID: 5d77943245c42263072f8d46908b19ae8175e8133039e9d6ca0a7089effc8ac5
Opcode Fuzzy Hash: 895963b884832e035802939366218c904f13841c35db135fcab58f598cd55bff
Instruction Fuzzy Hash: B0F12C36B10A419BEB21CF76E4947DD33B1FB88B98F104215AF1A57AA8DF38D506C750

Function 0000000140001460 Relevance: 42.0, APIs: 12, Strings: 12, Instructions: 45registrywindowCOMMON

Download Yara Rule

APIs

RegisterWindowMessageA.USER32 ref: 000000014004638C
RegisterWindowMessageA.USER32 ref: 000000014004639B
RegisterWindowMessageA.USER32 ref: 00000001400463AB
RegisterWindowMessageA.USER32 ref: 00000001400463BB
RegisterWindowMessageA.USER32 ref: 00000001400463CB
RegisterWindowMessageA.USER32 ref: 00000001400463DB
RegisterWindowMessageA.USER32 ref: 00000001400463EB
RegisterWindowMessageA.USER32 ref: 00000001400463FB
RegisterWindowMessageA.USER32 ref: 000000014004640B
RegisterWindowMessageA.USER32 ref: 000000014004641B
RegisterWindowMessageA.USER32 ref: 000000014004642B
RegisterWindowMessageA.USER32 ref: 000000014004643B

Strings

Link Source, xrefs: 00000001400463D1
Embedded Object, xrefs: 00000001400463B1
FileNameW, xrefs: 0000000140046411
Native, xrefs: 0000000140046385
Rich Text Format, xrefs: 0000000140046421
ObjectLink, xrefs: 00000001400463A1
Embed Source, xrefs: 00000001400463C1
Link Source Descriptor, xrefs: 00000001400463F1
Object Descriptor, xrefs: 00000001400463E1
FileName, xrefs: 0000000140046401
OwnerLink, xrefs: 0000000140046392
RichEdit Text and Objects, xrefs: 0000000140046431

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageRegisterWindow
String ID: Embed Source$Embedded Object$FileName$FileNameW$Link Source$Link Source Descriptor$Native$Object Descriptor$ObjectLink$OwnerLink$Rich Text Format$RichEdit Text and Objects
API String ID: 1814269913-2889995556
Opcode ID: 562527047f32b194420e4ddc9832e0189e623a2e4b5b8259cb7777078e842278
Instruction ID: f93e7a3d8be8b825f5893b9ee5151a4500cb1841ce23b130d32cea8f5a735f35
Opcode Fuzzy Hash: 562527047f32b194420e4ddc9832e0189e623a2e4b5b8259cb7777078e842278
Instruction Fuzzy Hash: 292179B6911B0596FB46AF72E89879837B0FB5CF19F844416CA0E87274EB78D18AC704

Function 000000014003017C Relevance: 31.9, APIs: 21, Instructions: 387windowkeyboardCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 00000001400301C2
GetParent.USER32 ref: 0000000140030215
GetParent.USER32 ref: 000000014003022C
GetKeyState.USER32 ref: 000000014003031F
SendMessageA.USER32 ref: 000000014003035A
SendMessageA.USER32 ref: 00000001400303ED
SendMessageA.USER32 ref: 0000000140030469
GetNextDlgGroupItem.USER32 ref: 00000001400304EE
GetWindowLongA.USER32 ref: 0000000140030530
SendMessageA.USER32 ref: 0000000140030547
SendMessageA.USER32 ref: 000000014003055E
MessageBeep.USER32 ref: 0000000140030670

Part of subcall function 00000001400310C8: SendMessageA.USER32 ref: 00000001400310DB

IsDialogMessageA.USER32 ref: 00000001400306CE
GetFocus.USER32 ref: 00000001400306DA
GetFocus.USER32 ref: 00000001400306ED
IsWindow.USER32 ref: 000000014003070C
GetFocus.USER32 ref: 0000000140030716
IsWindow.USER32 ref: 0000000140030734
GetFocus.USER32 ref: 000000014003073E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$Send$Focus$Window$Parent$BeepDialogGroupItemLongNextState
String ID:
API String ID: 1817911776-0
Opcode ID: b38a25859ad1fa00081079634831d3ac9b8f33ffd77ef6ec2280e3bb72e49038
Instruction ID: d608c971f5de22f1e14da5992ad17e3e9a0d7e8fb008115e89eeeb61e57fcdf9
Opcode Fuzzy Hash: b38a25859ad1fa00081079634831d3ac9b8f33ffd77ef6ec2280e3bb72e49038
Instruction Fuzzy Hash: 13F16A71206B4082FE6B9B5395A47EB67A1AB8CFC4F144529FF4A4B7B5DF79C8418300

Function 00000001400184D8 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 181COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 000000014001854A

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

GetClassLongA.USER32 ref: 0000000140018592
GlobalGetAtomNameA.KERNEL32 ref: 00000001400185C9
CompareStringA.KERNEL32 ref: 00000001400185F3
SetWindowLongPtrA.USER32 ref: 000000014001864E
GetClassNameA.USER32 ref: 00000001400186C1

Part of subcall function 000000014019A840: _invalid_parameter_noinfo.LIBCMT ref: 000000014019A881

GetClassLongPtrA.USER32 ref: 00000001400186F3
GetWindowLongPtrA.USER32 ref: 000000014001870A
GetPropA.USER32 ref: 0000000140018725
SetPropA.USER32 ref: 0000000140018739
GetPropA.USER32 ref: 0000000140018745
GlobalAddAtomA.KERNEL32 ref: 0000000140018753
SetWindowLongPtrA.USER32 ref: 0000000140018768

Part of subcall function 0000000140019E80: OutputDebugStringA.KERNEL32 ref: 0000000140019EBA
Part of subcall function 0000000140019E80: ActivateActCtx.KERNEL32 ref: 0000000140019EDF

CallNextHookEx.USER32 ref: 000000014001877D
UnhookWindowsHookEx.USER32 ref: 000000014001878F

Strings

#32768, xrefs: 0000000140018696, 00000001400186D3
AfxOldWndProc423, xrefs: 0000000140018718
ime, xrefs: 00000001400185E0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Long$ClassHookPropWindow$AtomCallGlobalNameNextString$ActivateCompareDebugExceptionOutputThrowUnhookWindows_invalid_parameter_noinfo
String ID: #32768$AfxOldWndProc423$ime
API String ID: 2071670248-4034971020
Opcode ID: 747dc8ac1d5893e7172ea6335c42f330a762538ae5c5b9d96100c4dac6eb6982
Instruction ID: 191d4ff228a53118fc77ec4e012e97623c85d388d390fa9037096af708ffdb28
Opcode Fuzzy Hash: 747dc8ac1d5893e7172ea6335c42f330a762538ae5c5b9d96100c4dac6eb6982
Instruction Fuzzy Hash: 05716E72204A8186FA269B27E8547DA33A1BB8DFD0F644625EF5A0B7F5DF39C945C300

Function 000000014006C72C Relevance: 28.6, APIs: 19, Instructions: 92COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C98E
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C99D
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9AC
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9BB
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9CA
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9D9
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9E8
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9F7
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA06
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA15
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA24
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA33
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA42
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA51
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA60
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA72
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA84
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA96
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CAA8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: 47b1c073c2efbe2db297774675f4cea43fed58c0ed35c163442df1a0ebd90449
Instruction ID: 7ea57da2b3cb3230a2381ef4efeb4ecf8fd8ee3a0141a3226b5a3c10be615ff0
Opcode Fuzzy Hash: 47b1c073c2efbe2db297774675f4cea43fed58c0ed35c163442df1a0ebd90449
Instruction Fuzzy Hash: 9541BC35212E0095EF5ADFA6D8A47B82371AF8CFA5F18491ADF0E476B48F39C4449211

Function 000000014006C71C Relevance: 28.6, APIs: 19, Instructions: 86COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C98E
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C99D
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9AC
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9BB
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9CA
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9D9
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9E8
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9F7
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA06
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA15
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA24
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA33
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA42
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA51
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA60
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA72
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA84
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA96
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CAA8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: b4c0caf5280881ea91040c1d30b2cc213ae7ef9bcd607696fa33fe9cde2c9f51
Instruction ID: f77266410e85049347739b717b1920e225630cd94c49338327f971b30756a35d
Opcode Fuzzy Hash: b4c0caf5280881ea91040c1d30b2cc213ae7ef9bcd607696fa33fe9cde2c9f51
Instruction Fuzzy Hash: CC41AB39212E00D5EF5ADFA7D8A47B82371AF8CFA5F18491ADF0E476A48F39C4849251

Function 000000014006C97C Relevance: 28.6, APIs: 19, Instructions: 83COMMON

Download Yara Rule

APIs

CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C98E
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C99D
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9AC
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9BB
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9CA
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9D9
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9E8
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006C9F7
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA06
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA15
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA24
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA33
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA42
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA51
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA60
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA72
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA84
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CA96
CloseThemeData.UXTHEME(?,?,?,?,?,?,?,0000000140077A2E), ref: 000000014006CAA8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CloseDataTheme
String ID:
API String ID: 2797872399-0
Opcode ID: efdee714d9ba5ee4fbd13745e371895e2038c435d453ad5cf73d5880d2a27135
Instruction ID: e497aa228a7244f8d0afed181bb509b919b3381af6a5d6a4e4f6a7d2a9557d30
Opcode Fuzzy Hash: efdee714d9ba5ee4fbd13745e371895e2038c435d453ad5cf73d5880d2a27135
Instruction Fuzzy Hash: E741AC39312E0095EF5ADFA7D8A47B82371AF8CFA5F18491ADE0F476A48F39C4849251

Function 00000001400547F4 Relevance: 26.5, APIs: 7, Strings: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140054851
GetClientRect.USER32 ref: 0000000140054869
GetSystemMetrics.USER32 ref: 000000014005488E
GetSystemMetrics.USER32 ref: 00000001400548BE
InvalidateRect.USER32 ref: 00000001400548E8
UpdateWindow.USER32 ref: 00000001400548F2
RedrawWindow.USER32 ref: 0000000140054B14

Part of subcall function 0000000140052D2C: SendMessageA.USER32 ref: 0000000140052DB3
Part of subcall function 0000000140052D2C: SendMessageA.USER32 ref: 0000000140052DE9

Strings

MFCPropertyGrid_VSDotNetLook, xrefs: 0000000140054B21
MFCPropertyGrid_AlphabeticMode, xrefs: 0000000140054ABD
MFCPropertyGrid_DescriptionRows, xrefs: 0000000140054A50
Property, xrefs: 0000000140054AA3
MFCPropertyGrid_HeaderCtrl, xrefs: 0000000140054A88
Value, xrefs: 0000000140054A9C
MFCPropertyGrid_ModifiedProperties, xrefs: 0000000140054AE3
MFCPropertyGrid_DescriptionArea, xrefs: 00000001400549FA

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$MetricsRectSystemWindow$ClientInvalidateRedrawUpdate
String ID: MFCPropertyGrid_AlphabeticMode$MFCPropertyGrid_DescriptionArea$MFCPropertyGrid_DescriptionRows$MFCPropertyGrid_HeaderCtrl$MFCPropertyGrid_ModifiedProperties$MFCPropertyGrid_VSDotNetLook$Property$Value
API String ID: 3900036962-2695045869
Opcode ID: 5a7f640cd479229010d17705601f9c014a6b12e1cd2703c44eef8eab6b16f570
Instruction ID: 073eaac70e10153c570b31bb26ff97a2a18c594b665f24b0d1c3a6f2141efba2
Opcode Fuzzy Hash: 5a7f640cd479229010d17705601f9c014a6b12e1cd2703c44eef8eab6b16f570
Instruction Fuzzy Hash: 75B18E72700A458BFB15DF7AE8907DD37A1FB88B98F045225EB1A47AA9DF38C445CB40

Function 0000000140068560 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 312windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 000000014006859C
IsRectEmpty.USER32 ref: 00000001400685D6
IntersectRect.USER32 ref: 0000000140068659
IntersectRect.USER32 ref: 0000000140068702
IsRectEmpty.USER32 ref: 000000014006873F
IsRectEmpty.USER32 ref: 0000000140068751
SelectObject.GDI32 ref: 000000014006876D
IsRectEmpty.USER32 ref: 0000000140068789
IsRectEmpty.USER32 ref: 00000001400687A3
AlphaBlend.MSIMG32 ref: 0000000140068842
StretchBlt.GDI32 ref: 00000001400688A6
SelectObject.GDI32 ref: 00000001400688BD
SetRectEmpty.USER32 ref: 0000000140068979

Strings

, xrefs: 0000000140068871

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$IntersectObjectSelect$AlphaBlendStretch
String ID:
API String ID: 3434778532-3916222277
Opcode ID: 73a70fb746fe8eaeb0de52f48b6c9341521c273086cb9924ca1b805c325e2354
Instruction ID: 68f7bb375df8e28703d8a69e2447eacc52b6ad1e5543518cbb9dc3b293d3e9d1
Opcode Fuzzy Hash: 73a70fb746fe8eaeb0de52f48b6c9341521c273086cb9924ca1b805c325e2354
Instruction Fuzzy Hash: 2FE13676B146408FE721CFBAD8407AD7BB1F348B88F144615EF4AA7A68DB38E445CB50

Function 0000000140024298 Relevance: 24.2, APIs: 16, Instructions: 157windowCOMMON

Download Yara Rule

APIs

PeekMessageA.USER32 ref: 0000000140024329
GetCapture.USER32 ref: 000000014002433C
ReleaseCapture.USER32 ref: 0000000140024347
PeekMessageA.USER32 ref: 0000000140024366
PeekMessageA.USER32 ref: 0000000140024381
GetMessageA.USER32 ref: 000000014002439B
TranslateMessage.USER32 ref: 00000001400243BB
PeekMessageA.USER32 ref: 000000014002442D
SendMessageA.USER32 ref: 0000000140024450
PeekMessageA.USER32 ref: 0000000140024489
ReleaseCapture.USER32 ref: 00000001400244B7
GetMessageA.USER32 ref: 00000001400244CB
DispatchMessageA.USER32 ref: 00000001400244D4
GetCursorPos.USER32 ref: 00000001400244E2
PeekMessageA.USER32 ref: 0000000140024510
DispatchMessageA.USER32 ref: 0000000140024519

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$Peek$Capture$DispatchRelease$CursorSendTranslate
String ID:
API String ID: 605349011-0
Opcode ID: 8682a7a2f194126b60761d600e311353843621d26c66ac5a826e08a462d4674e
Instruction ID: 18dbc39062217b1d38bd860f85da0745a6c5d20de0849a0abc7af766fb96ff3c
Opcode Fuzzy Hash: 8682a7a2f194126b60761d600e311353843621d26c66ac5a826e08a462d4674e
Instruction Fuzzy Hash: E6619D32700A9086F766EF27E8547AD67A0F74DFC4F548129EB4A47AA5DF38C8858B00

Function 00000001400A5380 Relevance: 22.7, APIs: 15, Instructions: 212timeCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400A53D2
InflateRect.USER32 ref: 00000001400A5407
SetRectEmpty.USER32 ref: 00000001400A54AA
SetRectEmpty.USER32 ref: 00000001400A54B3
GetSystemMetrics.USER32 ref: 00000001400A54DA
KillTimer.USER32 ref: 00000001400A558D
EqualRect.USER32 ref: 00000001400A55A6
EqualRect.USER32 ref: 00000001400A55B7
EqualRect.USER32 ref: 00000001400A561A
InvalidateRect.USER32 ref: 00000001400A5633
InvalidateRect.USER32 ref: 00000001400A5643
EqualRect.USER32 ref: 00000001400A5653
InvalidateRect.USER32 ref: 00000001400A5668
InvalidateRect.USER32 ref: 00000001400A5678
UpdateWindow.USER32 ref: 00000001400A5689

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
String ID:
API String ID: 2140115980-0
Opcode ID: 83b4d6306087e7e9e7b47aeba74701c652eff63bb0cb0f8229bab453f2bbf9f8
Instruction ID: 49bf4c0a5aed536de3d31888a5d3d38fe9454e9526ee4725521cf019569e4d1a
Opcode Fuzzy Hash: 83b4d6306087e7e9e7b47aeba74701c652eff63bb0cb0f8229bab453f2bbf9f8
Instruction Fuzzy Hash: 3FA15A36A00A50CAE701DF7AD8947ED37B1F758B89F088625EF0A5B668DF39C485CB10

Function 00000001400887AC Relevance: 21.2, APIs: 14, Instructions: 189windowCOMMON

Download Yara Rule

APIs

RedrawWindow.USER32 ref: 0000000140088805
PtInRect.USER32 ref: 0000000140088812
SendMessageA.USER32 ref: 000000014008883F
GetParent.USER32 ref: 0000000140088860
SendMessageA.USER32 ref: 0000000140088889
SendMessageA.USER32 ref: 00000001400888DA
ReleaseCapture.USER32 ref: 00000001400888F4
ReleaseCapture.USER32 ref: 00000001400889A5
ReleaseCapture.USER32 ref: 00000001400889F4
IsRectEmpty.USER32 ref: 0000000140088A4F
InvalidateRect.USER32 ref: 0000000140088A64
IsRectEmpty.USER32 ref: 0000000140088A6E
InvalidateRect.USER32 ref: 0000000140088A83
UpdateWindow.USER32 ref: 0000000140088A8D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$CaptureMessageReleaseSend$EmptyInvalidateWindow$ParentRedrawUpdate
String ID:
API String ID: 1443145988-0
Opcode ID: 8170c69812470fcad09f5667f3cb3f8cd2d66caeb5f4611708d30993146573b8
Instruction ID: fb9c1f2e2f6086b516037bcc6752005354e7192a46351b9cbec26efbfda5ebfb
Opcode Fuzzy Hash: 8170c69812470fcad09f5667f3cb3f8cd2d66caeb5f4611708d30993146573b8
Instruction Fuzzy Hash: E3914236300A8197EB1A8B26DA847ED77B9F788BC4F044426DF1A4B7A4DF38D665C740

Function 00000001401390A0 Relevance: 19.9, APIs: 13, Instructions: 365windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F73C: BeginPaint.USER32(?,?,?,?,?,00000001400061B8), ref: 000000014000F776

Part of subcall function 000000014005C57C: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
Part of subcall function 000000014005C57C: GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

GetClientRect.USER32 ref: 0000000140139130
FillRect.USER32 ref: 0000000140139167
PatBlt.GDI32 ref: 00000001401391DD
PatBlt.GDI32 ref: 0000000140139204
PatBlt.GDI32 ref: 0000000140139232
PatBlt.GDI32 ref: 000000014013925C
GetParent.USER32 ref: 0000000140139341
IsRectEmpty.USER32 ref: 00000001401393EC
FillRect.USER32 ref: 0000000140139451

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

InflateRect.USER32 ref: 0000000140139508
IsRectEmpty.USER32 ref: 0000000140139566
InflateRect.USER32 ref: 000000014013927F

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

FillRect.USER32 ref: 0000000140139607

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Fill$ClientConditionEmptyHashInflateMask$BeginExceptionImplImpl::InfoMetricsPaintParentSystemThrowVerifyVersion
String ID:
API String ID: 1719801302-0
Opcode ID: 2fb9c24971c6b442ce91f3b648e1d66714abaef3e38974bc3d331fe6bc1c0821
Instruction ID: 26b100204331f0167f349f7c72030f0ee3b298d6c0c9617a35a2aac8ea140d58
Opcode Fuzzy Hash: 2fb9c24971c6b442ce91f3b648e1d66714abaef3e38974bc3d331fe6bc1c0821
Instruction Fuzzy Hash: 27026B36610A508AEB12DF66D8447ED37A5F78DF88F004126EF4A97BA9DF78C944CB40

Function 00000001400E1094 Relevance: 19.8, APIs: 13, Instructions: 279windowkeyboardCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400E11BF
SendMessageA.USER32 ref: 00000001400E11EF

Part of subcall function 0000000140161688: GetWindowRect.USER32(?,?,?,?,?,?,00000001,00000001400DEE26), ref: 00000001401616CB
Part of subcall function 0000000140161688: KillTimer.USER32(?,?,?,?,?,?,00000001,00000001400DEE26), ref: 0000000140161705

SendMessageA.USER32 ref: 00000001400E12D0
GetKeyState.USER32 ref: 00000001400E1322
GetKeyState.USER32 ref: 00000001400E133B
ImmGetContext.IMM32 ref: 00000001400E1350
ImmGetOpenStatus.IMM32 ref: 00000001400E1360
ImmReleaseContext.IMM32 ref: 00000001400E137D
GetFocus.USER32 ref: 00000001400E13A9
IsWindow.USER32 ref: 00000001400E1478
ClientToScreen.USER32 ref: 00000001400E148B
IsWindow.USER32 ref: 00000001400E14B3
ClientToScreen.USER32 ref: 00000001400E14EC

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$ClientContextMessageScreenSendState$CaptureFocusKillOpenRectReleaseStatusTimer
String ID:
API String ID: 1337522018-0
Opcode ID: 759a9a70a024a7f107741997943d9f0423788726b5cef5b30025924c39904232
Instruction ID: 857d04f0e219dac09d3a52476f2a458fb539084bc213141799bf2357153eb55b
Opcode Fuzzy Hash: 759a9a70a024a7f107741997943d9f0423788726b5cef5b30025924c39904232
Instruction Fuzzy Hash: 0CC16E3260060086FB669B63D9843ED62A1E7CDBE0F004426EF1AA76F5DB78CC90C781

Function 00000001400B0C4C Relevance: 19.7, APIs: 13, Instructions: 186windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001400B0C83
GetParent.USER32 ref: 00000001400B0CC9
GetParent.USER32 ref: 00000001400B0CF5
OffsetRect.USER32 ref: 00000001400B0D4C
OffsetRect.USER32 ref: 00000001400B0D5E
OffsetRect.USER32 ref: 00000001400B0D6C
SendMessageA.USER32 ref: 00000001400B0DC2
GetWindowRect.USER32 ref: 00000001400B0DDD
GetParent.USER32 ref: 00000001400B0DFD
MapWindowPoints.USER32 ref: 00000001400B0E2C
InflateRect.USER32 ref: 00000001400B0E71
SetRectEmpty.USER32 ref: 00000001400B0F02
SetRectEmpty.USER32 ref: 00000001400B0F0F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$EmptyOffsetParent$Window$InflateMessagePointsSend
String ID:
API String ID: 2895032312-0
Opcode ID: 878e182e87298f58024a7562fb029ba8b0bf13f548f044f62303f589af81a472
Instruction ID: 0f7ae6f79d35d4d4c07bf772134a50b16e53abaaf1036a37cb9acf5e1ac87829
Opcode Fuzzy Hash: 878e182e87298f58024a7562fb029ba8b0bf13f548f044f62303f589af81a472
Instruction Fuzzy Hash: BC814B36600A418AEB56DF6AD4847AD77A1F789F84F088125EF4A4B7A9DF38D845C700

Function 00000001400647E8 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 176COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140064904

Part of subcall function 0000000140061D68: GetWindowRect.USER32 ref: 0000000140061D83

Strings

%TsPane-%d%x, xrefs: 0000000140064892
RectRecentFloat, xrefs: 0000000140064966
PinState, xrefs: 00000001400649EC
RectRecentDocked, xrefs: 000000014006497D
RecentFrameAlignment, xrefs: 0000000140064994
MRUWidth, xrefs: 00000001400649D5
Panes, xrefs: 000000014006481E
RecentRowIndex, xrefs: 00000001400649AB
IsFloating, xrefs: 00000001400649BE
%TsPane-%d, xrefs: 000000014006487F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectWindow
String ID: %TsPane-%d$%TsPane-%d%x$IsFloating$MRUWidth$Panes$PinState$RecentFrameAlignment$RecentRowIndex$RectRecentDocked$RectRecentFloat
API String ID: 861336768-2628993547
Opcode ID: cacd904b97d86d1eba95ded1579f6770c4ef25dc25ec3d3ba0c6d6cb3abc3c3c
Instruction ID: 77868240798182432c8581466370ad210f319c8e1e0e41d609370073c1bca2f1
Opcode Fuzzy Hash: cacd904b97d86d1eba95ded1579f6770c4ef25dc25ec3d3ba0c6d6cb3abc3c3c
Instruction Fuzzy Hash: A7716776310A4192EB0AEB2AD8847EC37A1FB89FE4F448616DF29137A4DF34C856C340

Function 00000001400953B4 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 103timeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32 ref: 00000001400953F7
GetSystemMetrics.USER32 ref: 0000000140095404
GetSystemMetrics.USER32 ref: 000000014009541C
GetSystemMetrics.USER32 ref: 0000000140095437
GetSystemMetrics.USER32 ref: 000000014009544C
CreateEllipticRgn.GDI32 ref: 00000001400954F1
SetWindowRgn.USER32 ref: 0000000140095513
SetCapture.USER32 ref: 000000014009551D
SetTimer.USER32 ref: 000000014009553B

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Strings

, xrefs: 000000014009549A
, xrefs: 0000000140095492

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MetricsSystem$CaptureClientCreateEllipticExceptionScreenThrowTimerWindow
String ID: $
API String ID: 3301921535-227171996
Opcode ID: 75c6f2d3cc1605f7b56df1dab96143ec99f983c7f883cf3b321fb04f22183348
Instruction ID: 77b986b6aa66ddbcf9342e25ed384f10e9b3729abf7ea61e98fa8eb4628149ec
Opcode Fuzzy Hash: 75c6f2d3cc1605f7b56df1dab96143ec99f983c7f883cf3b321fb04f22183348
Instruction Fuzzy Hash: 30418D72600B80C7E751CF26E898B9E77B5F788B94F158225DB5A87BA5DF39C405CB00

Function 00000001400E8394 Relevance: 18.2, APIs: 12, Instructions: 247timewindowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 00000001400E83C0
GetCursorPos.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E83DD
ScreenToClient.USER32 ref: 00000001400E83EC
GetParent.USER32 ref: 00000001400E8491
SetTimer.USER32 ref: 00000001400E84FD
InvalidateRect.USER32 ref: 00000001400E8511
UpdateWindow.USER32 ref: 00000001400E851B
KillTimer.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E852C
KillTimer.USER32(?,?,?,00000001400ADFD4), ref: 00000001400E8600
GetParent.USER32 ref: 00000001400E8618
GetParent.USER32 ref: 00000001400E8697
SendMessageA.USER32 ref: 00000001400E8726

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
String ID:
API String ID: 2010726786-0
Opcode ID: 64d268d5e3e0e19df1f8f1878da38bffd9721068c46f013a626b0bf2d954a19c
Instruction ID: 24165bae613907c7bfd52497d383519468396d3868a9b197ea670969325ae87e
Opcode Fuzzy Hash: 64d268d5e3e0e19df1f8f1878da38bffd9721068c46f013a626b0bf2d954a19c
Instruction Fuzzy Hash: 4DB13772301A5082EA6A9B53E5543E963A0FB8DFE0F044525EF1E2BBB5EF39D851C340

Function 000000014004CFC4 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 218stringwindowCOMMON

Download Yara Rule

APIs

CopyRect.USER32 ref: 000000014004D03B
DrawFocusRect.USER32 ref: 000000014004D04F
CreateSolidBrush.GDI32 ref: 000000014004D09D
GetBkColor.GDI32 ref: 000000014004D0DF
CreateSolidBrush.GDI32 ref: 000000014004D0E7
FillRect.USER32 ref: 000000014004D10F
GetObjectA.GDI32 ref: 000000014004D1C7
lstrcpyA.KERNEL32 ref: 000000014004D1D5
CreateFontIndirectA.GDI32 ref: 000000014004D202

Strings

$, xrefs: 000000014004D26A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CreateRect$BrushSolid$ColorCopyDrawFillFocusFontIndirectObjectlstrcpy
String ID: $
API String ID: 841727867-3993045852
Opcode ID: 70abd073fc41e0bb6536c334a3a373a9cfd6244ee6d7def14bb2ccdb2bb1fb9c
Instruction ID: e1b6f7c66c015eb881422aa58add108f8e8c85db8f32aa80f1433e4dd985a7d8
Opcode Fuzzy Hash: 70abd073fc41e0bb6536c334a3a373a9cfd6244ee6d7def14bb2ccdb2bb1fb9c
Instruction Fuzzy Hash: D4A14472710A509AEB12DBA6D8543DD33B1F788B98F414626EF1A57BB8DF78C809C740

Function 0000000140178BFC Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 213windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140178C76

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Part of subcall function 00000001400FA7B8: GetParent.USER32 ref: 00000001400FA7CF
Part of subcall function 00000001400FA7B8: SendMessageA.USER32 ref: 00000001400FA805

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

SendMessageA.USER32 ref: 0000000140178DA8

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

GetTextExtentPoint32A.GDI32 ref: 0000000140178DF7
GetTextExtentPoint32A.GDI32 ref: 0000000140178E55
GetTextExtentPoint32A.GDI32 ref: 0000000140178E79
GetTextExtentPoint32A.GDI32 ref: 0000000140178E9B
GetTextExtentPoint32A.GDI32 ref: 0000000140178EBF
GetTextExtentPoint32A.GDI32 ref: 0000000140178EE1
GetTextExtentPoint32A.GDI32 ref: 0000000140178F05

Strings

$, xrefs: 0000000140178CBD

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ExtentPoint32Text$MessageObjectSelectSend$ExceptionInflateParentRectThrow
String ID: $
API String ID: 2625211087-3993045852
Opcode ID: f42a36e286bdb419417dd3283e0acf350f70693f45374ed3b3f5cdaeed2bf7b8
Instruction ID: d1251fb3f636ef4d5e370deda51f2547f9d49f329fb57b2306268a37cba1d8f4
Opcode Fuzzy Hash: f42a36e286bdb419417dd3283e0acf350f70693f45374ed3b3f5cdaeed2bf7b8
Instruction Fuzzy Hash: 07A14572700A849BEB69DF26D9847ED77A0F748B98F004126EF6947BA4DF34D4A5CB00

Function 00000001400B08C4 Relevance: 15.2, APIs: 10, Instructions: 230windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400B097C
SendMessageA.USER32 ref: 00000001400B099D
SendMessageA.USER32 ref: 00000001400B09BC
SendMessageA.USER32 ref: 00000001400B09D8
SendMessageA.USER32 ref: 00000001400B09F7
SendMessageA.USER32 ref: 00000001400B0B38
SendMessageA.USER32 ref: 00000001400B0BAE
SendMessageA.USER32 ref: 00000001400B0BCD
SendMessageA.USER32 ref: 00000001400B0BE9
SendMessageA.USER32 ref: 00000001400B0C08

Part of subcall function 000000014001AEEC: IsWindow.USER32 ref: 000000014001AF05
Part of subcall function 000000014001AEEC: SetWindowTextA.USER32 ref: 000000014001AF2C

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Window$ExceptionTextThrow
String ID:
API String ID: 604127595-0
Opcode ID: 40a93ad119b34c9ff6b1f16184f799140ebfbbb9e31b164235dc69cd6297ce83
Instruction ID: d54b49463c2959654c800cf3884960c8b2100f6c542279a542246626f71f6827
Opcode Fuzzy Hash: 40a93ad119b34c9ff6b1f16184f799140ebfbbb9e31b164235dc69cd6297ce83
Instruction Fuzzy Hash: 07917F35300A8082EA5ADF97D8507E9A761FB89FD4F548122EF2D8B7A5DF35C4528300

Function 000000014012CEF8 Relevance: 15.2, APIs: 10, Instructions: 205COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014012CF34
PtInRect.USER32 ref: 000000014012CF42
OffsetRect.USER32 ref: 000000014012CFCD
PtInRect.USER32 ref: 000000014012CFDB
GetClientRect.USER32 ref: 000000014012D008
PtInRect.USER32 ref: 000000014012D022
GetCursorPos.USER32 ref: 000000014012D105
GetParent.USER32 ref: 000000014012D10F

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientCursorExceptionOffsetParentThrowWindow
String ID:
API String ID: 2639127842-0
Opcode ID: eaf30c06b2bcd2997de5724f89c3291f11461a8b5050bd7cd0791bfcfd30aec4
Instruction ID: 632525820d0631617980676bbae9b55c3f9e5ee0aec766d4079a42cf2e02cd70
Opcode Fuzzy Hash: eaf30c06b2bcd2997de5724f89c3291f11461a8b5050bd7cd0791bfcfd30aec4
Instruction Fuzzy Hash: EF815976710A5586EB569B27D8943ED37A0F788F89F04852AEF0A57BB9DF38C446C300

Function 0000000140170578 Relevance: 15.2, APIs: 10, Instructions: 171COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 000000014017060A
PtInRect.USER32 ref: 000000014017063C
PtInRect.USER32 ref: 0000000140170652
PtInRect.USER32 ref: 000000014017069F
GetParent.USER32 ref: 00000001401706AD
InflateRect.USER32 ref: 00000001401706F1
PtInRect.USER32 ref: 00000001401706FF
GetWindowRect.USER32 ref: 0000000140170788
InflateRect.USER32 ref: 0000000140170798
PtInRect.USER32 ref: 00000001401707A6

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$InflateWindow$Parent
String ID:
API String ID: 1237301043-0
Opcode ID: 7b2323966c53abbe645a9b9253b4fa9f012fb9c5224e1b9852bce6a3fee02f91
Instruction ID: ea8f44ca63c9189592d7ce7932e429a49697e4fa7a1c9ef581b166ed050ac28c
Opcode Fuzzy Hash: 7b2323966c53abbe645a9b9253b4fa9f012fb9c5224e1b9852bce6a3fee02f91
Instruction Fuzzy Hash: 52712636700B4089EB56CFA6D4947ED37B1BB48F98F148026EF4A57AA8EB35D485C700

Function 0000000140161018 Relevance: 15.2, APIs: 10, Instructions: 151windowtimeCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140160178: RedrawWindow.USER32 ref: 0000000140160211

PtInRect.USER32 ref: 00000001401610BB
ClientToScreen.USER32 ref: 00000001401610DF

Part of subcall function 0000000140161464: InvalidateRect.USER32 ref: 0000000140161574
Part of subcall function 0000000140161464: InvalidateRect.USER32 ref: 00000001401615DE
Part of subcall function 0000000140161464: UpdateWindow.USER32 ref: 00000001401615FC

InflateRect.USER32 ref: 000000014016114E
RedrawWindow.USER32 ref: 0000000140161165
PtInRect.USER32 ref: 000000014016117E
SendMessageA.USER32 ref: 00000001401611A2
PtInRect.USER32 ref: 00000001401611B3
GetParent.USER32 ref: 00000001401611C5
SendMessageA.USER32 ref: 00000001401611F2
SetTimer.USER32 ref: 0000000140161257

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$InvalidateMessageRedrawSend$ClientInflateParentScreenTimerUpdate
String ID:
API String ID: 570668372-0
Opcode ID: 636bb9df486a912c1e0ffc55c25f74f2f909f09e0738c6aa05b917b4a417273c
Instruction ID: 7f469574ca631fb12aa1c4ce9a060cedda86ee67f773266bdb3426c5a9fa236b
Opcode Fuzzy Hash: 636bb9df486a912c1e0ffc55c25f74f2f909f09e0738c6aa05b917b4a417273c
Instruction Fuzzy Hash: 19614636B10A9086FB518F76D8A57ED27A0FB89F88F085425DF0E47BA9DF34C4848350

Function 000000014001C728 Relevance: 15.1, APIs: 10, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001C74B
GlobalAlloc.KERNEL32 ref: 000000014001C7C8
GlobalHandle.KERNEL32 ref: 000000014001C7D0
GlobalUnlock.KERNEL32 ref: 000000014001C7DC
GlobalReAlloc.KERNEL32 ref: 000000014001C802
GlobalLock.KERNEL32 ref: 000000014001C822
LeaveCriticalSection.KERNEL32 ref: 000000014001C874
GlobalHandle.KERNEL32 ref: 000000014001C8AD
GlobalLock.KERNEL32 ref: 000000014001C8B6
LeaveCriticalSection.KERNEL32 ref: 000000014001C8BF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 54217362eb0da77aaf70f06517880fa8dcee85ed3f6d6c6329e42f93384c802d
Instruction ID: 8f02ca93e8a882d5454026eae1076cfc1a908aea47187eb683201359d45e125e
Opcode Fuzzy Hash: 54217362eb0da77aaf70f06517880fa8dcee85ed3f6d6c6329e42f93384c802d
Instruction Fuzzy Hash: 7A41AE75710B8487EA19DF16A1943A873A1F78CB80F048425EB6B4BBA1CF39D4618300

Function 0000000140144FA0 Relevance: 15.1, APIs: 10, Instructions: 103windowCOMMON

Download Yara Rule

APIs

SetCursor.USER32 ref: 0000000140144FEE
std::bad_exception::bad_exception.LIBCMT ref: 000000014014500E
SetForegroundWindow.USER32 ref: 0000000140145035
BringWindowToTop.USER32 ref: 000000014014503F
SetCapture.USER32 ref: 0000000140145049
PeekMessageA.USER32 ref: 0000000140145077
TranslateMessage.USER32 ref: 00000001401450D4
DispatchMessageA.USER32 ref: 00000001401450DF

Part of subcall function 0000000140145B44: GetNearestPaletteIndex.GDI32 ref: 0000000140145B93
Part of subcall function 0000000140145B44: InvalidateRect.USER32 ref: 0000000140145BBD

WaitMessage.USER32 ref: 0000000140145109
ReleaseCapture.USER32 ref: 000000014014511C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$CaptureWindow$BringCursorDispatchForegroundIndexInvalidateNearestPalettePeekRectReleaseTranslateWaitstd::bad_exception::bad_exception
String ID:
API String ID: 95895181-0
Opcode ID: 45b1dcb1c900c2d0d8fe4b44ac5189f79d3f8e102ce632b22bf654533872f120
Instruction ID: 47144638a629b43e654cc9003f7ee6efc6be0fc0aad34277681a6e604124f233
Opcode Fuzzy Hash: 45b1dcb1c900c2d0d8fe4b44ac5189f79d3f8e102ce632b22bf654533872f120
Instruction Fuzzy Hash: 34416636205A4082FB22AF26E4583AD37A0FB89F94F194135EB5B4B7B6CF79C8458341

Function 0000000140024524 Relevance: 15.1, APIs: 10, Instructions: 98threadCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0000000140024553
WindowFromPoint.USER32 ref: 0000000140024561
GetActiveWindow.USER32 ref: 0000000140024589
GetCurrentThreadId.KERNEL32 ref: 00000001400245A5
GetWindowThreadProcessId.USER32 ref: 00000001400245B8
GetDesktopWindow.USER32 ref: 00000001400245C9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
String ID:
API String ID: 1298419125-0
Opcode ID: 5a3b57759c518054463acd2af469e7b0ea0d2ecae5ee8bcfd1a86dc12b7f1e32
Instruction ID: d2a8981b69ef4ff39e8bf1af636f78ab6cff15cdd1dfb424f03a4e52a7d32a4b
Opcode Fuzzy Hash: 5a3b57759c518054463acd2af469e7b0ea0d2ecae5ee8bcfd1a86dc12b7f1e32
Instruction Fuzzy Hash: 0E313E31601A5096FF67AFA3A8983EA66E0B74DBC4F040429EF4B0B7B1DF79C8458601

Function 000000014014145C Relevance: 15.1, APIs: 10, Instructions: 70COMMON

Download Yara Rule

APIs

Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00000001401414E5
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00000001401414F2
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00000001401414FF
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 000000014014150C
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140141519
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140141526
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140141533
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 0000000140141540
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 000000014014154D
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 000000014014155A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ContextExternal$BaseBase::~Concurrency::details::
String ID:
API String ID: 1690591649-0
Opcode ID: 1b0577778a66d40deaa949aa7f287c08271006eac1648fd2bb680bc9fba0203e
Instruction ID: d2726622b9602723f01f8d6792fed0dcdd03e9aab11f465c9c56655a7d04ac2c
Opcode Fuzzy Hash: 1b0577778a66d40deaa949aa7f287c08271006eac1648fd2bb680bc9fba0203e
Instruction Fuzzy Hash: C9212E3625198092DB42AF79C8903DD2360F7CAFA4F499631AB2D872F6DF35C946C350

Function 0000000140018310 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 0000000140018364
CallWindowProcA.USER32 ref: 00000001400183E1

Part of subcall function 0000000140018A10: GetWindowRect.USER32 ref: 0000000140018A58
Part of subcall function 0000000140018A10: GetWindow.USER32 ref: 0000000140018A78

SetWindowLongPtrA.USER32 ref: 000000014001840F
RemovePropA.USER32 ref: 000000014001841F
GlobalFindAtomA.KERNEL32 ref: 000000014001842C
GlobalDeleteAtom.KERNEL32 ref: 0000000140018435

Part of subcall function 0000000140018ACC: GetWindowRect.USER32 ref: 0000000140018AE0

CallWindowProcA.USER32 ref: 00000001400184A1

Strings

AfxOldWndProc423, xrefs: 000000014001835D, 0000000140018415, 0000000140018425

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindLongRemove
String ID: AfxOldWndProc423
API String ID: 3892049428-1060338832
Opcode ID: d2a81f24cc1573d3e7d2d4c1cc669ef196a9526d2e9d64fceac170b8de95413f
Instruction ID: 78fe286bd9fb68c80d46a47bb8c6bef4467a238a6714f0d43b4e05638bbcdf3f
Opcode Fuzzy Hash: d2a81f24cc1573d3e7d2d4c1cc669ef196a9526d2e9d64fceac170b8de95413f
Instruction Fuzzy Hash: 48419E32204A4182EA669B67A8543EAB7A0F78EFD4F404115BF9A0FBB9DF3DC1458700

Function 00000001400412B8 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72windowthreadCOMMON

Download Yara Rule

APIs

SetFocus.USER32 ref: 00000001400412E2
GetParent.USER32 ref: 00000001400412F1
GetWindowThreadProcessId.USER32 ref: 0000000140041312
GetCurrentProcessId.KERNEL32 ref: 0000000140041318
GetActiveWindow.USER32 ref: 000000014004136E
SendMessageA.USER32 ref: 0000000140041387
SendMessageA.USER32 ref: 00000001400413A6

Strings

, xrefs: 000000014004138D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageProcessSendWindow$ActiveCurrentFocusParentThread
String ID:
API String ID: 4099184364-3916222277
Opcode ID: 158b5f6960aa978b6ee66bd7affbedf902c58918d651c99aa4fff21b9188c4f1
Instruction ID: 41da9127485c930f1d05e233afddc6ea691456c68e3fbc055fe3985132e2deea
Opcode Fuzzy Hash: 158b5f6960aa978b6ee66bd7affbedf902c58918d651c99aa4fff21b9188c4f1
Instruction Fuzzy Hash: EB318132210A5082EB569F26D4847DD37A1EBC8FC9F198034EB4A4BAB9DF38C845C704

Function 000000014001C374 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C3B0
GetStockObject.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C3BE
GetObjectA.GDI32 ref: 000000014001C3D6
GetDC.USER32 ref: 000000014001C3E7
GetDeviceCaps.GDI32 ref: 000000014001C406
MulDiv.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001400059DA), ref: 000000014001C418
ReleaseDC.USER32 ref: 000000014001C426

Strings

System, xrefs: 000000014001C17F, 000000014001C383, 000000014001C39E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: 0e934a0196a4440941dfe2dc45839e12f0cafee23271c606fa13148edb515ba0
Instruction ID: f9dbb477e6af988df83a4ec679ef4aad5530ae4a78cbb75a90288a3cb5249ab4
Opcode Fuzzy Hash: 0e934a0196a4440941dfe2dc45839e12f0cafee23271c606fa13148edb515ba0
Instruction Fuzzy Hash: ED213931314B5482FB169B22F8547AA73E0F74CF80F44452AAE9A5BBA8DF3DD506CB04

Function 00000001401104CC Relevance: 13.7, APIs: 9, Instructions: 244windowCOMMON

Download Yara Rule

APIs

DestroyMenu.USER32 ref: 0000000140110555
DestroyMenu.USER32 ref: 0000000140110571
ClientToScreen.USER32 ref: 00000001401105CF
GetWindowRect.USER32 ref: 00000001401105E5
ClientToScreen.USER32 ref: 000000014011065A
ClientToScreen.USER32 ref: 00000001401106B9
GetParent.USER32 ref: 0000000140110742
GetParent.USER32 ref: 0000000140110802
GetParent.USER32 ref: 0000000140110830

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientParentScreen$DestroyMenu$RectWindow
String ID:
API String ID: 3328890127-0
Opcode ID: 1a67bf9ecd5ca4e56e38c75f8ce450b983039749733a770eb0ac123eed4ec495
Instruction ID: db72d4f5fbc0636724be853e1797e7459980346324e1e840306b0027f03569ef
Opcode Fuzzy Hash: 1a67bf9ecd5ca4e56e38c75f8ce450b983039749733a770eb0ac123eed4ec495
Instruction Fuzzy Hash: DFB10372B11A548AEB5A9F66D8547EC33A0F78CF88F084525DF0A4B7A9EF78C445C700

Function 0000000140088AC0 Relevance: 13.7, APIs: 9, Instructions: 187COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 0000000140088B09
RedrawWindow.USER32 ref: 0000000140088B29
ClientToScreen.USER32 ref: 0000000140088B5D
WindowFromPoint.USER32 ref: 0000000140088B67
ReleaseCapture.USER32 ref: 0000000140088B84
SetCapture.USER32 ref: 0000000140088C05
ReleaseCapture.USER32 ref: 0000000140088C37
ClientToScreen.USER32 ref: 0000000140088D34
SetCursorPos.USER32 ref: 0000000140088D40

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Capture$ClientReleaseScreenWindow$CursorFromPointRectRedraw
String ID:
API String ID: 2024412728-0
Opcode ID: 22a70fd3f5e309dd1fcf97432df89c3fd5da659cd1dbbdbc8e943fe2b236ad53
Instruction ID: 7f4903fd88f4916f2b342cf60514f634cf5bedbbd8ae650d8e5ed6712cbdd49b
Opcode Fuzzy Hash: 22a70fd3f5e309dd1fcf97432df89c3fd5da659cd1dbbdbc8e943fe2b236ad53
Instruction Fuzzy Hash: 79811672301A81D7EB299B26CA843EC77A5F788BC5F048426EF19577A4CF34D661C740

Function 000000014003C010 Relevance: 13.6, APIs: 9, Instructions: 148timeCOMMON

Download Yara Rule

APIs

GetFileTime.KERNEL32 ref: 000000014003C0A5
GetFileSizeEx.KERNEL32 ref: 000000014003C0BE
GetFileAttributesA.KERNEL32 ref: 000000014003C100

Part of subcall function 000000014003BD08: GetModuleHandleA.KERNEL32 ref: 000000014003BD3A
Part of subcall function 000000014003BD08: GetProcAddress.KERNEL32 ref: 000000014003BD4F

FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C117
FileTimeToSystemTime.KERNEL32 ref: 000000014003C129
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C157
FileTimeToSystemTime.KERNEL32 ref: 000000014003C169
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C199
FileTimeToSystemTime.KERNEL32 ref: 000000014003C1AB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Time$File$LocalSystem$AddressAttributesHandleModuleProcSize
String ID:
API String ID: 461657242-0
Opcode ID: 530e8852f118ca2e27282b072913caa5eb63dd3687bcad63cdb64cd1a11a2856
Instruction ID: 87081f45d203f1b7fd6a9ec6d3adc3ab29b45fec011108cf088263c1bba8b5ed
Opcode Fuzzy Hash: 530e8852f118ca2e27282b072913caa5eb63dd3687bcad63cdb64cd1a11a2856
Instruction Fuzzy Hash: D7615C32310A0596FB229F76D8907EE23B0F749BD8F444612EB1AC7AA9EF34C565C350

Function 00000001400389B8 Relevance: 13.6, APIs: 9, Instructions: 73windowkeyboardCOMMON

Download Yara Rule

APIs

GetPropA.USER32 ref: 00000001400389F2
GlobalLock.KERNEL32 ref: 00000001400389FE
SendMessageA.USER32 ref: 0000000140038A1D
GlobalUnlock.KERNEL32 ref: 0000000140038A2B
RemovePropA.USER32 ref: 0000000140038A3C
GlobalFree.KERNEL32 ref: 0000000140038A4A
GlobalUnlock.KERNEL32 ref: 0000000140038A64
GetAsyncKeyState.USER32 ref: 0000000140038A78
SendMessageA.USER32 ref: 0000000140038AA6

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$MessagePropSendUnlock$AsyncFreeLockRemoveState
String ID:
API String ID: 723318029-0
Opcode ID: fed856cb2c051ec7a76a4d43933293b66d9f50d4ae167e2b76424080403050f3
Instruction ID: 695ccb5aeaca69494a01a328a8ebe120b71cba8bab1ab5d9a6fe299ae43845bb
Opcode Fuzzy Hash: fed856cb2c051ec7a76a4d43933293b66d9f50d4ae167e2b76424080403050f3
Instruction Fuzzy Hash: 7831FA35304F4086FB679B63E8547AA27A0EB8DFD0F085466EF5A0B7A8DF39C8458705

Function 00000001400386F8 Relevance: 13.6, APIs: 9, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32 ref: 0000000140038726
GetWindowLongA.USER32 ref: 000000014003873C
IsWindowEnabled.USER32 ref: 000000014003874B
GetDlgItem.USER32 ref: 0000000140038767
GetWindowLongA.USER32 ref: 0000000140038778
IsWindowEnabled.USER32 ref: 0000000140038787
GetFocus.USER32 ref: 00000001400387C1
IsWindowEnabled.USER32 ref: 00000001400387CA
SetFocus.USER32 ref: 00000001400387D7

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Enabled$FocusItemLong
String ID:
API String ID: 1558694495-0
Opcode ID: e6a114331f19151876a43837126eeded3317e7b1b2a011428d7ce0c38d2edf6d
Instruction ID: d1df8497db9188f41e7f8931666302d18fe34a8811a69c7e8bb85201cbfdabc0
Opcode Fuzzy Hash: e6a114331f19151876a43837126eeded3317e7b1b2a011428d7ce0c38d2edf6d
Instruction Fuzzy Hash: 45215135204B8086FB169F17A8883AA63A1AB8DFD4F644424EF5A4B7B4DF3DC4428300

Function 00000001401493C4 Relevance: 13.6, APIs: 9, Instructions: 51COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 000000014014940A
GetSystemMetrics.USER32 ref: 0000000140149418
GetSystemMetrics.USER32 ref: 0000000140149426
GetSystemMetrics.USER32 ref: 0000000140149434
GetSystemMetrics.USER32 ref: 0000000140149442
GetSystemMetrics.USER32 ref: 0000000140149450
GetSystemMetrics.USER32 ref: 000000014014945E
GetSystemMetrics.USER32 ref: 000000014014946C
GetSystemMetrics.USER32 ref: 000000014014947C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MetricsSystem
String ID:
API String ID: 4116985748-0
Opcode ID: 34fd52684bce99d1bcbb49c49ab86006792288d44e135a6f07b0e880f469c38c
Instruction ID: ce8ec6c914fc416e5c5a47db5df4f0299d9d0bab6758a702aa94fbb2769396ee
Opcode Fuzzy Hash: 34fd52684bce99d1bcbb49c49ab86006792288d44e135a6f07b0e880f469c38c
Instruction Fuzzy Hash: 05217876601B40DBEB559FB6EA9839837F5F748B41F004829D74A87BA0EF79E4748B00

Function 00000001400A13B8 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 261windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A1469
CreateCompatibleDC.GDI32 ref: 00000001400A147E
CreateCompatibleBitmap.GDI32 ref: 00000001400A14B4
SelectObject.GDI32 ref: 00000001400A151F
BitBlt.GDI32 ref: 00000001400A16AE
DeleteObject.GDI32 ref: 00000001400A1708

Part of subcall function 000000014009F994: AlphaBlend.MSIMG32(?,?,?,?,?,?,?,?,?,?), ref: 000000014009FA1D

Part of subcall function 000000014000F898: DeleteDC.GDI32 ref: 000000014000F8BF

Strings

, xrefs: 00000001400A1681

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CompatibleCreateDeleteHashObject$AlphaBitmapBlendImplImpl::Select
String ID:
API String ID: 2567705260-3916222277
Opcode ID: 7bdc0d0ee9c99415e8468c6718083e4f253327891c230712ab55cea29a3fb498
Instruction ID: e4844d12e235250ad8be72f718c79aa12345330ba7395b25029b97c0f3ebd229
Opcode Fuzzy Hash: 7bdc0d0ee9c99415e8468c6718083e4f253327891c230712ab55cea29a3fb498
Instruction Fuzzy Hash: BCA1C272B10A508AE711CF6AE4407DC77B1B798BD8F144226EF5DA7BA8DB74C846C740

Function 00000001400689F8 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 145COMMON

Download Yara Rule

APIs

CopyImage.USER32 ref: 0000000140068B8C
SelectObject.GDI32 ref: 0000000140068A19

Part of subcall function 000000014001B214: DeleteObject.GDI32 ref: 000000014001B22A

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

SelectObject.GDI32 ref: 0000000140068A32
DeleteObject.GDI32 ref: 0000000140068AA1
DeleteDC.GDI32 ref: 0000000140068AB3
LeaveCriticalSection.KERNEL32 ref: 0000000140068ACD

Strings

, xrefs: 0000000140068A48

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Object$Delete$Select$CopyCriticalExceptionImageLeaveSectionThrow
String ID:
API String ID: 3024931075-3916222277
Opcode ID: 4183f4da40368fe04ed0da6d749788eb5be9b02a5bf5244e6948ae801b0f9715
Instruction ID: a7c9eb88468e39790fc6ff05553d4cef777f844f59955da03866ab01e9dfb9a9
Opcode Fuzzy Hash: 4183f4da40368fe04ed0da6d749788eb5be9b02a5bf5244e6948ae801b0f9715
Instruction Fuzzy Hash: 02618F3261064082FB22CB67E88479D73A1F78CB94F245626EF5D476BACF78C881CB40

Function 0000000140004FEC Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 116windowCOMMON

Download Yara Rule

APIs

CheckMenuItem.USER32 ref: 0000000140005026

Part of subcall function 000000014001B284: GetWindowTextA.USER32 ref: 000000014001B2F4
Part of subcall function 000000014001B284: lstrcmpA.KERNEL32 ref: 000000014001B306
Part of subcall function 000000014001B284: SetWindowTextA.USER32 ref: 000000014001B316

SendMessageA.USER32 ref: 0000000140005046
SendMessageA.USER32 ref: 0000000140005066
SetMenuItemBitmaps.USER32 ref: 00000001400050E9
SetMenuItemInfoA.USER32 ref: 0000000140005143

Strings

@, xrefs: 0000000140005131
P, xrefs: 0000000140005127

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ItemMenu$MessageSendTextWindow$BitmapsCheckInfolstrcmp
String ID: @$P
API String ID: 72408025-358147200
Opcode ID: 38c1f25f56e8611d4f4725d68bf91588203f59908436569db490409fe4cf0b17
Instruction ID: b2910b4b0b642a4a4c4f48606ed753f50fb92fdbbd787494d12a80cdeb48664a
Opcode Fuzzy Hash: 38c1f25f56e8611d4f4725d68bf91588203f59908436569db490409fe4cf0b17
Instruction Fuzzy Hash: 0141B27130054486FB66EB67E4947AE33A0FB89FC9F248811EB4D4BAB5CF39C8418740

Function 00000001400592D4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014005932D
SendMessageA.USER32 ref: 0000000140059378
SendMessageA.USER32 ref: 00000001400593CE

Part of subcall function 0000000140058A54: SendMessageA.USER32 ref: 0000000140058AB0

SendMessageA.USER32 ref: 000000014005942F

Strings

@, xrefs: 0000000140059359

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend
String ID: @
API String ID: 3850602802-2766056989
Opcode ID: 87dc5e71fbee52ee5c6449ec6f40d767f9d3f5bf361369e1f41be8aabfbb627e
Instruction ID: 44864140c275b0fc05d418cb02bf9207773d183f8af189e862bd1af77391fc80
Opcode Fuzzy Hash: 87dc5e71fbee52ee5c6449ec6f40d767f9d3f5bf361369e1f41be8aabfbb627e
Instruction Fuzzy Hash: 89315E76714A4083FB26DB53E4947EA6761FB8CFC4F144025EB490BBA5CB7ACA958B00

Function 000000014000CE7C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014000D8B3
ActivateActCtx.KERNEL32 ref: 000000014000D8D8

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014000D8AC
ImageList_Destroy, xrefs: 000000014000D8F5

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ActivateDebugOutputString
String ID: ImageList_Destroy$IsolationAware function called after IsolationAwareCleanup
API String ID: 396653078-542355955
Opcode ID: 27cee79104b74bf5df40ca018185e30a6a4282db2b1a454aa804219dd3d4f263
Instruction ID: 3e555dc213822f9310a7e5e873eaca2dabc95ff00ae5f141a58ce40f830734af
Opcode Fuzzy Hash: 27cee79104b74bf5df40ca018185e30a6a4282db2b1a454aa804219dd3d4f263
Instruction Fuzzy Hash: 69317375610B1286FB12DB67E88039973E4FB9CBD0F444426EB0A873B0DF78C9458750

Function 0000000140038D28 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 77COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,0000000140036FE5), ref: 0000000140038D64
ActivateActCtx.KERNEL32(?,?,?,?,?,0000000140036FE5), ref: 0000000140038D89
GetLastError.KERNEL32(?,?,?,?,?,0000000140036FE5), ref: 0000000140038E00
DeactivateActCtx.KERNEL32(?,?,?,?,?,0000000140036FE5), ref: 0000000140038E13
SetLastError.KERNEL32(?,?,?,?,?,0000000140036FE5), ref: 0000000140038E1F

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140038D5D
CreatePropertySheetPageA, xrefs: 0000000140038DA9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: CreatePropertySheetPageA$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-882666801
Opcode ID: 30a747587544f41283e9ab9896c1fd9fb045ba24229aeebc92f9961dbae56447
Instruction ID: 21ead058b83e610d65f6afb2c2366e32f693628d6daa4423a2bd232d1ba3a6d9
Opcode Fuzzy Hash: 30a747587544f41283e9ab9896c1fd9fb045ba24229aeebc92f9961dbae56447
Instruction Fuzzy Hash: 19313836200B5186FB679B27E9443AAA3E5FB9CB80F550465EF4E877B4DF78C8518340

Function 0000000140034878 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00000001400348BF
ActivateActCtx.KERNEL32 ref: 00000001400348E4
GetLastError.KERNEL32 ref: 000000014003493A
DeactivateActCtx.KERNEL32 ref: 000000014003494D
SetLastError.KERNEL32 ref: 0000000140034959

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 00000001400348B8
ImageList_AddMasked, xrefs: 0000000140034902

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_AddMasked$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-4170123302
Opcode ID: ca0e7272dd2424c86d44475379c3875bb2fce7fe9d31a39de30bf2a809fe850d
Instruction ID: 14033dc45e128cdc0a448c89edbbab7a7342dc11aa7db89a11585a432ff4c2b7
Opcode Fuzzy Hash: ca0e7272dd2424c86d44475379c3875bb2fce7fe9d31a39de30bf2a809fe850d
Instruction Fuzzy Hash: 6C317336210B5182FB139B67AC8439A67E4B78CBE0F450526AF1A9B3F0DF78D805C340

Function 000000014003497C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 00000001400349C2
ActivateActCtx.KERNEL32 ref: 00000001400349E7
GetLastError.KERNEL32 ref: 0000000140034A3E
DeactivateActCtx.KERNEL32 ref: 0000000140034A51
SetLastError.KERNEL32 ref: 0000000140034A5D

Strings

ImageList_GetIcon, xrefs: 0000000140034A04
IsolationAware function called after IsolationAwareCleanup, xrefs: 00000001400349BB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_GetIcon$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-494412531
Opcode ID: 0cdb29ddfd5afa191229d1a43afffd05ecd8d7b8e93359a84a3a91fc7408f6e4
Instruction ID: c8b26f35049a5e959659b648147db507b0efeb4f3d45a5da705a455ba7b4bed3
Opcode Fuzzy Hash: 0cdb29ddfd5afa191229d1a43afffd05ecd8d7b8e93359a84a3a91fc7408f6e4
Instruction Fuzzy Hash: 37315E36210F5182FB139B97AC8439AA3E4BB8CFD0F450426AF4A5B7B4DF78D8458344

Function 000000014004CB24 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 000000014004CB6B
ActivateActCtx.KERNEL32 ref: 000000014004CB90
GetLastError.KERNEL32 ref: 000000014004CBE6
DeactivateActCtx.KERNEL32 ref: 000000014004CBF9
SetLastError.KERNEL32 ref: 000000014004CC05

Strings

ImageList_ReplaceIcon, xrefs: 000000014004CBAE
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014004CB64

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ImageList_ReplaceIcon$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-1849858154
Opcode ID: 7ab09a44a6aa75350b1f6f030297f1180b360972c0b4995297e6a1653e184c64
Instruction ID: 2d154c297c3965d24d024822e91df6c22cdbafd4b5eab4ea9033986e4db16494
Opcode Fuzzy Hash: 7ab09a44a6aa75350b1f6f030297f1180b360972c0b4995297e6a1653e184c64
Instruction Fuzzy Hash: 64316F36620F1182FA529B67AC94799A6E4F78CBE0F450625AF1A873F0DF78C8458384

Function 0000000140015000 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 0000000140015034
FindResourceA.KERNEL32(?,?,?,0000000140006113), ref: 0000000140015068
SizeofResource.KERNEL32(?,?,?,0000000140006113), ref: 000000014001507C
LoadResource.KERNEL32(?,?,?,0000000140006113), ref: 000000014001508B
LockResource.KERNEL32(?,?,?,0000000140006113), ref: 000000014001509C
FreeResource.KERNEL32(?,?,?,0000000140006113), ref: 00000001400150C2

Strings

AFX_DIALOG_LAYOUT, xrefs: 0000000140015057

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$FindFreeLoadLockSizeofWindow
String ID: AFX_DIALOG_LAYOUT
API String ID: 4180966417-2436846380
Opcode ID: 2f0ad50b5ee557c3dfb3d6bcffb9e86e87282bd27debc32d1103031f72015039
Instruction ID: e24d9e263a10a58bf679f2320befb32c25aaf644a5b6fcc4be1396ed732a2118
Opcode Fuzzy Hash: 2f0ad50b5ee557c3dfb3d6bcffb9e86e87282bd27debc32d1103031f72015039
Instruction Fuzzy Hash: CF216F71301B5085FE57ABE368543AAA2E0AF4DFD1F584424AF0A5FB74DF3AC9468380

Function 0000000140144B08 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140144B43
ActivateActCtx.KERNEL32 ref: 0000000140144B68
GetLastError.KERNEL32 ref: 0000000140144BB6
DeactivateActCtx.KERNEL32 ref: 0000000140144BC9
SetLastError.KERNEL32 ref: 0000000140144BD5

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140144B3C
ChooseColorA, xrefs: 0000000140144B85

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: ChooseColorA$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-1070732121
Opcode ID: 01a338a6f235aed7124f5c0257d75ccb54828b850da7e9a1273961e9ebe7ea2d
Instruction ID: 160c2d8ec579ddd9ec4f7083ea575c2cba57f8870f6706fa9b1d90c8855484c3
Opcode Fuzzy Hash: 01a338a6f235aed7124f5c0257d75ccb54828b850da7e9a1273961e9ebe7ea2d
Instruction Fuzzy Hash: 5A212A32600F1187FB529F67A8943A9A6E4FB9CF94F4A4529DF4A973B4DF78C8058340

Function 0000000140038E40 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32(?,?,?,?,?,000000014003705A), ref: 0000000140038E7B
ActivateActCtx.KERNEL32(?,?,?,?,?,000000014003705A), ref: 0000000140038EA0
GetLastError.KERNEL32(?,?,?,?,?,000000014003705A), ref: 0000000140038EEE
DeactivateActCtx.KERNEL32(?,?,?,?,?,000000014003705A), ref: 0000000140038F01
SetLastError.KERNEL32(?,?,?,?,?,000000014003705A), ref: 0000000140038F0D

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140038E74
DestroyPropertySheetPage, xrefs: 0000000140038EBD

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: DestroyPropertySheetPage$IsolationAware function called after IsolationAwareCleanup
API String ID: 2188249819-3999949316
Opcode ID: 8c5c1f04f599c9f57c948bd55f089759171a3c902723d28fa85ba395c04a96f6
Instruction ID: c7db3512ca41e7254454acff0ec3e7385af8e9aeb32d5faae433775f36cc18d2
Opcode Fuzzy Hash: 8c5c1f04f599c9f57c948bd55f089759171a3c902723d28fa85ba395c04a96f6
Instruction Fuzzy Hash: DC213E36604B1186FB639B67A8843AAA7E5BB9CBC0F450465EF0A873B4DF78C845C340

Function 0000000140038F2C Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140038F6B
ActivateActCtx.KERNEL32 ref: 0000000140038F90
GetLastError.KERNEL32 ref: 0000000140038FE4
DeactivateActCtx.KERNEL32 ref: 0000000140038FF7
SetLastError.KERNEL32 ref: 0000000140039003

Strings

IsolationAware function called after IsolationAwareCleanup, xrefs: 0000000140038F64
PropertySheetA, xrefs: 0000000140038FAF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: IsolationAware function called after IsolationAwareCleanup$PropertySheetA
API String ID: 2188249819-4071968836
Opcode ID: 4b425e6147b93affcb646e024d14a6377e356e7b86822c8f620732dff37f6e30
Instruction ID: deb311f513bafb9e8621ac64ec136ef2d52382ec1d3e7be4ed19d9d4dbe9603b
Opcode Fuzzy Hash: 4b425e6147b93affcb646e024d14a6377e356e7b86822c8f620732dff37f6e30
Instruction Fuzzy Hash: F9212836200B5186FA279B67A88439AA7E5A74CBF0F540725AF6A477F4DF78C8448340

Function 0000000140149258 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

OutputDebugStringA.KERNEL32 ref: 0000000140149293
ActivateActCtx.KERNEL32 ref: 00000001401492B8
GetLastError.KERNEL32 ref: 0000000140149306
DeactivateActCtx.KERNEL32 ref: 0000000140149319
SetLastError.KERNEL32 ref: 0000000140149325

Strings

PrintDlgA, xrefs: 00000001401492D5
IsolationAware function called after IsolationAwareCleanup, xrefs: 000000014014928C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ErrorLast$ActivateDeactivateDebugOutputString
String ID: IsolationAware function called after IsolationAwareCleanup$PrintDlgA
API String ID: 2188249819-990059121
Opcode ID: 0b092702337e73c3902eaaa60eb6361edab0c827c55f6e0afea482896ec0bedf
Instruction ID: 50b800a10a0c1f8ef31bee008cf071f44e15d0d63cabf54ccc3b843e807ef2e0
Opcode Fuzzy Hash: 0b092702337e73c3902eaaa60eb6361edab0c827c55f6e0afea482896ec0bedf
Instruction Fuzzy Hash: 72210732600B5196FB12DF67A8847AAA6E5BB9CF80F460525DB0A877B4DFB9C8058240

Function 000000014002C398 Relevance: 12.2, APIs: 8, Instructions: 220windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 000000014002C3F3
GetDesktopWindow.USER32 ref: 000000014002C414
GetWindowRect.USER32 ref: 000000014002C42A
GetWindowRect.USER32 ref: 000000014002C438
IntersectRect.USER32 ref: 000000014002C668
EqualRect.USER32 ref: 000000014002C676
IsRectEmpty.USER32 ref: 000000014002C681
InvalidateRect.USER32 ref: 000000014002C6A2

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$DesktopEmptyEqualIntersectInvalidateVisible
String ID:
API String ID: 1271683057-0
Opcode ID: 384b43eccf172b077e2f0592fb3c22ef8e6c1ae54a333ecea26eede25789a2c7
Instruction ID: be0d743b65ee016a4e2b173fe4a0f53007aaf8ab0a3f1a9df6ac02ba69317282
Opcode Fuzzy Hash: 384b43eccf172b077e2f0592fb3c22ef8e6c1ae54a333ecea26eede25789a2c7
Instruction Fuzzy Hash: 59A16276710A0586EB16CB6AD4947ED27B0FB8CB88F444126EF0E97B69DF38C9858740

Function 00000001401300B0 Relevance: 12.2, APIs: 8, Instructions: 215timeCOMMON

Download Yara Rule

APIs

KillTimer.USER32 ref: 00000001401300FC
KillTimer.USER32 ref: 0000000140130112
GetWindowRect.USER32 ref: 0000000140130130
ShowWindow.USER32 ref: 00000001401301C3
ShowWindow.USER32 ref: 0000000140130227
BringWindowToTop.USER32 ref: 0000000140130231
BringWindowToTop.USER32 ref: 000000014013023E
SetTimer.USER32 ref: 0000000140130279

Part of subcall function 00000001400D79A8: GetWindowRect.USER32 ref: 00000001400D79E9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Timer$BringKillRectShow
String ID:
API String ID: 411157578-0
Opcode ID: 170f047fc413d3c8f0aa85d2f3a8dfad3c1f9e12988d0987d88dae201c42f0d5
Instruction ID: f8104873e5332d622bcaa3de354a10279e611eab608bec9eac5400c82b76ee64
Opcode Fuzzy Hash: 170f047fc413d3c8f0aa85d2f3a8dfad3c1f9e12988d0987d88dae201c42f0d5
Instruction Fuzzy Hash: 60A12772700A448BFB5ACB66CAA87ED73E5F78CB84F044125DB1A576A5DF38D860C704

Function 00000001400E411C Relevance: 12.1, APIs: 8, Instructions: 137windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400E4177
GetParent.USER32 ref: 00000001400E41AA
SetParent.USER32 ref: 00000001400E4208
GetTopWindow.USER32 ref: 00000001400E42B5
GetWindow.USER32 ref: 00000001400E42D4
IsWindow.USER32 ref: 00000001400E42FB
GetParent.USER32 ref: 00000001400E4308
DestroyWindow.USER32 ref: 00000001400E4317

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Parent$DestroyMessageSend
String ID:
API String ID: 2635554982-0
Opcode ID: 1c86137fa4a56430e7a2086d4ea2b5e490838ec8247494047093383d790d008d
Instruction ID: 74d3e61f2ca7c91189e02b5a6b7a943266a658bd417abf59e0b3b44f372cf499
Opcode Fuzzy Hash: 1c86137fa4a56430e7a2086d4ea2b5e490838ec8247494047093383d790d008d
Instruction Fuzzy Hash: B3514732601A4482EB56DF67D4943E963A0FB89FE4F480525EF1E1BBB5DF39D8418390

Function 0000000140048A4C Relevance: 12.1, APIs: 8, Instructions: 108COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140048ABD
ClientToScreen.USER32 ref: 0000000140048AD6
PtInRect.USER32 ref: 0000000140048AE6
WindowFromPoint.USER32 ref: 0000000140048AF9
SetCapture.USER32 ref: 0000000140048B5D
ReleaseCapture.USER32 ref: 0000000140048BA5
InvalidateRect.USER32 ref: 0000000140048BC1
UpdateWindow.USER32 ref: 0000000140048BCB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$CaptureClientWindow$FromInvalidatePointReleaseScreenUpdate
String ID:
API String ID: 1999979895-0
Opcode ID: 967c38c6692938d1c1a58329f98888d67b38e8f1b42b68fdd5c9454ccfd94145
Instruction ID: 15a4119cd7347e6430743070e31b747ed1d6466e71c0f2e7a396b8fba753c0c1
Opcode Fuzzy Hash: 967c38c6692938d1c1a58329f98888d67b38e8f1b42b68fdd5c9454ccfd94145
Instruction Fuzzy Hash: 57512BB2500B848AEB669F16E4453ED77A0F78CF85F194939EF4A1B764CB34C541CB84

Function 00000001400488B8 Relevance: 12.1, APIs: 8, Instructions: 98windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014004896C
SendMessageA.USER32 ref: 000000014004899E
IsWindow.USER32 ref: 00000001400489A7
RedrawWindow.USER32 ref: 00000001400489C0
IsWindow.USER32 ref: 00000001400489D1
ReleaseCapture.USER32 ref: 00000001400489E4
KillTimer.USER32 ref: 0000000140048A03
SendMessageA.USER32 ref: 0000000140048A2A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
String ID:
API String ID: 3014619129-0
Opcode ID: fc5f7073b87ffd7439a0a6fd334a506171688a41e29c4d49563b10d2254994d3
Instruction ID: 4352e8bea2776b8310c392d947df775572282aba44613dd5afa983df9e1bcf8e
Opcode Fuzzy Hash: fc5f7073b87ffd7439a0a6fd334a506171688a41e29c4d49563b10d2254994d3
Instruction Fuzzy Hash: 73412732300A8197EB6E8F2296503EC76A5F78DFC0F090425EF5667661CF35D8B1870A

Function 00000001400891A8 Relevance: 12.1, APIs: 8, Instructions: 87windowCOMMON

Download Yara Rule

APIs

MessageBeep.USER32 ref: 000000014008920D
ReleaseCapture.USER32 ref: 0000000140089253
GetClientRect.USER32 ref: 000000014008927B
MapWindowPoints.USER32 ref: 000000014008929B
GetCursorPos.USER32 ref: 00000001400892B0
ScreenToClient.USER32 ref: 00000001400892BF
PtInRect.USER32 ref: 00000001400892CF
SendMessageA.USER32 ref: 00000001400892EF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientMessageRect$BeepCaptureCursorPointsReleaseScreenSendWindow
String ID:
API String ID: 1719883865-0
Opcode ID: 034105e1cb4b4e3894b0bec68319957208e17875f8656dab5207c8ae53c88506
Instruction ID: 536b1d7a975ac0a65e80f39fcb164a01cd4efed35f86ebb3443546f791a0eb33
Opcode Fuzzy Hash: 034105e1cb4b4e3894b0bec68319957208e17875f8656dab5207c8ae53c88506
Instruction Fuzzy Hash: D8412B36204A4492EB66DF56E4983AD77B0F78CFD8F184221EB4A4B6B4DF38C695C700

Function 00000001401042F4 Relevance: 10.8, APIs: 7, Instructions: 308COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 000000014010437D
SetRectEmpty.USER32 ref: 000000014010438F
IsRectEmpty.USER32 ref: 000000014010439F
IsRectEmpty.USER32 ref: 000000014010444A
CreateRectRgnIndirect.GDI32 ref: 0000000140104568

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

IsRectEmpty.USER32 ref: 0000000140104727
IsRectEmpty.USER32 ref: 0000000140104763

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$CreateExceptionIndirectThrow
String ID:
API String ID: 668937991-0
Opcode ID: d1dc9a1a79f7ebe3cd4b564553c3df85bcf19ee7ce0338b04d77c145d647e4a9
Instruction ID: 4fa78d4eb9629cb1b2137781e6ea10e3979f4d0458074150cb42b92f096b8c18
Opcode Fuzzy Hash: d1dc9a1a79f7ebe3cd4b564553c3df85bcf19ee7ce0338b04d77c145d647e4a9
Instruction Fuzzy Hash: 8BE17BB6B00B8096EB16DB66C4843ED73A1F78DB88F044226DF5957B66EF34D5A4C380

Function 00000001400285B8 Relevance: 10.7, APIs: 7, Instructions: 249COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 00000001400286D6
CoTaskMemFree.OLE32 ref: 00000001400287A9
CoTaskMemFree.OLE32 ref: 00000001400287B9
CoTaskMemFree.OLE32 ref: 00000001400287F9
CoTaskMemFree.OLE32 ref: 0000000140028808
CoTaskMemFree.OLE32 ref: 0000000140028843
CoTaskMemFree.OLE32 ref: 0000000140028852

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FreeTask$ClearVariant
String ID:
API String ID: 903088277-0
Opcode ID: 6b6d3038be07a0a35ccce8172134dab15b0e2a3f0fb3c460cb8a8cfafc029c82
Instruction ID: 0b0d54c6f3a753077958bdf3026fedac4755858d4bbb2517c69e4000ae342c9e
Opcode Fuzzy Hash: 6b6d3038be07a0a35ccce8172134dab15b0e2a3f0fb3c460cb8a8cfafc029c82
Instruction Fuzzy Hash: DEA12636302A0086EB6ADF2AD4A47AD63A4FB89F94F145529DF4E63B75CF34C865C304

Function 0000000140070E94 Relevance: 10.7, APIs: 7, Instructions: 232windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140070ECA
GetTextExtentPoint32A.GDI32 ref: 00000001400710BC

Part of subcall function 00000001400EFB38: SendMessageA.USER32 ref: 00000001400EFB6F
Part of subcall function 00000001400EFB38: SendMessageA.USER32 ref: 00000001400EFB8F
Part of subcall function 00000001400EFB38: GetClassLongPtrA.USER32 ref: 00000001400EFC14
Part of subcall function 00000001400EFB38: GetClassLongPtrA.USER32 ref: 00000001400EFC29

GetSystemMetrics.USER32 ref: 0000000140070F24
GetSystemMetrics.USER32 ref: 0000000140070F32
GetSystemMetrics.USER32 ref: 0000000140070F48
GetSystemMetrics.USER32 ref: 0000000140070F57
DrawIconEx.USER32 ref: 0000000140070FF2

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MetricsSystem$ClassLongMessageSend$DrawExtentIconParentPoint32Text
String ID:
API String ID: 928954478-0
Opcode ID: 00d6a66ae3f78cb7c53e7ceecb256ea83b7e7405a9b0917d3abe58c3079a5afb
Instruction ID: 1d63a01d0264cbe41842509643cec496c40622e73d0c14accaf26dd0324a66e3
Opcode Fuzzy Hash: 00d6a66ae3f78cb7c53e7ceecb256ea83b7e7405a9b0917d3abe58c3079a5afb
Instruction Fuzzy Hash: C7916D76710A418BEB15DFBAE4847AC37A1F788BD8F008229EF5A57BA5DF38D4458700

Function 000000014009C820 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 185windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0000000140011CC8: GetForegroundWindow.USER32 ref: 0000000140011CD1
Part of subcall function 0000000140011CC8: IsChild.USER32 ref: 0000000140011CF1
Part of subcall function 0000000140011CC8: SetForegroundWindow.USER32 ref: 0000000140011D0C

GetClientRect.USER32 ref: 000000014013DEDA
GetWindowRect.USER32 ref: 000000014013DEF0
OffsetRect.USER32 ref: 000000014013DF12
OffsetRect.USER32 ref: 000000014013DF35
SendMessageA.USER32 ref: 000000014013DF6B

Strings

@, xrefs: 000000014009C8C7

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Window$ForegroundOffset$ChildClientMessageSend
String ID: @
API String ID: 2015933643-2766056989
Opcode ID: 2310adb0bfa284a0eac4d395bb641e824f7f0078bc221a62098387edf2b55917
Instruction ID: aef859f6fce198b3cd78924d48442090c2b24d507a42f4d4915c430fd7087f2f
Opcode Fuzzy Hash: 2310adb0bfa284a0eac4d395bb641e824f7f0078bc221a62098387edf2b55917
Instruction Fuzzy Hash: 1C717E72B21A5586FF06DB66E4957ED2360FB8CB88F544525EF4E0BAAADF38C4058340

Function 0000000140098A30 Relevance: 10.7, APIs: 7, Instructions: 156windowCOMMON

Download Yara Rule

APIs

SelectObject.GDI32 ref: 0000000140098A94
SendMessageA.USER32 ref: 0000000140098AFC
SelectObject.GDI32 ref: 0000000140098B36
GetClientRect.USER32 ref: 0000000140098BDB
SendMessageA.USER32 ref: 0000000140098C0C
MapWindowPoints.USER32 ref: 0000000140098C30
FillRect.USER32 ref: 0000000140098C66

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageObjectRectSelectSend$ClientFillPointsWindow
String ID:
API String ID: 1511390007-0
Opcode ID: 6c98226c28c9a23d4945fb2ed078fdd3c69f199a2898cfaead498ae1e171abb9
Instruction ID: c914c8fdce31199268c5407ec01fc405415728a25babb433b9edf9c0e026bedc
Opcode Fuzzy Hash: 6c98226c28c9a23d4945fb2ed078fdd3c69f199a2898cfaead498ae1e171abb9
Instruction Fuzzy Hash: 83714576700B848AEB199F66E5983AC77B1F78CBC4F144126EF4917B64DB38D4A1C740

Function 00000001401292DC Relevance: 10.6, APIs: 7, Instructions: 136COMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014012930C
IsWindow.USER32 ref: 0000000140129323
MonitorFromPoint.USER32 ref: 00000001401293B2
GetMonitorInfoA.USER32 ref: 00000001401293BF
CopyRect.USER32 ref: 00000001401293D1
SystemParametersInfoA.USER32 ref: 00000001401293E5
GetWindowRect.USER32 ref: 0000000140129446

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$InfoMonitorRect$CopyFromParametersPointSystem
String ID:
API String ID: 731732153-0
Opcode ID: 38ee21356c31cb87ee09c049ebe09e7195225b88d57f00ad01c3aa13cd4f7156
Instruction ID: f8da79d1ea0c107fce002ba6ebd4f4dc0a75fd4982a119e3b9f06d702274f0e4
Opcode Fuzzy Hash: 38ee21356c31cb87ee09c049ebe09e7195225b88d57f00ad01c3aa13cd4f7156
Instruction Fuzzy Hash: 3A6148B2710A818AEB55DF6AD494BDC33A5F788F88F448129DF0A9BB68DF34C545CB00

Function 000000014003C224 Relevance: 10.6, APIs: 7, Instructions: 123timeCOMMON

Download Yara Rule

APIs

FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C2B5
FileTimeToSystemTime.KERNEL32 ref: 000000014003C2CA
GetFileAttributesExA.KERNEL32 ref: 000000014003C2F5
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C309
FileTimeToSystemTime.KERNEL32 ref: 000000014003C31B
FileTimeToLocalFileTime.KERNEL32 ref: 000000014003C34B
FileTimeToSystemTime.KERNEL32 ref: 000000014003C35D

Part of subcall function 000000014003BD08: GetModuleHandleA.KERNEL32 ref: 000000014003BD3A
Part of subcall function 000000014003BD08: GetProcAddress.KERNEL32 ref: 000000014003BD4F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Time$File$LocalSystem$AddressAttributesHandleModuleProc
String ID:
API String ID: 1857739635-0
Opcode ID: 4f93ae82b809553cbeeef9687e188f7d757e22ff581b62ee826febbe5bc3086a
Instruction ID: d32a96e57b1f9206397bc19fb2f8ea740b3796b149bc9578628cd8f6eb236056
Opcode Fuzzy Hash: 4f93ae82b809553cbeeef9687e188f7d757e22ff581b62ee826febbe5bc3086a
Instruction Fuzzy Hash: 50514A72720A1595FB12CFB6D8907EE23B1B748BD8F908015EF0A9B6A8EF74C655C350

Function 0000000140058A54 Relevance: 10.6, APIs: 7, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140058AB0
SendMessageA.USER32 ref: 0000000140058AD8
SHGetDesktopFolder.SHELL32 ref: 0000000140058B05
SendMessageA.USER32 ref: 0000000140058B3D
SendMessageA.USER32 ref: 0000000140058B83
SendMessageA.USER32 ref: 0000000140058B98
RedrawWindow.USER32 ref: 0000000140058BAD

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$DesktopFolderRedrawWindow
String ID:
API String ID: 898402146-0
Opcode ID: 878e17c378ad0b8a2a37b4b23226a58c65e5403bdaa1c770e09eae0244c25b8e
Instruction ID: 9c153c2ef2c8513aaa07560a4f2175b916228885ef28b269cfdd92369722db27
Opcode Fuzzy Hash: 878e17c378ad0b8a2a37b4b23226a58c65e5403bdaa1c770e09eae0244c25b8e
Instruction Fuzzy Hash: 31415A77310A41DAFB21DF62E8907DD27A1E788B88F409521EF0D4BAA8DF35C949C700

Function 0000000140048F9C Relevance: 10.6, APIs: 7, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140048FE6
GetParent.USER32 ref: 000000014004900D
SendMessageA.USER32 ref: 000000014004903F
GetParent.USER32 ref: 0000000140049061
RedrawWindow.USER32 ref: 00000001400490ED
GetParent.USER32 ref: 00000001400490F7
GetWindowLongA.USER32 ref: 000000014004911A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Parent$MessageSendWindow$LongRedraw
String ID:
API String ID: 4271267155-0
Opcode ID: 887d725721f172a308384425722ff54134a2163b8b9a4126183bef98cb517c72
Instruction ID: 1761233a1e055f2f60ecf39385a2b42b0a9855083ecd416cf63f6c4203a1e2c7
Opcode Fuzzy Hash: 887d725721f172a308384425722ff54134a2163b8b9a4126183bef98cb517c72
Instruction Fuzzy Hash: 60414A35201B4086FA66DB67E4443EDA2A1EB8DFC0F194135EF5A477B5DF7AC8818208

Function 000000014016127C Relevance: 10.6, APIs: 7, Instructions: 89timeCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014006395C: ReleaseCapture.USER32 ref: 000000014006399E
Part of subcall function 000000014006395C: IsWindow.USER32 ref: 00000001400639BF
Part of subcall function 000000014006395C: DestroyWindow.USER32 ref: 00000001400639D0
Part of subcall function 000000014006395C: GetParent.USER32 ref: 00000001400639F0
Part of subcall function 000000014006395C: IsRectEmpty.USER32 ref: 0000000140063AAF

KillTimer.USER32 ref: 00000001401612B8
IsWindow.USER32 ref: 00000001401612FD
RedrawWindow.USER32 ref: 0000000140161331
IsWindow.USER32 ref: 0000000140161354
RedrawWindow.USER32 ref: 00000001401613A1
GetCursorPos.USER32 ref: 00000001401613B0
ScreenToClient.USER32 ref: 00000001401613BF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Redraw$CaptureClientCursorDestroyEmptyKillParentRectReleaseScreenTimer
String ID:
API String ID: 2874279545-0
Opcode ID: 80b2e13cdd66543a9becee4312917210f9e5a414d3bef90ce86c03f36fa09009
Instruction ID: 90207268e31551b66773442213fe4a41f90fa87ef57409edb5a8a6884b531490
Opcode Fuzzy Hash: 80b2e13cdd66543a9becee4312917210f9e5a414d3bef90ce86c03f36fa09009
Instruction Fuzzy Hash: 9F413632614B8483EB568F2AE8547AA67A0FB8CF89F485125DF4E07B68DF38C045CB00

Function 0000000140014B68 Relevance: 10.6, APIs: 7, Instructions: 70windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0000000140014BDC
SetActiveWindow.USER32 ref: 0000000140014BE9
SendMessageA.USER32 ref: 0000000140014C06
IsWindow.USER32 ref: 0000000140014C0F
SetActiveWindow.USER32 ref: 0000000140014C1C
IsWindow.USER32 ref: 0000000140014C25
SetFocus.USER32 ref: 0000000140014C32

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$ActiveFocus$MessageSend
String ID:
API String ID: 1556911595-0
Opcode ID: e583a2560d4b0a7ac42d609aaa849823342d5d45483565b0c8462efac812470a
Instruction ID: 9b30ff0e856983e3f166a86b3452bcc90cb04419cd45cd3fb437b1acf2228189
Opcode Fuzzy Hash: e583a2560d4b0a7ac42d609aaa849823342d5d45483565b0c8462efac812470a
Instruction Fuzzy Hash: 62214F31311A4085FBAA9F27A5447ED66A0AB9DFC4F180035EF1A4FBB5CF3AC9418340

Function 0000000140094334 Relevance: 10.6, APIs: 7, Instructions: 65windowCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140094373
ReleaseCapture.USER32 ref: 000000014009439B
GetWindowRect.USER32 ref: 00000001400943B7
GetParent.USER32 ref: 00000001400943F2
SendMessageA.USER32 ref: 0000000140094412
SetRectEmpty.USER32 ref: 000000014009441B
SetRectEmpty.USER32 ref: 0000000140094428

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$CaptureMessageParentReleaseSendWindow
String ID:
API String ID: 2026794321-0
Opcode ID: 612de6c83303f14ba7b01e7bf65efad0f2e10313e95250234140461c58827fb8
Instruction ID: 81cb96a4a5cff18e626326e3fb37320f412b65a0b0792915e51ffd3de682f922
Opcode Fuzzy Hash: 612de6c83303f14ba7b01e7bf65efad0f2e10313e95250234140461c58827fb8
Instruction Fuzzy Hash: C6314836614A8482EB11CF22E4847AD73B0F78CF88F554625EF994B728DF79C945CB40

Function 00000001400241B8 Relevance: 10.6, APIs: 7, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400241C5
SendMessageA.USER32 ref: 00000001400241DB
GetFocus.USER32(?,?,?,00000001400241AF,?,?,00000000,000000014000B515), ref: 00000001400241FA
SendMessageA.USER32 ref: 0000000140024210

Part of subcall function 0000000140012330: GetParent.USER32 ref: 0000000140012359

GetLastActivePopup.USER32 ref: 000000014002423C
SendMessageA.USER32 ref: 0000000140024252

Part of subcall function 0000000140012330: GetWindowLongA.USER32 ref: 000000014001237D
Part of subcall function 0000000140012330: GetParent.USER32 ref: 000000014001238C

SendMessageA.USER32 ref: 000000014002427F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Parent$ActiveCaptureFocusLastLongPopupWindow
String ID:
API String ID: 3194460488-0
Opcode ID: b61d15ef9ca980beb28f3bf8acff6c6f008ade9a9baf740c94563c7844846f26
Instruction ID: b4134cd19e12dbccf35b1be88bca45655c619be53e29b8062babe0662babc4c5
Opcode Fuzzy Hash: b61d15ef9ca980beb28f3bf8acff6c6f008ade9a9baf740c94563c7844846f26
Instruction Fuzzy Hash: 68213334315A4182FF6B9B63A951BE91695AB9DFC4F481438BF0A0FBA1EE3DC8544300

Function 00000001400A93E8 Relevance: 10.6, APIs: 7, Instructions: 58windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400A9422
IsRectEmpty.USER32 ref: 00000001400A943F
IsRectEmpty.USER32 ref: 00000001400A9450
GetCursorPos.USER32 ref: 00000001400A9469
ScreenToClient.USER32 ref: 00000001400A9478
PtInRect.USER32 ref: 00000001400A9486
PtInRect.USER32 ref: 00000001400A949C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$ClientCursorMessageScreenSend
String ID:
API String ID: 703117857-0
Opcode ID: c80fffc32b47d788c5ea171f146fadb8ad9e607c39113cdbf505d6c2a43414ef
Instruction ID: 7dfb3781ae7a011c59ee1fd6bdfced8ae2a9ba9f9f26fee486e204c959d8e33c
Opcode Fuzzy Hash: c80fffc32b47d788c5ea171f146fadb8ad9e607c39113cdbf505d6c2a43414ef
Instruction Fuzzy Hash: C8213D76324A4082FB51CB53E8947E963A1FB9DFD5F445125EF0A4BAA8DF38C586CB00

Function 00000001400082BC Relevance: 10.6, APIs: 7, Instructions: 56memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00000001400082DC
lstrcmpA.KERNEL32 ref: 00000001400082EC
DocumentPropertiesA.WINSPOOL.DRV ref: 000000014000833B
GlobalAlloc.KERNEL32 ref: 0000000140008348
GlobalLock.KERNEL32 ref: 0000000140008358
DocumentPropertiesA.WINSPOOL.DRV ref: 0000000140008379
ClosePrinter.WINSPOOL.DRV ref: 000000014000839C

Part of subcall function 000000014001B240: GlobalFlags.KERNEL32(?,?,?,?,?,?,?,00000001400666D0,?,?,?,000000014009EF32), ref: 000000014001B252
Part of subcall function 000000014001B240: GlobalUnlock.KERNEL32 ref: 000000014001B262
Part of subcall function 000000014001B240: GlobalFree.KERNEL32 ref: 000000014001B270

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreePrinter.Unlocklstrcmp
String ID:
API String ID: 992435789-0
Opcode ID: beb639c678da0addad8fc662929d67eb676ea3125c368d6263fb682b4a5ef6fd
Instruction ID: 24bb22d11aeb24d1f248ac47737e953fecc81ec1b61c2858d6db9537e3c7a991
Opcode Fuzzy Hash: beb639c678da0addad8fc662929d67eb676ea3125c368d6263fb682b4a5ef6fd
Instruction Fuzzy Hash: 35215471210A8086EB65DB23E5553AE62A0FB8DFC4F148525EF8E4BAB6CF3DC5448700

Function 000000014008D440 Relevance: 10.6, APIs: 7, Instructions: 50windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 000000014008D477
EnableMenuItem.USER32 ref: 000000014008D489
EnableMenuItem.USER32 ref: 000000014008D49B
EnableMenuItem.USER32 ref: 000000014008D4AD
EnableMenuItem.USER32 ref: 000000014008D4BF
EnableMenuItem.USER32 ref: 000000014008D4D1
EnableMenuItem.USER32 ref: 000000014008D4E3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 26adcd5a1906d7086e2da00d95cac258d255ca5ce115e861cc9cefce741bb090
Instruction ID: f453891dbe963abf6778a79a723a2347fa386b219f075810dde73ab862a1ab9d
Opcode Fuzzy Hash: 26adcd5a1906d7086e2da00d95cac258d255ca5ce115e861cc9cefce741bb090
Instruction Fuzzy Hash: 7D114C35300B8086EB109F63E444369B7A0E38EFD0F94802DAF490BBA8CE38C881CB54

Function 0000000140128D98 Relevance: 9.2, APIs: 6, Instructions: 237windowCOMMON

Download Yara Rule

APIs

TrackMouseEvent.USER32 ref: 0000000140128EB1
UpdateWindow.USER32 ref: 0000000140128FA1
GetParent.USER32 ref: 0000000140128FFE
SendMessageA.USER32 ref: 000000014012901E
GetClientRect.USER32 ref: 00000001401290A6
InflateRect.USER32 ref: 00000001401290F4

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientEventInflateMessageMouseParentSendTrackUpdateWindow
String ID:
API String ID: 2492745705-0
Opcode ID: b7f207eb6472e10eb51eee6d709fe43c5d3f914720321798604b2e5907698a96
Instruction ID: c6228b9fef0a39ecec084cc767647bbfdeed741d583f1c4d90a2594979064098
Opcode Fuzzy Hash: b7f207eb6472e10eb51eee6d709fe43c5d3f914720321798604b2e5907698a96
Instruction Fuzzy Hash: 04B15E7221164486EB269F27E4847E977A1F788F94F184539EF09577B9DF38C885CB00

Function 0000000140078A68 Relevance: 9.2, APIs: 6, Instructions: 156windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140078B0D
SendMessageA.USER32 ref: 0000000140078B50
SendMessageA.USER32 ref: 0000000140078B80
SetRectEmpty.USER32 ref: 0000000140078BDA
SendMessageA.USER32 ref: 0000000140078C3D
RedrawWindow.USER32 ref: 0000000140078C68

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$EmptyParentRectRedrawWindow
String ID:
API String ID: 3879113052-0
Opcode ID: 180336033cadc592df06f274172b1710c3e1c6de03b04178abda9f778ca87d92
Instruction ID: e281da06991ef610d4f1e51badf8647d3caccadf6b6c8a2619470039e27e88e4
Opcode Fuzzy Hash: 180336033cadc592df06f274172b1710c3e1c6de03b04178abda9f778ca87d92
Instruction Fuzzy Hash: 36614976701A408AEB69CF6AC4907ED37A1F78CB88F45402AEF0D57B64DF39D4518740

Function 0000000140088DA0 Relevance: 9.1, APIs: 6, Instructions: 131windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

GetParent.USER32 ref: 0000000140088EEF
GetCursorPos.USER32 ref: 0000000140088F16
ScreenToClient.USER32 ref: 0000000140088F25
PtInRect.USER32 ref: 0000000140088F37
SendMessageA.USER32 ref: 0000000140088F78
SendMessageA.USER32 ref: 0000000140088F9C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$ClientCriticalCursorEnterParentRectScreenSection
String ID:
API String ID: 3338680560-0
Opcode ID: 0a3b3af6a3d206fcfd3007738f54e80ecbe2bc02136616b239ef9900bf06268d
Instruction ID: 6d9b1731027eb956566be2582af684e039b9026148f5c1653373fd2135d22d2c
Opcode Fuzzy Hash: 0a3b3af6a3d206fcfd3007738f54e80ecbe2bc02136616b239ef9900bf06268d
Instruction Fuzzy Hash: 06517576201A4096EA269B13E8847E973A1FB8CBD0F440526EF5E47BF6DFB9C950C740

Function 00000001400552A4 Relevance: 9.1, APIs: 6, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140055311
SendMessageA.USER32 ref: 0000000140055353
SendMessageA.USER32 ref: 0000000140055381
SendMessageA.USER32 ref: 0000000140055410
SendMessageA.USER32 ref: 0000000140055433
PtInRect.USER32 ref: 0000000140055451

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Rect$Client
String ID:
API String ID: 4194289498-0
Opcode ID: 6d6fff2cb174f9c18d6a7b66efd92aea812056d17efc52dbe45110992225c26e
Instruction ID: 75ff0d802c3701a8febe7a9845b4a305307545dac7786ec626a6bd25fa1ba207
Opcode Fuzzy Hash: 6d6fff2cb174f9c18d6a7b66efd92aea812056d17efc52dbe45110992225c26e
Instruction Fuzzy Hash: 63510636601A44CAEB51DF3AC4547ED37A1FB88F89F585122EF0A8B769DF76C4858B00

Function 000000014006D2F8 Relevance: 9.1, APIs: 6, Instructions: 118COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014006D354

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

GetParent.USER32 ref: 000000014006D37A
GetWindowRect.USER32 ref: 000000014006D39D
GetClientRect.USER32 ref: 000000014006D446
MapWindowPoints.USER32 ref: 000000014006D45F
DrawThemeBackground.UXTHEME ref: 000000014006D48E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ConditionMaskWindow$BackgroundClientDrawFillInfoMetricsParentPointsSystemThemeVerifyVersion
String ID:
API String ID: 3218022401-0
Opcode ID: 2bdb26a17d542d536ceaf0d7f658d350c0adcb1f7ec1f71ebbe8a573272dcf12
Instruction ID: 64c3bd4a3381b5b1bae0574a9b527524425a98c600d73bf14a46d38636fb3a65
Opcode Fuzzy Hash: 2bdb26a17d542d536ceaf0d7f658d350c0adcb1f7ec1f71ebbe8a573272dcf12
Instruction Fuzzy Hash: DA515772611A8086EB56DF23E8947AA77A1FB8CFC4F148426EF4A47765EF38D840C700

Function 000000014012CD5C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 000000014012CE23
PtInRect.USER32 ref: 000000014012CE39
GetWindowRect.USER32(?,?,?,?,?,?,?,?,00000000,?,?,000000014008BB93), ref: 000000014012CE5D
PtInRect.USER32 ref: 000000014012CE95
InflateRect.USER32 ref: 000000014012CEAD
PtInRect.USER32 ref: 000000014012CEBB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$InflateWindow
String ID:
API String ID: 906816026-0
Opcode ID: a262eb3436d6c1c0760f2b2a1580e98e560e95b168c76aabf3c5f3ebc8c632ae
Instruction ID: 76f24ef8a9de64725b436c77f849b50139050ddf64e6a8ece842de6c7aca3c3f
Opcode Fuzzy Hash: a262eb3436d6c1c0760f2b2a1580e98e560e95b168c76aabf3c5f3ebc8c632ae
Instruction Fuzzy Hash: D4416C76B10A548AEB528B76D9843EC27B1BB4CF98F04812ADF1A677A8EF34C545C340

Function 000000014001CCF8 Relevance: 9.1, APIs: 6, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 000000014001CD28
TlsGetValue.KERNEL32 ref: 000000014001CD41
LocalAlloc.KERNEL32 ref: 000000014001CDC3
LocalReAlloc.KERNEL32 ref: 000000014001CDE7
LeaveCriticalSection.KERNEL32 ref: 000000014001CDF8
TlsSetValue.KERNEL32 ref: 000000014001CE2F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 49f4c850c8760c6683d5f895ff2cdd769952a82a6130dcce74e6da1b57f2794a
Instruction ID: d91a241fd79d10ec9cc9bec68d7a8cfb3040411579abc68e3b2f983193da7f93
Opcode Fuzzy Hash: 49f4c850c8760c6683d5f895ff2cdd769952a82a6130dcce74e6da1b57f2794a
Instruction Fuzzy Hash: 50417C36611B4086EB1ADF26E494BA873A0F74CF94F104526EB294B7B4DF39D862C380

Function 00000001401384E4 Relevance: 9.1, APIs: 6, Instructions: 96windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 000000014013851B
SendMessageA.USER32 ref: 000000014013857D
SendMessageA.USER32 ref: 00000001401385A4
SendMessageA.USER32 ref: 00000001401385C9
SendMessageA.USER32 ref: 00000001401385E7
SendMessageA.USER32 ref: 000000014013860C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b2f44b0aa5592fc01d1d23721a18a97ebd6b21421d37a50412c39155ddfcbafe
Instruction ID: 7523807c16d2b9d9f2e651a80314135f6a944ee43ed9fb982ed31cb1a8ef81c9
Opcode Fuzzy Hash: b2f44b0aa5592fc01d1d23721a18a97ebd6b21421d37a50412c39155ddfcbafe
Instruction Fuzzy Hash: 7131A276701A9082E7019B67E854B8E67A1FBC8FE4F8182259F2D47BB5DE78C9468340

Function 00000001401248D0 Relevance: 9.1, APIs: 6, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 0000000140124917
CreateCompatibleDC.GDI32 ref: 000000014012491F
GetSystemMetrics.USER32 ref: 0000000140124938
GetSystemMetrics.USER32 ref: 0000000140124942
CreateCompatibleBitmap.GDI32 ref: 0000000140124965

Part of subcall function 0000000140010D04: SelectObject.GDI32 ref: 0000000140010D08

DrawFrameControl.USER32 ref: 00000001401249A3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CompatibleCreateHashMetricsSystem$BitmapControlDrawFrameImplImpl::ObjectSelectWindow
String ID:
API String ID: 1591615987-0
Opcode ID: c64d0df7f4ccf49e9b169b8497248043c337b6aa3b10c50085a8a3aab31bc6b1
Instruction ID: 4f76fe98c1ec2a49d0dfdc9f22261d25b6fe1f0b380b578e4c0bfee3054bc031
Opcode Fuzzy Hash: c64d0df7f4ccf49e9b169b8497248043c337b6aa3b10c50085a8a3aab31bc6b1
Instruction Fuzzy Hash: FE412732701A409AE711EF76E8907DD33B5F788B98F41452AAE1E57BA9DE34C50AC340

Function 000000014016D164 Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014016D18B
GetWindowRect.USER32 ref: 000000014016D1B9
GetParent.USER32 ref: 000000014016D1C3

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

OffsetRect.USER32 ref: 000000014016D20A
BeginDeferWindowPos.USER32 ref: 000000014016D215
EndDeferWindowPos.USER32 ref: 000000014016D24A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$ClientDeferParentRectScreen$BeginOffset
String ID:
API String ID: 645747577-0
Opcode ID: 1b493544fe3045940b7830e4b875da07afb1241f37d260cb449b09ba8dcb69c3
Instruction ID: 9a5879f6eb1ff791a78a453ae1858ae9802204c39e3895485d774cbda9e1265a
Opcode Fuzzy Hash: 1b493544fe3045940b7830e4b875da07afb1241f37d260cb449b09ba8dcb69c3
Instruction Fuzzy Hash: 31316732B10A448AEB15CBAAD8947AD77B1FB8CF88F044125DF4E1BB69DF38C4408740

Function 00000001400E0360 Relevance: 9.1, APIs: 6, Instructions: 89COMMON

Download Yara Rule

APIs

DestroyAcceleratorTable.USER32 ref: 00000001400E0390
GetTopWindow.USER32 ref: 00000001400E03DD
GetWindow.USER32 ref: 00000001400E042B
IsWindow.USER32 ref: 00000001400E045B
GetParent.USER32 ref: 00000001400E0468
DestroyWindow.USER32 ref: 00000001400E0477

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Destroy$AcceleratorParentTable
String ID:
API String ID: 3451810566-0
Opcode ID: 8a60a8c03e2872724cc266959311ffb317f804d966576e785583c3f2b6a366fa
Instruction ID: 26b505a7da75dc27f1ca09e6cb227c545c0d28ba057f1c9a5eaa9d5e0b43eb63
Opcode Fuzzy Hash: 8a60a8c03e2872724cc266959311ffb317f804d966576e785583c3f2b6a366fa
Instruction Fuzzy Hash: 1B4141B2611B4082EA269B23E5443A963B4F78CFE0F140225EF9A57BF5DF38C995C340

Function 0000000140030FA4 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140030FD3
GetWindow.USER32 ref: 0000000140031006
GetWindow.USER32 ref: 0000000140031022
GetWindowLongA.USER32 ref: 000000014003103C
IsWindowVisible.USER32 ref: 0000000140031052
GetTopWindow.USER32(?,?,00000000,0000000140030B69), ref: 000000014003107F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$LongParentVisible
String ID:
API String ID: 506644340-0
Opcode ID: 9de63366193d6f498583814dcfd3d0658f905a157fe0b587585da333b1ff87cb
Instruction ID: 7c014e6622d47e14363e856005f34c467e5630ce4d95b50e0987f5bb40280243
Opcode Fuzzy Hash: 9de63366193d6f498583814dcfd3d0658f905a157fe0b587585da333b1ff87cb
Instruction Fuzzy Hash: 7F31DB31705A4085FE5B9B63A5553EA63A1ABCCFC0F084524BF1E4B7B6EEB9C4918240

Function 000000014009C668 Relevance: 9.1, APIs: 6, Instructions: 81COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014009C6A7
IsThemeBackgroundPartiallyTransparent.UXTHEME ref: 000000014009C6C4
DrawThemeParentBackground.UXTHEME ref: 000000014009C6DA
SetRectEmpty.USER32 ref: 000000014009C6EC
SystemParametersInfoA.USER32 ref: 000000014009C6FE
DrawThemeBackground.UXTHEME ref: 000000014009C746

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: BackgroundTheme$DrawRect$ClientEmptyInfoParametersParentPartiallySystemTransparent
String ID:
API String ID: 3870343638-0
Opcode ID: f2a5cf92459e566e834c9d50ac5cef6b62362c5e5aa7093cb48db557960703e0
Instruction ID: 8826ba32f2c8849f7a9ba9d2bc0e2806bdab26da01694472bbaf8e85c8b3a8ae
Opcode Fuzzy Hash: f2a5cf92459e566e834c9d50ac5cef6b62362c5e5aa7093cb48db557960703e0
Instruction Fuzzy Hash: B3313D76B20A548AFB11DB62D894BDD77B0FB4CB88F544521EF0967A28DB34C544C740

Function 00000001400A8674 Relevance: 9.1, APIs: 6, Instructions: 67timeCOMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 00000001400A8699
ReleaseCapture.USER32 ref: 00000001400A86A7
PtInRect.USER32 ref: 00000001400A86F8
InvalidateRect.USER32 ref: 00000001400A875E
SetTimer.USER32 ref: 00000001400A8786

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$CaptureInvalidateReleaseTimer
String ID:
API String ID: 2903485716-0
Opcode ID: 05ba7cfb7c42a4418c401342e810f43dbe435cf8e48eebe1a1882f71db991369
Instruction ID: aaa7c8dc2bd94924866484808fc33ce8bd57150d488edc75160e70228842eea2
Opcode Fuzzy Hash: 05ba7cfb7c42a4418c401342e810f43dbe435cf8e48eebe1a1882f71db991369
Instruction Fuzzy Hash: 61314F7A204A4182EB658F23D9583ED27A1F758FC9F188235EF460B6A4DF39C584CB11

Function 00000001401753A4 Relevance: 9.1, APIs: 6, Instructions: 57windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 00000001401753DC
ScreenToClient.USER32 ref: 00000001401753F3
PtInRegion.GDI32 ref: 0000000140175415
CreateRectRgn.GDI32 ref: 0000000140175438
GetWindowRgn.USER32 ref: 0000000140175454
PtInRegion.GDI32 ref: 000000014017546C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RegionWindow$ClientCreateRectScreenVisible
String ID:
API String ID: 937284771-0
Opcode ID: 7213fdab3c23fb21341309dc87e5808cf242f180491a61587724cb5847613eb3
Instruction ID: 8676de446be9805287ba9412e3849d5974f38556ad0f996227f70847235b2b5a
Opcode Fuzzy Hash: 7213fdab3c23fb21341309dc87e5808cf242f180491a61587724cb5847613eb3
Instruction Fuzzy Hash: D7214F72214B4082D7619B56F48079EB3B1F78CFA5F040225EB5A47AB8DF78C485CB00

Function 00000001400487D4 Relevance: 9.1, APIs: 6, Instructions: 54windowtimeCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 00000001400487F3
SendMessageA.USER32 ref: 0000000140048829
SetCapture.USER32 ref: 0000000140048855
InvalidateRect.USER32 ref: 0000000140048872
UpdateWindow.USER32 ref: 000000014004887C
SetTimer.USER32 ref: 000000014004889A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CaptureInvalidateMessageParentRectSendTimerUpdateWindow
String ID:
API String ID: 3683363781-0
Opcode ID: 32537d589d6da56e7f63cd049dea78263d0a82d5554c78dfd1009b903560a915
Instruction ID: e0563a391f8bf94345c0a7c631e6993b2937ea0bcd0c1e921f26c5253727a4d8
Opcode Fuzzy Hash: 32537d589d6da56e7f63cd049dea78263d0a82d5554c78dfd1009b903560a915
Instruction Fuzzy Hash: D5210735711A4083EB2A9B67E5953ED66A0F78CFC4F544039EF4A0BBA1CF3AD4528700

Function 000000014008C3EC Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

GetParent.USER32 ref: 000000014008C631

Part of subcall function 0000000140024810: _CxxThrowException.LIBVCRUNTIME ref: 000000014002485E

Strings

MFCOutlookBars, xrefs: 000000014008C46A
%TsMFCOutlookBar-%d, xrefs: 000000014008C4D1
MFCOutlookCustomPages, xrefs: 000000014008C7A2
%TsMFCOutlookBar-%d%x, xrefs: 000000014008C4E4

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ExceptionThrow$Parent
String ID: %TsMFCOutlookBar-%d$%TsMFCOutlookBar-%d%x$MFCOutlookBars$MFCOutlookCustomPages
API String ID: 1716319653-3944741965
Opcode ID: 25be3a37f9808b88fdb346669e3cfc6483e883f1b1409ac1f2ea058ac07ed236
Instruction ID: 3253d468f5158c5adff518e5a0b1a64e8cd6f884bca30d691c11e71427df6dd1
Opcode Fuzzy Hash: 25be3a37f9808b88fdb346669e3cfc6483e883f1b1409ac1f2ea058ac07ed236
Instruction Fuzzy Hash: 4CC19F72215A8182EB12EB16E4507EE6361F789BE0F409126FB5E57BF5DF38C949CB00

Function 00000001400B83F0 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 206fileCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 00000001400B8455
GetTempPathA.KERNEL32 ref: 00000001400B84C5
GetTempFileNameA.KERNEL32 ref: 00000001400B8556
CreateFileA.KERNEL32 ref: 00000001400B85A6

Strings

AFX, xrefs: 00000001400B854C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FileTemp$CloseCreateHandleNamePath
String ID: AFX
API String ID: 777972874-1300893600
Opcode ID: ba5931f420265958fdebdbad2f170ed648374a9b8f4f1dd0f0f1e1a64e86296c
Instruction ID: 59bc10f2b77634c82a0551760ca0cad9fb1883aef669d0f20c815cf6df352cd3
Opcode Fuzzy Hash: ba5931f420265958fdebdbad2f170ed648374a9b8f4f1dd0f0f1e1a64e86296c
Instruction Fuzzy Hash: 57819172300A8182EB259F66E8547DE63A1F788BE5F048215EF6A877F5DF78C845C740

Function 0000000140059090 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

SHGetFileInfoA.SHELL32 ref: 00000001400590D5
SHGetFileInfoA.SHELL32 ref: 000000014005914C

Strings

???, xrefs: 000000014005915F
TRUE, xrefs: 000000014005925C
MFCShellTreeCtrl_EnableShellContextMenu, xrefs: 0000000140059235

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FileInfo
String ID: ???$MFCShellTreeCtrl_EnableShellContextMenu$TRUE
API String ID: 4041567068-3649263699
Opcode ID: 9e0f8ee2ea03bf7942b0eb111d8fdc31c8f6ab28d1564fbd35384ea657f3f89a
Instruction ID: 16e31097b0d1c275fa060e4ee7b794274db56d9ebe458cbd4f379d3dc086fa2d
Opcode Fuzzy Hash: 9e0f8ee2ea03bf7942b0eb111d8fdc31c8f6ab28d1564fbd35384ea657f3f89a
Instruction Fuzzy Hash: 6651B072701B4586FB15DB2AE8517DA33A0EB88BE8F444225AB2E47BE5DF38C445C740

Function 000000014006D00C Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

DrawThemeBackground.UXTHEME ref: 000000014006D065
InflateRect.USER32 ref: 000000014006D091
DrawThemeBackground.UXTHEME ref: 000000014006D0DA

Strings

%d%%, xrefs: 000000014006D12D
%, xrefs: 000000014006D176

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: BackgroundDrawTheme$InflateRect
String ID: %$%d%%
API String ID: 3554894645-2837939378
Opcode ID: f3fbedff4a1f11bdfb4cdc0342472260b128941d71db815da2fab62d25249181
Instruction ID: 6f95e6da4055ac5a80cd18ad132e5be9c8b53d8ba6e12688ee23de8a0646d67f
Opcode Fuzzy Hash: f3fbedff4a1f11bdfb4cdc0342472260b128941d71db815da2fab62d25249181
Instruction Fuzzy Hash: B4518F32704A8087EB21DB2AE85479E73A1F79DB94F104216EB8D47BA8DF79C845CB40

Function 0000000140114D34 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SHAppBarMessage.SHELL32 ref: 0000000140114D8A
SHAppBarMessage.SHELL32 ref: 0000000140114DAE
SHAppBarMessage.SHELL32 ref: 0000000140114DCF
SHAppBarMessage.SHELL32 ref: 0000000140114DF3

Strings

0, xrefs: 0000000140114D75

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message
String ID: 0
API String ID: 2030045667-4108050209
Opcode ID: 500317f6f711a44246c2fe8ba212c419d211859983bc11c8a6936c00eeb610cb
Instruction ID: b50d6c80a8903baa0063ca61da8e9b29c0138a6b926a6811843471113b22b267
Opcode Fuzzy Hash: 500317f6f711a44246c2fe8ba212c419d211859983bc11c8a6936c00eeb610cb
Instruction Fuzzy Hash: 32214D7231668087FB5A9F11E19939A77A4FB8CF08F481428D78A0FAA4DFBCD505CB11

Function 0000000140050F9C Relevance: 7.8, APIs: 5, Instructions: 268windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140050FD5
SendMessageA.USER32 ref: 0000000140050FF1
MessageBeep.USER32 ref: 0000000140051236
SendMessageA.USER32 ref: 0000000140051280
SendMessageA.USER32 ref: 0000000140051295

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 6201badc92d03996c19d047152bec0a03901d7462d60b61572d659f376179e3c
Instruction ID: 2c427a11f861876e687659309c75c6727b263fdc0dc504243a7b070ddfdaa0e9
Opcode Fuzzy Hash: 6201badc92d03996c19d047152bec0a03901d7462d60b61572d659f376179e3c
Instruction Fuzzy Hash: DBB17E76701A4186EB15DF3AC8507DD33A1EB89BE8F444226AB2E47BE9DF39C845C340

Function 00000001400A103C Relevance: 7.8, APIs: 5, Instructions: 260windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400A1136
CreateCompatibleDC.GDI32 ref: 00000001400A1150
CreateCompatibleBitmap.GDI32 ref: 00000001400A118A
SelectObject.GDI32 ref: 00000001400A11F2
DeleteObject.GDI32 ref: 00000001400A136F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CompatibleCreateHashObject$BitmapDeleteImplImpl::Select
String ID:
API String ID: 352266559-0
Opcode ID: 3282c8a9a342d4d19957f356b06d07c82f3195bd9054309f47b3259bfd13cb16
Instruction ID: 9ca96070ad8c682213cfe26f79fad71ec1e91db5a106f9c33fabd00fa555c346
Opcode Fuzzy Hash: 3282c8a9a342d4d19957f356b06d07c82f3195bd9054309f47b3259bfd13cb16
Instruction Fuzzy Hash: 8FB15C72B01A508EEB15CFB6E4503ED37F5F798B98F10462AAF09A7BA8DA74C445C740

Function 0000000140118F34 Relevance: 7.7, APIs: 5, Instructions: 235COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140118FE8
InflateRect.USER32 ref: 0000000140119058
InflateRect.USER32 ref: 0000000140119082
InflateRect.USER32 ref: 0000000140119130
InflateRect.USER32 ref: 000000014011918D

Part of subcall function 0000000140010898: MoveToEx.GDI32 ref: 00000001400108D1
Part of subcall function 0000000140010898: MoveToEx.GDI32 ref: 00000001400108E8

Part of subcall function 0000000140010848: MoveToEx.GDI32 ref: 0000000140010871

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: InflateRect$Move$ObjectSelect
String ID:
API String ID: 3947384530-0
Opcode ID: 6387754c9d04cfd5d44531a76b4947480dc9bb76554f94165e7f480015eeb16c
Instruction ID: ff36acbf1722797a7c603aac273271386054e92ceef73ca308336dec3805eb64
Opcode Fuzzy Hash: 6387754c9d04cfd5d44531a76b4947480dc9bb76554f94165e7f480015eeb16c
Instruction Fuzzy Hash: C2B14933B10A918AE701CFBAC8446DD77B0F789B98F548216EF4967B68DF34A585CB40

Function 000000014014082C Relevance: 7.7, APIs: 5, Instructions: 209windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001401408B5
SendMessageA.USER32 ref: 00000001401408D3
InflateRect.USER32 ref: 0000000140140915
GetSysColor.USER32 ref: 000000014014092D
GetSysColor.USER32 ref: 0000000140140944

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ColorRect$ClientInflateMessageSend
String ID:
API String ID: 1205032120-0
Opcode ID: 39f9ce9c5ab8e507cebfb5c8c662030d85478e17ebebceb6840b86dd79506212
Instruction ID: a61af6a62a16f2c95199589d9ecea9da74efd8d4aa9bd06ab23fb81e2ca7d454
Opcode Fuzzy Hash: 39f9ce9c5ab8e507cebfb5c8c662030d85478e17ebebceb6840b86dd79506212
Instruction Fuzzy Hash: EDA14932624B848AE751CF7AD8447ED73B0F789B88F145226EF8957AA8DF38D544CB00

Function 00000001400F03F4 Relevance: 7.7, APIs: 5, Instructions: 175windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400F0492
SendMessageA.USER32 ref: 00000001400F05B3
IsWindow.USER32 ref: 00000001400F05BC
ScreenToClient.USER32 ref: 00000001400F0626

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientCursorMessageScreenSendWindow
String ID:
API String ID: 349605733-0
Opcode ID: a900042a59854e25450bc35fab0bfce4235478b89012159f270d900607a8d148
Instruction ID: 1f028cb54e2554757e4b228f8cd79d42639c41ab77aa142942bc4a662d5dea8d
Opcode Fuzzy Hash: a900042a59854e25450bc35fab0bfce4235478b89012159f270d900607a8d148
Instruction Fuzzy Hash: ED718972710A4186EB16CB66D8643ED37A0FB8CBE8F44812AEF0A57BA4DF79C545C700

Function 000000014011101C Relevance: 7.7, APIs: 5, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140061894: SetRectEmpty.USER32 ref: 0000000140061976
Part of subcall function 0000000140061894: SetRectEmpty.USER32 ref: 00000001400619A0

Part of subcall function 00000001400654CC: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400654F5

SetRectEmpty.USER32 ref: 000000014011127F
SetRectEmpty.USER32 ref: 0000000140111288
SetRectEmpty.USER32 ref: 0000000140111291
SetRectEmpty.USER32 ref: 000000014011129A
SetRectEmpty.USER32 ref: 00000001401112BF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EmptyRect$Hash$ImplImpl::
String ID:
API String ID: 4196698580-0
Opcode ID: 09452e578f72deff187b3d5949e2361bef72a5551cae2a1ec18e61c3810e4838
Instruction ID: e51f6813746875d5683bbbb9b9e328a6ea8f7b5e05f85ed1bb149dc7341ef8bf
Opcode Fuzzy Hash: 09452e578f72deff187b3d5949e2361bef72a5551cae2a1ec18e61c3810e4838
Instruction Fuzzy Hash: D5718E76201B858BEB2DDF26F85439EB3A5FB88B80F504519DBAA473A1DF38D460C740

Function 00000001400C12EC Relevance: 7.7, APIs: 5, Instructions: 175COMMON

Download Yara Rule

APIs

IntersectRect.USER32 ref: 00000001400C13DD
IsRectEmpty.USER32 ref: 00000001400C13E6
CreateRectRgnIndirect.GDI32 ref: 00000001400C1415
IsRectEmpty.USER32 ref: 00000001400C1436

Part of subcall function 0000000140156144: DrawThemeBackground.UXTHEME ref: 000000014015617E
Part of subcall function 0000000140156144: IsRectEmpty.USER32 ref: 0000000140156187
Part of subcall function 0000000140156144: InflateRect.USER32 ref: 000000014015619A
Part of subcall function 0000000140156144: DrawThemeBackground.UXTHEME ref: 00000001401561C3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$BackgroundDrawTheme$CreateIndirectInflateIntersect
String ID:
API String ID: 3293656562-0
Opcode ID: 2e4e512f836c65787e77c0f5df4c08f4e0e5bf40b57b8ce1ede03d456b96cfac
Instruction ID: 7d40ebabebc21bbc79bf9dc89a93028b7a9216c3c717c96fa38bd8582ca4ff00
Opcode Fuzzy Hash: 2e4e512f836c65787e77c0f5df4c08f4e0e5bf40b57b8ce1ede03d456b96cfac
Instruction Fuzzy Hash: CA819A73B04A908AE311CF7AE4447EC73B1F799B98F008215EF9963AA5EB34C245C380

Function 0000000140165254 Relevance: 7.7, APIs: 5, Instructions: 167windowCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014005C57C: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
Part of subcall function 000000014005C57C: GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

IsRectEmpty.USER32 ref: 00000001401652DD
CreateRectRgnIndirect.GDI32 ref: 00000001401652EC

Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C5C
Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C77

SendMessageA.USER32 ref: 0000000140165321
GetClientRect.USER32 ref: 000000014016536E
InflateRect.USER32 ref: 0000000140165389

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientClipHashSelect$CreateEmptyImplImpl::IndirectInflateMessageSend
String ID:
API String ID: 1936899919-0
Opcode ID: da166bbb941fd2234afa5497a62e661ff3bbdc68a499bd6d11383985c59360c7
Instruction ID: de542b1425f54d71c6d6cd97c2f597dd2f3031e7898ea828248c2efedd8ae0ee
Opcode Fuzzy Hash: da166bbb941fd2234afa5497a62e661ff3bbdc68a499bd6d11383985c59360c7
Instruction Fuzzy Hash: 99716B36614F8482EB01DB66E8547EEA3B0F789BC8F505216EF8A57BA5EF78C145C700

Function 000000014012460C Relevance: 7.7, APIs: 5, Instructions: 166COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401246DD
IsRectEmpty.USER32 ref: 00000001401246FC
GetParent.USER32 ref: 0000000140124716
GetClientRect.USER32 ref: 000000014012472C
SetRectEmpty.USER32 ref: 000000014012473E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$ClientParent
String ID:
API String ID: 4012213158-0
Opcode ID: a38c2228907b3a68814c9b1ac14b947ad483c9362f6e3b31f723acbacb76cd24
Instruction ID: 923dc83cd166ed7979a002b7b348c7e949ef18735f847966c3e37b8b02b1f41c
Opcode Fuzzy Hash: a38c2228907b3a68814c9b1ac14b947ad483c9362f6e3b31f723acbacb76cd24
Instruction Fuzzy Hash: B8616C72B10A508AEB11DF7AD8917EC3BB0B789F98F045529DF1A6BA68DF34D441CB00

Function 00000001401511F8 Relevance: 7.6, APIs: 5, Instructions: 147COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 000000014015123C
InflateRect.USER32 ref: 000000014015124C
InflateRect.USER32 ref: 00000001401512E0
InflateRect.USER32 ref: 000000014015138D
FillRect.USER32 ref: 00000001401513AA

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Inflate$ConditionFillMask$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 3817743921-0
Opcode ID: aee708701ed6255b84e59542e4e3c29757e7115c7b30d7123390e5b13d43ec0e
Instruction ID: 9671297e393bf9f209e7078549d2663fc962b139f2164f4d9cfc009cb5c41445
Opcode Fuzzy Hash: aee708701ed6255b84e59542e4e3c29757e7115c7b30d7123390e5b13d43ec0e
Instruction Fuzzy Hash: A951AC32610A5486EB52CF26D864BE963A1F7CDFA8F588211DF0A4BBB4DF79C845C700

Function 0000000140044B94 Relevance: 7.6, APIs: 5, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

SysAllocString.OLEAUT32 ref: 0000000140044C1B
SysAllocString.OLEAUT32 ref: 0000000140044C5D
SysAllocString.OLEAUT32 ref: 0000000140044CCC
SysAllocString.OLEAUT32 ref: 0000000140044D14
SysAllocString.OLEAUT32 ref: 0000000140044D69

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: AllocString
String ID:
API String ID: 2525500382-0
Opcode ID: cf210e106cd76d048f233b35dd113651efc9bc37591d32fc1d2d8f768727a943
Instruction ID: 9d4787d52f7dcb86fa14c0fec3ee2d5cd7856373e7d4dbb96239469852e600ed
Opcode Fuzzy Hash: cf210e106cd76d048f233b35dd113651efc9bc37591d32fc1d2d8f768727a943
Instruction Fuzzy Hash: A9613AB6601A8082E755DF2AD48139D73E1F788BE4F458221EB2D877E4DF78C895C740

Function 000000014004CDF0 Relevance: 7.6, APIs: 5, Instructions: 136windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014004CE01
SendMessageA.USER32 ref: 000000014004CE29
SendMessageA.USER32 ref: 000000014004CE42
SendMessageA.USER32 ref: 000000014004CE6D
SendMessageA.USER32 ref: 000000014004CE86

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: 4205741a8edd491d53eebb90dd69964abaefe4a0cf852ec83b65cfb6238b8ce6
Instruction ID: 1fb06c2453bd0daf499cdb531673600b4b9c11023587d06ddc58fc7433989bf8
Opcode Fuzzy Hash: 4205741a8edd491d53eebb90dd69964abaefe4a0cf852ec83b65cfb6238b8ce6
Instruction Fuzzy Hash: 5051B176710A4082EB559B6BE4907AE63A1EBC9FE4F514326EF2947BF5DF38C8418304

Function 0000000140161464 Relevance: 7.6, APIs: 5, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 0000000140063B84: GetCursorPos.USER32 ref: 0000000140063BC0
Part of subcall function 0000000140063B84: OffsetRect.USER32 ref: 0000000140063BF5
Part of subcall function 0000000140063B84: RedrawWindow.USER32 ref: 0000000140063C37

TrackMouseEvent.USER32 ref: 00000001401614FB
InvalidateRect.USER32 ref: 0000000140161574
InvalidateRect.USER32 ref: 00000001401615DE
UpdateWindow.USER32 ref: 00000001401615FC
RedrawWindow.USER32 ref: 000000014016163D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectWindow$InvalidateRedraw$CursorEventMouseOffsetTrackUpdate
String ID:
API String ID: 359670716-0
Opcode ID: 1d18c3fc80710267517d678e0b4e464576381168a586ba96ba37f95ebf3da653
Instruction ID: 8c07382daf70b503c36dd572347dbbb278ee87323b0d0dc8dac621d8572032b8
Opcode Fuzzy Hash: 1d18c3fc80710267517d678e0b4e464576381168a586ba96ba37f95ebf3da653
Instruction Fuzzy Hash: 0451E5B6A10A948AEB518F26C8803ED27B0F789F99F489535DF0E17768DF34C585CB14

Function 0000000140168720 Relevance: 7.6, APIs: 5, Instructions: 129COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001401687A1

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

SetRectEmpty.USER32 ref: 0000000140168801

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientEmptyRectScreen
String ID:
API String ID: 3814305177-0
Opcode ID: 080e8c435b68b368db12d98e125b1ed88f98a57bbc424665509508e73de2e7c2
Instruction ID: 4c38e94419671c86bd2f57e815ff56c87868f62f402a6d85f28d21cf1a5157d8
Opcode Fuzzy Hash: 080e8c435b68b368db12d98e125b1ed88f98a57bbc424665509508e73de2e7c2
Instruction Fuzzy Hash: 55512832B04A508AFB11DBBAD8907EC33B1A748B88F514625DF0D67A69EF34D955C780

Function 00000001400846C4 Relevance: 7.6, APIs: 5, Instructions: 127COMMON

Download Yara Rule

APIs

CallNextHookEx.USER32 ref: 00000001400846E4

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Part of subcall function 00000001400B7938: GetKeyboardState.USER32 ref: 00000001400B7963
Part of subcall function 00000001400B7938: GetKeyboardLayout.USER32 ref: 00000001400B797C
Part of subcall function 00000001400B7938: MapVirtualKeyA.USER32 ref: 00000001400B7989
Part of subcall function 00000001400B7938: ToAsciiEx.USER32 ref: 00000001400B79A6

WindowFromPoint.USER32 ref: 0000000140084708
ScreenToClient.USER32 ref: 000000014008473E
GetParent.USER32 ref: 00000001400847B1
UpdateWindow.USER32 ref: 0000000140084818

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: KeyboardWindow$AsciiCallClientExceptionFromHookLayoutNextParentPointScreenStateThrowUpdateVirtual
String ID:
API String ID: 3488867240-0
Opcode ID: c15f93272a27c68edad4a6a1612b127cfacf21c2eaf72dc12ca73b7786ddaa71
Instruction ID: 2ae3e1ade39ca8862cb88713347e1a34e9d1cfd5c0ce1882d244eac6f2b89c36
Opcode Fuzzy Hash: c15f93272a27c68edad4a6a1612b127cfacf21c2eaf72dc12ca73b7786ddaa71
Instruction Fuzzy Hash: DF513D76604B8082EB16DB5BE8947E967A1FB8DBC0F24842AFB0D477B6DF79C5418700

Function 00000001400F9074 Relevance: 7.6, APIs: 5, Instructions: 124windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400F90E9
SendMessageA.USER32 ref: 00000001400F9102
SendMessageA.USER32 ref: 00000001400F914A
SendMessageA.USER32 ref: 00000001400F91F7
SendMessageA.USER32 ref: 00000001400F920F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2a2e2c8808b29e57081a27f14c43ce0e5c5160a46eec7eb9aee26f350e12ea6e
Instruction ID: 21aac9cfccfeebd7ddf8a0289c9f4287faacd7e6e4fe46d837a0a47182b35fdb
Opcode Fuzzy Hash: 2a2e2c8808b29e57081a27f14c43ce0e5c5160a46eec7eb9aee26f350e12ea6e
Instruction Fuzzy Hash: 7E51CF36300A4182EB55DB6AD8A47E97361F789FD4F544125EB1A47BF1DF78C845C340

Function 0000000140058C30 Relevance: 7.6, APIs: 5, Instructions: 121windowmemoryCOMMON

Download Yara Rule

APIs

SHGetDesktopFolder.SHELL32 ref: 0000000140058C7E
GlobalAlloc.KERNEL32 ref: 0000000140058C97
SHGetSpecialFolderLocation.SHELL32 ref: 0000000140058C69

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

SendMessageA.USER32 ref: 0000000140058D9B
SendMessageA.USER32 ref: 0000000140058DB3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FolderMessageSend$AllocDesktopExceptionGlobalLocationSpecialThrow
String ID:
API String ID: 748411832-0
Opcode ID: af000853e20f5dfac4e3fa14ac4f9b97f0189c24c6814ad90d210a3672e7c5c5
Instruction ID: 7cf150dabb6d0ccbe2b66e6b472719bf470348e4b290a530d5bfa98524b25f06
Opcode Fuzzy Hash: af000853e20f5dfac4e3fa14ac4f9b97f0189c24c6814ad90d210a3672e7c5c5
Instruction Fuzzy Hash: 3F515876701A408AE715CF7AD8957EC23B1FB48BA8F008625EF2A57BE9DF35C5948340

Function 000000014014474C Relevance: 7.6, APIs: 5, Instructions: 120windowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 0000000140144784
GetCursorPos.USER32 ref: 0000000140144794

Part of subcall function 0000000140102538: IsRectEmpty.USER32 ref: 0000000140102551

PtInRect.USER32 ref: 00000001401447E4
PostMessageA.USER32 ref: 0000000140144878
PtInRect.USER32 ref: 00000001401448C3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$CursorEmptyMessagePostWindow
String ID:
API String ID: 1800939087-0
Opcode ID: 9e94b904b8dddab969e8c3e27fdc21cd9d1affc3ce3a6142e111dcf92ea82aa7
Instruction ID: 9b064fb671d5ed3ad1ef1f2271a96cf13f8e134aaa1eef514498870c05b06758
Opcode Fuzzy Hash: 9e94b904b8dddab969e8c3e27fdc21cd9d1affc3ce3a6142e111dcf92ea82aa7
Instruction Fuzzy Hash: D5518A32B106828BEB16CBB6D5843ED63B0F74CB88F154536DB4A97AB9DB34D4918740

Function 00000001400AC0B0 Relevance: 7.6, APIs: 5, Instructions: 109keyboardCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,00000000,?,00000001400A8903), ref: 00000001400AC0F7
GetSystemMetrics.USER32 ref: 00000001400AC102
GetSystemMetrics.USER32 ref: 00000001400AC10F
GetKeyState.USER32 ref: 00000001400AC13B
InflateRect.USER32 ref: 00000001400AC175

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MetricsRectSystem$InflateStateWindow
String ID:
API String ID: 1515687257-0
Opcode ID: 2b5f41a5e012e64d44b9a5094076c930134a9058869f6dfcd0afccc4dc08ecbb
Instruction ID: 9f893b3fada5d662ea5c4a8b9418f8cf34baea7be2049ba9e994097b778d5a71
Opcode Fuzzy Hash: 2b5f41a5e012e64d44b9a5094076c930134a9058869f6dfcd0afccc4dc08ecbb
Instruction Fuzzy Hash: 1B41DD727206408AFF168B67D844BE972A0F39DBC4F554626EF1B57BA5DB38C881CB00

Function 00000001401583F8 Relevance: 7.6, APIs: 5, Instructions: 104COMMON

Download Yara Rule

APIs

FillRect.USER32 ref: 00000001401584BA

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

GetParent.USER32 ref: 00000001401584F2
GetClientRect.USER32 ref: 0000000140158508
GetParent.USER32 ref: 0000000140158512
MapWindowPoints.USER32 ref: 0000000140158532

Part of subcall function 000000014015141C: FillRect.USER32 ref: 00000001401514FC

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ConditionFillMaskParent$ClientInfoMetricsPointsSystemVerifyVersionWindow
String ID:
API String ID: 2091702480-0
Opcode ID: 8aada0df580945041fe246db96c05cce877e7bc9a6fdf8a954c6e3375c14ed85
Instruction ID: ce663a88422d57f52a47c67802b1eb107350e5ae5644295e1eefcfb1234c82ff
Opcode Fuzzy Hash: 8aada0df580945041fe246db96c05cce877e7bc9a6fdf8a954c6e3375c14ed85
Instruction Fuzzy Hash: 89413932620A658AFB16DB63DC457EC33A4B78CF98F044622DF0A6B6B4EB75C545C740

Function 000000014004C5D0 Relevance: 7.6, APIs: 5, Instructions: 102COMMON

Download Yara Rule

APIs

Part of subcall function 000000014000F7F4: GetWindowDC.USER32(?,?,?,?,?,000000014005E114), ref: 000000014000F833

GetWindowRect.USER32 ref: 000000014004C633
GetClientRect.USER32 ref: 000000014004C666

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

OffsetRect.USER32 ref: 000000014004C68A
OffsetRect.USER32 ref: 000000014004C6C0
CreateRectRgnIndirect.GDI32 ref: 000000014004C6DA

Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C5C
Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C77

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

Part of subcall function 000000014000F910: ReleaseDC.USER32 ref: 000000014000F939

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientRect$Screen$ClipOffsetSelectWindow$CreateIndirectRelease
String ID:
API String ID: 1821481394-0
Opcode ID: af329ba80a06732795bc08cf6e8e9a5ea05fcbd50cb436fb9d29d82436771518
Instruction ID: 2f9639f04b3ca0138b6bb4e651a7f9e70051d28a9923d9408c59df8b35f933fe
Opcode Fuzzy Hash: af329ba80a06732795bc08cf6e8e9a5ea05fcbd50cb436fb9d29d82436771518
Instruction Fuzzy Hash: 7D515733B00A809AE715DF76D5847EC33B1F798B88F408212EB5967AA9EF34D665C740

Function 0000000140080488 Relevance: 7.6, APIs: 5, Instructions: 92COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400804BD
ScreenToClient.USER32 ref: 00000001400804EC
ScreenToClient.USER32 ref: 000000014008054A
PtInRect.USER32 ref: 000000014008057A
SetCursor.USER32 ref: 00000001400805E3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientCursorScreen$Rect
String ID:
API String ID: 1082406499-0
Opcode ID: 8cc6fa2f49ce395e2c4438767a5626a68cf7dc8aa26fcd7cb25c671d6b78ba22
Instruction ID: 8a30683682ee77cf32c3fbcf77e3047f59c6aba1e00ac3d1a2b507810b0fcde9
Opcode Fuzzy Hash: 8cc6fa2f49ce395e2c4438767a5626a68cf7dc8aa26fcd7cb25c671d6b78ba22
Instruction Fuzzy Hash: D6412632710A108AFB56DB66E8947ED33B0F74CB98F40442AEB0A876B5CF78D555CB60

Function 000000014005CE30 Relevance: 7.6, APIs: 5, Instructions: 90windowCOMMON

Download Yara Rule

APIs

CreateRectRgnIndirect.GDI32 ref: 000000014005CE74

Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C5C
Part of subcall function 0000000140010C2C: SelectClipRgn.GDI32 ref: 0000000140010C77

GetParent.USER32 ref: 000000014005CE96
DrawThemeParentBackground.UXTHEME ref: 000000014005CEBA
MapWindowPoints.USER32 ref: 000000014005CEEA
SendMessageA.USER32 ref: 000000014005CF1A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClipParentSelect$BackgroundCreateDrawIndirectMessagePointsRectSendThemeWindow
String ID:
API String ID: 776726685-0
Opcode ID: 766c8ea92ba1b4ff65a32b7fce4c20680599b418f225cd4217b2feac539f5dbd
Instruction ID: b5ad476c3e7c7cee78b5248b0bfea3d8f5009bc3da9ae929d9963ac63b238534
Opcode Fuzzy Hash: 766c8ea92ba1b4ff65a32b7fce4c20680599b418f225cd4217b2feac539f5dbd
Instruction Fuzzy Hash: C4315836711A5096EB01DF63E981BE83764F788BE4F444522EF1A5BBA8CF31C842C380

Function 000000014014C2F0 Relevance: 7.6, APIs: 5, Instructions: 84COMMON

Download Yara Rule

APIs

Part of subcall function 000000014014B0DC: GetParent.USER32 ref: 000000014014B0E4
Part of subcall function 000000014014B0DC: GetParent.USER32 ref: 000000014014B0ED

GetWindowLongA.USER32 ref: 000000014014C362
RedrawWindow.USER32(?,?,?,?,?,?,?,000000014014B790), ref: 000000014014C3AF
SetWindowLongA.USER32(?,?,?,?,?,?,?,000000014014B790), ref: 000000014014C3C4
SetWindowPos.USER32 ref: 000000014014C3EB
GetClientRect.USER32 ref: 000000014014C400

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$LongParent$ClientRectRedraw
String ID:
API String ID: 556606033-0
Opcode ID: 397c607618acfd39c1e9322ce520092df7925e47856d58cc9964f4b99ed8dbe7
Instruction ID: 6ef36dd66c9bab86892d46333446fe3036203309a56966c7d9d08fe998e4370f
Opcode Fuzzy Hash: 397c607618acfd39c1e9322ce520092df7925e47856d58cc9964f4b99ed8dbe7
Instruction Fuzzy Hash: B6316D36324B8086FBA29F2798547E963A1B78CF94F098535DF0A4B7B5DF78C5418704

Function 0000000140080894 Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00000001400838C0: GetWindowRect.USER32 ref: 000000014008392B
Part of subcall function 00000001400838C0: CreateRoundRectRgn.GDI32 ref: 0000000140083967
Part of subcall function 00000001400838C0: SetWindowRgn.USER32 ref: 0000000140083984

GetSystemMenu.USER32 ref: 000000014008092F
DeleteMenu.USER32 ref: 0000000140080951
DeleteMenu.USER32 ref: 0000000140080963
DeleteMenu.USER32 ref: 0000000140080975
EnableMenuItem.USER32 ref: 0000000140080998

Part of subcall function 000000014007D724: SetRectEmpty.USER32 ref: 000000014007D755
Part of subcall function 000000014007D724: ReleaseCapture.USER32 ref: 000000014007D75B
Part of subcall function 000000014007D724: SetCapture.USER32 ref: 000000014007D771
Part of subcall function 000000014007D724: GetCapture.USER32 ref: 000000014007D7B6
Part of subcall function 000000014007D724: ReleaseCapture.USER32 ref: 000000014007D7C9
Part of subcall function 000000014007D724: SetCapture.USER32 ref: 000000014007D7DF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CaptureMenu$DeleteRect$ReleaseWindow$CreateEmptyEnableItemRoundSystem
String ID:
API String ID: 2896308491-0
Opcode ID: 1119c9234f9db61fbcc30bd0bf5a2b9821c473ce917a6b128b998cb53dff9677
Instruction ID: c31056ce87e504705644a515ea8933d950ddfe41b2869efa33083bfcb8ee3f57
Opcode Fuzzy Hash: 1119c9234f9db61fbcc30bd0bf5a2b9821c473ce917a6b128b998cb53dff9677
Instruction Fuzzy Hash: F431C136710A8182EBA2DB27D4547A967A0FBCDFC0F489426EF4A07B65DE38C981C750

Function 000000014015141C Relevance: 7.6, APIs: 5, Instructions: 72COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014015147E
GetClientRect.USER32 ref: 0000000140151494
GetParent.USER32 ref: 000000014015149E
MapWindowPoints.USER32 ref: 00000001401514BE
FillRect.USER32 ref: 00000001401514FC

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ParentRect$ClientFillPointsWindow
String ID:
API String ID: 3058756167-0
Opcode ID: 1703b95670ddfc70daf73c1c6f8ac28053b1fb455279920f1f6c91d0014aaf18
Instruction ID: 88d2037fc7924afa25e8eb781c2d2bb2f0b80968fa2394d74dad45c52c123cee
Opcode Fuzzy Hash: 1703b95670ddfc70daf73c1c6f8ac28053b1fb455279920f1f6c91d0014aaf18
Instruction Fuzzy Hash: 3B310632610A658AFB16DB66E8957EC27B0BB8CF98F044122DF0A5B6A4EF35C546C740

Function 0000000140050E88 Relevance: 7.6, APIs: 5, Instructions: 70windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140050EB6
SendMessageA.USER32 ref: 0000000140050EEF
SendMessageA.USER32 ref: 0000000140050F1F
SendMessageA.USER32 ref: 0000000140050F6E
SendMessageA.USER32 ref: 0000000140050F83

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 58f4a02ad2df39c94a0c06e1a4fa04b857d2eb4b160b0c832edc9d01797ced8e
Instruction ID: 4b3cc52de611d366865443305cb20996b0dfe679d97734e896bc4d261e6e08f7
Opcode Fuzzy Hash: 58f4a02ad2df39c94a0c06e1a4fa04b857d2eb4b160b0c832edc9d01797ced8e
Instruction Fuzzy Hash: C9314C76300B919AEB21CFA2E844BDC3761F788B9DF445522EB194BF98CB79C945C780

Function 00000001400A8A74 Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400A8AA0
ScreenToClient.USER32 ref: 00000001400A8AAF
PtInRect.USER32 ref: 00000001400A8AC1
LoadCursorA.USER32 ref: 00000001400A8B0D
SetCursor.USER32 ref: 00000001400A8B53

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Cursor$ConditionMask$ClientInfoLoadMetricsRectScreenSystemVerifyVersion
String ID:
API String ID: 506465941-0
Opcode ID: 927e10f155abe3e9c3634a5514d3fa0b48d6cf9bf23f35bf3b3e339ad245d597
Instruction ID: 7969f31dee424e3ed63e98e014d044dce3cad0a0914ba2473689045c7f4aab87
Opcode Fuzzy Hash: 927e10f155abe3e9c3634a5514d3fa0b48d6cf9bf23f35bf3b3e339ad245d597
Instruction Fuzzy Hash: 5F311631220A6086EB529B17E8547D977A4FB9DFD4F084526AB0A877B1DF78C941CB40

Function 0000000140041048 Relevance: 7.6, APIs: 5, Instructions: 61windowCOMMON

Download Yara Rule

APIs

GlobalGetAtomNameA.KERNEL32 ref: 00000001400410CF
GlobalAddAtomA.KERNEL32 ref: 00000001400410DA
GlobalGetAtomNameA.KERNEL32 ref: 00000001400410EF
GlobalAddAtomA.KERNEL32 ref: 00000001400410FA
SendMessageA.USER32 ref: 0000000140041123

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: AtomGlobal$Name$MessageSend
String ID:
API String ID: 1515195355-0
Opcode ID: 546a292d1409f17a7b3c182fffeb088927d1554ed3de14037c28aedaa08d6013
Instruction ID: 5e410b6e8869b2d5aca38eb48909b6274f5c4e43c167cc1c4b462150f72b1939
Opcode Fuzzy Hash: 546a292d1409f17a7b3c182fffeb088927d1554ed3de14037c28aedaa08d6013
Instruction Fuzzy Hash: FD219A32211AA482FB629F16F4547E963B1F78CF84F4A4032EF480B674DB38CA46C740

Function 0040E650 Relevance: 7.6, APIs: 5, Instructions: 56COMMON

Download Yara Rule

APIs

_set_statfp.LIBCMT ref: 0040E677
_set_statfp.LIBCMT ref: 0040E692
_set_statfp.LIBCMT ref: 0040E6AE
_set_statfp.LIBCMT ref: 0040E6EA

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _set_statfp
String ID:
API String ID: 1156100317-0
Opcode ID: 858cc68c38e69dceb8269c686c70b1b9d13bf478a1312c8084512ba032045dc1
Instruction ID: 202097ed13d4a9c000065c98f7d1e501f247fc6cf8370336df65c6dd40fbcff1
Opcode Fuzzy Hash: 858cc68c38e69dceb8269c686c70b1b9d13bf478a1312c8084512ba032045dc1
Instruction Fuzzy Hash: 53014C72A0560042F62C112BF59232621016B763B4FC94E3AEA7677BD7CA3DC465820D

Function 00000001400D0AA8 Relevance: 7.6, APIs: 5, Instructions: 51COMMON

Download Yara Rule

APIs

SetCapture.USER32 ref: 00000001400D0AC9
GetCursorPos.USER32 ref: 00000001400D0B07
LoadCursorA.USER32 ref: 00000001400D0B39
SetCursor.USER32 ref: 00000001400D0B42
GetCursorPos.USER32 ref: 00000001400D0B4F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Cursor$CaptureLoad
String ID:
API String ID: 1460996051-0
Opcode ID: 159335eec6704a5c12eee9d6e35a0aa40d2bc2e8321c838af4466b9ba68ebcbd
Instruction ID: d680749238455864db47338b8535e5b874344956ca44bbe9f2da2cab3e7a4aa7
Opcode Fuzzy Hash: 159335eec6704a5c12eee9d6e35a0aa40d2bc2e8321c838af4466b9ba68ebcbd
Instruction Fuzzy Hash: EC21DD35604A8581EF469F66E4983ED23A0FB99FC9F588035EB4E4B3B6DF39C5468310

Function 0000000140024668 Relevance: 7.5, APIs: 5, Instructions: 41windowCOMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 0000000140024682
SendMessageA.USER32 ref: 00000001400246A5
ClientToScreen.USER32 ref: 00000001400246B6
GetWindowLongA.USER32 ref: 00000001400246C4
GetParent.USER32 ref: 00000001400246D3

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientScreen$LongMessageParentSendWindow
String ID:
API String ID: 4240056119-0
Opcode ID: 260d0dc07bdc63e946010c716fbf04969a552b68f2b540d6c7fec75ce4b4b09e
Instruction ID: e0c7bc0dbb15dd733f6d74535f21822486bac28c0d2573732cd99ed7ffdeac7d
Opcode Fuzzy Hash: 260d0dc07bdc63e946010c716fbf04969a552b68f2b540d6c7fec75ce4b4b09e
Instruction Fuzzy Hash: 15014435314A8082FB458B6BAAD437A62E2EB8DFE0F449524FE5647BB8DF7CC4458700

Function 0000000140148EE8 Relevance: 7.5, APIs: 5, Instructions: 41COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140148F06
GlobalLock.KERNEL32 ref: 0000000140148F17
CreateDCA.GDI32 ref: 0000000140148F3E
GlobalUnlock.KERNEL32 ref: 0000000140148F4A
GlobalUnlock.KERNEL32 ref: 0000000140148F58

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$LockUnlock$Create
String ID:
API String ID: 2536725124-0
Opcode ID: 1fe70cb051fa946b1be5079fbdff700b86f9a225dd7ff5cb4ebf51e2dd20bae8
Instruction ID: c996f38fc62bda3ace275ba43e78bccd71a65727e53ca562d8c76914e7170c9c
Opcode Fuzzy Hash: 1fe70cb051fa946b1be5079fbdff700b86f9a225dd7ff5cb4ebf51e2dd20bae8
Instruction Fuzzy Hash: A9012131705A9182EA5A9B57AA543B9A2E2AB4DFC1F084430AF4607B78EF38C4558710

Function 0000000140048C74 Relevance: 7.5, APIs: 5, Instructions: 37COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 0000000140048CAB
GetCursorPos.USER32 ref: 0000000140048CC0
ScreenToClient.USER32 ref: 0000000140048CCF
PtInRect.USER32 ref: 0000000140048CDF
SetCursor.USER32 ref: 0000000140048CF0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientCursorRect$Screen
String ID:
API String ID: 1023402310-0
Opcode ID: 80e2d01cdd1375b8d3ee840e9e42ed8ceb1e5910208549f20cbadb9d2eac1fd6
Instruction ID: 888e3661d6fc25a7d86dd6a7dded5e0ba5c8038948fe56a294a6ea38182184d9
Opcode Fuzzy Hash: 80e2d01cdd1375b8d3ee840e9e42ed8ceb1e5910208549f20cbadb9d2eac1fd6
Instruction Fuzzy Hash: 26113932214A4482EB629F12E4953AA77B0F78CB99F040521EB8E4B6B8DF7CC645CB04

Function 000000014004C438 Relevance: 7.5, APIs: 5, Instructions: 36COMMON

Download Yara Rule

APIs

PtInRect.USER32 ref: 000000014004C454
RedrawWindow.USER32 ref: 000000014004C477
PtInRect.USER32 ref: 000000014004C492
ReleaseCapture.USER32 ref: 000000014004C4A2
RedrawWindow.USER32 ref: 000000014004C4B7

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectRedrawWindow$CaptureRelease
String ID:
API String ID: 1080614547-0
Opcode ID: 533066ff917525ea24b8eae20450df4bcee678d187447748bd8f40d84352e16c
Instruction ID: 9596c728aba896a70a7b5cac42bfbd0ebbea3f507a18a74110866a0e733ec5dc
Opcode Fuzzy Hash: 533066ff917525ea24b8eae20450df4bcee678d187447748bd8f40d84352e16c
Instruction Fuzzy Hash: 93018F76A11641C2FB668F37D568FB826B1E798F85F088430DF020B6B4EF3AC4459704

Function 0000000140128508 Relevance: 7.5, APIs: 5, Instructions: 30windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140128526
EnableMenuItem.USER32 ref: 0000000140128538
EnableMenuItem.USER32 ref: 000000014012854A
EnableMenuItem.USER32 ref: 000000014012855C
EnableMenuItem.USER32 ref: 000000014012856E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EnableItemMenu
String ID:
API String ID: 1841910628-0
Opcode ID: 4fc6857faa428bb25dfd8f69a187776df76f2e0737d0f38118c1934e480d6e6b
Instruction ID: 96bc014de1ea77de1a991b72c44ed380d299c9669ec6c67c384f9e136a6c9679
Opcode Fuzzy Hash: 4fc6857faa428bb25dfd8f69a187776df76f2e0737d0f38118c1934e480d6e6b
Instruction Fuzzy Hash: 71F01235310E8087FB109B67E480669A271EBDEF94F549029AF494BB78CE79C882CB50

Function 0000000140008CA0 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

CoCreateGuid.OLE32 ref: 0000000140008DBA
SysFreeString.OLEAUT32 ref: 0000000140009047

Strings

RestartByRestartManager, xrefs: 0000000140008E9E, 0000000140008EAD
%08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X, xrefs: 0000000140008E49

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CreateFreeGuidString
String ID: %08lX-%04X-%04x-%02X%02X-%02X%02X%02X%02X%02X%02X$RestartByRestartManager
API String ID: 3088903017-5890034
Opcode ID: 35659d9c5d7a33e8488143cf711348ef50df83e4ba83b7185ee4ddc2a3865341
Instruction ID: 4b573f41d1f1a60cd16ae8cbf0c9440a8d2f1a32dac66a0a41ccd1ae7aabf82e
Opcode Fuzzy Hash: 35659d9c5d7a33e8488143cf711348ef50df83e4ba83b7185ee4ddc2a3865341
Instruction Fuzzy Hash: 27D1CEB2701A818AEB25DF26E4103ED63A1FB89BD8F444626EF5D47BA5EF38C450C740

Function 0000000140150E7C Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 239COMMON

Download Yara Rule

APIs

GetTextColor.GDI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0000000140150F64
GetBkColor.GDI32 ref: 000000014015114D
Rectangle.GDI32 ref: 000000014015116B

Strings

$, xrefs: 0000000140151061

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Color$RectangleText
String ID: $
API String ID: 3043262415-3993045852
Opcode ID: 4b4ff9a112647cb31ed75be150df2f976ff3f857b27b30e6919004bd7783ed8d
Instruction ID: 3390e1c8f219b53e5c15d52c8d340dfc09db8465eed03fb94eb55e515457a8c8
Opcode Fuzzy Hash: 4b4ff9a112647cb31ed75be150df2f976ff3f857b27b30e6919004bd7783ed8d
Instruction Fuzzy Hash: 32B17F32710A508BE726DFA6E484BDD33B5B78CB88F454216EF0A5BBA4CB75D845CB40

Function 0040339C Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 153COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo.LIBCMT ref: 004033C9
_invalid_parameter_noinfo.LIBCMT ref: 004035A5

Strings

*, xrefs: 004034CE
, xrefs: 00403523

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: _invalid_parameter_noinfo
String ID: $*
API String ID: 3215553584-3982473090
Opcode ID: c242011e9dde3f45eeaba66a3bc084c5d572bd73d451647bb940f6377aabfb92
Instruction ID: 2c6bf31ef643e7e249e72dc6d13582494a8084bf72f82e15d7ebbea183694a18
Opcode Fuzzy Hash: c242011e9dde3f45eeaba66a3bc084c5d572bd73d451647bb940f6377aabfb92
Instruction Fuzzy Hash: 5E51B472108650DAC7298F39849512E3F69F306F1EB18123BDB46763A8C73CCA82CB0D

Function 00000001401081A4 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 126COMMON

Download Yara Rule

APIs

OffsetRect.USER32 ref: 0000000140108246

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 000000014001039D
Part of subcall function 0000000140010384: ClientToScreen.USER32 ref: 00000001400103AE

Strings

group, xrefs: 00000001401082C6, 00000001401082DC
Open, xrefs: 0000000140108328, 000000014010833E
Close, xrefs: 0000000140108362, 000000014010836E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClientScreen$ExceptionOffsetRectThrow
String ID: Close$Open$group
API String ID: 1301811384-1548409829
Opcode ID: ffbf8e5c798d3bf5c8dd7a83f911720c698a45a08ebf0d787bce4386759fde00
Instruction ID: a61cfb2256915eebf8d775dd0fc0416b53cd455a9e8455d33e2a60d7d5343d9f
Opcode Fuzzy Hash: ffbf8e5c798d3bf5c8dd7a83f911720c698a45a08ebf0d787bce4386759fde00
Instruction Fuzzy Hash: D351DF72304A8186EB26DF27E5807E9B760F788F80F444125EF8947AB5EF78D591C740

Function 00000001401282D8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014012848A
ReleaseCapture.USER32 ref: 00000001401284DF
SetCapture.USER32 ref: 00000001401284EC

Strings

', xrefs: 000000014012834B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Capture$ParentRelease
String ID: '
API String ID: 149653543-1754440256
Opcode ID: 6ca664329ee3fe15c8043a737c7a91b3c3260a9063291a775b1469edb3450a09
Instruction ID: ac4ee5c5d4cfa41aefa4960c7ee9fc74fd77585afbb5f92cda0499a8fe4f0f4a
Opcode Fuzzy Hash: 6ca664329ee3fe15c8043a737c7a91b3c3260a9063291a775b1469edb3450a09
Instruction Fuzzy Hash: 04512872601F8681EB459F2AD8943E92361FB89FC8F585135EF0E9B7A9EF39C1458310

Function 000000014008009C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 0000000140080174
ScreenToClient.USER32 ref: 0000000140080183
SendMessageA.USER32 ref: 0000000140080237

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

Part of subcall function 0000000140192458: _onexit.LIBCMT ref: 000000014019245C

Part of subcall function 00000001401926AC: EnterCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926BC
Part of subcall function 00000001401926AC: LeaveCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926FC

Strings

@, xrefs: 00000001400801A9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CriticalSection$Enter$ClientCursorLeaveMessageScreenSend_onexit
String ID: @
API String ID: 3388613480-2766056989
Opcode ID: cf23ea55641dad5ceeaa38559011d791160b16cec5476b22b3cda6a759d94387
Instruction ID: 7eab887813dce70daffc65f3f81bfb74160905e56d62feecd4d2136e7ebe1d21
Opcode Fuzzy Hash: cf23ea55641dad5ceeaa38559011d791160b16cec5476b22b3cda6a759d94387
Instruction Fuzzy Hash: 92514B72214A8082EBA2DB16E8587D973A0F78CB94F400526EB5D477F5DFBDC954CB40

Function 0000000140120F90 Relevance: 6.5, APIs: 4, Instructions: 458windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32 ref: 0000000140121003
GetMenuItemID.USER32 ref: 0000000140121023

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

CharUpperBuffA.USER32 ref: 00000001401211BB
GetSubMenu.USER32 ref: 000000014012134F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Menu$Item$BuffCharCountExceptionThrowUpper
String ID:
API String ID: 2670402443-0
Opcode ID: 20c86d86ccc365d6d0659321ddad071f76d0404e2f0c6fd81650d9b4d20137f6
Instruction ID: 3e7c77cc1aaf8e1ef4380006aa548a801748e848dafd47a38f347d2f73941d62
Opcode Fuzzy Hash: 20c86d86ccc365d6d0659321ddad071f76d0404e2f0c6fd81650d9b4d20137f6
Instruction Fuzzy Hash: 851280B2705A8086EB15DB6AD8403DD63A1F7D9BA4F144219EB6E97BF9DF38C841C700

Function 00404540 Relevance: 6.4, Strings: 5, Instructions: 154COMMON

Download Yara Rule

Strings

", xrefs: 00404647
, xrefs: 004045FE
", xrefs: 00404639
\, xrefs: 00404634
", xrefs: 00404588

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID:
String ID: $"$"$"$\
API String ID: 0-3782655950
Opcode ID: 77a4becaf02a624d85ed2c32f3a1bc7e55b5959445e4005b1030223f1acea3cc
Instruction ID: cdff7cbe9bd4509453e3722d0da2162bb076043e7dea790414ea4205739b7933
Opcode Fuzzy Hash: 77a4becaf02a624d85ed2c32f3a1bc7e55b5959445e4005b1030223f1acea3cc
Instruction Fuzzy Hash: 264181E2504B8455E7264F24C61433A6FA1F796B98F1D4923CF91227C5FB3E8483C31A

Function 000000014014CE3C Relevance: 6.3, APIs: 4, Instructions: 291COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014014CF60
InflateRect.USER32 ref: 000000014014CF73
FillRect.USER32 ref: 000000014014D001
GetTextMetricsA.GDI32 ref: 000000014014D12D

Part of subcall function 000000014006E478: InflateRect.USER32 ref: 000000014006E54E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Inflate$FillMetricsText
String ID:
API String ID: 2822850320-0
Opcode ID: 71152634f2dd1857f04e8636072cf739dfdea7c641947448693c395c5c67b3fb
Instruction ID: e1de43652ce8dfb7e5dfd00cd0585a1da05d8c5b022023f31b3e6819ffabb1ae
Opcode Fuzzy Hash: 71152634f2dd1857f04e8636072cf739dfdea7c641947448693c395c5c67b3fb
Instruction Fuzzy Hash: D1C15872710A418AEB55CF6AD8447ED33A1F788BA8F055226EF1A57BA8DF78C449C700

Function 0000000140188E2C Relevance: 6.2, APIs: 4, Instructions: 226COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140189131
SetRectEmpty.USER32 ref: 000000014018915F
SetRectEmpty.USER32 ref: 000000014018916E
SetRectEmpty.USER32 ref: 0000000140189177

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EmptyRect$ConditionMask$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 3235142165-0
Opcode ID: 922e0737e05f81ea39e410928037217d05c6a5579d00c608c01adb18d978df7e
Instruction ID: 0628f07fd0d9c85c807d022d83273d80dd1534fa7342cd26965dd3444b8932ee
Opcode Fuzzy Hash: 922e0737e05f81ea39e410928037217d05c6a5579d00c608c01adb18d978df7e
Instruction Fuzzy Hash: D3B1FA72601F8086D769DF26F8403DAB7A8F748795F54452ADBAA837A1DF38E161CB00

Function 000000014008CF50 Relevance: 6.2, APIs: 4, Instructions: 226COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 000000014008CF9D
GetClientRect.USER32 ref: 000000014008CFB3

Part of subcall function 000000014005C57C: SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
Part of subcall function 000000014005C57C: GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

InflateRect.USER32 ref: 000000014008D21F

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

IntersectRect.USER32 ref: 000000014008D126

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Client$ConditionHashMask$ImplImpl::InflateInfoIntersectMetricsSystemVerifyVersion
String ID:
API String ID: 3490507370-0
Opcode ID: 33b7cddad3e90dae3af885efc2abbc85b5890a10a5bd44b34f6063fc060c39fb
Instruction ID: 57dbd21d6f184f8e22a1b6097621c654a4d24277bb91457df7029c19cf76e23b
Opcode Fuzzy Hash: 33b7cddad3e90dae3af885efc2abbc85b5890a10a5bd44b34f6063fc060c39fb
Instruction Fuzzy Hash: E9A1AA72600A809AEB16DF66E8447DD77A1F78CBC4F004626EF5A57AB4DF38C595CB00

Function 00000001400D8804 Relevance: 6.2, APIs: 4, Instructions: 218keyboardCOMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400D883E
GetKeyState.USER32 ref: 00000001400D8849
IsRectEmpty.USER32 ref: 00000001400D88AF
GetWindowRect.USER32 ref: 00000001400D8A66

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty$StateWindow
String ID:
API String ID: 2684165152-0
Opcode ID: b98d00e605d758d99cd8bcc59f4244e4d8711f7a382d79a5780693bfaf132f02
Instruction ID: 613a7aed3a875118ea1c8338ac12f3c185de5a1cc4dd7a7b645d828d2986a4d5
Opcode Fuzzy Hash: b98d00e605d758d99cd8bcc59f4244e4d8711f7a382d79a5780693bfaf132f02
Instruction Fuzzy Hash: 0D914772600A408AEB66DB27D854BED67A4FB4CFD8F484016EF0A5BBA4DF39C546C710

Function 000000014007CF78 Relevance: 6.2, APIs: 4, Instructions: 196COMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 000000014007CFBF
LoadResource.KERNEL32 ref: 000000014007CFD7
LockResource.KERNEL32 ref: 000000014007CFED

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: 736055a5f086364621e8ac181a949fbeac9b166451fd962e69d3312fe1315377
Instruction ID: d97c2aeed7994c9d9dc4affc8b3a665780980f5b163476d5d1061a0b242b9a4a
Opcode Fuzzy Hash: 736055a5f086364621e8ac181a949fbeac9b166451fd962e69d3312fe1315377
Instruction Fuzzy Hash: 4081B47221565086E762DB27A8507EA77A4FB8CBD4F449127FF0A47BB5DB38C841CB00

Function 00000001400F4EE4 Relevance: 6.2, APIs: 4, Instructions: 195COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00000001400F4F29
SetRectEmpty.USER32 ref: 00000001400F504B
SetRect.USER32 ref: 00000001400F5092
CopyRect.USER32 ref: 00000001400F5115

Part of subcall function 00000001400F4DF0: GetDesktopWindow.USER32 ref: 00000001400F4E1E
Part of subcall function 00000001400F4DF0: CopyRect.USER32 ref: 00000001400F4E73

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$CopyWindow$DesktopEmpty
String ID:
API String ID: 1322824190-0
Opcode ID: 995610f57f9bb5cc3d5d880a6edb628dde63941352a5ed308a74b039b95d1e71
Instruction ID: 3407f55cb8c7307646688c624591d2b73337fc1de9ad9bfaa101bd3a4854c6c9
Opcode Fuzzy Hash: 995610f57f9bb5cc3d5d880a6edb628dde63941352a5ed308a74b039b95d1e71
Instruction Fuzzy Hash: 68915E72B106509BE722DF66D894BDD77B0F74C78CF40451AAF0A57AA8DBB8C608DB40

Function 0000000140179238 Relevance: 6.2, APIs: 4, Instructions: 187COMMON

Download Yara Rule

APIs

EnableWindow.USER32 ref: 0000000140179285
CopyRect.USER32 ref: 0000000140179301
OffsetRect.USER32 ref: 00000001401793D9

Part of subcall function 0000000140179AB0: GetClientRect.USER32 ref: 0000000140179B17
Part of subcall function 0000000140179AB0: GetSystemMetrics.USER32 ref: 0000000140179B2B
Part of subcall function 0000000140179AB0: InflateRect.USER32 ref: 0000000140179B46
Part of subcall function 0000000140179AB0: GetClientRect.USER32 ref: 0000000140179CAA
Part of subcall function 0000000140179AB0: InflateRect.USER32 ref: 0000000140179CBB
Part of subcall function 0000000140179AB0: GetSystemMetrics.USER32 ref: 0000000140179CC6

InflateRect.USER32 ref: 000000014017949E

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Inflate$ClientMetricsSystem$CopyEnableExceptionOffsetThrowWindow
String ID:
API String ID: 4014177440-0
Opcode ID: dc34c5022ddbde670ca5513f07606271fc9b3026c1e3f495de992f33a1b2965d
Instruction ID: 0bae4119abcde2dc88e4b61fdf5c43802ae7e52ab3d2f51496e0c0989d4ed7be
Opcode Fuzzy Hash: dc34c5022ddbde670ca5513f07606271fc9b3026c1e3f495de992f33a1b2965d
Instruction Fuzzy Hash: CF816A72600A8086EB26DF66E9447ED73A0F78CBD4F144226EF5A57BA6DF38C445CB00

Function 00000001400D4A9C Relevance: 6.2, APIs: 4, Instructions: 186COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400D4AF3
CopyRect.USER32 ref: 00000001400D4B00
GetClientRect.USER32 ref: 00000001400D4B16
SystemParametersInfoA.USER32 ref: 00000001400D4CA9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientCopyInfoParametersSystemWindow
String ID:
API String ID: 1264264222-0
Opcode ID: 4317c313ca549762615fbfe2f5a0af46be456c3543955396a07308eaa5398240
Instruction ID: 6742eb6e074fc8a162c5756780319e5f43939a4a3a7abf484d821ba72787ae8e
Opcode Fuzzy Hash: 4317c313ca549762615fbfe2f5a0af46be456c3543955396a07308eaa5398240
Instruction Fuzzy Hash: D5814433B116418FEB61CFBAD484BED37B1EB48788F415125EF0657A58DA38E44ACB50

Function 0000000140148A68 Relevance: 6.2, APIs: 4, Instructions: 185stringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140148AAC

Part of subcall function 000000014000DAF0: _CxxThrowException.LIBVCRUNTIME ref: 000000014000DB0C

lstrcmpA.KERNEL32 ref: 0000000140148B6C
lstrcmpA.KERNEL32 ref: 0000000140148B9E
lstrcmpA.KERNEL32 ref: 0000000140148BCF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: lstrcmp$ExceptionGlobalLockThrow
String ID:
API String ID: 3637365843-0
Opcode ID: d883438bd2b701ee0670299262da62f241fcf7adfad4d4a825c6225533195f11
Instruction ID: a9149d580aeb07caad167a072cc3858718aaced2d0ae074a77a87a7e1ca3dfc8
Opcode Fuzzy Hash: d883438bd2b701ee0670299262da62f241fcf7adfad4d4a825c6225533195f11
Instruction Fuzzy Hash: 7E915D72602A8485EB66DF2AC4907ED33A0FB88FA8F154625AF1E4B6F5DF74C544C340

Function 0000000140049248 Relevance: 6.2, APIs: 4, Instructions: 150COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 000000014004931B

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

DeleteObject.GDI32 ref: 000000014004945F
DeleteObject.GDI32 ref: 0000000140049468
DeleteObject.GDI32 ref: 0000000140049481

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Object$Delete$ConditionMask$InfoMetricsSystemVerifyVersion
String ID:
API String ID: 2200431252-0
Opcode ID: dbd2277ce5bd0abe2a989594deac7a2fc92dadd14aaf094ad9b85f95d1a65578
Instruction ID: 3b094e414f935f3f3459dea131ba8fb8ccd6e9d5ba46fdd171475e46550a789a
Opcode Fuzzy Hash: dbd2277ce5bd0abe2a989594deac7a2fc92dadd14aaf094ad9b85f95d1a65578
Instruction Fuzzy Hash: 4B516E3220468086EBB2CF17D8407EA72A1F789B88F550535FF4A47AE5DB38CA85CB44

Function 0000000140020EEC Relevance: 6.1, APIs: 4, Instructions: 141registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000000014000996C: RegCloseKey.ADVAPI32 ref: 0000000140009AF3
Part of subcall function 000000014000996C: RegCloseKey.ADVAPI32 ref: 0000000140009B02

Part of subcall function 0000000140020B08: RegCloseKey.ADVAPI32 ref: 0000000140020B6E

RegEnumValueA.ADVAPI32 ref: 0000000140021064
RegCloseKey.ADVAPI32 ref: 000000014002107E
RegCloseKey.ADVAPI32 ref: 00000001400210D3
RegCloseKey.ADVAPI32 ref: 00000001400210E4

Part of subcall function 0000000140020E74: RegQueryValueExA.ADVAPI32 ref: 0000000140020EA7

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Close$Value$EnumQuery
String ID:
API String ID: 4149552890-0
Opcode ID: e9357dcc52660042bd2f02a3ec900223668638e2371c7696d8e4a0c089b42940
Instruction ID: 2aa9ee3826a96caf6929ae70b347a475dff8ca7a6254cf5728f22ca4932af597
Opcode Fuzzy Hash: e9357dcc52660042bd2f02a3ec900223668638e2371c7696d8e4a0c089b42940
Instruction Fuzzy Hash: 20517E32204B8086EB11DF66E8807DE77A4F789BE4F504216EFA947BA9DF38C545CB00

Function 00000001400089F0 Relevance: 6.1, APIs: 4, Instructions: 137registryCOMMON

Download Yara Rule

APIs

FindResourceW.KERNEL32 ref: 0000000140008A2C

Part of subcall function 000000014000975C: LoadResource.KERNEL32 ref: 0000000140009779

RegOpenKeyExA.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 0000000140009847
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 00000001400098BF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$CloseFindLoadOpen
String ID:
API String ID: 1355102840-0
Opcode ID: 1ebcecb9f56118ffaa9ae1269d817291744c0bf3b32eefad5094b28d8a573bca
Instruction ID: 1d7d5f8653a800842bea15e8ffd5a4fc5aed081be3aaaf8ccd52f8aa88e082ac
Opcode Fuzzy Hash: 1ebcecb9f56118ffaa9ae1269d817291744c0bf3b32eefad5094b28d8a573bca
Instruction Fuzzy Hash: C4517AB2610A508AFB65CF26E8847ED37A0F748BD8F548129EB4E47BA4DF39C4858740

Function 000000014005C57C Relevance: 6.1, APIs: 4, Instructions: 124windowCOMMON

Download Yara Rule

APIs

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 000000014005C5C5
GetClientRect.USER32(?,?,?,?,0000000140047659), ref: 000000014005C5F3

Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D417
Part of subcall function 000000014005D3BC: VerSetConditionMask.KERNEL32 ref: 000000014005D428
Part of subcall function 000000014005D3BC: VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
Part of subcall function 000000014005D3BC: GetSystemMetrics.USER32 ref: 000000014005D44C

CreateCompatibleDC.GDI32(?,?,?,?,0000000140047659), ref: 000000014005C6CE
CreateCompatibleBitmap.GDI32 ref: 000000014005C6FA

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CompatibleConditionCreateHashMask$BitmapClientImplImpl::InfoMetricsRectSystemVerifyVersion
String ID:
API String ID: 2548309268-0
Opcode ID: e724527dd1ed046717e969e3d93e6a1e9652f2db9a446efa8db194de34dd05f4
Instruction ID: 2bdf77065ff7854f418837f4edaf1b77250ec1693b0d41b2f6e8ce6507a3a78e
Opcode Fuzzy Hash: e724527dd1ed046717e969e3d93e6a1e9652f2db9a446efa8db194de34dd05f4
Instruction Fuzzy Hash: B4514C36210B508AEA26DB13E944B9973E8F78CBD4F148526AF9D47BB1DF39D941C700

Function 00000001400E09C8 Relevance: 6.1, APIs: 4, Instructions: 123windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 00000001400E0A19
AppendMenuA.USER32 ref: 00000001400E0AA1
CheckMenuItem.USER32 ref: 00000001400E0AB3
IsWindow.USER32 ref: 00000001400E0AEF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Menu$AppendCheckCreateItemPopupWindow
String ID:
API String ID: 2012662573-0
Opcode ID: 4f1ebc0e52580eec163f738c16d57270a2a2dd5695a92539dfae6bede0efd4a6
Instruction ID: 44bd6c15b15538d711eb1659f089f75808c27af5554badb5b42601c22839a8a7
Opcode Fuzzy Hash: 4f1ebc0e52580eec163f738c16d57270a2a2dd5695a92539dfae6bede0efd4a6
Instruction Fuzzy Hash: 2B515C36710A0086EB169B63D8543AD23A1F74DBE4F04462AEF2D67BB9DF34C985C380

Function 000000014002CFF0 Relevance: 6.1, APIs: 4, Instructions: 119COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 000000014002D082
SysFreeString.OLEAUT32 ref: 000000014002D122
SysFreeString.OLEAUT32 ref: 000000014002D131
SysFreeString.OLEAUT32 ref: 000000014002D140

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FreeString$ClearVariant
String ID:
API String ID: 3349467263-0
Opcode ID: e0a0376c276e7610f4bb73636109ec74b51d9ee552f1cdf2319fc3ee6125c461
Instruction ID: 76e117907d86d3fb57420618592bd9796fc95ab88e609b19f9d1668188ec408c
Opcode Fuzzy Hash: e0a0376c276e7610f4bb73636109ec74b51d9ee552f1cdf2319fc3ee6125c461
Instruction Fuzzy Hash: DC51C236701A409AEB16DF76E4903DD33B0FB88B98F404526EF0A57AA4DF74C869C300

Function 0000000140138BC8 Relevance: 6.1, APIs: 4, Instructions: 117windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140138CA1
SendMessageA.USER32 ref: 0000000140138CBC
SendMessageA.USER32 ref: 0000000140138D3A
GetParent.USER32 ref: 0000000140138D53

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: MessageSend$Parent
String ID:
API String ID: 1020955656-0
Opcode ID: 30941ca6d82c6d576f8080d294d3cfc0d993f708598f2a8f7ff8df6456c15563
Instruction ID: be4623bdceb2eade76cd4a706039d6f37fe99e50cc1cb43e0b79fe39178942e3
Opcode Fuzzy Hash: 30941ca6d82c6d576f8080d294d3cfc0d993f708598f2a8f7ff8df6456c15563
Instruction Fuzzy Hash: D2419E76701B8082EA4A9B66E9543ED63A1FB8DFE0F444225EF2E477E5DF39C4518300

Function 0000000140040E94 Relevance: 6.1, APIs: 4, Instructions: 115windowCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 0000000140040EF2
GlobalUnlock.KERNEL32 ref: 0000000140040F55
ReuseDDElParam.USER32 ref: 0000000140040F97
PostMessageA.USER32 ref: 0000000140040FA9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Global$LockMessageParamPostReuseUnlock
String ID:
API String ID: 1233369038-0
Opcode ID: fbdf404f47466c9f3e654bd4342cf1d9c5b144da2d1de93b090bfa51808147ec
Instruction ID: 711a7a86a6d2259d0b2f9abd4b4ca5f78076bf860bbb383bd659930249184d23
Opcode Fuzzy Hash: fbdf404f47466c9f3e654bd4342cf1d9c5b144da2d1de93b090bfa51808147ec
Instruction Fuzzy Hash: 1F418E72210A8482EA26DB26E4443DD67A1FB89FE0F458235EF6A477E6DF38C845C740

Function 0000000140164718 Relevance: 6.1, APIs: 4, Instructions: 112windowCOMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 0000000140164840
RedrawWindow.USER32 ref: 0000000140164860
IsWindowVisible.USER32 ref: 000000014016488F
Concurrency::details::ExternalContextBase::~ExternalContextBase.LIBCONCRT ref: 00000001401648A9

Part of subcall function 0000000140160178: RedrawWindow.USER32 ref: 0000000140160211

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$ContextExternalRedraw$BaseBase::~Concurrency::details::InflateRectVisible
String ID:
API String ID: 1448133624-0
Opcode ID: 4a3c7b7bcc6207e125554ad96b109152d4a57abaf0626d4064e0b5b22aed49c8
Instruction ID: 61745d97d32be78deaf5fa20fd7170ca8ffe5db4795cc811b7ae48b5284b8c4c
Opcode Fuzzy Hash: 4a3c7b7bcc6207e125554ad96b109152d4a57abaf0626d4064e0b5b22aed49c8
Instruction Fuzzy Hash: 96414C32202B8082EB569B27DC947E923A0EBC9F99F185635DB4E4B7B5DF79C481C700

Function 0000000140004C4C Relevance: 6.1, APIs: 4, Instructions: 107windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32 ref: 0000000140004D3D
GetFocus.USER32 ref: 0000000140004D54
GetParent.USER32 ref: 0000000140004D64
SendMessageA.USER32 ref: 0000000140004D80

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EnableFocusItemMenuMessageParentSend
String ID:
API String ID: 2297321873-0
Opcode ID: 03a14622356e4864672a3f1643d48e35d4920d69af50405137c7a5a5037334f9
Instruction ID: e7017b4ca24b1e4baf99f26e40849aa66937c511e185397bf716c417f9b59602
Opcode Fuzzy Hash: 03a14622356e4864672a3f1643d48e35d4920d69af50405137c7a5a5037334f9
Instruction Fuzzy Hash: C5419CB6610A5083EB65DB22E4847AD7370F788FD4F244221EB590BBA9DF39C891C744

Function 0000000140014D18 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001400150D4), ref: 0000000140014DA0
IsMenu.USER32 ref: 0000000140014DE2
AdjustWindowRectEx.USER32 ref: 0000000140014DFE
GetClientRect.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000001400150D4), ref: 0000000140014E59

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Client$AdjustMenuWindow
String ID:
API String ID: 2631253777-0
Opcode ID: b64f5c6fc179bfdd87c40bc2ff9c0f2b4f00814d9a22ba9d6c17f0f31dc86e37
Instruction ID: 37fa65f0d040003697cf8e89e23c86480f7162c55c5db50e06a3bec438356c17
Opcode Fuzzy Hash: b64f5c6fc179bfdd87c40bc2ff9c0f2b4f00814d9a22ba9d6c17f0f31dc86e37
Instruction Fuzzy Hash: 61414832B106108AFB52DF76E8947ED67B0B78CB88F544525EF0A5BB69DF39C4428740

Function 00400F74 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

__scrt_initialize_crt.LIBCMT ref: 00400F83
__scrt_acquire_startup_lock.LIBCMT ref: 00400F9F
__scrt_release_startup_lock.LIBCMT ref: 00401013
__scrt_uninitialize_crt.LIBCMT ref: 004010B9

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: __scrt_acquire_startup_lock__scrt_initialize_crt__scrt_release_startup_lock__scrt_uninitialize_crt
String ID:
API String ID: 2892345849-0
Opcode ID: a7ce79f2820015bf4cde5d31d0f4047ad7940f56254030372e80c084bccc7e10
Instruction ID: b94de1bf60f0e8af77f74935ac241316311ce6a3a29757be8799e7f259deb139
Opcode Fuzzy Hash: a7ce79f2820015bf4cde5d31d0f4047ad7940f56254030372e80c084bccc7e10
Instruction Fuzzy Hash: EE31706160424186EB25BB72E5623AE2351AB85388F44403FAA4A7B7F3DE7DC885C35D

Function 00000001400F51C8 Relevance: 6.1, APIs: 4, Instructions: 87COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400F522E
IsRectEmpty.USER32 ref: 00000001400F523F
SetRectEmpty.USER32 ref: 00000001400F529F
SetRectEmpty.USER32 ref: 00000001400F52A8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: EmptyRect
String ID:
API String ID: 2270935405-0
Opcode ID: 4a3f1829430b08b1141217a82c1d6ec78128f9b1735a49e0a797224729e72898
Instruction ID: 50f25e496c59f319f18f0512eeff51b4f05f010b230be266f4b98c706c29ab54
Opcode Fuzzy Hash: 4a3f1829430b08b1141217a82c1d6ec78128f9b1735a49e0a797224729e72898
Instruction Fuzzy Hash: 9A31B232611B4086EB96EF26E4603E973A0F78DF95F140625EF4E07668DF78C441C740

Function 00000001400B53F0 Relevance: 6.1, APIs: 4, Instructions: 84COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 00000001400B542F
GetWindowRect.USER32 ref: 00000001400B5470
GetClientRect.USER32 ref: 00000001400B548C

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientEmptyWindow
String ID:
API String ID: 742297903-0
Opcode ID: 80bb8921912e0bc0eb60caec53ee4428a8fa8e0e3e268b23e7095c6af7b43a26
Instruction ID: 71a929c6934cdbd88d9a19148afe6329d7761483be6de280e8cfb1d99fd2e456
Opcode Fuzzy Hash: 80bb8921912e0bc0eb60caec53ee4428a8fa8e0e3e268b23e7095c6af7b43a26
Instruction Fuzzy Hash: 44314D32204A8587EB15EF17E5907AAB3B0F78CBC9F148521EF9A47B65DF38D4918B00

Function 00000001400F0F40 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400F0F7C
BeginDeferWindowPos.USER32 ref: 00000001400F0F87
EndDeferWindowPos.USER32 ref: 00000001400F0FB6
GetWindowRect.USER32 ref: 00000001400F0FEF

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$DeferRect$BeginClient
String ID:
API String ID: 3800593763-0
Opcode ID: 32075a34dba34cf95e71fa0a7a93485a083e5d450843b7032555bcf82290741c
Instruction ID: db3f2377e267321f9f1eaca4a34351442fb2aace91e288839fadd055a5acc31b
Opcode Fuzzy Hash: 32075a34dba34cf95e71fa0a7a93485a083e5d450843b7032555bcf82290741c
Instruction Fuzzy Hash: AB412533620A948EEB21CF3AC484BDC37A0FB9CB88F555226AB4947B18DF75D595CB40

Function 0000000140034BB8 Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140034BEB
GetClientRect.USER32 ref: 0000000140034C31
GetWindowRect.USER32 ref: 0000000140034C78

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

GetSystemMetrics.USER32 ref: 0000000140034C8F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Client$RectScreen$MetricsParentSystemWindow
String ID:
API String ID: 3137288495-0
Opcode ID: 1ca9f8886e930591b155e9e28e875d2d4b129875309863a56333bcf9e33e9bc6
Instruction ID: 3562ee2183dd4b02710bc479cc2bfad305949e89e1916fd89865ea76b58f1af3
Opcode Fuzzy Hash: 1ca9f8886e930591b155e9e28e875d2d4b129875309863a56333bcf9e33e9bc6
Instruction Fuzzy Hash: 52317032B10A548AFB16DB76D8953ED6370BB8DB88F140225EF491BB64EF34D581C300

Function 000000014014C6F4 Relevance: 6.1, APIs: 4, Instructions: 74windowCOMMON

Download Yara Rule

APIs

CreateBitmap.GDI32 ref: 000000014014C76A
CreatePatternBrush.GDI32 ref: 000000014014C780
CreateBitmap.GDI32 ref: 000000014014C7CF
CreatePatternBrush.GDI32 ref: 000000014014C7E5

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Create$BitmapBrushPattern
String ID:
API String ID: 3280665104-0
Opcode ID: 0c5fc2efece5f014d41bd509d2d6272c7f8836d668ad40210444fcf7c7a8b2fb
Instruction ID: 3d9afd26d55bbc295913e2fb140eb4ac99bbe31fa01ef7acc0f6b5f399ef43fb
Opcode Fuzzy Hash: 0c5fc2efece5f014d41bd509d2d6272c7f8836d668ad40210444fcf7c7a8b2fb
Instruction Fuzzy Hash: FD311432710B508AE711DF62D858BDC37B8F748B98F514229DE996BBA8CB35C645C740

Function 000000014002C6CC Relevance: 6.1, APIs: 4, Instructions: 73COMMON

Download Yara Rule

APIs

GetRgnBox.GDI32 ref: 000000014002C744
IntersectRect.USER32 ref: 000000014002C759
EqualRect.USER32 ref: 000000014002C767
InvalidateRgn.USER32 ref: 000000014002C799

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$EqualIntersectInvalidate
String ID:
API String ID: 1840461668-0
Opcode ID: 06fc79df5f2ae0c5ab940f99a7fe6a2547cf3d96a412cc57a638a9b104f8f407
Instruction ID: c2ae5403525da65f2dcdf46f4dd03c18dff814452751b13d32550dda61993b6f
Opcode Fuzzy Hash: 06fc79df5f2ae0c5ab940f99a7fe6a2547cf3d96a412cc57a638a9b104f8f407
Instruction Fuzzy Hash: F0314736710A5199EB02DB66E8807ED3BB0B78CB98F444026DF4E57A68DF30C59AC740

Function 000000014005017C Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 00000001400501AB
MessageBeep.USER32 ref: 0000000140050211
SendMessageA.USER32 ref: 000000014005025F
SendMessageA.USER32 ref: 0000000140050274

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 5a70cbd2c377b8b78549c1732e190eb7a9103de722f21762fdaa65f8dc08a5b9
Instruction ID: 207cf5ad97a0c911577fb900d661d90260273ff61a7793c71c61eecbfb1734df
Opcode Fuzzy Hash: 5a70cbd2c377b8b78549c1732e190eb7a9103de722f21762fdaa65f8dc08a5b9
Instruction Fuzzy Hash: CE316D76200B8582EB059F66E8543DE7761FB89FE8F044226EF6A0B7E9CF79C4448740

Function 00000001400502D8 Relevance: 6.1, APIs: 4, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32 ref: 0000000140050307
MessageBeep.USER32 ref: 000000014005036D
SendMessageA.USER32 ref: 00000001400503BB
SendMessageA.USER32 ref: 00000001400503D0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Message$Send$Beep
String ID:
API String ID: 877464050-0
Opcode ID: 6b69f6ba67f6d0ba5f4398ac26d42766fe1c4bdc1bbf637e941dcbff336f142f
Instruction ID: 7f6fc577bc7635b45592b246437e39d8dc2499834dce6e98546856f34e734d96
Opcode Fuzzy Hash: 6b69f6ba67f6d0ba5f4398ac26d42766fe1c4bdc1bbf637e941dcbff336f142f
Instruction Fuzzy Hash: 59315C76210B8582EB059F66E4503DE7761FB89BA8F044226EF6A0B7E9CF79C4458740

Function 00000001400E9354 Relevance: 6.1, APIs: 4, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400E9388
PtInRect.USER32 ref: 00000001400E93B2

Part of subcall function 00000001400E75B0: ScreenToClient.USER32 ref: 00000001400E75DD
Part of subcall function 00000001400E75B0: GetParent.USER32 ref: 00000001400E75F1
Part of subcall function 00000001400E75B0: GetClientRect.USER32 ref: 00000001400E7691
Part of subcall function 00000001400E75B0: MapWindowPoints.USER32 ref: 00000001400E76A9
Part of subcall function 00000001400E75B0: PtInRect.USER32 ref: 00000001400E76B7

MapWindowPoints.USER32 ref: 00000001400E93E4
SendMessageA.USER32 ref: 00000001400E9408

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: 6a988cc47e98961960853efc371cd61f23cb4b9dce5fac70bdcccd5e98b6d9c7
Instruction ID: c75408f09a62026876b27fa0e73148ed8677dbb9575bfa3ba71ab3d4e4efaae9
Opcode Fuzzy Hash: 6a988cc47e98961960853efc371cd61f23cb4b9dce5fac70bdcccd5e98b6d9c7
Instruction Fuzzy Hash: 48314D72214A40C3FB119B26E458BE967E0F788FD5F545125EF0A0B7E5DB39C846CB50

Function 00000001400E53B0 Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00000001400652DC: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,000000014006972B,?,000000014006A800), ref: 000000014006532D
Part of subcall function 00000001400652DC: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,000000014006972B,?,000000014006A800), ref: 000000014006533A

Part of subcall function 000000014006BAD0: GetObjectA.GDI32 ref: 000000014006BB02

Part of subcall function 000000014000F6BC: GetDC.USER32 ref: 000000014000F6FB

SrcHashImpl::SrcHashImpl.MSPDB140-MSVCRT ref: 00000001400E541F
CreateCompatibleDC.GDI32 ref: 00000001400E5429
SelectObject.GDI32 ref: 00000001400E5442
SelectObject.GDI32 ref: 00000001400E546F

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Object$CriticalHashSectionSelect$CompatibleCreateEnterImplImpl::Leave
String ID:
API String ID: 2286582997-0
Opcode ID: d70b27d1353156eb1f40f405dddb9eb985c1a8e8760644841b9c96ca83758615
Instruction ID: 0e240a3fc0400855b5ec516a123a1fd0b400b55ba2a468013d620e2b5a78574b
Opcode Fuzzy Hash: d70b27d1353156eb1f40f405dddb9eb985c1a8e8760644841b9c96ca83758615
Instruction Fuzzy Hash: E1215972700A4095EB11EBA2D8447DC2371E799BE8F598532AF1DA7BB9DF30CA06C340

Function 0000000140034CEC Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 0000000140034D1D
GetWindowRect.USER32 ref: 0000000140034D6E
OffsetRect.USER32 ref: 0000000140034D8B
GetWindow.USER32 ref: 0000000140034DC0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RectWindow$OffsetParent
String ID:
API String ID: 3516746122-0
Opcode ID: c1fd703a2ab28a75470b5b38ea64137f6cbef2d575d9e6f10672d65b91ace5d5
Instruction ID: d34b60dd40f442bd73cdeb7affdae51462b879dcf254b895d55fba32da2bf925
Opcode Fuzzy Hash: c1fd703a2ab28a75470b5b38ea64137f6cbef2d575d9e6f10672d65b91ace5d5
Instruction Fuzzy Hash: BE214B32604B8482EA11DB62E44439A73A0FB8DB90F144225EF9D4BBA5EF79D9418B40

Function 00000001400388C0 Relevance: 6.1, APIs: 4, Instructions: 61COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,?,?,0000000140036FB1), ref: 00000001400388F7
LoadResource.KERNEL32(?,?,?,0000000140036FB1), ref: 0000000140038911
LockResource.KERNEL32(?,?,?,0000000140036FB1), ref: 0000000140038927
GlobalFree.KERNEL32 ref: 000000014003896D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$FindFreeGlobalLoadLock
String ID:
API String ID: 3898064442-0
Opcode ID: 3b5b30af0758f363be24a8daa4369783377979b7d47baa09e238038ac17228d6
Instruction ID: 54c675d3b192e77bffa5a5d20ad3889ec4470696e3ac6d854a272fec489c6902
Opcode Fuzzy Hash: 3b5b30af0758f363be24a8daa4369783377979b7d47baa09e238038ac17228d6
Instruction Fuzzy Hash: DA212C71201F9185EA67AB13A5543EAA3E1EB48FC4F188465EF8D0BBA9DF38C4518341

Function 00000001400E926C Relevance: 6.1, APIs: 4, Instructions: 60windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400E92B6
PtInRect.USER32 ref: 00000001400E92CD

Part of subcall function 00000001400E75B0: ScreenToClient.USER32 ref: 00000001400E75DD
Part of subcall function 00000001400E75B0: GetParent.USER32 ref: 00000001400E75F1
Part of subcall function 00000001400E75B0: GetClientRect.USER32 ref: 00000001400E7691
Part of subcall function 00000001400E75B0: MapWindowPoints.USER32 ref: 00000001400E76A9
Part of subcall function 00000001400E75B0: PtInRect.USER32 ref: 00000001400E76B7

MapWindowPoints.USER32 ref: 00000001400E9305
SendMessageA.USER32 ref: 00000001400E9327

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Client$PointsWindow$MessageParentScreenSend
String ID:
API String ID: 2689702638-0
Opcode ID: c3ece223694b727b39b2389ae834909b55378fafc37d636b3b4731259fabcac0
Instruction ID: 6e4ce1718dd60d50080e4ffe103d469054a6f6083ed7e94e49afc0d11755676f
Opcode Fuzzy Hash: c3ece223694b727b39b2389ae834909b55378fafc37d636b3b4731259fabcac0
Instruction Fuzzy Hash: B0217876710B0086FB118B66E8557ED2BB0F788FC8F005421EF0A1BBA9DF39C5418780

Function 00000001401383EC Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

SetRectEmpty.USER32 ref: 0000000140138422
SetRectEmpty.USER32 ref: 0000000140138434

Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BED
Part of subcall function 0000000140010BD4: ScreenToClient.USER32 ref: 0000000140010BFE

PtInRect.USER32 ref: 000000014013846E
PtInRect.USER32 ref: 0000000140138480

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$ClientEmptyScreen
String ID:
API String ID: 2023098818-0
Opcode ID: ca5ecf003ae659c348673b2d4a09c9fd84d5fa5ec0555089ba8ebb3a05ecfa1b
Instruction ID: dc3f6c33d49d0fed4364ef1386f26fdf16fb77a92b8f4a7c16ced3ac8bc09763
Opcode Fuzzy Hash: ca5ecf003ae659c348673b2d4a09c9fd84d5fa5ec0555089ba8ebb3a05ecfa1b
Instruction Fuzzy Hash: 9921F432710B1589FB00DBA6E8913ED73B5F798B88F444422DF4A5BA68DF78C115C740

Function 0000000140014AB4 Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetObjectA.GDI32 ref: 0000000140014B12
SetBkColor.GDI32 ref: 0000000140014B1F
GetSysColor.USER32 ref: 0000000140014B33
SetTextColor.GDI32 ref: 0000000140014B3E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Color$ObjectText
String ID:
API String ID: 829078354-0
Opcode ID: 3669113fd3a0173eaa950f93cb9024977df045252db071987d9670b2f875daf7
Instruction ID: 668035de02e98088e7a95a78211d16de6edf6825618bdf7c208e6bed4ec02676
Opcode Fuzzy Hash: 3669113fd3a0173eaa950f93cb9024977df045252db071987d9670b2f875daf7
Instruction Fuzzy Hash: C9117C30718A4042FB569B27A4D07A662E0AB9CBD4F680121FB5B4B7F5DF39C8418A00

Function 000000014009934C Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32 ref: 0000000140099390
LoadResource.KERNEL32 ref: 00000001400993A1
LockResource.KERNEL32 ref: 00000001400993B2
FreeResource.KERNEL32 ref: 00000001400993D0

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Resource$FindFreeLoadLock
String ID:
API String ID: 1078018258-0
Opcode ID: 80bfa5c753741117672088d35279f149a178710115f7b19801148716ae9dffa8
Instruction ID: e03ec80b551ef5bebed6e58f0783fbbebdde53e71d7efda158962c429ab04ab6
Opcode Fuzzy Hash: 80bfa5c753741117672088d35279f149a178710115f7b19801148716ae9dffa8
Instruction Fuzzy Hash: B8116D71311F8085EA5A9F57A9443A966E0FB8DFC0F488428EF4E47BA5DF38C5418300

Function 0000000140100678 Relevance: 6.0, APIs: 4, Instructions: 48COMMON

Download Yara Rule

APIs

IsRectEmpty.USER32 ref: 00000001401006CA
PtInRect.USER32 ref: 00000001401006DC
IsRectEmpty.USER32 ref: 00000001401006F0
PtInRect.USER32 ref: 0000000140100702

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Rect$Empty
String ID:
API String ID: 4257549173-0
Opcode ID: b0febeb1954955258cb5f9b9673647dba52a29eab1f78df96fcbba388778989d
Instruction ID: b7a83d78f621cf04056c1f728905472362152e63afe4030f5b3e9a323e51519a
Opcode Fuzzy Hash: b0febeb1954955258cb5f9b9673647dba52a29eab1f78df96fcbba388778989d
Instruction Fuzzy Hash: AE11F875311A4481FBA69B2795543E932A6A788FC9F085035EF868AAB4DF3CC8948E11

Function 0000000140041204 Relevance: 6.0, APIs: 4, Instructions: 47fileCOMMON

Download Yara Rule

APIs

SetActiveWindow.USER32 ref: 000000014004122C
DragQueryFileA.SHELL32 ref: 0000000140041246
DragQueryFileA.SHELL32 ref: 000000014004126D
DragFinish.SHELL32 ref: 000000014004128D

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Drag$FileQuery$ActiveFinishWindow
String ID:
API String ID: 892977027-0
Opcode ID: d76567131eadcca53e39aa903ba5dd09b6b696be955dd1872fcca790e6b1a45b
Instruction ID: 79a23979e4c71885c866f8bc1684cdc6fdcf77726f39fa73328acfdb51ee1442
Opcode Fuzzy Hash: d76567131eadcca53e39aa903ba5dd09b6b696be955dd1872fcca790e6b1a45b
Instruction Fuzzy Hash: 11117C36304A9482EA62AB67B5D47EA63A0FB8DFC4F004121DF5E07B64CE38C1468600

Function 000000014005D3BC Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

VerSetConditionMask.KERNEL32 ref: 000000014005D417
VerSetConditionMask.KERNEL32 ref: 000000014005D428
VerifyVersionInfoA.KERNEL32 ref: 000000014005D43B
GetSystemMetrics.USER32 ref: 000000014005D44C

Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E0B1
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E0C8
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E0E3
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E0EF
Part of subcall function 000000014005E090: GetDeviceCaps.GDI32 ref: 000000014005E11F
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E12D
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E140
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E14F
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E15E
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E16D
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E17C
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E18B
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E197
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1A3
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1AF
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1BB
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1CA
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1D6
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1E5
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E1F4
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E203
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E212
Part of subcall function 000000014005E090: GetSysColor.USER32 ref: 000000014005E221

Part of subcall function 000000014005DA4C: GetDeviceCaps.GDI32 ref: 000000014005DAAA
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DB17
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DB3A
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DB5D
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DB80
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DBA3
Part of subcall function 000000014005DA4C: DeleteObject.GDI32 ref: 000000014005DBC7

Part of subcall function 000000014005D4D0: GetSystemMetrics.USER32 ref: 000000014005D4EE
Part of subcall function 000000014005D4D0: GetSystemMetrics.USER32 ref: 000000014005D4FF
Part of subcall function 000000014005D4D0: SetRectEmpty.USER32 ref: 000000014005D515
Part of subcall function 000000014005D4D0: EnumDisplayMonitors.USER32 ref: 000000014005D529
Part of subcall function 000000014005D4D0: SystemParametersInfoA.USER32 ref: 000000014005D53E
Part of subcall function 000000014005D4D0: SystemParametersInfoA.USER32 ref: 000000014005D575
Part of subcall function 000000014005D4D0: SystemParametersInfoA.USER32 ref: 000000014005D58D
Part of subcall function 000000014005D4D0: SystemParametersInfoA.USER32 ref: 000000014005D5B8

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Color$System$DeleteObject$Info$Parameters$Metrics$CapsConditionDeviceMask$DisplayEmptyEnumMonitorsRectVerifyVersion
String ID:
API String ID: 1661573292-0
Opcode ID: a24349f5e9bca5c8d028a2b28bdd27a92f7576828b7f0a68999a9b86f8f66a08
Instruction ID: 2b7181edf7d7cadf1b869170178d6f83413da571718ff720c30640b657045b94
Opcode Fuzzy Hash: a24349f5e9bca5c8d028a2b28bdd27a92f7576828b7f0a68999a9b86f8f66a08
Instruction Fuzzy Hash: 1D11827560064086FB25DF32E4693DA77A0F78CB88F040525EB4A4B7A6EF7EC0458B40

Function 0000000140168098 Relevance: 6.0, APIs: 4, Instructions: 42timewindowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001401680C0
ScreenToClient.USER32 ref: 00000001401680CF

Part of subcall function 0000000140167B14: PtInRect.USER32 ref: 0000000140167B77

KillTimer.USER32 ref: 00000001401680F0
IsWindowVisible.USER32 ref: 000000014016811B

Part of subcall function 00000001401141F0: IsWindowVisible.USER32 ref: 000000014011420B

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: VisibleWindow$ClientCursorKillRectScreenTimer
String ID:
API String ID: 2528662293-0
Opcode ID: 0dcc92f0fd76d81cd0b4f8e1ef29d78480a8298c1d17fe53bf7cb3500e011b59
Instruction ID: 689709b7a2e70c5d899c2131dcdc496b410c576e98911943c0e58a2133f678d3
Opcode Fuzzy Hash: 0dcc92f0fd76d81cd0b4f8e1ef29d78480a8298c1d17fe53bf7cb3500e011b59
Instruction Fuzzy Hash: B0114872210A4087EB569F12D9983A867A1F78CFDAF084524DF0E0B2A4DF78C859C711

Function 00000001400902BC Relevance: 6.0, APIs: 4, Instructions: 40windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 00000001400902C9
GetParent.USER32 ref: 00000001400902F8
SendMessageA.USER32 ref: 0000000140090316
ReleaseCapture.USER32 ref: 0000000140090348

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Capture$MessageParentReleaseSend
String ID:
API String ID: 1869852667-0
Opcode ID: 28f82acadd7c2a68dc0e6c9e376cb163630421c11a5c108f164e3657b04a597a
Instruction ID: 3a05d2dbe1c08d6763fa9dd6b3af6b3a5eec08ffa55c192b1e217e3e2f3ee98e
Opcode Fuzzy Hash: 28f82acadd7c2a68dc0e6c9e376cb163630421c11a5c108f164e3657b04a597a
Instruction Fuzzy Hash: D3010036610A4187FB569F67E8957E923A4EB8CFD5F089034AF1A0B3B5DE79C5848B00

Function 000000014001C5B4 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32 ref: 000000014001C5F3
GlobalHandle.KERNEL32 ref: 000000014001C603
GlobalUnlock.KERNEL32 ref: 000000014001C610
GlobalFree.KERNEL32 ref: 000000014001C61A

Part of subcall function 000000014001C8CC: EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C95E
Part of subcall function 000000014001C8CC: LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C974
Part of subcall function 000000014001C8CC: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C97E
Part of subcall function 000000014001C8CC: TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C995

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: FreeGlobal$CriticalSection$EnterHandleLeaveLocalUnlockValue
String ID:
API String ID: 1402163063-0
Opcode ID: ebcc847ce0997ad77b914da716e08dbfdff99b3b7cdfb39571aff647ee1d707e
Instruction ID: ecb203bafc02463a9b666fb63fd066c53b9f1be2df1c51e2940f563c28775bfb
Opcode Fuzzy Hash: ebcc847ce0997ad77b914da716e08dbfdff99b3b7cdfb39571aff647ee1d707e
Instruction Fuzzy Hash: 8B018F35211E4082EE168F26E5947A963B1FB4EFE1F0857249B2A0B6F4DF39C461C700

Function 00000001400306A3 Relevance: 6.0, APIs: 4, Instructions: 36windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32 ref: 000000014003070C
GetFocus.USER32 ref: 0000000140030716

Part of subcall function 0000000140030904: IsWindow.USER32 ref: 0000000140030926
Part of subcall function 0000000140030904: GetParent.USER32 ref: 0000000140030949

IsWindow.USER32 ref: 0000000140030734
GetFocus.USER32 ref: 000000014003073E

Part of subcall function 00000001400309C4: IsChild.USER32 ref: 00000001400309F4
Part of subcall function 00000001400309C4: GetWindowLongA.USER32 ref: 0000000140030A10

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Focus$ChildLongParent
String ID:
API String ID: 1766597969-0
Opcode ID: a5753771f1199e9c8e36117d6da16387fba761895e93682ff7dc8cc6d1398e9e
Instruction ID: 0aed740efdb8319282772d49d961474b18002cbb3fed35dcc0f092c5f4a37984
Opcode Fuzzy Hash: a5753771f1199e9c8e36117d6da16387fba761895e93682ff7dc8cc6d1398e9e
Instruction Fuzzy Hash: E2F0FF3270568082FA43EB53A8553EE53A0A78DFE1F004425AF5A4B7B6DF38D5868710

Function 000000014001047C Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 0000000140010495
GetViewportExtEx.GDI32 ref: 00000001400104A4
MulDiv.KERNEL32 ref: 00000001400104C5
MulDiv.KERNEL32 ref: 00000001400104E9

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 4fb12cec3c4a46847ae8079a33c00c3f35a9f978043b80f7e12bc19e564e2700
Instruction ID: 73b35e27834f63d928ea3249d22773f13ba20f6781caf89168dbb760a6963692
Opcode Fuzzy Hash: 4fb12cec3c4a46847ae8079a33c00c3f35a9f978043b80f7e12bc19e564e2700
Instruction Fuzzy Hash: 6D010C3672464087DB09DF66E58469973B1FB8CB90F005425FB5647B65DF38D891CF40

Function 00000001400107C4 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32 ref: 00000001400107DD
GetViewportExtEx.GDI32 ref: 00000001400107EC
MulDiv.KERNEL32 ref: 000000014001080D
MulDiv.KERNEL32 ref: 0000000140010831

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 36bbdfa0f2d2eb987a386c70018409b84310db4f8945d7ea448a6dc373badb99
Instruction ID: d29b15ca48b5bca34cf2704c010c819912baa1cc6bafa92f3f59777079a33ce2
Opcode Fuzzy Hash: 36bbdfa0f2d2eb987a386c70018409b84310db4f8945d7ea448a6dc373badb99
Instruction Fuzzy Hash: 4C010C3672464087DB09DF66E58469973B1FB8CB90F005425FB5647B65DF38D891CF40

Function 000000014004C554 Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

ScreenToClient.USER32 ref: 000000014004C574
PtInRect.USER32 ref: 000000014004C586
SetCapture.USER32 ref: 000000014004C594
RedrawWindow.USER32 ref: 000000014004C5BB

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CaptureClientRectRedrawScreenWindow
String ID:
API String ID: 2178243973-0
Opcode ID: d067b6940d31dbf1278770efb4ec4aa2fcd48076282c23c23ef50970b628feb0
Instruction ID: a0b00f44c955342de2b2f79999bac89ed203c8af48bfe01e70c1afcebb31632b
Opcode Fuzzy Hash: d067b6940d31dbf1278770efb4ec4aa2fcd48076282c23c23ef50970b628feb0
Instruction Fuzzy Hash: 70F0F976621A46C2FF559F67E495BAE27A0F788F89F045031EF0A4B664EF3AC0458700

Function 00402058 Relevance: 6.0, APIs: 4, Instructions: 17COMMON

Download Yara Rule

APIs

__vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 0040205C
__vcrt_initialize_locks.LIBVCRUNTIME ref: 00402066

Part of subcall function 00402928: __vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00402947

__vcrt_initialize_ptd.LIBVCRUNTIME ref: 00402073
__vcrt_uninitialize_locks.LIBVCRUNTIME ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: CriticalInitializeSection__vcrt___vcrt_initialize_locks__vcrt_initialize_ptd__vcrt_initialize_pure_virtual_call_handler__vcrt_uninitialize_locks
String ID:
API String ID: 1318428292-0
Opcode ID: 0676d284ef6a687497b157c7b15ab7bf94fae701930138e61874056bbe220d80
Instruction ID: ffdf00e88b6911977eb0d91dda5b4b4aab11a4971a4a398dda463aeab6fadc0a
Opcode Fuzzy Hash: 0676d284ef6a687497b157c7b15ab7bf94fae701930138e61874056bbe220d80
Instruction Fuzzy Hash: 34D0C984A1134251DC0937F3531F2AA03002E6134CFA000BFAA91336C349FD054BA97F

Function 00000001400D4014 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 208COMMON

Download Yara Rule

APIs

GetClientRect.USER32 ref: 00000001400D4230

Part of subcall function 000000014019270C: EnterCriticalSection.KERNEL32(?,?,?,000000014001184B,?,?,?,?,0000000140069275), ref: 000000014019271C

RedrawWindow.USER32 ref: 00000001400D4307

Part of subcall function 0000000140192458: _onexit.LIBCMT ref: 000000014019245C

Part of subcall function 00000001401926AC: EnterCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926BC
Part of subcall function 00000001401926AC: LeaveCriticalSection.KERNEL32(?,?,?,00000001400118AF,?,?,?,?,0000000140069275), ref: 00000001401926FC

Part of subcall function 00000001400088C8: FindResourceW.KERNEL32 ref: 0000000140008904
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 0000000140008951
Part of subcall function 00000001400088C8: WideCharToMultiByte.KERNEL32(?,?,?,?,?,?,?,?,?,00000000,0000000140007758), ref: 000000014000899F

Strings

4, xrefs: 00000001400D42DD

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CriticalSection$ByteCharEnterMultiWide$ClientFindLeaveRectRedrawResourceWindow_onexit
String ID: 4
API String ID: 3901185068-4088798008
Opcode ID: 1577e6d4ce7f6129cc922b103f483d361c2fbfb2ecdcbce46d4da2b5fcc16e96
Instruction ID: dea328c55d88e8dc9fa738ef3a71bbd0c6dc49f9f1cb63bd0390c04b88a1b9c6
Opcode Fuzzy Hash: 1577e6d4ce7f6129cc922b103f483d361c2fbfb2ecdcbce46d4da2b5fcc16e96
Instruction Fuzzy Hash: 62919C7A70064086FB26DB66D8843ED63A1AB9CBC4F584526EF09477B5DF38C582C750

Function 000000014015CC78 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 176COMMON

Download Yara Rule

APIs

InflateRect.USER32 ref: 000000014015CD57
InflateRect.USER32 ref: 000000014015CDE4

Strings

VUUU, xrefs: 000000014015CDEE

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: InflateRect
String ID: VUUU
API String ID: 2073123975-2040033107
Opcode ID: 2cebdd2f730ed374111c0af65ce6398921dcbead5422dcf3d7052649e1e4fb4d
Instruction ID: 742922d6dac46532a39c2e936ffe9e6d516a4d68ac627eb1c1494476d9baf6df
Opcode Fuzzy Hash: 2cebdd2f730ed374111c0af65ce6398921dcbead5422dcf3d7052649e1e4fb4d
Instruction Fuzzy Hash: 2371AB76B206908EEB59CF7ACA817EC7BF1F308B48F184129DF155BA60DB3194A5CB00

Function 00000001400F8728 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 000000014012D671
PostMessageA.USER32 ref: 000000014012D6A1

Part of subcall function 0000000140086988: RedrawWindow.USER32 ref: 0000000140086A02

Part of subcall function 000000014008A088: RedrawWindow.USER32 ref: 000000014008A130

Strings

e, xrefs: 00000001400F87DC

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: RedrawWindow$MessageParentPost
String ID: e
API String ID: 1301221577-4024072794
Opcode ID: a99d82d4cec597901e7869a9532a0bbb9b55c937556ea1439e05edfa620f0fd4
Instruction ID: 689f42f651290377ba7a227b13b131bb3eaf80f07c57f4a0ba9ce8a66bd362eb
Opcode Fuzzy Hash: a99d82d4cec597901e7869a9532a0bbb9b55c937556ea1439e05edfa620f0fd4
Instruction Fuzzy Hash: 78715972310A8486EB66EB23D4647EA33A1FB8DF84F584529AB0E4B7A5DF79C4458700

Function 000000014010CD50 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32 ref: 000000014010CDB2
GetTextExtentPoint32A.GDI32 ref: 000000014010CEA6

Strings

, xrefs: 000000014010CD92

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ExtentPoint32Text
String ID:
API String ID: 223599850-1776720792
Opcode ID: 1bf9f1b5f7c75a344d0f6e14d03bea2f1da8b788834e9b4af25f18f9e5ef9d20
Instruction ID: 27f87c5aa18fef6525a3202d47ee0c2ec0b746334b3bf212bb0dd38afb06290c
Opcode Fuzzy Hash: 1bf9f1b5f7c75a344d0f6e14d03bea2f1da8b788834e9b4af25f18f9e5ef9d20
Instruction Fuzzy Hash: BB515B72B10A508FEB14CF6AD98479C7BB1F348B98F148129DF5993BA8DB34D855CB00

Function 00401E68 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 142COMMON

Download Yara Rule

APIs

_IsNonwritableInCurrentImage.LIBCMT ref: 00401F28

Strings

csm, xrefs: 00401F0E
, xrefs: 00401FB7

Memory Dump Source

Source File: 00000000.00000002.1393207444.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_EXPLORER.jbxd

Similarity

API ID: CurrentImageNonwritable
String ID: $csm
API String ID: 3104724169-717980254
Opcode ID: f09e52ecb144757c37968ed6bced4c2a41eb5c07c67fd7066088e439f6b2f4ad
Instruction ID: e06566b7477edc9206f128656c14f6ce579c19782dabf17cd64f6ae39b681c74
Opcode Fuzzy Hash: f09e52ecb144757c37968ed6bced4c2a41eb5c07c67fd7066088e439f6b2f4ad
Instruction Fuzzy Hash: 7A511D327117818BCB24DF26E644B6A77A6F344BD8F548136EF4663798DBB8D881C708

Function 00000001400E4BE8 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400E4C6B
SetWindowRgn.USER32 ref: 00000001400E4CBE

Strings

, xrefs: 00000001400E4C98

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Window$Rect
String ID:
API String ID: 3200805268-3916222277
Opcode ID: e9944cc24666f7ba94b1d4eb275bcdd3ba83d7357f47eccd58dd4b44c9e2bfa6
Instruction ID: f636e52002e32573b9d69301a0dea86c9520f05f5f3317e36e42fa6b22565b04
Opcode Fuzzy Hash: e9944cc24666f7ba94b1d4eb275bcdd3ba83d7357f47eccd58dd4b44c9e2bfa6
Instruction Fuzzy Hash: A3517172B0165186EB56DF6798407ED27A0E78CFD8F194136DF0A677A9DE348841C740

Function 00000001400E0BB4 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetWindowRect.USER32 ref: 00000001400E0C35
SystemParametersInfoA.USER32 ref: 00000001400E0CDB

Strings

, xrefs: 00000001400E0C62

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: InfoParametersRectSystemWindow
String ID:
API String ID: 85510744-3916222277
Opcode ID: 23f40f653b39d6494c0b2d073536d2ffed2cbb282e3e7d130c4cd8a6704b1e63
Instruction ID: 560f3957fda12a1187d9c6537dc05c4848d961cae4f128b1f7e15e4cabb0b292
Opcode Fuzzy Hash: 23f40f653b39d6494c0b2d073536d2ffed2cbb282e3e7d130c4cd8a6704b1e63
Instruction Fuzzy Hash: 8D417373B00A508AE712DF6AD8847DD37A1F788F98F285136DF0A67A69DF348881C751

Function 00000001400E8754 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

GetCursorPos.USER32 ref: 00000001400E886E

Strings

MenuShowDelay, xrefs: 00000001400E8804
Control Panel\Desktop, xrefs: 00000001400E87B5

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: Cursor
String ID: Control Panel\Desktop$MenuShowDelay
API String ID: 3268636600-702829638
Opcode ID: 7b40138c8dc891e35342e0bc11a5ae3b00ac65ae26586b65084aeb0da56f5264
Instruction ID: 3585451ae1db0ebfa5c80e1ca07172a4e961853455e46ab5be76539adeae5fd5
Opcode Fuzzy Hash: 7b40138c8dc891e35342e0bc11a5ae3b00ac65ae26586b65084aeb0da56f5264
Instruction Fuzzy Hash: B4317E71600A8586EF659B26E94439963A1F788BB5F444329EB6E877F4CF38C840C741

Function 00000001401905CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32 ref: 00000001401905F7

Part of subcall function 000000014000F670: CreateSolidBrush.GDI32 ref: 000000014000F697

Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DB0
Part of subcall function 0000000140010D80: SelectObject.GDI32 ref: 0000000140010DCB

PatBlt.GDI32 ref: 000000014019065F

Strings

!, xrefs: 000000014019064E

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ObjectSelect$BrushColorCreateSolid
String ID: !
API String ID: 3610460338-2657877971
Opcode ID: d758595f8e0f9c9302edf9b86dba424ccda5aecc80144adff84f9f6be37d7fad
Instruction ID: 33776da0a552c38e6cf71461d0d1c6ff8f3a04a881718603f0c93ffa11ea39a4
Opcode Fuzzy Hash: d758595f8e0f9c9302edf9b86dba424ccda5aecc80144adff84f9f6be37d7fad
Instruction Fuzzy Hash: 04116032228A8086E711DB66F4407AEB760FBCDBD0F505215FB9907BB9DF78C4458B00

Function 000000014005D330 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetMonitorInfoA.USER32 ref: 000000014005D355
CopyRect.USER32 ref: 000000014005D369

Strings

(, xrefs: 000000014005D34A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CopyInfoMonitorRect
String ID: (
API String ID: 2119610155-3887548279
Opcode ID: 1a14bea1b0b1e506e0510ac49fbee289c3f07a5a7a948e3d9329db0937567c53
Instruction ID: b3081a23a0a68c0ca3144088eb26bed943888732eab4f8d63597e98e1cdae765
Opcode Fuzzy Hash: 1a14bea1b0b1e506e0510ac49fbee289c3f07a5a7a948e3d9329db0937567c53
Instruction Fuzzy Hash: 7911C276604680CBD750DF35E484649B7F0FB8CB59F448025EA498B628D738D984CF10

Function 0000000140004480 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32 ref: 00000001400044A2
LoadCursorA.USER32 ref: 00000001400044ED

Part of subcall function 00000001400124F4: GetClassInfoA.USER32 ref: 000000014001251E

Part of subcall function 00000001400102B4: _CxxThrowException.LIBVCRUNTIME ref: 00000001400102D0

Strings

X_WND_ANIMATE, xrefs: 0000000140004496, 000000014000450A

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: ClassInfo$CursorExceptionLoadThrow
String ID: X_WND_ANIMATE
API String ID: 2350586136-2383826567
Opcode ID: 16830258ddd1389848077405811c82920ec411a0afb243bd1305eb83905aa71a
Instruction ID: 98bb19b31cc42f65204f96367d06727b86bb08230ca54c08de15115b8bb4b4b3
Opcode Fuzzy Hash: 16830258ddd1389848077405811c82920ec411a0afb243bd1305eb83905aa71a
Instruction Fuzzy Hash: 121190B2618B8086E7A29B16F88039AB3B4F789784F500125F7CD47BA9DF7DC518CB40

Function 000000014001C8CC Relevance: 5.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C95E
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C974
LocalFree.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C97E
TlsSetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,000000014000F54B), ref: 000000014001C995

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: f08992a399032c7717582b5229dd33751ff5b0f5e4914cce126d0c1d59bf5e42
Instruction ID: ffe0a2e74273a4ad5531308953ad0c688cb00f45a725e6f31a1c054d3cee22a1
Opcode Fuzzy Hash: f08992a399032c7717582b5229dd33751ff5b0f5e4914cce126d0c1d59bf5e42
Instruction Fuzzy Hash: 76312636210B0492EB258F17E5847A97771F788FD4F444011EF5A0BBA9CF39D9A6C380

Function 000000014001CC08 Relevance: 5.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,000000014001D061), ref: 000000014001CC24
TlsGetValue.KERNEL32(?,?,00000000,000000014001D061), ref: 000000014001CC35
LeaveCriticalSection.KERNEL32(?,?,00000000,000000014001D061), ref: 000000014001CC55
LeaveCriticalSection.KERNEL32 ref: 000000014001CC63

Memory Dump Source

Source File: 00000000.00000002.1393466255.0000000140001000.00000020.00000001.01000000.00000003.sdmp, Offset: 0000000140000000, based on PE: true

Associated: 00000000.00000002.1393448975.0000000140000000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393587295.00000001401BE000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393652230.000000014025E000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393674508.000000014025F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393696267.0000000140260000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393719272.000000014026F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393743874.0000000140271000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1393780933.0000000140288000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_140000000_EXPLORER.jbxd

Similarity

API ID: CriticalSection$Leave$EnterValue
String ID:
API String ID: 3969253408-0
Opcode ID: b0a8d6b898e79cd7099ccf5b66fdff5f93b8d1a53bbfe65475560ef0c3304da5
Instruction ID: dcaca311837ca7e27910ac2b426a8d26fd9a23fd1b766631bf4aac9bb56c2303
Opcode Fuzzy Hash: b0a8d6b898e79cd7099ccf5b66fdff5f93b8d1a53bbfe65475560ef0c3304da5
Instruction Fuzzy Hash: 78014B31314A5482EA56CF13E6C07A967B0EB4CFC0F084464EB4E5B775CF39D8828780

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report EXPLORER.EXE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: EXPLORER.EXE.exePID: 2736, Parent PID: 4084

General

Chronological Activities

Disassembly

Analysis Process: EXPLORER.EXE.exePID: 2736, Parent PID: 4084COMMON

Non-executed Functions

Function 00000001400351AC Relevance: 49.4, APIs: 27, Strings: 1, Instructions: 425windowCOMMON

Function 0000000140090DE4 Relevance: 36.8, APIs: 24, Instructions: 830windowCOMMON

Function 00000001400400EC Relevance: 33.8, APIs: 17, Strings: 2, Instructions: 580windowCOMMON

Function 000000014005098C Relevance: 30.3, APIs: 20, Instructions: 342keyboardwindowCOMMON

Function 0000000140068CB4 Relevance: 30.0, APIs: 16, Strings: 1, Instructions: 260COMMON

Windows Analysis Report
EXPLORER.EXE.exe