Edit tour

Windows Analysis Report
1234.exe

Overview

General Information

Sample name:	1234.exe
Analysis ID:	1562139
MD5:	e4836d25516a1658d3cbad157acaccb2
SHA1:	955149baa21b6ca3ba8a7716cd0d00db1f4d0cd0
SHA256:	18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
Tags:	exemalwaretrojanuser-Joker
Infos:

Detection

Score:	48
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

AI detected suspicious sample

Machine Learning detection for sample

Contains functionality for read data from the clipboard

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to read the clipboard data

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Potential key logger detected (key state polling based)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

1234.exe (PID: 7492 cmdline: "C:\Users\user\Desktop\1234.exe" MD5: E4836D25516A1658D3CBAD157ACACCB2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 1234.exe

Joe Sandbox ML: detected

Source: 1234.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00418450 FindFirstFileA,FindClose,	0_2_00418450
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004071A0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_004071A0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0046F5E5 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0046F5E5
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0040FFE0 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_0040FFE0

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_004234A0 ioctlsocket,recvfrom,

0_2_004234A0

Source: global traffic

DNS traffic detected: DNS query: time.windows.com

Source: 1234.exe

String found in binary or memory: http://www.eyuyan.com)DVarFileInfo$

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0042C540 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0042C540

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0042C540 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,GlobalFree,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_0042C540

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0042C6A0 OpenClipboard,GetClipboardData,CloseClipboard,GlobalSize,GlobalLock,GlobalUnlock,CloseClipboard,

0_2_0042C6A0

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00472198 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,	0_2_00472198
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00418600 GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00418600
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004168E0 IsWindowEnabled,TranslateAcceleratorA,IsChild,GetFocus,PostMessageA,PostMessageA,SendMessageA,IsChild,IsWindow,IsWindowVisible,SendMessageA,SendMessageA,SendMessageA,SendMessageA,GetParent,SendMessageA,WinHelpA,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetKeyState,IsWindow,	0_2_004168E0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0042ADA0 GetKeyState,GetKeyState,GetKeyState,CopyRect,	0_2_0042ADA0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00473CBF GetKeyState,GetKeyState,GetKeyState,GetKeyState,	0_2_00473CBF

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00444050	0_2_00444050
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044C180	0_2_0044C180
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004482E0	0_2_004482E0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0040E280	0_2_0040E280
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043A390	0_2_0043A390
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044C3B0	0_2_0044C3B0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004105F0	0_2_004105F0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00452620	0_2_00452620
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043A6C0	0_2_0043A6C0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044A790	0_2_0044A790
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043A850	0_2_0043A850
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004608A0	0_2_004608A0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0041A990	0_2_0041A990
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00452AC0	0_2_00452AC0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00448AD0	0_2_00448AD0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043CABB	0_2_0043CABB
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00418CC0	0_2_00418CC0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043ECC0	0_2_0043ECC0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00434C80	0_2_00434C80
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044ACA9	0_2_0044ACA9
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043CDED	0_2_0043CDED
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00436DF0	0_2_00436DF0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044CDF0	0_2_0044CDF0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044B166	0_2_0044B166
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004271A0	0_2_004271A0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004472E0	0_2_004472E0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043D352	0_2_0043D352
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044B451	0_2_0044B451
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0045B430	0_2_0045B430
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0047143C	0_2_0047143C
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00457530	0_2_00457530
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0045D580	0_2_0045D580
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044B604	0_2_0044B604
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0046B6CE	0_2_0046B6CE
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00459740	0_2_00459740
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004677D6	0_2_004677D6
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044B87E	0_2_0044B87E
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00447820	0_2_00447820
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0043D8B0	0_2_0043D8B0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004518BE	0_2_004518BE
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00443910	0_2_00443910
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00421920	0_2_00421920
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0045B9B0	0_2_0045B9B0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00411AE0	0_2_00411AE0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00451B0E	0_2_00451B0E
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00443C20	0_2_00443C20
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0044BCB0	0_2_0044BCB0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00449F50	0_2_00449F50
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00457FD0	0_2_00457FD0

Source: C:\Users\user\Desktop\1234.exe	Code function: String function: 00443350 appears 77 times
Source: C:\Users\user\Desktop\1234.exe	Code function: String function: 004430D0 appears 39 times
Source: C:\Users\user\Desktop\1234.exe	Code function: String function: 00442F40 appears 85 times
Source: C:\Users\user\Desktop\1234.exe	Code function: String function: 00461528 appears 92 times
Source: C:\Users\user\Desktop\1234.exe	Code function: String function: 004704FC appears 44 times

Source: 1234.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal48.winEXE@1/0@1/0

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0047264E FindResourceA,LoadResource,LockResource,

0_2_0047264E

Source: 1234.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\1234.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\1234.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\1234.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_004101E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,CLSIDFromString,UnRegisterTypeLib,

0_2_004101E0

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00461528 push eax; ret		0_2_00461546
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0045FD60 push eax; ret		0_2_0045FD8E

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0040E280 IsWindow,IsIconic,SetActiveWindow,IsWindow,IsWindow,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,DestroyAcceleratorTable,DestroyMenu,SetParent,SetWindowPos,IsWindow,SendMessageA,SendMessageA,DestroyAcceleratorTable,IsWindow,IsWindow,IsWindow,IsWindow,IsWindow,GetParent,GetFocus,IsWindow,SendMessageA,IsWindow,GetFocus,SetFocus,	0_2_0040E280
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0045E3CF IsIconic,GetWindowPlacement,GetWindowRect,	0_2_0045E3CF
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00413660 DestroyCursor,IsWindowVisible,IsIconic,IsZoomed,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMenu,DeleteMenu,GetSystemMenu,	0_2_00413660
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00417AD0 IsIconic,IsZoomed,LoadLibraryA,GetProcAddress,GetProcAddress,FreeLibrary,SystemParametersInfoA,IsWindow,ShowWindow,	0_2_00417AD0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00413D30 IsIconic,IsZoomed,	0_2_00413D30

Source: C:\Users\user\Desktop\1234.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\1234.exe

API coverage: 3.0 %

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_00418450 FindFirstFileA,FindClose,	0_2_00418450
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_004071A0 FindFirstFileA,SendMessageA,SendMessageA,FindNextFileA,FindClose,SendMessageA,	0_2_004071A0
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0046F5E5 __EH_prolog,GetFullPathNameA,lstrcpynA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,	0_2_0046F5E5
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0040FFE0 FindNextFileA,FindClose,FindFirstFileA,FindClose,	0_2_0040FFE0

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_004101E0 LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,LoadTypeLib,LoadTypeLib,RegisterTypeLib,CLSIDFromString,UnRegisterTypeLib,

0_2_004101E0

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_00435AE0 GetProcessHeap,OleInitialize,GetModuleFileNameA,SetCurrentDirectoryA,LoadCursorA,GetStockObject,GetCurrentThreadId,

0_2_00435AE0

Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0046A4DD SetUnhandledExceptionFilter,		0_2_0046A4DD
Source: C:\Users\user\Desktop\1234.exe	Code function: 0_2_0046A4EF SetUnhandledExceptionFilter,		0_2_0046A4EF

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_00461A8A GetLocalTime,GetSystemTime,GetTimeZoneInformation,

0_2_00461A8A

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0046A5EB GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,

0_2_0046A5EB

Source: C:\Users\user\Desktop\1234.exe

Code function: 0_2_0047919A GetVersion,GetProcessVersion,LoadCursorA,LoadCursorA,LoadCursorA,

0_2_0047919A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	2 System Time Discovery	Remote Services	1 Input Capture	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	2 Obfuscated Files or Information	LSASS Memory	1 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	1 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	3 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
1234.exe	100%	Joe Sandbox ML

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0035.t-0009.t-msedge.net	13.107.246.63	true	false		high
time.windows.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.eyuyan.com)DVarFileInfo$	1234.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1562139
Start date and time:	2024-11-25 08:54:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	1234.exe
Detection:	MAL
Classification:	mal48.winEXE@1/0@1/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 25 Number of non-executed functions: 248
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 40.81.94.65
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, twc.trafficmanager.net, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 1234.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0035.t-0009.t-msedge.net	file.exe	Get hash	malicious	Unknown	Browse	13.107.246.63
	somes.exe	Get hash	malicious	RedLine	Browse	13.107.246.63
	segura.vbs	Get hash	malicious	Remcos	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC Stealer	Browse	13.107.246.63
	Cargo Invoice_pdf.vbs	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.63
	P0-4856383648383364838364836483.xls	Get hash	malicious	Unknown	Browse	13.107.246.63
	DHL AWB_004673321.vbe	Get hash	malicious	FormBook	Browse	13.107.246.63
	RFQ Nr. 201124559-201124569-201175771.com.exe	Get hash	malicious	Remcos, GuLoader	Browse	13.107.246.63
	Readouts.bat.exe	Get hash	malicious	GuLoader	Browse	13.107.246.63
	file.exe	Get hash	malicious	Amadey, Stealc, Vidar	Browse	13.107.246.63

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.338374260393933
TrID:	Win32 Executable (generic) a (10002005/4) 99.40% InstallShield setup (43055/19) 0.43% Windows Screen Saver (13104/52) 0.13% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	1234.exe
File size:	696'320 bytes
MD5:	e4836d25516a1658d3cbad157acaccb2
SHA1:	955149baa21b6ca3ba8a7716cd0d00db1f4d0cd0
SHA256:	18a21f97bef3fd4c1b1c2c78f592da7b5cb8215cef1474ca9867696ea61cab67
SHA512:	6267d2e883fcf465cb657668fb1c7a0da318b730341801365a684220914cb30d4f7d7d0af6cc9f234d2a11f898dea3a7beeb212913ee31c82f53976a285d68e7
SSDEEP:	6144:BY1WzX3HJXcGn4pp3y91RxPpWZw9B8hyThVO7uhYmemotM5sJLk1yafRQ8ugg2fm:BCUHJsxpp3yft9+cT9hXeXlWfR8LWc
TLSH:	F4E4AF06B5D2C0F6C668253014AA773AEA7A9E160B56CFC39794EE1C1D33162BD37339
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........;...U_..U_..U_m.[_..U_..__U.U_..^_..U_..Y_..U_..F_..U_..F_..U_..T_..U_..^_..U_..__..U_..U_..U_).S_..U_Rich..U_...............

File Icon


Icon Hash:	9eb3c18c2ceea99a

Static PE Info

General

Entrypoint:	0x45e7b5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp:	0x6741D451 [Sat Nov 23 13:10:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9f3cb3c76db5b3259b273eadead48638

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
push FFFFFFFFh
push 00487C78h
push 0046360Ch
mov eax, dword ptr fs:[00000000h]
push eax
mov dword ptr fs:[00000000h], esp
sub esp, 58h
push ebx
push esi
push edi
mov dword ptr [ebp-18h], esp
call dword ptr [0047E340h]
xor edx, edx
mov dl, ah
mov dword ptr [004B22F0h], edx
mov ecx, eax
and ecx, 000000FFh
mov dword ptr [004B22ECh], ecx
shl ecx, 08h
add ecx, edx
mov dword ptr [004B22E8h], ecx
shr eax, 10h
mov dword ptr [004B22E4h], eax
push 00000001h
call 00007F1ECC809788h
pop ecx
test eax, eax
jne 00007F1ECC8049FAh
push 0000001Ch
call 00007F1ECC804AB8h
pop ecx
call 00007F1ECC809533h
test eax, eax
jne 00007F1ECC8049FAh
push 00000010h
call 00007F1ECC804AA7h
pop ecx
xor esi, esi
mov dword ptr [ebp-04h], esi
call 00007F1ECC809361h
call dword ptr [0047E35Ch]
mov dword ptr [004B39C4h], eax
call 00007F1ECC80921Fh
mov dword ptr [004B2260h], eax
call 00007F1ECC808FC8h
call 00007F1ECC808F0Ah
call 00007F1ECC8081C1h
mov dword ptr [ebp-30h], esi
lea eax, dword ptr [ebp-5Ch]
push eax
call dword ptr [0047E2ECh]
call 00007F1ECC808E9Bh
mov dword ptr [ebp-64h], eax
test byte ptr [ebp-30h], 00000001h
je 00007F1ECC8049F8h
movzx eax, word ptr [ebp+00h]

Rich Headers

Programming Language:

[ C ] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) SP6 build 8804
[C++] VS98 (6.0) build 8168
[ C ] VS98 (6.0) build 8168
[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8f038	0x104	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb4000	0x5958	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7e000	0x6a0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7c3fa	0x7d000	2879601d0762b0283ead213d0332d443	False	0.55673046875	data	6.5764692601460935	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7e000	0x132be	0x14000	f65ac85117974eb276ba64526d4b0823	False	0.31510009765625	OpenPGP Public Key Version 7	4.460503385926835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x92000	0x219c8	0x12000	dd2d4e47f59e9bffbfb437eedb81552a	False	0.3093804253472222	data	5.069301897712027	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xb4000	0x5958	0x6000	1f981b2de3f00a3adb38ec5fd92e236f	False	0.2975260416666667	data	4.819252540216183	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TEXTINCLUDE	0xb4bfc	0xb	ASCII text, with no line terminators	Chinese	China	1.7272727272727273
TEXTINCLUDE	0xb4c08	0x16	data	Chinese	China	1.3636363636363635
TEXTINCLUDE	0xb4c20	0x151	C source, ASCII text, with CRLF line terminators	Chinese	China	0.6201780415430267
RT_CURSOR	0xb4d74	0x134	data	Chinese	China	0.5811688311688312
RT_CURSOR	0xb4ea8	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Chinese	China	0.37662337662337664
RT_CURSOR	0xb4fdc	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	Chinese	China	0.4805194805194805
RT_CURSOR	0xb5110	0xb4	Targa image data - Map 32 x 65536 x 1 +16 "\001"	Chinese	China	0.7
RT_BITMAP	0xb51c4	0x248	Device independent bitmap graphic, 64 x 15 x 4, image size 480	Chinese	China	0.3407534246575342
RT_BITMAP	0xb540c	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.4444444444444444
RT_BITMAP	0xb5550	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.26453488372093026
RT_BITMAP	0xb56a8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2616279069767442
RT_BITMAP	0xb5800	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2441860465116279
RT_BITMAP	0xb5958	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.24709302325581395
RT_BITMAP	0xb5ab0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240, resolution 3780 x 3780 px/m	Chinese	China	0.2238372093023256
RT_BITMAP	0xb5c08	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.19476744186046513
RT_BITMAP	0xb5d60	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.20930232558139536
RT_BITMAP	0xb5eb8	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	Chinese	China	0.18895348837209303
RT_BITMAP	0xb6010	0x5e4	Device independent bitmap graphic, 70 x 39 x 4, image size 1404	Chinese	China	0.34615384615384615
RT_BITMAP	0xb65f4	0xb8	Device independent bitmap graphic, 12 x 10 x 4, image size 80	Chinese	China	0.44565217391304346
RT_BITMAP	0xb66ac	0x16c	Device independent bitmap graphic, 39 x 13 x 4, image size 260	Chinese	China	0.28296703296703296
RT_BITMAP	0xb6818	0x144	Device independent bitmap graphic, 33 x 11 x 4, image size 220	Chinese	China	0.37962962962962965
RT_ICON	0xb695c	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	Chinese	China	0.26344086021505375
RT_ICON	0xb6c44	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	Chinese	China	0.41216216216216217
RT_ICON	0xb6d6c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192			0.3885135135135135
RT_ICON	0xb6e94	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640			0.33198924731182794
RT_ICON	0xb717c	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536			0.22378048780487805
RT_MENU	0xb77e4	0xc	data	Chinese	China	1.5
RT_MENU	0xb77f0	0x284	data	Chinese	China	0.5
RT_DIALOG	0xb7a74	0x98	data	Chinese	China	0.7171052631578947
RT_DIALOG	0xb7b0c	0x17a	data	Chinese	China	0.5185185185185185
RT_DIALOG	0xb7c88	0xfa	data	Chinese	China	0.696
RT_DIALOG	0xb7d84	0xea	data	Chinese	China	0.6239316239316239
RT_DIALOG	0xb7e70	0x8ae	data	Chinese	China	0.39603960396039606
RT_DIALOG	0xb8720	0xb2	data	Chinese	China	0.7359550561797753
RT_DIALOG	0xb87d4	0xcc	data	Chinese	China	0.7647058823529411
RT_DIALOG	0xb88a0	0xb2	data	Chinese	China	0.6629213483146067
RT_DIALOG	0xb8954	0xe2	data	Chinese	China	0.6637168141592921
RT_DIALOG	0xb8a38	0x18c	data	Chinese	China	0.5227272727272727
RT_STRING	0xb8bc4	0x50	data	Chinese	China	0.85
RT_STRING	0xb8c14	0x2c	data	Chinese	China	0.5909090909090909
RT_STRING	0xb8c40	0x78	data	Chinese	China	0.925
RT_STRING	0xb8cb8	0x1c4	data	Chinese	China	0.8141592920353983
RT_STRING	0xb8e7c	0x12a	data	Chinese	China	0.5201342281879194
RT_STRING	0xb8fa8	0x146	data	Chinese	China	0.6288343558282209
RT_STRING	0xb90f0	0x40	data	Chinese	China	0.65625
RT_STRING	0xb9130	0x64	data	Chinese	China	0.73
RT_STRING	0xb9194	0x1d8	data	Chinese	China	0.6758474576271186
RT_STRING	0xb936c	0x114	data	Chinese	China	0.6376811594202898
RT_STRING	0xb9480	0x24	data	Chinese	China	0.4444444444444444
RT_GROUP_CURSOR	0xb94a4	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0xb94b8	0x14	Lotus unknown worksheet or configuration, revision 0x1	Chinese	China	1.25
RT_GROUP_CURSOR	0xb94cc	0x22	Lotus unknown worksheet or configuration, revision 0x2	Chinese	China	1.0294117647058822
RT_GROUP_ICON	0xb94f0	0x30	data			0.9166666666666666
RT_GROUP_ICON	0xb9520	0x14	data	Chinese	China	1.2
RT_GROUP_ICON	0xb9534	0x14	data	Chinese	China	1.25
RT_VERSION	0xb9548	0x240	data	Chinese	China	0.5642361111111112
RT_MANIFEST	0xb9788	0x1cd	XML 1.0 document, ASCII text, with very long lines (461), with no line terminators			0.5878524945770065

Imports

DLL	Import
KERNEL32.dll	SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, GetCurrentProcess, DuplicateHandle, lstrcpynA, SetLastError, FileTimeToLocalFileTime, FileTimeToSystemTime, LocalFree, InterlockedDecrement, CreateSemaphoreA, ResumeThread, ReleaseSemaphore, EnterCriticalSection, LeaveCriticalSection, GetProfileStringA, SetStdHandle, IsBadCodePtr, IsBadReadPtr, CompareStringW, CompareStringA, SetUnhandledExceptionFilter, GetStringTypeW, GetStringTypeA, IsBadWritePtr, VirtualAlloc, LCMapStringW, LCMapStringA, SetEnvironmentVariableA, VirtualFree, HeapCreate, HeapDestroy, GetEnvironmentVariableA, GetFileType, GetStdHandle, SetHandleCount, GetEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsW, FreeEnvironmentStringsA, UnhandledExceptionFilter, GetACP, HeapSize, TerminateProcess, GetLocalTime, GetSystemTime, GetTimeZoneInformation, WriteFile, WaitForMultipleObjects, CreateFileA, SetEvent, FindResourceA, LoadResource, LockResource, ReadFile, GetModuleFileNameA, GetCurrentThreadId, ExitProcess, GlobalSize, GlobalFree, DeleteCriticalSection, InitializeCriticalSection, lstrcatA, lstrlenA, WinExec, lstrcpyA, FindNextFileA, GlobalReAlloc, HeapFree, HeapReAlloc, GetProcessHeap, HeapAlloc, MultiByteToWideChar, WideCharToMultiByte, GetFullPathNameA, FreeLibrary, LoadLibraryA, GetLastError, GetVersionExA, WritePrivateProfileStringA, GetPrivateProfileStringA, CreateThread, CreateEventA, Sleep, GlobalAlloc, GlobalLock, GlobalUnlock, FindFirstFileA, FindClose, GetFileAttributesA, RaiseException, RtlUnwind, GetStartupInfoA, GetOEMCP, GetCPInfo, GetProcessVersion, SetErrorMode, GlobalFlags, GetCurrentThread, GetFileTime, GetFileSize, TlsGetValue, LocalReAlloc, TlsSetValue, TlsFree, GlobalHandle, SetCurrentDirectoryA, GetVolumeInformationA, GetModuleHandleA, GetProcAddress, TlsAlloc, LocalAlloc, lstrcmpA, GetVersion, GlobalGetAtomNameA, GlobalAddAtomA, GlobalFindAtomA, GlobalDeleteAtom, lstrcmpiA, MulDiv, GetCommandLineA, GetTickCount, WaitForSingleObject, CloseHandle, InterlockedIncrement
USER32.dll	OpenClipboard, SetClipboardData, EmptyClipboard, GetSystemMetrics, GetCursorPos, MessageBoxA, SetWindowPos, SendMessageA, DestroyCursor, SetParent, GetClipboardData, PostMessageA, GetTopWindow, GetParent, CloseClipboard, wsprintfA, GetFocus, GetClientRect, InvalidateRect, ValidateRect, UpdateWindow, EqualRect, GetWindowRect, SetForegroundWindow, IsWindow, RegisterClassA, DestroyMenu, IsChild, ReleaseDC, IsRectEmpty, FillRect, GetDC, SetCursor, LoadCursorA, SetCursorPos, SetActiveWindow, GetSysColor, SetWindowLongA, GetWindowLongA, RedrawWindow, EnableWindow, IsWindowVisible, OffsetRect, PtInRect, DestroyIcon, IntersectRect, InflateRect, SetRect, SetScrollPos, SetScrollRange, GetScrollRange, SetCapture, LoadIconA, TranslateMessage, DrawFrameControl, DrawEdge, DrawFocusRect, WindowFromPoint, GetMessageA, DispatchMessageA, SetRectEmpty, RegisterClipboardFormatA, CreateIconFromResourceEx, CreateIconFromResource, DrawIconEx, CreatePopupMenu, AppendMenuA, ModifyMenuA, CreateMenu, CreateAcceleratorTableA, GetDlgCtrlID, GetSubMenu, EnableMenuItem, ClientToScreen, EnumDisplaySettingsA, LoadImageA, SystemParametersInfoA, ShowWindow, IsWindowEnabled, TranslateAcceleratorA, GetKeyState, CopyAcceleratorTableA, PostQuitMessage, IsZoomed, GetClassInfoA, DefWindowProcA, GetSystemMenu, DeleteMenu, GetMenu, SetMenu, PeekMessageA, GetWindowTextA, GetWindowTextLengthA, CharUpperA, GetWindowDC, BeginPaint, EndPaint, TabbedTextOutA, DrawTextA, GrayStringA, GetDlgItem, DestroyWindow, CreateDialogIndirectParamA, EndDialog, GetNextDlgTabItem, GetWindowPlacement, RegisterWindowMessageA, GetForegroundWindow, GetLastActivePopup, GetMessageTime, RemovePropA, CallWindowProcA, GetPropA, UnhookWindowsHookEx, SetPropA, GetClassLongA, CallNextHookEx, SetWindowsHookExA, CreateWindowExA, GetMenuItemID, GetMenuItemCount, UnregisterClassA, GetScrollPos, AdjustWindowRectEx, MapWindowPoints, SendDlgItemMessageA, ScrollWindowEx, IsDialogMessageA, SetWindowTextA, MoveWindow, CheckMenuItem, SetMenuItemBitmaps, GetMenuState, GetMenuCheckMarkDimensions, GetClassNameA, GetDesktopWindow, LoadStringA, GetSysColorBrush, IsIconic, SetFocus, GetActiveWindow, GetWindow, DestroyAcceleratorTable, SetWindowRgn, GetMessagePos, ScreenToClient, ChildWindowFromPointEx, CopyRect, LoadBitmapA, WinHelpA, KillTimer, SetTimer, ReleaseCapture, GetCapture
GDI32.dll	GetClipRgn, CreatePolygonRgn, SelectClipRgn, DeleteObject, CreateDIBitmap, GetSystemPaletteEntries, CreatePalette, StretchBlt, SelectPalette, RealizePalette, GetDIBits, GetWindowExtEx, GetViewportOrgEx, GetWindowOrgEx, BeginPath, EndPath, PathToRegion, CreateEllipticRgn, CreateRoundRectRgn, GetTextColor, GetBkMode, GetBkColor, GetROP2, GetStretchBltMode, GetPolyFillMode, CreateCompatibleBitmap, CreateDCA, CreateBitmap, SelectObject, GetObjectA, CreatePen, PatBlt, SetStretchBltMode, CreateRectRgn, FillRgn, CreateSolidBrush, GetStockObject, CreateFontIndirectA, EndPage, EndDoc, DeleteDC, StartDocA, StartPage, BitBlt, CreateCompatibleDC, Ellipse, Rectangle, LPtoDP, DPtoLP, GetCurrentObject, RoundRect, GetTextExtentPoint32A, GetDeviceCaps, SaveDC, RestoreDC, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, SetMapMode, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, SetWindowExtEx, ScaleWindowExtEx, GetClipBox, ExcludeClipRect, MoveToEx, LineTo, CreateRectRgnIndirect, SetBkColor, CombineRgn, GetTextMetricsA, Escape, ExtTextOutA, TextOutA, RectVisible, PtVisible, GetViewportExtEx, ExtSelectClipRgn
WINMM.dll	midiStreamRestart, midiStreamClose, midiOutReset, midiStreamStop, midiStreamOut, midiOutPrepareHeader, midiStreamProperty, midiStreamOpen, midiOutUnprepareHeader, waveOutOpen, waveOutGetNumDevs, waveOutClose, waveOutReset, waveOutPause, waveOutWrite, waveOutPrepareHeader, waveOutUnprepareHeader
WINSPOOL.DRV	ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegSetValueExA, RegQueryValueA, RegCreateKeyExA
SHELL32.dll	ShellExecuteA, Shell_NotifyIconA
ole32.dll	OleInitialize, OleUninitialize, CLSIDFromString
OLEAUT32.dll	UnRegisterTypeLib, RegisterTypeLib, LoadTypeLib
COMCTL32.dll	ImageList_Destroy
WS2_32.dll	ioctlsocket, recv, getpeername, accept, recvfrom, WSAAsyncSelect, closesocket, inet_ntoa, WSACleanup
comdlg32.dll	ChooseColorA, GetSaveFileNameA, GetOpenFileNameA, GetFileTitleA

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	China

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 25, 2024 08:55:18.998697996 CET	50894	53	192.168.2.7	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 25, 2024 08:55:18.998697996 CET	192.168.2.7	1.1.1.1	0x64f8	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 25, 2024 08:55:19.096498013 CET	1.1.1.1	192.168.2.7	0x43dc	No error (0)	shed.dual-low.s-part-0035.t-0009.t-msedge.net	s-part-0035.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 25, 2024 08:55:19.096498013 CET	1.1.1.1	192.168.2.7	0x43dc	No error (0)	s-part-0035.t-0009.t-msedge.net		13.107.246.63	A (IP address)	IN (0x0001)	false
Nov 25, 2024 08:55:19.135847092 CET	1.1.1.1	192.168.2.7	0x64f8	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false

Target ID:	0
Start time:	02:55:22
Start date:	25/11/2024
Path:	C:\Users\user\Desktop\1234.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\1234.exe"
Imagebase:	0x400000
File size:	696'320 bytes
MD5 hash:	E4836D25516A1658D3CBAD157ACACCB2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	7.3%
Total number of Nodes:	533
Total number of Limit Nodes:	39

Executed Functions

Function 00435AE0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
commemorythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcessHeap.KERNEL32 ref: 00435B09
OleInitialize.OLE32(00000000), ref: 00435B45
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00435B63
SetCurrentDirectoryA.KERNEL32(022C5B10,?), ref: 00435BBD
LoadCursorA.USER32(00000000,00007F00), ref: 00435C18
GetStockObject.GDI32(00000005), ref: 00435C39
GetCurrentThreadId.KERNEL32 ref: 00435C61

Strings

_EL_HideOwner, xrefs: 00435C43

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Current$CursorDirectoryFileHeapInitializeLoadModuleNameObjectProcessStockThread
String ID: _EL_HideOwner
API String ID: 3783217854-1487855678
Opcode ID: 12318345393c2ec474186d80e6d6c90b4927b10c6c0fdb3f53d46149b41238ae
Instruction ID: 2dc86200c12e14e658add671d2b0c53a1b1a227cc7d12e314bd0d2e62a02cec9
Opcode Fuzzy Hash: 12318345393c2ec474186d80e6d6c90b4927b10c6c0fdb3f53d46149b41238ae
Instruction Fuzzy Hash: 54E11470A006059BCB14EF55CC85FEE73B4FF58308F14416EE909AB2D2DB786A41CB99

Function 0047919A Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,?,?,00479195), ref: 00479211
GetProcessVersion.KERNELBASE(00000000,?,?,?,00479195), ref: 0047924E
LoadCursorA.USER32(00000000,00007F02), ref: 0047927C
LoadCursorA.USER32(00000000,00007F00), ref: 00479287

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CursorLoadVersion$Process
String ID:
API String ID: 2246821583-0
Opcode ID: 2dcf1923bdee7884480de50b3c800caf402c73c9dd1d173c6af162392ab0cdeb
Instruction ID: f7d1dbc9d0bc89a882a2f6ffdee158b259513b10756e40ba2b1bccc5a3c480db
Opcode Fuzzy Hash: 2dcf1923bdee7884480de50b3c800caf402c73c9dd1d173c6af162392ab0cdeb
Instruction Fuzzy Hash: A6113DB1A007509FD7249F3A889456ABBE5FB487047504E3FE18BC6B91D778E441CB54

Function 0047086D Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0047868A: TlsGetValue.KERNEL32(004B1F0C,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000), ref: 004786C9

CallNextHookEx.USER32(?,00000003,?,?), ref: 00470897
GetClassLongA.USER32(?,000000E6), ref: 004708DE
GlobalGetAtomNameA.KERNEL32(?,?,00000005,?,?,?,Function_00077A10), ref: 0047090A
lstrcmpiA.KERNEL32(?,ime), ref: 00470919
GetWindowLongA.USER32(?,000000FC), ref: 0047098C
SetWindowLongA.USER32(?,000000FC,00000000), ref: 004709AD

Strings

AfxOldWndProc423, xrefs: 004709EE, 004709F3, 004709FE, 00470A06, 00470A0F
ime, xrefs: 00470913

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Long$Window$AtomCallClassGlobalHookNameNextValuelstrcmpi
String ID: AfxOldWndProc423$ime
API String ID: 3731301195-104836986
Opcode ID: a92844cc2f1d43782734ccbe517d2a0bb5e4a838a4f859ab78953bf994098d00
Instruction ID: 08ff92b685b13f398972125f0685fc5eaa27663d3c9961cf4ba4b8bf0aceb77c
Opcode Fuzzy Hash: a92844cc2f1d43782734ccbe517d2a0bb5e4a838a4f859ab78953bf994098d00
Instruction Fuzzy Hash: B551C2B1501214EBDB119F65CC48BAF7BB8FF08364F10866AF919A7292D738DD40CB98

Function 00416580 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetParent.USER32(?), ref: 004165CA

Part of subcall function 00472F8D: IsWindowEnabled.USER32(?), ref: 00472F97

IsWindow.USER32(?), ref: 0041666B
GetParent.USER32(?), ref: 00416686
IsWindowVisible.USER32(?), ref: 0041669A
SetActiveWindow.USER32(?), ref: 004166BB
IsWindow.USER32(?), ref: 004166D8
KiUserCallbackDispatcher.NTDLL(?), ref: 004166E6
IsWindow.USER32(?), ref: 004166ED
IsWindow.USER32(?), ref: 00416748
IsWindow.USER32(?), ref: 004167A2
GetFocus.USER32 ref: 004167B6
IsWindow.USER32(00000000), ref: 004167C3
IsChild.USER32(?,00000000), ref: 004167D2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Parent$ActiveCallbackChildDispatcherEnabledFocusUserVisible
String ID:
API String ID: 416498738-0
Opcode ID: 88317b036ddb85d3a4acb9f09bf24f979aa3b86dc36c958725f93658f4ee4583
Instruction ID: c368f86dfb405411479110e5325bb561c90c330584e5484e470e5d5a0bfd16d6
Opcode Fuzzy Hash: 88317b036ddb85d3a4acb9f09bf24f979aa3b86dc36c958725f93658f4ee4583
Instruction Fuzzy Hash: 6851A271600315DBC7209F62D840AABFBA8FF44348F154A2FF95997250DB38E885CFA9

Function 00470692 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__EH_prolog.LIBCMT ref: 00470697
GetPropA.USER32(?,AfxOldWndProc423), ref: 004706AF
CallWindowProcA.USER32(?,?,00000110,?,00000000), ref: 0047070D

Part of subcall function 0047027A: GetWindowRect.USER32(?,?), ref: 0047029F
Part of subcall function 0047027A: GetWindow.USER32(?,00000004), ref: 004702BC

SetWindowLongA.USER32(?,000000FC,?), ref: 0047073D
RemovePropA.USER32(?,AfxOldWndProc423), ref: 00470745
GlobalFindAtomA.KERNEL32(AfxOldWndProc423), ref: 0047074C
GlobalDeleteAtom.KERNEL32(00000000), ref: 00470753

Part of subcall function 00470257: GetWindowRect.USER32(?,?), ref: 00470263

CallWindowProcA.USER32(?,?,?,?,00000000), ref: 004707A7

Strings

AfxOldWndProc423, xrefs: 004706A5, 004706AD, 00470743, 0047074B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$AtomCallGlobalProcPropRect$DeleteFindH_prologLongRemove
String ID: AfxOldWndProc423
API String ID: 2397448395-1060338832
Opcode ID: 39dd646720293be6dd54f4442a2225d783c911fba6604af8225f5658894bac69
Instruction ID: 948ca25a511b6468cd00258a0452a54c5d0a8d13ad2caa58cb2a85790e418dc5
Opcode Fuzzy Hash: 39dd646720293be6dd54f4442a2225d783c911fba6604af8225f5658894bac69
Instruction Fuzzy Hash: 2E31AE32802109FBCB01AFA5DD49DFF7B78EF49314F04812AF509A6151D7399A109BA9

Function 00478323 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(004B1F28,004B1EFC,00000000,?,004B1F0C,004B1F0C,004786BE,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000), ref: 00478332
GlobalAlloc.KERNELBASE(00002002,00000000,?,?,004B1F0C,004B1F0C,004786BE,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000), ref: 00478387
GlobalHandle.KERNEL32(00572788), ref: 00478390
GlobalUnlock.KERNEL32(00000000), ref: 00478399
GlobalReAlloc.KERNEL32(00000000,00000000,00002002), ref: 004783AB
GlobalHandle.KERNEL32(00572788), ref: 004783C2
GlobalLock.KERNEL32(00000000), ref: 004783C9
LeaveCriticalSection.KERNEL32(0045E895,?,?,004B1F0C,004B1F0C,004786BE,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000), ref: 004783CF
GlobalLock.KERNEL32(00000000), ref: 004783DE
LeaveCriticalSection.KERNEL32(?), ref: 00478427

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
String ID:
API String ID: 2667261700-0
Opcode ID: 2c4eb1686be119b5cf720e565b3b0f73aa0009c3e1fe2f128ffa3051f1054b21
Instruction ID: c33a8ca1bf76eb8412d1f3848a51d32db86b6f76fa2e97ae80e1711f0f96ff83
Opcode Fuzzy Hash: 2c4eb1686be119b5cf720e565b3b0f73aa0009c3e1fe2f128ffa3051f1054b21
Instruction Fuzzy Hash: A231C4752403059FD7209F29DC89A6AB7E9FB48304B044A7EF85AC3661EB75F8448B14

Function 004131A0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20abf32b4f37d6c281fb531ad98dbdc0771082f98ddea6d6723f8f3da4d28045
Instruction ID: 39af21b2f3309e76d78f60731317fde95632f7ad877890eed68fc2d941b65266
Opcode Fuzzy Hash: 20abf32b4f37d6c281fb531ad98dbdc0771082f98ddea6d6723f8f3da4d28045
Instruction Fuzzy Hash: A7B1D270604300AFD724DF65C884BABBBE6BBC4705F10892EF59687390D779E981CB5A

Function 00474B3B Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00474B48
GetSystemMetrics.USER32(0000000C), ref: 00474B4F
GetDC.USER32(00000000), ref: 00474B68
GetDeviceCaps.GDI32(00000000,00000058), ref: 00474B79
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00474B81
ReleaseDC.USER32(00000000,00000000), ref: 00474B89

Part of subcall function 004791BA: GetSystemMetrics.USER32(00000002), ref: 004791CC
Part of subcall function 004791BA: GetSystemMetrics.USER32(00000003), ref: 004791D6

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
String ID:
API String ID: 1031845853-0
Opcode ID: f9010f8f7b6f40b60f0b747dd500037fdb4ad5eff725b2e6240b3208444c5616
Instruction ID: 9139ad8ad4bc7c4ee5c95f252c75ced0f17c7d338a8e1b1fc69cf17292ff6534
Opcode Fuzzy Hash: f9010f8f7b6f40b60f0b747dd500037fdb4ad5eff725b2e6240b3208444c5616
Instruction Fuzzy Hash: 89F090309407009AE2206B728C4DF67BBA4EBC5756F00896AE60946290CBB4AC418EA9

Function 00405E50 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColor.USER32(0000000F), ref: 00405F5C
DestroyCursor.USER32(?), ref: 00405FBA
SendMessageA.USER32(?,000000F7,00000001,?), ref: 0040605C
SendMessageA.USER32(?,000000F7,00000000,?), ref: 0040608E

Strings

BUTTON, xrefs: 0040601B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$ColorCursorDestroy
String ID: BUTTON
API String ID: 3592366650-3405671355
Opcode ID: 5c5ac774a331509702de4b18c2855573ce99ba21b17b4b6f7d02fba2a56fb5de
Instruction ID: dbdb469a5d1cbeb389c5e40d211babfe284514c955d10c29dd8328a6098c820f
Opcode Fuzzy Hash: 5c5ac774a331509702de4b18c2855573ce99ba21b17b4b6f7d02fba2a56fb5de
Instruction Fuzzy Hash: DF618CB5604B059FD224DF25C880A6BB7E9FB44704F148A2EF58A937C0DA39E845CF5A

Function 00413080 Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageA.USER32(?,00000080,00000001,?), ref: 00413128
SendMessageA.USER32(?,00000080,00000000,?), ref: 0041313A
DestroyCursor.USER32(?), ref: 0041314D
DestroyCursor.USER32(?), ref: 0041315A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CursorDestroyMessageSend
String ID:
API String ID: 3501257726-0
Opcode ID: 6ba6362be43cbef74935d17fc10841e0aed30d1aca695cf9c1526164656a8700
Instruction ID: e29ab39281d90750293f6381ccc256c181cef5e1b59a19684d71f4954f1213ca
Opcode Fuzzy Hash: 6ba6362be43cbef74935d17fc10841e0aed30d1aca695cf9c1526164656a8700
Instruction Fuzzy Hash: F9312D71604301AFE720DF65C881BD7B7E8AFC8714F00892EF99987340D678E9898B66

Function 0040F1F0 Relevance: 4.6, APIs: 3, Instructions: 110
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F219
IsWindow.USER32 ref: 0040F247
PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 0040F316

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessagePeek$Window
String ID:
API String ID: 1210580970-0
Opcode ID: af07dfd07b9b5a688a0127e434e0eca7ff368b6e9f257fcaa4a840d5375e0b53
Instruction ID: 3c8de120365ae169cd9c4716eb6c7c8fb49355bc55742a9e9e98a68a95a6f4d6
Opcode Fuzzy Hash: af07dfd07b9b5a688a0127e434e0eca7ff368b6e9f257fcaa4a840d5375e0b53
Instruction Fuzzy Hash: 0631DF74604207AFD724DF24D984AABB3A8FF84348F00017EE915A7680D735EE18CBA9

Function 00473E6F Relevance: 4.5, APIs: 3, Instructions: 29
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 00473E7C
TranslateMessage.USER32(?), ref: 00473E9C
DispatchMessageA.USER32(?), ref: 00473EA3

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Message$CallbackDispatchDispatcherTranslateUser
String ID:
API String ID: 2960505505-0
Opcode ID: be3ab02bd2e477da28efeb379915138a659d024b0026003dfbbb9e3fdddcef3c
Instruction ID: db6e84bf89d0f41b040cc42e6b4ab40dd7183525db50c142e2847e8d216cd575
Opcode Fuzzy Hash: be3ab02bd2e477da28efeb379915138a659d024b0026003dfbbb9e3fdddcef3c
Instruction Fuzzy Hash: 2BE09232200500AFE7315F66AC48EBB33ACFF89B02B04446FF445C6110C7649D819AA9

Function 00478EEC Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000000,00000000,00474BBD,00000000,00000000,00000000,00000000,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000,0045E895), ref: 00478EF5
SetErrorMode.KERNELBASE(00000000,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000,0045E895,00000000), ref: 00478EFC

Part of subcall function 00478F4F: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00478F80
Part of subcall function 00478F4F: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00479021
Part of subcall function 00478F4F: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047904E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ErrorMode$FileModuleNamelstrcatlstrcpy
String ID:
API String ID: 3389432936-0
Opcode ID: 2813941e7120b61f0e9c3642a0dd2f5959848cde400cd79b267168fdcabf9ebc
Instruction ID: b84448dbe18aa3599bde46d9989cd5775f4c21dc997065790cf20732382f305d
Opcode Fuzzy Hash: 2813941e7120b61f0e9c3642a0dd2f5959848cde400cd79b267168fdcabf9ebc
Instruction Fuzzy Hash: A1F04FB0A542208FC715EF25D84AA897BD5AF44710F05C88FF44C9B3A2CF78D841CB99

Function 004635A6 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000,0045E813,00000001), ref: 004635B7

Part of subcall function 0046345E: GetVersionExA.KERNEL32 ref: 0046347D

HeapDestroy.KERNEL32 ref: 004635F6

Part of subcall function 00466F85: HeapAlloc.KERNEL32(00000000,00000140,004635DF,000003F8), ref: 00466F92

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Heap$AllocCreateDestroyVersion
String ID:
API String ID: 2507506473-0
Opcode ID: 1a68ecb066cf31f40bdd0cf95a585a700451bec107730a330766bcf3c6f4fbfb
Instruction ID: f542be2139c281de42590f8714e3229101d016502717faae1328097976123ce7
Opcode Fuzzy Hash: 1a68ecb066cf31f40bdd0cf95a585a700451bec107730a330766bcf3c6f4fbfb
Instruction Fuzzy Hash: C5F065B0A052426BEB211F316D4672A3A949744757F10493BF806CA5A4FBB8CAC0990F

Function 004199B0 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadImageA.USER32(?,?,00000001,00000020,00000020,00000000), ref: 004199CB
LoadImageA.USER32(?,?,00000001,00000010,00000010,00000000), ref: 004199DD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ImageLoad
String ID:
API String ID: 306446377-0
Opcode ID: dde0e63943b9c548ee65c660856bb544fb51d23afd6e007c52c42f10269e69c7
Instruction ID: 9b8e005d6f0665b139493f29c319213d9b109869de6b3226bfec06cfd7593da2
Opcode Fuzzy Hash: dde0e63943b9c548ee65c660856bb544fb51d23afd6e007c52c42f10269e69c7
Instruction Fuzzy Hash: 78E0ED3234131177D620CE5A8C85F9BF7A9EB8DB10F100859B344AB1D1C2F1A4458669

Function 00470E2E Relevance: 3.0, APIs: 2, Instructions: 27COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,?,?,?), ref: 00470E55
CallWindowProcA.USER32(?,?,?,?,?), ref: 00470E6A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ProcWindow$Call
String ID:
API String ID: 2316559721-0
Opcode ID: c4c67c92f5915d575ff71f6cb1d7d729ae434e978070313f3b995e738de9890d
Instruction ID: 048fe8811807e309bf50d5e34ea138043eace934b8a5ca52917b812774909004
Opcode Fuzzy Hash: c4c67c92f5915d575ff71f6cb1d7d729ae434e978070313f3b995e738de9890d
Instruction Fuzzy Hash: EAF01536100208FFCF218FA5DC04EDA7BBAFF09350B04896AFA59C6120D732E860AB44

Function 00473912 Relevance: 3.0, APIs: 2, Instructions: 27threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00473925
SetWindowsHookExA.USER32(000000FF,00473C67,00000000,00000000), ref: 00473935

Part of subcall function 0047871F: __EH_prolog.LIBCMT ref: 00478724

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CurrentH_prologHookThreadWindows
String ID:
API String ID: 2183259885-0
Opcode ID: 59893721d11a2e8505da5804c9e584d99e935225abcdbd2258b090a6cba375e1
Instruction ID: 4c73a417642fa327983bf3ca7eac76f68d31046532d224754585aadc3033b64b
Opcode Fuzzy Hash: 59893721d11a2e8505da5804c9e584d99e935225abcdbd2258b090a6cba375e1
Instruction Fuzzy Hash: 20F0A071540210AAC7213BB1AD0EBEA3691AF00715F54CA9FF24E6A5E1CF6C9881876E

Function 00470A63 Relevance: 3.0, APIs: 2, Instructions: 25threadCOMMON

Download Yara Rule

APIs

Part of subcall function 0047868A: TlsGetValue.KERNEL32(004B1F0C,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000), ref: 004786C9

GetCurrentThreadId.KERNEL32 ref: 00470A85
SetWindowsHookExA.USER32(00000005,0047086D,00000000,00000000), ref: 00470A95

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CurrentHookThreadValueWindows
String ID:
API String ID: 933525246-0
Opcode ID: 4b4880eb2d4eb33342b7335882d9e9022a6bd83d17963e5434e62cd68f0010ad
Instruction ID: 3086e46210450a4c675c0cc524bd74b3f96aedea44356f2ad03ad1f568ac8751
Opcode Fuzzy Hash: 4b4880eb2d4eb33342b7335882d9e9022a6bd83d17963e5434e62cd68f0010ad
Instruction Fuzzy Hash: 16E06D71601700EED3309B63AC05B9B7BE4DB94B51F21CA3FE58D92180D77898458BBE

Function 004600A5 Relevance: 1.6, APIs: 1, Instructions: 80memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,-0000000F,00000000,?,00000000,00000000,00000000), ref: 0046018C

Part of subcall function 00465D44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D81
Part of subcall function 00465D44: EnterCriticalSection.KERNEL32(?,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D9C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalSection$AllocateEnterHeapInitialize
String ID:
API String ID: 1616793339-0
Opcode ID: 9a6b4113e73637ccff7f8fe1de3f3802b4da747e7f0a5cf5f3913a58852b6dbd
Instruction ID: 424e96c3de164e876a4c556cb04d86a027ecc09fba70e3d04769bec7111bbab1
Opcode Fuzzy Hash: 9a6b4113e73637ccff7f8fe1de3f3802b4da747e7f0a5cf5f3913a58852b6dbd
Instruction Fuzzy Hash: 3F21CB71A00204ABDB10DF69DD42BDF77A4EB02724F244617F810EB2D1E77D9D81965E

Function 004703CA Relevance: 1.6, APIs: 1, Instructions: 73COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004703CF

Part of subcall function 0047868A: TlsGetValue.KERNEL32(004B1F0C,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000), ref: 004786C9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologValue
String ID:
API String ID: 3700342317-0
Opcode ID: eac36acbc42570969176cf00d1e6eb1005f5413cb1b1330084aa6bab5fb8097f
Instruction ID: 30f039f982f502f5a3e74bfe391d02a8202ddba68276e97437038c3088004330
Opcode Fuzzy Hash: eac36acbc42570969176cf00d1e6eb1005f5413cb1b1330084aa6bab5fb8097f
Instruction Fuzzy Hash: D3217C72A01209EFDF01DF54C481AEE7BB9FF44315F10806AF919AB241D378AE54CBA5

Function 00470AF1 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

CreateWindowExA.USER32(00000000,00000080,00435C61,?,?,?,?,?,?,?,?,?), ref: 00470B8F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 6ecf8e30d9d89f4542589aee57d260bbf9e958c65c1fd4476b66a963ee8a65d2
Instruction ID: f0af406e50719a79beefbadbece049394b76bb29be355e11835ebeafb2d55500
Opcode Fuzzy Hash: 6ecf8e30d9d89f4542589aee57d260bbf9e958c65c1fd4476b66a963ee8a65d2
Instruction Fuzzy Hash: 3E318879A00219EFCF01DFA8C8449DEBBF1BF4C314B11846AF918E7210E7359A519FA4

Function 00415500 Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 00415540

Part of subcall function 00415060: CreateRectRgn.GDI32(?,?,?,?), ref: 004150AE
Part of subcall function 00415060: GetClientRect.USER32(?,?), ref: 00415149

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$BeginClientClipCreateEmptyH_prologPaint
String ID:
API String ID: 4024812366-0
Opcode ID: 470bd6908846dfa4e771549446049a6a2d46612859fdeb34bd111263496f774a
Instruction ID: 0a9dea0bc57614821ed5bf5cd4cc0136d90aa9c91e545a6efc8b84f607826d73
Opcode Fuzzy Hash: 470bd6908846dfa4e771549446049a6a2d46612859fdeb34bd111263496f774a
Instruction Fuzzy Hash: 91F08171044B41DFC214DF14C951BDE77E8FB84B24F904A1EF05992290DB789909CBA3

Function 00470641 Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47b349df25041226a57e6eeef82d6962ef2c9a14d70ee86a6b721b4e76cfb2b8
Instruction ID: 66111b52ac265668795f09423bf1c4268ad8d486e193e75c63917317e76e0c23
Opcode Fuzzy Hash: 47b349df25041226a57e6eeef82d6962ef2c9a14d70ee86a6b721b4e76cfb2b8
Instruction Fuzzy Hash: 5EF01C32002619FBCF229E919D10EEB3B29AF48364F00C417FA1855051C37AD571EFAE

Function 004743C2 Relevance: 1.5, APIs: 1, Instructions: 14COMMON

Download Yara Rule

APIs

LoadStringA.USER32(?,?,?,?), ref: 004743D9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: b3fd9b8245cd6a42d06afea6fc49b915b30b5785c8f69990c4a47a8c729af587
Instruction ID: bb78ca9eed384d921fa2aef50382f8dcd182f132930ec63ca2272f9a1478f0b2
Opcode Fuzzy Hash: b3fd9b8245cd6a42d06afea6fc49b915b30b5785c8f69990c4a47a8c729af587
Instruction Fuzzy Hash: 11D0A7761093B1DBC701DFA18C08C8FBBA4BF54314B058C4EF48883151D324D844C765

Function 00472F66 Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?,0040BEBC,00000000), ref: 00472F74

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 4eece4d2fe101d7280f206a01dcf1f417d255802c7efc64b0e46a19000654bd2
Instruction ID: 6d71bd0b4200bc7a011872bd9144de54dbd4bb6b8ad45bc6e156fd7bf4c41a21
Opcode Fuzzy Hash: 4eece4d2fe101d7280f206a01dcf1f417d255802c7efc64b0e46a19000654bd2
Instruction Fuzzy Hash: D8D09E303042019FCB059F61CA44A56BBB6FF94704F6085A9F14A86161D735DC52FB46

Non-executed Functions

Function 004271A0 Relevance: 87.2, APIs: 47, Strings: 2, Instructions: 1494windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

DPtoLP.GDI32 ref: 004272BB
GetClientRect.USER32(?,?), ref: 004272C9
DPtoLP.GDI32(?,?,00000002), ref: 004272E1
IntersectRect.USER32(?,?,?), ref: 00427380
LPtoDP.GDI32(?,?,00000002), ref: 004273C1
IntersectRect.USER32(?,?,?), ref: 0042741E
LPtoDP.GDI32(?,?,00000002), ref: 0042745F
CreateRectRgnIndirect.GDI32(?), ref: 0042748A
IntersectRect.USER32(?,?,?), ref: 004274BE
LPtoDP.GDI32(?,?,00000002), ref: 004274FF
CreateRectRgnIndirect.GDI32(?), ref: 00427525
CreateRectRgnIndirect.GDI32(?), ref: 00427554
GetCurrentObject.GDI32(?,00000006), ref: 00427570
GetCurrentObject.GDI32(?,00000001), ref: 00427589
GetCurrentObject.GDI32(?,00000002), ref: 004275A2

Part of subcall function 00474F30: SetBkMode.GDI32(?,?), ref: 00474F49
Part of subcall function 00474F30: SetBkMode.GDI32(?,?), ref: 00474F57

Part of subcall function 00471D22: GetScrollPos.USER32(00000000,0040AEA3), ref: 00471D40

Part of subcall function 00426DD0: CreateFontIndirectA.GDI32(00000000), ref: 00426E22

FillRgn.GDI32(?,?,?), ref: 00427782
IntersectRect.USER32(?,?,?), ref: 00427867
IsRectEmpty.USER32(?), ref: 00427872
LPtoDP.GDI32(?,?,00000002), ref: 0042788F
CreateRectRgnIndirect.GDI32(?), ref: 0042789A
CombineRgn.GDI32(?,?,?,00000004), ref: 004278CB
DPtoLP.GDI32(?,?,00000002), ref: 004278E9

Part of subcall function 00475017: SetMapMode.GDI32(?,?), ref: 00475030
Part of subcall function 00475017: SetMapMode.GDI32(?,?), ref: 0047503E

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00427928
IntersectRect.USER32(?,?,?), ref: 004279BB
IsRectEmpty.USER32(?), ref: 00427A01
SelectObject.GDI32(?,?), ref: 00427A3C
DPtoLP.GDI32(?,?,00000001), ref: 00427AC8
LPtoDP.GDI32(?,?,00000001), ref: 00427BE7
DPtoLP.GDI32(?,?,00000001), ref: 00427C05

Part of subcall function 00475345: MoveToEx.GDI32(?,?,?,?), ref: 00475367
Part of subcall function 00475345: MoveToEx.GDI32(?,?,?,?), ref: 0047537B

Part of subcall function 00475391: MoveToEx.GDI32(?,?,?,00000000), ref: 004753AB
Part of subcall function 00475391: LineTo.GDI32(?,?,?), ref: 004753BC

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

Part of subcall function 0042A490: GetCurrentObject.GDI32(?), ref: 0042A55B
Part of subcall function 0042A490: LPtoDP.GDI32(?,00000000,00000001), ref: 0042A5A8

IntersectRect.USER32(?,00000000,?), ref: 00427D52
IsRectEmpty.USER32(00000000), ref: 00427D5D
PatBlt.GDI32(?,00000000,?,?,?,00F00021), ref: 00427DA4
LPtoDP.GDI32(?,00000000,00000002), ref: 00427DB9
CreateRectRgnIndirect.GDI32(00000000), ref: 00427DC4
CombineRgn.GDI32(?,?,?,00000004), ref: 00427DF5
LPtoDP.GDI32(?,?,00000001), ref: 00427E24
DPtoLP.GDI32(?,?,00000001), ref: 00427E42
wsprintfA.USER32 ref: 00427EE0
SelectObject.GDI32(?,?), ref: 00427F08
IntersectRect.USER32(?,?,?), ref: 00428478
IsRectEmpty.USER32(?), ref: 00428483
LPtoDP.GDI32(?,?,00000002), ref: 004284A0
CreateRectRgnIndirect.GDI32(?), ref: 004284AB
CombineRgn.GDI32(?,?,?,00000004), ref: 004284DC

Part of subcall function 00429B50: SetRectEmpty.USER32(?), ref: 00429BCA

Part of subcall function 00429B50: GetSysColor.USER32(0000000F), ref: 00429CFB
Part of subcall function 00429B50: IntersectRect.USER32(?,?,?), ref: 00429D53

GetSysColor.USER32(0000000F), ref: 00427666

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

Part of subcall function 0047586D: __EH_prolog.LIBCMT ref: 00475872
Part of subcall function 0047586D: CreatePen.GDI32(?,?,?), ref: 00475895

CreateRectRgnIndirect.GDI32(?), ref: 004273E6

Part of subcall function 004289A0: CopyRect.USER32(?,00000000), ref: 00428A17
Part of subcall function 004289A0: IsRectEmpty.USER32(?), ref: 00428A22
Part of subcall function 004289A0: GetClientRect.USER32(00000000,?), ref: 00428A61
Part of subcall function 004289A0: DPtoLP.GDI32(?,?,00000002), ref: 00428A73
Part of subcall function 004289A0: LPtoDP.GDI32(?,?,00000002), ref: 00428AB0

FillRect.USER32(?,?,?), ref: 004287D9

Strings

-{G, xrefs: 004273CE, 0042746C, 0042750C, 0042841C
{G, xrefs: 00427788, 00428698, 004287DF

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Create$IndirectIntersectObject$Empty$CurrentModeSelect$CombineH_prologMove$ClientColorFill$BeginBrushClipCopyFontLinePaintScrollSolidwsprintf
String ID: {G$-{G
API String ID: 3726329589-3094641186
Opcode ID: fa67f9f71844a5ed12ea99c1055322397f046ccaba2d9b8301f000f9e53cce8c
Instruction ID: 19f2a236e4a1826f4aa24468a2415d3c892ca25915c4cd34c473183d781cb521
Opcode Fuzzy Hash: fa67f9f71844a5ed12ea99c1055322397f046ccaba2d9b8301f000f9e53cce8c
Instruction Fuzzy Hash: A5D247712083819FD324DF25D895FAFB7E9BBC8704F408A1EF58A83251DB74A905CB66

Function 0040E280 Relevance: 53.5, APIs: 29, Strings: 1, Instructions: 979windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040E2F2
IsIconic.USER32(?), ref: 0040E32A
SetActiveWindow.USER32(?,?,?), ref: 0040E353
IsWindow.USER32(?), ref: 0040E37D
IsWindow.USER32(?), ref: 0040E64E
DestroyAcceleratorTable.USER32(?), ref: 0040E79E
DestroyMenu.USER32(?), ref: 0040E7A9
DestroyAcceleratorTable.USER32(?), ref: 0040E7C3
DestroyMenu.USER32(?), ref: 0040E7D2
DestroyAcceleratorTable.USER32(?), ref: 0040E832
DestroyMenu.USER32(?,000003EA,00000000,00000000,?,?,00000000,?,000007D9,00000000,00000000), ref: 0040E841
SetParent.USER32(?,?), ref: 0040E8C3
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013,?,?), ref: 0040E9DB
IsWindow.USER32(?), ref: 0040EB0C
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0040EB21
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0040EB3E
DestroyAcceleratorTable.USER32(?), ref: 0040EB8C
IsWindow.USER32(?), ref: 0040EC01
IsWindow.USER32(?), ref: 0040EC51
IsWindow.USER32(?), ref: 0040ECA1
IsWindow.USER32(?), ref: 0040ECDE
IsWindow.USER32(?), ref: 0040ED61
GetParent.USER32(?), ref: 0040ED6F
GetFocus.USER32 ref: 0040EDB0

Part of subcall function 0040E170: IsWindow.USER32(?), ref: 0040E1EB
Part of subcall function 0040E170: GetFocus.USER32 ref: 0040E1F5
Part of subcall function 0040E170: IsChild.USER32(?,00000000), ref: 0040E207

IsWindow.USER32(?), ref: 0040EE0F
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0040EE24
IsWindow.USER32(00000000), ref: 0040EE37
GetFocus.USER32 ref: 0040EE41
SetFocus.USER32(00000000), ref: 0040EE4C

Strings

d, xrefs: 0040E293

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Destroy$AcceleratorFocusTable$MenuMessageSend$Parent$ActiveChildIconic
String ID: d
API String ID: 3681805233-2564639436
Opcode ID: 98a0d4c211fe364d646996c6514ba5a8a41bff2dc34f659e70a415f7a25391af
Instruction ID: 904c4d25c216fb9a416c29c9ba4ff0429d336fce212d81d1ac02e55479ddecf7
Opcode Fuzzy Hash: 98a0d4c211fe364d646996c6514ba5a8a41bff2dc34f659e70a415f7a25391af
Instruction Fuzzy Hash: 2C72A2716043059BD320DF66C884B6FB7E9EF84704F04492EF949A7381DB78E945CBAA

Function 004168E0 Relevance: 50.0, APIs: 23, Strings: 5, Instructions: 986windowCOMMON

Download Yara Rule

APIs

IsWindowEnabled.USER32(?), ref: 00416919
TranslateAcceleratorA.USER32(?,?,?,?), ref: 00416973
IsChild.USER32(?,?), ref: 004169A4
GetFocus.USER32 ref: 00416AFF
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00416B89
PostMessageA.USER32(?,000000A1,00000002,00000000), ref: 00416BF8
IsChild.USER32(?,00000000), ref: 00416CA1
SendMessageA.USER32(?,00000010,00000000,00000000), ref: 00416C72

Part of subcall function 0040C1B0: IsChild.USER32(?,?), ref: 0040C22D
Part of subcall function 0040C1B0: GetParent.USER32(?), ref: 0040C247

IsWindow.USER32(?), ref: 00417579

Strings

hlp, xrefs: 0041721D
A, xrefs: 00416E73
Z, xrefs: 00416E7C
0, xrefs: 00416E69
9, xrefs: 00416E6E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ChildMessage$PostWindow$AcceleratorEnabledFocusParentSendTranslate
String ID: 0$9$A$Z$hlp
API String ID: 3372979518-114186910
Opcode ID: df09f27ed91a64f7004ad16b2a8db1c7f9ab984338f4a0d500564c7062ca0821
Instruction ID: ca23d2b7364e7255d09ad14a6e9ca2c9f809222eeec9c919560f6f80fcaa64fc
Opcode Fuzzy Hash: df09f27ed91a64f7004ad16b2a8db1c7f9ab984338f4a0d500564c7062ca0821
Instruction Fuzzy Hash: E2729F706083419BDB24DF25C881BABB7A9AF84744F10492FF946D7381DB78EC85CB5A

Function 0043A390 Relevance: 32.8, Strings: 26, Instructions: 305COMMON

Download Yara Rule

Strings

length does not match profile, xrefs: 0043A3C9
invalid embedded Abstract ICC profile, xrefs: 0043A5F1
caps, xrefs: 0043A624
unexpected NamedColor ICC profile class, xrefs: 0043A60A
invalid rendering intent, xrefs: 0043A45D
PCS illuminant is not D50, xrefs: 0043A4E4
rtrp, xrefs: 0043A616
tag count too large, xrefs: 0043A694
ZYX, xrefs: 0043A667
unrecognized ICC profile class, xrefs: 0043A62B
rtnm, xrefs: 0043A5C7
BGR, xrefs: 0043A525
rncs, xrefs: 0043A61D
unexpected ICC PCS encoding, xrefs: 0043A66E
Gray color space not permitted on RGB PNG, xrefs: 0043A574
invalid signature, xrefs: 0043A4BF
intent outside defined range, xrefs: 0043A47F
RGB color space not permitted on grayscale PNG, xrefs: 0043A550
tsba, xrefs: 0043A5B9
YARG, xrefs: 0043A51E
knil, xrefs: 0043A5C0
lcmn, xrefs: 0043A5B0
unexpected DeviceLink ICC profile class, xrefs: 0043A5D4
psca, xrefs: 0043A4B8
baL, xrefs: 0043A660
invalid ICC profile color space, xrefs: 0043A530

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: BGR$ ZYX$ baL$Gray color space not permitted on RGB PNG$PCS illuminant is not D50$RGB color space not permitted on grayscale PNG$YARG$caps$intent outside defined range$invalid ICC profile color space$invalid embedded Abstract ICC profile$invalid rendering intent$invalid signature$knil$lcmn$length does not match profile$psca$rncs$rtnm$rtrp$tag count too large$tsba$unexpected DeviceLink ICC profile class$unexpected ICC PCS encoding$unexpected NamedColor ICC profile class$unrecognized ICC profile class
API String ID: 0-319498373
Opcode ID: d0a034f3b0f6ca008276253c65bc45d3003ee775015020636a0b2af83fbd5da8
Instruction ID: b4dd63015131f1e52538c4f2c4899bf02f494b536e394beaa03db2dc3fef5498
Opcode Fuzzy Hash: d0a034f3b0f6ca008276253c65bc45d3003ee775015020636a0b2af83fbd5da8
Instruction Fuzzy Hash: B99189E364415017CF08DE2D9C92A7B7B9A9BCD305F2E95AAF8C4CA303D519C912867B

Function 00417AD0 Relevance: 22.8, APIs: 9, Strings: 4, Instructions: 93libraryloaderwindowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00417ADC
IsZoomed.USER32(?), ref: 00417AEA
LoadLibraryA.KERNEL32(User32.dll,00000003,00000009), ref: 00417B14
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00417B27
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00417B35
FreeLibrary.KERNEL32(00000000), ref: 00417B6B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00417B81
IsWindow.USER32(?), ref: 00417BAE
ShowWindow.USER32(?,00000005,?,?,?,?,00000004), ref: 00417BBB

Strings

MonitorFromWindow, xrefs: 00417B21
User32.dll, xrefs: 00417B09
H, xrefs: 00417B58
GetMonitorInfoA, xrefs: 00417B2D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AddressLibraryProcWindow$FreeIconicInfoLoadParametersShowSystemZoomed
String ID: GetMonitorInfoA$H$MonitorFromWindow$User32.dll
API String ID: 447426925-661446951
Opcode ID: 8818cf7d5f8bc5e24640cc008eb8f60f52cb70620d43aa5ad9ece9386c38e293
Instruction ID: 422c7aa189fab412b6176969856a1867350a238e7b792d847dc3ae3cad1e4425
Opcode Fuzzy Hash: 8818cf7d5f8bc5e24640cc008eb8f60f52cb70620d43aa5ad9ece9386c38e293
Instruction Fuzzy Hash: 093171716043016FDB109F66DC49F6B77B8EF88B44F00852DFA0997290EBB8ED458B69

Function 004101E0 Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 310libraryregistryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,004AF738,00000000), ref: 004102C4
LoadLibraryA.KERNEL32(?,?,00000000,?,?,?,00495C68,?,?,?,?,?,?,00000000,004AF738,00000000), ref: 00410301
GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00410337
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,004AF738,00000000), ref: 00410342
FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,00000000,004AF738,00000000), ref: 00410350
LoadTypeLib.OLEAUT32(00000000,00000000), ref: 0041045D
RegisterTypeLib.OLEAUT32(00000000,00000000), ref: 00410492
CLSIDFromString.OLE32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,004AF738,00000000), ref: 00410557
UnRegisterTypeLib.OLEAUT32(?,00000000,00000000,00000000,00000001), ref: 00410573

Strings

DllUnregisterServer, xrefs: 00410330, 00410335
DllRegisterServer, xrefs: 00410329

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Library$LoadType$FreeRegister$AddressFromProcString
String ID: DllRegisterServer$DllUnregisterServer
API String ID: 2476498075-2931954178
Opcode ID: 56a7e68cf9c6e2da4d1c28ffa0b88ac4bf3d889789ea3a4a2a75651e0b59cbfb
Instruction ID: fac1211436fa33e99a84fd93cbb72fbf577c19ef151be83f952733dcd379f8e6
Opcode Fuzzy Hash: 56a7e68cf9c6e2da4d1c28ffa0b88ac4bf3d889789ea3a4a2a75651e0b59cbfb
Instruction Fuzzy Hash: CDB1D571900209ABDB10DBA5CC45FEF77B8EF14318F10865EF815A7281DB78AE85CB65

Function 004105F0 Relevance: 18.3, APIs: 12, Instructions: 273threadwindownetworkCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 00410615
IsWindow.USER32(0002041E), ref: 00410631
SendMessageA.USER32(0002041E,000083E7,0040FF21,00000000), ref: 0041064A
ExitProcess.KERNEL32 ref: 0041065F
FreeLibrary.KERNEL32(?), ref: 00410743
FreeLibrary.KERNEL32 ref: 00410797
DestroyCursor.USER32(006C037D), ref: 004107E7
DestroyCursor.USER32(0001041F), ref: 004107FE
IsWindow.USER32(0002041E), ref: 00410815
DestroyCursor.USER32(?), ref: 004108C4
WSACleanup.WS2_32 ref: 0041090F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CursorDestroy$FreeLibraryWindow$CleanupCurrentExitMessageProcessSendThread
String ID:
API String ID: 2560087610-0
Opcode ID: e5a70de58f0a46f16c7c100b7a1e7c2d4ea4edcc875eebc2400477d108a0e41a
Instruction ID: 9b1411b1abca2fcf85738d8528b6234b702be7a41705bf04e7abbc008f1f46ad
Opcode Fuzzy Hash: e5a70de58f0a46f16c7c100b7a1e7c2d4ea4edcc875eebc2400477d108a0e41a
Instruction Fuzzy Hash: 25B169706007029BD724EF66C9D5BEBB7E4BF48304F00492EE5AA97281DB74B9C1CB59

Function 00413660 Relevance: 15.4, APIs: 10, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b19a69781cb65908a24d619cb8fb7043234aeb596982f34892e19cf7f43a7e
Instruction ID: f762637cd67ac9a6a2e03ab26f5f6415916c5b1dacc51cb5e891a48cbae04a8d
Opcode Fuzzy Hash: 90b19a69781cb65908a24d619cb8fb7043234aeb596982f34892e19cf7f43a7e
Instruction Fuzzy Hash: A7C115767046045FE310EF29EC85AABB3A4FB84318F104D2FE445C7382D736EA558799

Function 00411AE0 Relevance: 12.9, APIs: 8, Instructions: 865COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 9a3a715d2c853d0841b7f212ab8856e93572cd6a5cf96325be125e4ad8dd7ad1
Instruction ID: 7f4445f8d4821c2630b0eba3f38326e6bb1830cc18cb1b3e442410ca80f23a38
Opcode Fuzzy Hash: 9a3a715d2c853d0841b7f212ab8856e93572cd6a5cf96325be125e4ad8dd7ad1
Instruction Fuzzy Hash: 6F62F4716043019FD724DF25C980AABB3E5AFC8314F14492EF98AD7381DB78ED85879A

Function 0042C540 Relevance: 12.1, APIs: 8, Instructions: 88clipboardmemoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000042,?), ref: 0042C5B7
GlobalLock.KERNEL32(00000000), ref: 0042C5D3
GlobalUnlock.KERNEL32(00000000), ref: 0042C5F5
OpenClipboard.USER32(00000000), ref: 0042C5FD
GlobalFree.KERNEL32(00000000), ref: 0042C609
EmptyClipboard.USER32 ref: 0042C611
SetClipboardData.USER32(0000C1B3,00000000), ref: 0042C623
CloseClipboard.USER32 ref: 0042C629

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ClipboardGlobal$AllocCloseDataEmptyFreeLockOpenUnlock
String ID:
API String ID: 453615576-0
Opcode ID: e66211caa2b2539e5b69552aa324bc683d7cece9d705075546b5c3919d856842
Instruction ID: c23d83b73503a48a6c37131d030bad0eaea0fbbaf4d4d548cefde9dbd9a507e4
Opcode Fuzzy Hash: e66211caa2b2539e5b69552aa324bc683d7cece9d705075546b5c3919d856842
Instruction Fuzzy Hash: 3731A071304211AFD314EB66EC89A2F77A8EB88714F404A2DF95A932D1DB78D844CB5A

Function 0046F5E5 Relevance: 12.1, APIs: 8, Instructions: 72stringfileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046F5EA
GetFullPathNameA.KERNEL32(?,00000104,?,?,?,?), ref: 0046F608
lstrcpynA.KERNEL32(?,?,00000104), ref: 0046F617
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0046F64B
CharUpperA.USER32(?), ref: 0046F65C
FindFirstFileA.KERNEL32(?,?), ref: 0046F672
FindClose.KERNEL32(00000000), ref: 0046F67E
lstrcpyA.KERNEL32(?,?), ref: 0046F68E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Find$CharCloseFileFirstFullH_prologInformationNamePathUpperVolumelstrcpylstrcpyn
String ID:
API String ID: 304730633-0
Opcode ID: b6b55343ee7c4bd7d68d7df43043988c92242efc50c87842f5a3de24c5a84f81
Instruction ID: e8cb27ebe910a4becf21dcd00f97e635e7a22ef2ec815c14f89c5580a3251a1d
Opcode Fuzzy Hash: b6b55343ee7c4bd7d68d7df43043988c92242efc50c87842f5a3de24c5a84f81
Instruction Fuzzy Hash: 12217F31500119BACB109F66DC48EEF7FBCEF09764F008276F919D6160D7348A45CBA5

Function 004071A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114filewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046E92E: InterlockedIncrement.KERNEL32(-000000F4), ref: 0046E943

FindFirstFileA.KERNEL32(?,?,*.*), ref: 0040723A

Part of subcall function 0046C840: __EH_prolog.LIBCMT ref: 0046C845

Part of subcall function 0046EBB9: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046EBCD

SendMessageA.USER32 ref: 004072E0
FindNextFileA.KERNEL32(?,00000010), ref: 004072EC
FindClose.KERNEL32(?), ref: 004072FF
SendMessageA.USER32(?,00001102,00000002,?), ref: 00407311

Strings

*.*, xrefs: 00407222

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Find$FileInterlockedMessageSend$CloseDecrementFirstH_prologIncrementNext
String ID: *.*
API String ID: 2486832813-438819550
Opcode ID: 159f07bb4343b5f24955a487d098a6c82c29d15c1831dbb5dd5fcfc85e72d7db
Instruction ID: 535155dcb9d9a8bf480c15fa9e4194c606741d1e9eae1b0a547405276975facf
Opcode Fuzzy Hash: 159f07bb4343b5f24955a487d098a6c82c29d15c1831dbb5dd5fcfc85e72d7db
Instruction Fuzzy Hash: D741B071508341ABC710DF21C885B9BB7E8BB88704F108A2EFA95932D1EB79E509CB56

Function 0042C6A0 Relevance: 10.6, APIs: 7, Instructions: 89clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(00000000), ref: 0042C6CD
GetClipboardData.USER32(0000C1B3), ref: 0042C6E6
CloseClipboard.USER32 ref: 0042C6F2
GlobalSize.KERNEL32(00000000), ref: 0042C728
GlobalLock.KERNEL32(00000000), ref: 0042C730
GlobalUnlock.KERNEL32(00000000), ref: 0042C748
CloseClipboard.USER32 ref: 0042C74E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Clipboard$Global$Close$DataLockOpenSizeUnlock
String ID:
API String ID: 2237123812-0
Opcode ID: 6aa64ccc1dcbd10314aa4520bda6aa3dc7b33ee5af0b4d4729c3f275629d6713
Instruction ID: fa1cc0865efdebe6a53ec19ea3b752b2b282ec131d2ca45eda391a696a0829f0
Opcode Fuzzy Hash: 6aa64ccc1dcbd10314aa4520bda6aa3dc7b33ee5af0b4d4729c3f275629d6713
Instruction Fuzzy Hash: CB2182313002129BD704EB65EC88D7F77A9EFC8355F44067EF909C3250EB29E9458BA6

Function 0043CDED Relevance: 10.5, Strings: 8, Instructions: 498COMMON

Download Yara Rule

Strings

bad data option (internal error), xrefs: 0043D588
rgb[gray] color-map: too few entries, xrefs: 0043CE6F
rgb-alpha color-map: too few entries, xrefs: 0043D0F2
rgb+alpha color-map: too few entries, xrefs: 0043D037
color map overflow (BAD internal error), xrefs: 0043D5D9
rgb[ga] color-map: too few entries, xrefs: 0043CE34
rgb color-map: too few entries, xrefs: 0043CFFC
bad background index (internal error), xrefs: 0043D67F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$rgb color-map: too few entries$rgb+alpha color-map: too few entries$rgb-alpha color-map: too few entries$rgb[ga] color-map: too few entries$rgb[gray] color-map: too few entries
API String ID: 0-1509944728
Opcode ID: b8ea38f30aa503c1638ec56e337e0f1126306b40409454d4bd4394c04c5860c1
Instruction ID: 39e928d1a9779909b313e917382ba37e38f1757ba15e1d70332b27422035daf3
Opcode Fuzzy Hash: b8ea38f30aa503c1638ec56e337e0f1126306b40409454d4bd4394c04c5860c1
Instruction Fuzzy Hash: 3A020571A083005BE714DF18DC82B6BB7E5EBD8308F14152EF8899B381D7B9E945C79A

Function 0043CABB Relevance: 9.1, Strings: 7, Instructions: 309COMMON

Download Yara Rule

Strings

bad data option (internal error), xrefs: 0043D588
gray-alpha color-map: too few entries, xrefs: 0043CD45
ga-alpha color-map: too few entries, xrefs: 0043CB27
d2H, xrefs: 0043CCFD
color map overflow (BAD internal error), xrefs: 0043D5D9
gray+alpha color-map: too few entries, xrefs: 0043CAD4
bad background index (internal error), xrefs: 0043D67F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$d2H$ga-alpha color-map: too few entries$gray+alpha color-map: too few entries$gray-alpha color-map: too few entries
API String ID: 0-3196279404
Opcode ID: 3b86f1a0f50e8a6c6176e9b9ddb01544c08376597e8f2c52db89aa32dfb330dd
Instruction ID: 9a3352dab15abcdbe8c6e8a0999b4f5de24934eb9e706190925bfc85e084821b
Opcode Fuzzy Hash: 3b86f1a0f50e8a6c6176e9b9ddb01544c08376597e8f2c52db89aa32dfb330dd
Instruction Fuzzy Hash: BCB1F2B1A083019BD304DF18D88266FBBE5EBD8708F14593EF48997391D3B8E945C79A

Function 0046A5EB Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 207timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00465D44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D81
Part of subcall function 00465D44: EnterCriticalSection.KERNEL32(?,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D9C

Part of subcall function 00465DA5: LeaveCriticalSection.KERNEL32(?,00460172,00000009,0046015E,00000000,?,00000000,00000000,00000000), ref: 00465DB2

GetTimeZoneInformation.KERNEL32(0000000C,?,?,?,0000000B,0000000B,?,0046A5DC,0046A53F,?,?,?,?,00461B58,?,?), ref: 0046A639
WideCharToMultiByte.KERNEL32(00000220,004B2504,000000FF,0000003F,00000000,?,?,0046A5DC,0046A53F,?,?,?,?,00461B58,?,?), ref: 0046A6CF
WideCharToMultiByte.KERNEL32(00000220,004B2558,000000FF,0000003F,00000000,?,?,0046A5DC,0046A53F,?,?,?,?,00461B58,?,?), ref: 0046A708

Strings

l2J, xrefs: 0046A71B, 0046A84E, 0046A85C
,2J, xrefs: 0046A6DA, 0046A6E5, 0046A78F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
String ID: ,2J$l2J
API String ID: 3442286286-3680803850
Opcode ID: e3e3565c445a8b185fb0f1414ab2d9fa446ee8d6bbf8e99b4f490ce22b115e29
Instruction ID: 3853449bdfa9fb5b64614ff5acb66bb2e4865bad47a2ef7a38f810a507d69cea
Opcode Fuzzy Hash: e3e3565c445a8b185fb0f1414ab2d9fa446ee8d6bbf8e99b4f490ce22b115e29
Instruction Fuzzy Hash: F8613472904540AFD721AF29EC41B667FA8A706315F24457FF480A72A1F3788A52CB5F

Function 0043ECC0 Relevance: 8.0, Strings: 6, Instructions: 536COMMON

Download Yara Rule

Strings

unexpected 8-bit transformation, xrefs: 0043ED39
unexpected compose, xrefs: 0043ED04
unexpected bit depth, xrefs: 0043ED93
unknown interlace type, xrefs: 0043ED57
lost rgb to gray, xrefs: 0043ECF0
lost/gained channels, xrefs: 0043ED20

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: lost rgb to gray$lost/gained channels$unexpected 8-bit transformation$unexpected bit depth$unexpected compose$unknown interlace type
API String ID: 0-3614292578
Opcode ID: acb4f5d2f726fd569efd28351c6b9c3e71b1ffd5399fb73ff88b398ce61f98d7
Instruction ID: e8ef44d6931e18fc0f0aa4da4382312fd1f52e925e04377e45025bb689669a62
Opcode Fuzzy Hash: acb4f5d2f726fd569efd28351c6b9c3e71b1ffd5399fb73ff88b398ce61f98d7
Instruction Fuzzy Hash: 3012D531A083418BC718DF29D88166EB7E2BBCC304F54553EF98997381D679E94ACB4A

Function 0040FFE0 Relevance: 6.1, APIs: 4, Instructions: 94fileCOMMON

Download Yara Rule

APIs

FindNextFileA.KERNEL32(?,?), ref: 00410032
FindClose.KERNEL32 ref: 00410041
FindFirstFileA.KERNEL32(?,?), ref: 0041004D
FindClose.KERNEL32(00000000), ref: 004100AB

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Find$CloseFile$FirstNext
String ID:
API String ID: 1164774033-0
Opcode ID: ebbd1126c9c1eb6caa320795053feb21bdc44b3d8a60d5d7c9dc9d1117122a87
Instruction ID: 174c038fb0236ffa57aba56014d6659c9d1640255f11f0d64dc5c95d5d6768b8
Opcode Fuzzy Hash: ebbd1126c9c1eb6caa320795053feb21bdc44b3d8a60d5d7c9dc9d1117122a87
Instruction Fuzzy Hash: 91212B325047158BD3319A25E8407FB7B94ABCD714F15062AED2997381EBBEDCC6438A

Function 00472198 Relevance: 6.0, APIs: 4, Instructions: 38keyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00472DFE: GetWindowLongA.USER32(?,000000F0), ref: 00472E0A

GetKeyState.USER32(00000010), ref: 004721BC
GetKeyState.USER32(00000011), ref: 004721C5
GetKeyState.USER32(00000012), ref: 004721CE
SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 004721E4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: State$LongMessageSendWindow
String ID:
API String ID: 1063413437-0
Opcode ID: 1eb02737692c95c5a02fc810bfd85dd2c9ba06d9fd14268f725711a5760704f5
Instruction ID: c399a3cc95954984cb9abd4e7249848a08da30d905ce67c458e6ab9eb59dc449
Opcode Fuzzy Hash: 1eb02737692c95c5a02fc810bfd85dd2c9ba06d9fd14268f725711a5760704f5
Instruction Fuzzy Hash: F4F02732B4038527EA7032769D02FD61114BF44FDAFC0C53BBF0CAA1D98DD889425238

Function 004472E0 Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

internal row size calculation error, xrefs: 0044735B
internal row logic error, xrefs: 00447325
internal row width error, xrefs: 0044736D
invalid user transform pixel depth, xrefs: 00447559

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: internal row logic error$internal row size calculation error$internal row width error$invalid user transform pixel depth
API String ID: 0-64619857
Opcode ID: bfa48684dbcfc23f6a7df9e79614c81f09d5c236c49cedff1aeec7e4ec7b0a99
Instruction ID: 4d63485f2ceb79e898f02d3cf535b05d3f0fda637dd530db2967284919190d93
Opcode Fuzzy Hash: bfa48684dbcfc23f6a7df9e79614c81f09d5c236c49cedff1aeec7e4ec7b0a99
Instruction Fuzzy Hash: EAF1463260C3514FEB24DE2895902BFBBD1ABC5310F5949AEEC8587701E7299C0BC796

Function 0043D352 Relevance: 5.2, Strings: 4, Instructions: 245COMMON

Download Yara Rule

Strings

bad data option (internal error), xrefs: 0043D588
palette color-map: too few entries, xrefs: 0043D3D0
color map overflow (BAD internal error), xrefs: 0043D5D9
bad background index (internal error), xrefs: 0043D67F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: bad background index (internal error)$bad data option (internal error)$color map overflow (BAD internal error)$palette color-map: too few entries
API String ID: 0-3263629853
Opcode ID: cb74f94963b66f60b93e7c177737858558e654c9ac26c8ad720bc1afbf989964
Instruction ID: 76ee46254452789f41f9d33a875ba1f5929574bf2076b082ba85f7e9414902fe
Opcode Fuzzy Hash: cb74f94963b66f60b93e7c177737858558e654c9ac26c8ad720bc1afbf989964
Instruction Fuzzy Hash: 3F81F2B1A08240AFD718CF18E881A6FBBE5EFDC344F54592EF48A87351D279EC41875A

Function 0043A850 Relevance: 5.2, Strings: 4, Instructions: 200COMMON

Download Yara Rule

Strings

known incorrect sRGB profile, xrefs: 0043AA2E
0/H, xrefs: 0043A86A
out-of-date sRGB profile with no signature, xrefs: 0043AA46
copyright violation: edited ICC profile ignored, xrefs: 0043A9E7

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: 0/H$copyright violation: edited ICC profile ignored$known incorrect sRGB profile$out-of-date sRGB profile with no signature
API String ID: 0-3920028370
Opcode ID: 944cabed6dce6e4e4a678e8bee34242931417228323b649d48fec552a67cf9b1
Instruction ID: e45e1677f3c9f208d15242e9226941ce766bb3286e770199b5e185220b6b6034
Opcode Fuzzy Hash: 944cabed6dce6e4e4a678e8bee34242931417228323b649d48fec552a67cf9b1
Instruction Fuzzy Hash: 9D5154B27483810BDB28CE3D4C5136BBBE25FC9305F09986EE5DAD7302E128E905C769

Function 0042ADA0 Relevance: 4.8, APIs: 3, Instructions: 308keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 0042ADC0
GetKeyState.USER32(00000011), ref: 0042ADD0
CopyRect.USER32(00000000,00000000), ref: 0042AEA5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: State$CopyRect
String ID:
API String ID: 4142901696-0
Opcode ID: a84ada57f2fb325ccfd5208241ca01f809095cb453a3999c91e942bb5fd30e41
Instruction ID: d02af15f7c72955ed1a15f1ea731e63ca4ce8d8b65a73ecfb36bb1971168c990
Opcode Fuzzy Hash: a84ada57f2fb325ccfd5208241ca01f809095cb453a3999c91e942bb5fd30e41
Instruction Fuzzy Hash: 70A1B3703443219BD628CA14E881F3BB3E5EBC8704F90491FF99297380D7AAED45879B

Function 00461A8A Relevance: 4.6, APIs: 3, Instructions: 75timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00461A97
GetSystemTime.KERNEL32(?), ref: 00461AA1
GetTimeZoneInformation.KERNEL32(?), ref: 00461AF6

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Time$InformationLocalSystemZone
String ID:
API String ID: 2475273158-0
Opcode ID: b69033510c53699b0e6a1f7bc4792ab5787986996b8c7f2dcdb6303c1fa2f062
Instruction ID: 0c78268ac127cdaa9d70051065a39ac98fe8a29cb21823b3beb8e8a575037c29
Opcode Fuzzy Hash: b69033510c53699b0e6a1f7bc4792ab5787986996b8c7f2dcdb6303c1fa2f062
Instruction Fuzzy Hash: 3021812990110AA6CF24ABD8D9459FF73BABB08B10F440696F810E61A4F3785DC6D77E

Function 00418600 Relevance: 4.5, APIs: 3, Instructions: 49keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000011), ref: 00418631
GetKeyState.USER32(00000010), ref: 00418646
GetKeyState.USER32(00000012), ref: 0041865B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: d4bb0e098ebede257964dbe1d2d6224cf9132b06d631664215483d31d57495e6
Instruction ID: 91f631e90e88f1554e9f0a8128497995362b7ed47d29b57040af35cf05042a37
Opcode Fuzzy Hash: d4bb0e098ebede257964dbe1d2d6224cf9132b06d631664215483d31d57495e6
Instruction Fuzzy Hash: C601F43EC002A949EF341265AA08BF666421750F94F6A40BFCA0C37390CE8C0CC767AE

Function 0045E3CF Relevance: 4.5, APIs: 3, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1108de141c5179a59167c967ea658e2eee8a10bfe41365c063483d1703faaa78
Instruction ID: 5310de8dd62d3664b2f4ef49fcd7a6ce8a6957f46902d7391384473afb0f5bc4
Opcode Fuzzy Hash: 1108de141c5179a59167c967ea658e2eee8a10bfe41365c063483d1703faaa78
Instruction Fuzzy Hash: E6F0A43050014DABCF199FA3CC449AF3B68AF04346F448166FC05D5062E73CCB89AB19

Function 0047264E Relevance: 4.5, APIs: 3, Instructions: 32COMMON

Download Yara Rule

APIs

FindResourceA.KERNEL32(?,0041BD93,000000F0), ref: 0047266D
LoadResource.KERNEL32(?,00000000,?,?,?,0046FF11,?,?,0041BD93), ref: 00472679
LockResource.KERNEL32(00000000,?,?,?,0046FF11,?,?,0041BD93), ref: 00472688

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Resource$FindLoadLock
String ID:
API String ID: 2752051264-0
Opcode ID: eaf9b4e74fef92b41e82cb364b002f1744913ac8a6b643eeb4181d4bebf48b50
Instruction ID: e42da932eb8fe617b5f4f02b5c499d1216f89bbf9de688325cca6d2bef6eb553
Opcode Fuzzy Hash: eaf9b4e74fef92b41e82cb364b002f1744913ac8a6b643eeb4181d4bebf48b50
Instruction Fuzzy Hash: DBE02B752012216B93116B625D08CAFB35DEFC536171488BFF14DD2111CFA88C81467D

Function 00473CBF Relevance: 4.5, APIs: 3, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

GetKeyState.USER32(00000010), ref: 00473CE6
GetKeyState.USER32(00000011), ref: 00473CEF
GetKeyState.USER32(00000012), ref: 00473CF8

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: State
String ID:
API String ID: 1649606143-0
Opcode ID: af148ab33b5f455d276fc38e8b7be72354e2e3371612a1fc2b208263fbb36c63
Instruction ID: d0c1b28f97b00e0ff95f1dbd866f20cbecad03f8a79374f2f9876c99572e064d
Opcode Fuzzy Hash: af148ab33b5f455d276fc38e8b7be72354e2e3371612a1fc2b208263fbb36c63
Instruction Fuzzy Hash: 78E09B355042699DEF209B44F908FD5AEB05B04FA5F00CC67E74CAB091C7A8CA82BF69

Function 0047143C Relevance: 3.4, APIs: 2, Instructions: 422COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00471441
GetVersion.KERNEL32(00000007,?,?,00000000,00000000,?,0000C000,00000000,00000000,00000007), ref: 004715F4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologVersion
String ID:
API String ID: 1836448879-0
Opcode ID: 23490e29c7c6680c3c34e060d9e76cdcac254da9d2acdcecbf43ed846a9081d6
Instruction ID: c3eb4f873da91c53fa5e82a12eff01cabc87431256d3845233739861548a7238
Opcode Fuzzy Hash: 23490e29c7c6680c3c34e060d9e76cdcac254da9d2acdcecbf43ed846a9081d6
Instruction Fuzzy Hash: ECE14F70600219EBDB14DF59CC81AFE77A9BF48314F10C51AF81E9A2A1D738D911DB6A

Function 00448AD0 Relevance: 3.3, Strings: 2, Instructions: 788COMMON

Download Yara Rule

Strings

libpng does not support gamma+background+rgb_to_gray, xrefs: 00448F5C
invalid background gamma type, xrefs: 004492DC

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: invalid background gamma type$libpng does not support gamma+background+rgb_to_gray
API String ID: 0-3995106164
Opcode ID: 92392668d1172b3e5bf6a9cf5a480d18b42d2a4c8b0cef3a0819ae9c4c787ae3
Instruction ID: 42ea0aec05e8c509ff3f540599002066568cf30e0e051bd021a92f29c51e19ab
Opcode Fuzzy Hash: 92392668d1172b3e5bf6a9cf5a480d18b42d2a4c8b0cef3a0819ae9c4c787ae3
Instruction Fuzzy Hash: FC625B75108B814AE3359F35C8417F7FBE1EF5A304F08896ED9EA87342EA39A805C759

Function 00413D30 Relevance: 3.2, APIs: 2, Instructions: 209windowCOMMON

Download Yara Rule

APIs

IsIconic.USER32(?), ref: 00413E60

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Iconic
String ID:
API String ID: 110040809-0
Opcode ID: 85a127dfcbaac73a6a2efbffdbdb539634c2cbff157c6f647760a8cd0a060aa3
Instruction ID: aa100e5da44aeac3fec41c2f39b9eaf1db102685d493198251442932bfd1018c
Opcode Fuzzy Hash: 85a127dfcbaac73a6a2efbffdbdb539634c2cbff157c6f647760a8cd0a060aa3
Instruction Fuzzy Hash: F5819B76214701CBD354CF28D480B8AB7E5FBA9310F10886EE59ACB350D776E896CBA5

Function 004234A0 Relevance: 3.1, APIs: 2, Instructions: 62COMMON

Download Yara Rule

APIs

ioctlsocket.WS2_32(?,4004667F,?), ref: 004234D2
recvfrom.WS2_32(00000000,00000000,?,00000000,00000000,00000000), ref: 00423520

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ioctlsocketrecvfrom
String ID:
API String ID: 217199969-0
Opcode ID: bf261a1186d5bbe4fc5b1912c6780d7d8ba7d101bf7dd57741a8a5ba25bcefad
Instruction ID: aac7009381d6a94d805ff49dbc63cb338f4cda0e11d6b006479ccdcf01a9ff22
Opcode Fuzzy Hash: bf261a1186d5bbe4fc5b1912c6780d7d8ba7d101bf7dd57741a8a5ba25bcefad
Instruction Fuzzy Hash: 05216F70204611ABC314DF28C945F6BB7E4AB94B14F108B2EF55A932D0DB78D945CB5A

Function 00418450 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,?), ref: 00418460
FindClose.KERNEL32(00000000), ref: 0041846C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 8624cb990a121be87e2373dae7e542da0a430c5ad2e6ae1d91a1a55e592d2c8a
Instruction ID: c430855955fda56a3c171ca18f12bc5a277c102cdbbcf9cff25b14cc96c78205
Opcode Fuzzy Hash: 8624cb990a121be87e2373dae7e542da0a430c5ad2e6ae1d91a1a55e592d2c8a
Instruction Fuzzy Hash: E5D0A7744001005BE325DB75DC096BA325CB748310FC44BB8BA2CC52F0FE3EC8988651

Function 0043D8B0 Relevance: 2.9, Strings: 2, Instructions: 445COMMON

Download Yara Rule

Strings

color-map index out of range, xrefs: 0043D8FF
bad encoding (internal error), xrefs: 0043DA5D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: bad encoding (internal error)$color-map index out of range
API String ID: 0-7351992
Opcode ID: f78fd3941584f5ff03bb8ea07b5465af09dd6322671ec820339836ce42e9f06f
Instruction ID: 9e2b0042aca97029e9b0df843e95975898e366cda71906540ed668dbb1533439
Opcode Fuzzy Hash: f78fd3941584f5ff03bb8ea07b5465af09dd6322671ec820339836ce42e9f06f
Instruction Fuzzy Hash: EAF1D372E083028BC718DF28D89126AB7D1EBDC304F055A7EE899D7351E638EA05CB95

Function 004482E0 Relevance: 2.8, Strings: 2, Instructions: 266COMMON

Download Yara Rule

Strings

Row has too many bytes to allocate in memory, xrefs: 004485AC
VUUU, xrefs: 004483F8

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: Row has too many bytes to allocate in memory$VUUU
API String ID: 0-4092465491
Opcode ID: 6dba05c24fbe2db4cb7acb9c40233eed8c895f3a19fba999b5c7405ab8fcad42
Instruction ID: 94986ad1b703d0f443fb33163199ed9c842432204fe0fc209cb5317815fb2f5c
Opcode Fuzzy Hash: 6dba05c24fbe2db4cb7acb9c40233eed8c895f3a19fba999b5c7405ab8fcad42
Instruction Fuzzy Hash: 71913B71A04F414BF7298A38CC553FFB7D2AB95305F18492EE5ABC7382EA3C69408358

Function 00421920 Relevance: 2.8, Strings: 2, Instructions: 257COMMON

Download Yara Rule

Strings

d, xrefs: 00421B64
MTrk, xrefs: 00421A9C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: MTrk$d
API String ID: 0-4044675371
Opcode ID: f48132bec5364acb1eac464781a0da8e801ad391f5ec1316ee37aed779cab419
Instruction ID: f694f7191419467d8cee76575894de878a4f9f9e060a461867741be78ce8ec32
Opcode Fuzzy Hash: f48132bec5364acb1eac464781a0da8e801ad391f5ec1316ee37aed779cab419
Instruction Fuzzy Hash: 0491E371B003059FD718CF29D88096AB7E2EFD8314B54893EE84ACB751EA38ED45C798

Function 0043A6C0 Relevance: 2.6, Strings: 2, Instructions: 115COMMON

Download Yara Rule

Strings

ICC profile tag start not a multiple of 4, xrefs: 0043A789
ICC profile tag outside profile, xrefs: 0043A7D8

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: ICC profile tag outside profile$ICC profile tag start not a multiple of 4
API String ID: 0-2051163487
Opcode ID: ebeaebf2bb9095feb42dc494a298cba5063c2b5a2d334cd129fcd11fb56ea9a5
Instruction ID: aa916d01587d1da17961071b127c06898629b94fa6ed25eab4115538d09f7233
Opcode Fuzzy Hash: ebeaebf2bb9095feb42dc494a298cba5063c2b5a2d334cd129fcd11fb56ea9a5
Instruction Fuzzy Hash: 933103B360879107D72CCE2E9CA06A7BBE3ABC8244F1DD97DE4DAC3301E924A505C758

Function 00434C80 Relevance: 2.5, APIs: 1, Instructions: 1006COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce7e46b2b2f164dbb42366e1cedfbe0a7be6a72a7ca4c48c13521c3e96ae9a93
Instruction ID: d63851d7de119103064dcdce523f571393c0dd4c96b2a417cf6ff9f2be3ac1da
Opcode Fuzzy Hash: ce7e46b2b2f164dbb42366e1cedfbe0a7be6a72a7ca4c48c13521c3e96ae9a93
Instruction Fuzzy Hash: 64926371608F418FD329CF29C0906A7BBE2BF99304F24992EC5DB87B61D635B849CB45

Function 0041A990 Relevance: 2.1, APIs: 1, Instructions: 638COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1eb4cf5d0a268f499d248b6e48529c268c8aa6eaac0f18b6f2588338f60f0750
Instruction ID: bf30259b61ee9acae21595865e5a51823d91585af3840f35dfc3bed67a8d18a6
Opcode Fuzzy Hash: 1eb4cf5d0a268f499d248b6e48529c268c8aa6eaac0f18b6f2588338f60f0750
Instruction Fuzzy Hash: 7632D570E01205DFCB14DFA8C891AEEB7B1BF48314F24416AE515A7381E738AD95CBDA

Function 0046A4DD Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0006A497), ref: 0046A4E2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 30d91fc995736d327dd78c9a4a49789e75cf2be845bb980cc0e3b95af6323dd8
Instruction ID: 32d8282ef4f0105a8d42bf3e5e7f6185ab77dccf50195d435e20b7f5a09f9fb8
Opcode Fuzzy Hash: 30d91fc995736d327dd78c9a4a49789e75cf2be845bb980cc0e3b95af6323dd8
Instruction Fuzzy Hash: 13A022B80023008B8308CFA0BE0E8083F20F2C8302B000AF2E80880220EFF00020AF0F

Function 0046A4EF Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 0046A4F4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e726bc0fd43b046af13c1e9387544900a6f4d8d75ea26784cae1c8eef78ee403
Instruction ID: ce4e5749748c2625d3b1035ad1e84ea3b52b186f9d36fb9a681e36492213e0d4
Opcode Fuzzy Hash: e726bc0fd43b046af13c1e9387544900a6f4d8d75ea26784cae1c8eef78ee403
Instruction Fuzzy Hash:

Function 00436DF0 Relevance: .9, Instructions: 903COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction ID: 4c128b438348801d68be4d17ca9009026f73678505c9c1bcb4e803eedfd24bf8
Opcode Fuzzy Hash: 7588268db9ad160e2392b48f534035be178d540a008719f74208fe9ed0531eb1
Instruction Fuzzy Hash: 0C52CA767487094BD308CE9ACC9159EF3D3ABC8704F498A3CE955C3346EEB8E90AC655

Function 004518BE Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc4b0adb9a230f35728df1c0b376c03791fc121a901d07835481d8a032716fc
Instruction ID: 59854d183165004071eb452e0439537dda2041a425f242a6ce126dd2c15c89d1
Opcode Fuzzy Hash: 7cc4b0adb9a230f35728df1c0b376c03791fc121a901d07835481d8a032716fc
Instruction Fuzzy Hash: 46126FB16043018FCB18CF19C99062BBBE6EFC9305F14896EE8858B356E774DD49CB96

Function 00451B0E Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab6e6e249160569d7fe09bb13da66b73f764b527d10644e2c3f04c9e50d8cfe6
Instruction ID: dfbaef697d0e6796263bf53365eabf5af9ca6ee38b7a4f161b14bd1ca1bc9e45
Opcode Fuzzy Hash: ab6e6e249160569d7fe09bb13da66b73f764b527d10644e2c3f04c9e50d8cfe6
Instruction Fuzzy Hash: FB126FB16043018FCB18CF19C99062BBBE6EFC9305F14896EE8858B356E774DD49CB96

Function 00459740 Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b48dde9038afdc1da68c2f9f4a6e93b95dd44636b2c7172cad00f3ee934572f
Instruction ID: 2933a73be6c3bf97ad7e511425904a6f946795ec54af3b63d4391fa7952d472d
Opcode Fuzzy Hash: 3b48dde9038afdc1da68c2f9f4a6e93b95dd44636b2c7172cad00f3ee934572f
Instruction Fuzzy Hash: E9121AB4608701CFC708CF29D594A2ABBE1FB88315F14896EE89AC7752D734E909CF59

Function 0046B6CE Relevance: .4, Instructions: 417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e3401ea51b8e333885d39a5bcf66f92b03965ae2cc630abac9c8b952597d0c7
Instruction ID: bac07c172a2041c0d7de0a98aa1fbd44377e23f63d8fdf06eb68a2db1e298f65
Opcode Fuzzy Hash: 5e3401ea51b8e333885d39a5bcf66f92b03965ae2cc630abac9c8b952597d0c7
Instruction Fuzzy Hash: 35E1EC71E542188EEB258E98C8417FE7BB5EB44345F28002BD541E7282F77C99C6CB9B

Function 0044BCB0 Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45a2ee25fbc198a8894a5d0f024fb67808257f36a342a8b8fc92f5db9778492a
Instruction ID: f7c3ddac1729c4fdf92343078904a323548498a1db1a4a549e46ced0a1fba49c
Opcode Fuzzy Hash: 45a2ee25fbc198a8894a5d0f024fb67808257f36a342a8b8fc92f5db9778492a
Instruction Fuzzy Hash: 85C1F32560A6824FEB198A6C94E92FBFFD1DF6A310B4C85FED9D5CB323C515840AC394

Function 0044C3B0 Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction ID: f0763e8e109318b564c4128473b4e7d8b409c489f4e39b5ff0c4a43d74edab9c
Opcode Fuzzy Hash: bd7d6e5bdf9180fc249a7cdffd82ac3d4432134ef2b1545fd9ebd85a9bab015f
Instruction Fuzzy Hash: C4D1B93150E6D24BE752CE2884E03AAFFD1AFA6304F1CCADED4D44F346D6659809C796

Function 0045B430 Relevance: .4, Instructions: 379COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction ID: 4054f1a5e9dfe0b0ab3152d46fd002856ee6bca91899829c46c03db9167fa284
Opcode Fuzzy Hash: d4bfdb248b3fb90f8076a3fe4a1e75f7bd1b50aa5aafde52d762773f77742459
Instruction Fuzzy Hash: 41F1BF7250C2408FC3098F18D5989E27BE2FFA8714B1F42FAD4499B363D7369845CB96

Function 00443C20 Relevance: .4, Instructions: 373COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9740c7b36ca55bd43abc8c636f92bf623b6b02f92c8f2e435c91aa48745011
Instruction ID: 8f1390876f580635ff12275fdefb37879c86f8157d97b48d8e5bc5ad0ad06226
Opcode Fuzzy Hash: 9b9740c7b36ca55bd43abc8c636f92bf623b6b02f92c8f2e435c91aa48745011
Instruction Fuzzy Hash: D5E1F3B5600A018FD334CF1AD490A22FBF2EF89711B25C96ED89ACB761D735E846CB54

Function 0044A790 Relevance: .4, Instructions: 364COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction ID: 2e11f9565d103fcfe46f86ac8bb2410fbf9f220ee5539a367934a9521729ffad
Opcode Fuzzy Hash: dcdb0e9a48f9cc5b8454a5ea312c92bd26660b050e477f45892fe8a81102f325
Instruction Fuzzy Hash: BAD1D83564C7828FD325CF29C4902A7FBE2EF99304F08896DE5D99B352D234E816CB56

Function 0044ACA9 Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db9dba425d60c0dbb1d6e3988b3daa5d40f033763d1b81bf47780d34f9f63e9a
Instruction ID: f56703e5f6a6c57181c16e3dd6e1a82442a6f0e416528d6773de45f0af78ccf6
Opcode Fuzzy Hash: db9dba425d60c0dbb1d6e3988b3daa5d40f033763d1b81bf47780d34f9f63e9a
Instruction Fuzzy Hash: 11B1BE167CA2828BF716693C90A03F77BA1DBA6311F6C50BED5EAC7742D11E881DD305

Function 00447820 Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec41c2ec5a9472993e0fea019c7397e827e9df61bbc696b2f81349913d1a6d52
Instruction ID: ee0e7a6183119bc0159fbfeca56e470cba00bd429a5c524fd365eca9a54f7360
Opcode Fuzzy Hash: ec41c2ec5a9472993e0fea019c7397e827e9df61bbc696b2f81349913d1a6d52
Instruction Fuzzy Hash: 06D18C72A0D7468FE704CE18C49426FBBE1FBD9314F544A2EE49597350D338AA0ACB86

Function 00452AC0 Relevance: .3, Instructions: 346COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c788c343b023501b545d764f43615337e2e5eef6ed80e8622e29522940b04375
Instruction ID: cc7ba4cb82ccc6384ff4f8bc752ba9b12a4b054fdff85f103fdfc16b34b4561b
Opcode Fuzzy Hash: c788c343b023501b545d764f43615337e2e5eef6ed80e8622e29522940b04375
Instruction Fuzzy Hash: 18D13775200B418FD324CF29C980AA7B7E5FF9A305B18892ED8D787B52D675F84ACB44

Function 00418CC0 Relevance: .3, Instructions: 336COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 892bc27f49fdb9ec0ca051ebb5a842a1954d228a1487f1b87b8bd83eb46230eb
Instruction ID: 5b751acd1e3045eecf69e10729e9c5a5f8acbc6cca45528e721eede99bdf3485
Opcode Fuzzy Hash: 892bc27f49fdb9ec0ca051ebb5a842a1954d228a1487f1b87b8bd83eb46230eb
Instruction Fuzzy Hash: 76C1AD316087844FD725CE19C4643EBBBE3ABA5740F98441FE58187392DB3C9D86CB4A

Function 0045D580 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29ebd1ac3e53b050051580e8ce83b1a167650b8eb79b7030dff806e847e9b45c
Instruction ID: 522744798dfb163aca1ca9c0e7837bea1f257de0a7f7ead6dd743b01dcab21ce
Opcode Fuzzy Hash: 29ebd1ac3e53b050051580e8ce83b1a167650b8eb79b7030dff806e847e9b45c
Instruction Fuzzy Hash: 8DC18175A087518FC728CF2CD59012AFBE1FF98310F194A7EE8DA93751C674A819CB89

Function 0044B87E Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction ID: ab0463f5f660bf0361d787932c8741c7f4fedeb88a63e70479303d7057a4b081
Opcode Fuzzy Hash: 209fc5673e656db3213c2d2fbf9a8a4af23a33bfddf6ddf1f62eb543b428bd05
Instruction Fuzzy Hash: 40C1C0352087824BD72DDB2C94A55F7BFE2DFAA300B1DD5BDC48A8B3A7D9259409C780

Function 0045B9B0 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9489cd46fff3da46d0f7bf61a82e5ebe7e98034f89ad3e48203e3a634a8a5bec
Instruction ID: 5f469b066af47255ab2ccd231bf79b35836a9b3600ef3758ca9f381afe15b4fb
Opcode Fuzzy Hash: 9489cd46fff3da46d0f7bf61a82e5ebe7e98034f89ad3e48203e3a634a8a5bec
Instruction Fuzzy Hash: 9FD18A716082918FC319CF18E5D88E67BE1FFA8740B0E42F9D98A8B323D7359945CB95

Function 00452620 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ada256bebb666db84d41bc3a49de61a2541b6cb537ac48c3f7372247b1ca60dd
Instruction ID: 9913a85ad76444803466d661de35ec67cd5fdeca83ea78d17f1b552ebc4b651e
Opcode Fuzzy Hash: ada256bebb666db84d41bc3a49de61a2541b6cb537ac48c3f7372247b1ca60dd
Instruction Fuzzy Hash: C1B13875214B418FC328DF29CA909A7B7E5FF8A304B18892ED8CAC7B52D675F845CB44

Function 004677D6 Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction ID: e106142623c9a10c2045d318a6098b6c370f20c9d931e1bcac48a2b4f75a5ba3
Opcode Fuzzy Hash: fc60ecf50bd115ca0c6ea2745a91e2bccda0b72c85d336beea95e2ba67d1c3a9
Instruction Fuzzy Hash: 48B19D7590420ADFDB15CF04C5D0AA9BBE1BF58318F24C19EC85A5B382D735EE46CB94

Function 00457FD0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction ID: 7ee656fca5a68d23b8315c379a7b78bf46efc9db59226f7f52b8db0497da6918
Opcode Fuzzy Hash: cab88bb81d6f1a3f294bb195b69a7ed404116198194961875d31482ad394f9ff
Instruction Fuzzy Hash: 49A10875A087418FC314CF29C49086AFBF2BFC8714F198A6DE99997325EB70E945CB42

Function 0044C180 Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction ID: 74e78ec7b96e9bbdf0598784668f9a0964096a10ca63ecb5b1f9a833665a5b43
Opcode Fuzzy Hash: 4664e54bd8655df0b62760be2564d86677a0bae60cff444b8354291ceb51d8c8
Instruction Fuzzy Hash: A471E93590D6828AE751CF28C080666FFD2BBA6304F0CC6DEC8C89F357D6A5E909C795

Function 0044B604 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction ID: 539729fcbd2162cf3c85be03d2a0fbab6ca5e29e73ea0a29e13b307e7747779b
Opcode Fuzzy Hash: e09e427cc0f5c48326d696f622ddb13854d7e20a58c35d846649955e18978596
Instruction Fuzzy Hash: 4371122520D7C24BD7299B2888A42F6BFE1AFA7300F5D95FED8D64F3A2C5069409C761

Function 00457530 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction ID: 5d20d1cd5bd05c8fcbfe771f3048db0c6edbc378e61ff5e6f3d2cb40971c6f8c
Opcode Fuzzy Hash: c85e5f8c1b8543d5e31b2507d484f8634bc59b4117db2810bbc7b5cb86d4c726
Instruction Fuzzy Hash: 5081F83954A7819FC711CF29C0D04A6FBE2BF9E204F5C999DE9C50B317C231A91ACB92

Function 00449F50 Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d32c06048184a79331f19cd8dcb26fb480605378fc1cbf4b0ea5e32d31721344
Instruction ID: 3945457b1a0afbdf6d5fe66a6519e9e862251737272bc7e0e6b05dc72fac7dec
Opcode Fuzzy Hash: d32c06048184a79331f19cd8dcb26fb480605378fc1cbf4b0ea5e32d31721344
Instruction Fuzzy Hash: 0B5125313487614FE305CF2E989016AFBD29BCE314F1C8AAED9D9C7712E635D8198786

Function 0044B451 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction ID: 33fd919644e6b60b58066c663e3885b1ca2b124ade01af0bf35c963956e228c5
Opcode Fuzzy Hash: 4d4d2dea2c165661568dc7cef3cf9871e53b13df2d48047b3dc5f70df1b2c506
Instruction Fuzzy Hash: C541173A3192834BD7189E3C84512B6FBA1EF9A304F5847BEC8D5C7742D629D50AC794

Function 0044B166 Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction ID: 1cc6e16d74fcd4b44435471cbd426c8eeb44466dc9b472171e0bc049ba5226a4
Opcode Fuzzy Hash: a8c27889d51f487b201adba72a386df83b8ac4b76ef92a9fc20cd27d85f323ea
Instruction Fuzzy Hash: BD51AE2520DBD14AD71A9B3C54A96F7FFE29F6B301B4E90EEC4DA8B323C6164409C760

Function 0044CDF0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eddc414df8733253dfeede56722cd565e69c5655e7760f35e8fb29e5fee39c47
Instruction ID: fb35d4af3d58dc8defcbba90b1a3d868f1628d58c99291806a87d8678ef0ab92
Opcode Fuzzy Hash: eddc414df8733253dfeede56722cd565e69c5655e7760f35e8fb29e5fee39c47
Instruction Fuzzy Hash: 9E41C3327429410BE7A8CB6AD4E01EBB7D3DBC6301B2CC46BD59ECB765C6355808CB88

Function 00444050 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction ID: 8bc66c6fa7b7fe4f91f2b84a0da40adcdf310f9511f655ac48ea3f63a5530df9
Opcode Fuzzy Hash: 0b4f27dd10139f30faea009d98bf7d04ad43b169fe1efa635cf320682f8d45aa
Instruction Fuzzy Hash: F2312D3374558203F72DCE2F9CA13BAEAD34FD522872DD47E99C98B356ECB984164144

Function 00443910 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 803abeb16e1204f9f52b8bf70aa85108b48422b90e1564a44f0248855dcd81d0
Instruction ID: 7a7621e181c13f7d51e667923c58b8bcbf4361c1fa29e38e3cfe0406c0d1df9b
Opcode Fuzzy Hash: 803abeb16e1204f9f52b8bf70aa85108b48422b90e1564a44f0248855dcd81d0
Instruction Fuzzy Hash: 453146227B609207D354CEBEDC8057BB69397CAA07B6DCA7DE584C7A0AC53DD9074244

Function 004608A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction ID: 24f0be60dc0a974f21df1cbbfd4c37282612d65ea50494e8c7ff0ace67253185
Opcode Fuzzy Hash: e65a41849ba1dff17564a555de7faa284a3be694d3db7f60d411abc468340149
Instruction Fuzzy Hash: A5113DF768024187E608DA7DD4B42BBE396EBC632072C827BD0424F354F6699C49D54B

Function 004340E0 Relevance: 80.0, APIs: 53, Instructions: 459windowsleepCOMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00434102

Part of subcall function 00419AE0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 00419AEF

SetStretchBltMode.GDI32(00000000,00000000), ref: 00434115
CreateCompatibleDC.GDI32(00000000), ref: 00434122
CreateCompatibleDC.GDI32(00000000), ref: 00434127
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434178
SelectObject.GDI32(00000000,00000000), ref: 0043418C
SelectObject.GDI32(?,?), ref: 004341B6
PatBlt.GDI32(?,00000000,00000000,?,?,00F00021), ref: 004341D8
SelectObject.GDI32(?,?), ref: 004341E8
SelectObject.GDI32(?,?), ref: 004341F4
GetTickCount.KERNEL32 ref: 00434242
SelectObject.GDI32(?,?), ref: 0043427A
SelectObject.GDI32(00000000,00000000), ref: 00434296
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004342BB
SelectObject.GDI32(00000000,?), ref: 004342C7
DeleteObject.GDI32(00000000), ref: 004342CE
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434312
SelectObject.GDI32(00000000,00000000), ref: 0043431E
BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,00000000,00CC0020), ref: 00434343
SelectObject.GDI32(00000000,?), ref: 0043434F
SelectObject.GDI32(00000000,?), ref: 00434357
CreateCompatibleDC.GDI32(00000000), ref: 0043436C
CreateCompatibleDC.GDI32(00000000), ref: 00434375
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0043438B
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004343A3
SelectObject.GDI32(00000000,?), ref: 004343B3
SelectObject.GDI32(00000000,?), ref: 004343C3
SetBkColor.GDI32(00000000,?), ref: 004343D5
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 004343F6
SetBkColor.GDI32(00000000,?), ref: 00434402
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 0043441F
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00434444
BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 00434461
BitBlt.GDI32(?,?,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 00434486
SelectObject.GDI32(00000000,?), ref: 00434492
DeleteObject.GDI32(00000000), ref: 00434499
SelectObject.GDI32(00000000,?), ref: 004344A5
DeleteObject.GDI32(00000000), ref: 004344AC
DeleteDC.GDI32(00000000), ref: 004344B9
DeleteDC.GDI32(00000000), ref: 004344BC
SelectObject.GDI32(00000000,?), ref: 004344F5
DeleteObject.GDI32(?), ref: 004344FC
IsWindow.USER32(?), ref: 00434506
StretchBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0043456A
BitBlt.GDI32(00000000,?,?,?,?,?,00000000,00000000,00CC0020), ref: 00434594
SelectObject.GDI32(?,?), ref: 004345A4
Sleep.KERNEL32(0000000A), ref: 004345F0
GetTickCount.KERNEL32 ref: 004345F6
DeleteObject.GDI32(00000000), ref: 00434623
DeleteDC.GDI32(00000000), ref: 00434630
DeleteDC.GDI32(?), ref: 00434637
ReleaseDC.USER32(?,00000000), ref: 0043463E

Part of subcall function 00433C20: GetClientRect.USER32(?,?), ref: 00433C47
Part of subcall function 00433C20: __ftol.LIBCMT ref: 00433D1E
Part of subcall function 00433C20: __ftol.LIBCMT ref: 00433D31

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Object$Select$Delete$Create$Compatible$Bitmap$ColorCountStretchTick__ftol$ClientDisplayEnumModeRectReleaseSettingsSleepWindow
String ID:
API String ID: 1975044605-0
Opcode ID: f2849edb5e079bc65b398f7e1b9825ccd27d7635c858d690889a8bca33efad5b
Instruction ID: 35ed341ee7ef7f34909475b20209965c06fc99bd66648f2be5cb2d63dd16d4ff
Opcode Fuzzy Hash: f2849edb5e079bc65b398f7e1b9825ccd27d7635c858d690889a8bca33efad5b
Instruction Fuzzy Hash: 3A02C6B1204740AFD324DF65CC85F6BB7E9FB88B04F104A1DF69A93290D6B4F8458B29

Function 00442090 Relevance: 47.7, APIs: 25, Strings: 2, Instructions: 452windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000010), ref: 00442118

Part of subcall function 00477835: SetBkColor.GDI32(?,?), ref: 00477844
Part of subcall function 00477835: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00477876

GetSysColor.USER32(00000014), ref: 00442150
InflateRect.USER32(?,000000FF,000000FF), ref: 00442182
GetSysColor.USER32(00000016), ref: 0044219B
GetSysColor.USER32(0000000F), ref: 004421AB
DrawEdge.USER32(?,?,00000002,0000000F), ref: 004421E4
GetDeviceCaps.GDI32(?), ref: 004423EE
RealizePalette.GDI32(?), ref: 00442411
GetSysColor.USER32(00000014), ref: 00442429
GetSysColor.USER32(0000000F), ref: 0044243B
GetSysColor.USER32(0000000F), ref: 004420F1

Part of subcall function 0047780B: SetBkColor.GDI32(?,?), ref: 00477815
Part of subcall function 0047780B: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 0047782B

GetSysColor.USER32(0000000F), ref: 00442248
InflateRect.USER32(?,000000FF,000000FF), ref: 00442281
GetSysColor.USER32(00000016), ref: 00442296
GetSysColor.USER32(0000000F), ref: 004422A2
InflateRect.USER32(?,?,?), ref: 004422E3
GetSysColor.USER32(00000010), ref: 004422E7
Rectangle.GDI32(?,?,?,?,?), ref: 0044232E
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00442369
DrawEdge.USER32(?,?,00000002,0000000F), ref: 00442470
GetSysColor.USER32(00000010), ref: 004424CD
CreatePen.GDI32(00000000,00000001,00000000), ref: 004424D4
InflateRect.USER32(?,?,?), ref: 00442513
Rectangle.GDI32(?,?,?,?,?), ref: 00442531
GetDeviceCaps.GDI32(?,00000026), ref: 00442567

Strings

x>H, xrefs: 004423B6
{G, xrefs: 0044257C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Color$InflateRect$DrawEdge$CapsDeviceRectangleText$CreatePaletteRealize
String ID: {G$x>H
API String ID: 3119264602-3484561576
Opcode ID: 630a5e93fa009b0781281ddff214ac59596dee7b8c39114aa5a705b0463bb86a
Instruction ID: 870a1969e67e72339ae3f4efc67ef1893795782e46af825daf801b4282a1054a
Opcode Fuzzy Hash: 630a5e93fa009b0781281ddff214ac59596dee7b8c39114aa5a705b0463bb86a
Instruction Fuzzy Hash: F5F17871204301AFE714DF65C884F6BB7E9FB88704F408A2EF65A87291DBB4E805CB56

Function 00432A80 Relevance: 42.4, APIs: 19, Strings: 5, Instructions: 356windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419210: SendMessageA.USER32(?,00000143,00000000,?), ref: 00419233

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 00432AD9
GetProfileStringA.KERNEL32(devices,00000000,004B01B4,?,00001000), ref: 00432B18
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 00432B5A
SendMessageA.USER32(?,00000143,00000000), ref: 00432C1B
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00432C58
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00432CFB
wsprintfA.USER32 ref: 00432D14
wsprintfA.USER32 ref: 00432D3A
wsprintfA.USER32 ref: 00432D60
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432D93
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432DBE
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432DD4
SendMessageA.USER32(?,0000014E,?,00000000), ref: 00432DEB
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432E2F
wsprintfA.USER32 ref: 00432E42
wsprintfA.USER32 ref: 00432E6C
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432E92
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 00432ED3
wsprintfA.USER32 ref: 00432EE4

Strings

windows, xrefs: 00432AD4
devices, xrefs: 00432B13, 00432B55
none, xrefs: 00432B98
device, xrefs: 00432ACF
,,,, xrefs: 00432ACA, 00432B4F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$wsprintf$ProfileString
String ID: ,,,$device$devices$none$windows
API String ID: 2373861888-528626633
Opcode ID: a60de7d1a7fb20ae59025d0c77c12ad9d14f7a8237ba4bf2f92d3bd57d74c7bc
Instruction ID: a0c75f5e10a0763e198c0df24f04321882ab051b568b7191f03127fe63a56c60
Opcode Fuzzy Hash: a60de7d1a7fb20ae59025d0c77c12ad9d14f7a8237ba4bf2f92d3bd57d74c7bc
Instruction Fuzzy Hash: 81C1D4712407056BD624DB71DD82FEBB7E8AB88704F00491EF55A971C0EBB8FA44CB69

Function 0041EFF0 Relevance: 35.4, APIs: 17, Strings: 3, Instructions: 366windowCOMMON

Download Yara Rule

APIs

CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041F07C
CreateCompatibleDC.GDI32(?), ref: 0041F08E
CreateCompatibleDC.GDI32(?), ref: 0041F097
SelectObject.GDI32(00000000,?), ref: 0041F0A6
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041F0B9
SelectObject.GDI32(?,00000000), ref: 0041F0C9
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041F0E9
SelectObject.GDI32(00000000,?), ref: 0041F0F5
DeleteDC.GDI32(00000000), ref: 0041F102
SelectObject.GDI32(?,?), ref: 0041F10A
DeleteDC.GDI32(?), ref: 0041F111
DeleteObject.GDI32(?), ref: 0041F117
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0041F14D

Strings

(, xrefs: 0041F1FC
(, xrefs: 0041F3AF
, xrefs: 0041F213

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateObject$Select$BitmapCompatibleDelete
String ID: $($(
API String ID: 1878064223-3669016180
Opcode ID: dc5e683d9d75504dd34afa9130b1e1fdd9423e2d141bc1b4e3794c1a996fb635
Instruction ID: b9ff081f3c25862aa0e335e62e959971e508910ef71725575a03f6f812f511a0
Opcode Fuzzy Hash: dc5e683d9d75504dd34afa9130b1e1fdd9423e2d141bc1b4e3794c1a996fb635
Instruction Fuzzy Hash: 47D146B56043019BC714CF26D884AABBBE9EFC8310F14492EFA96C7350D775E885CB66

Function 0040F390 Relevance: 33.3, APIs: 22, Instructions: 293windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 0040F41F
GetWindowRect.USER32(?,?), ref: 0040F476
GetParent.USER32(?), ref: 0040F486
GetParent.USER32(?), ref: 0040F4B9
GlobalSize.KERNEL32(00000000), ref: 0040F503
GlobalLock.KERNEL32(00000000), ref: 0040F50B
IsWindow.USER32(?), ref: 0040F524
GetTopWindow.USER32(?), ref: 0040F561
GetWindow.USER32(00000000,00000002), ref: 0040F57A
SetParent.USER32(?,?), ref: 0040F5A6
SendMessageA.USER32(?,0000806F,00000000,00000000), ref: 0040F5F1
SendMessageA.USER32(?,00008076,00000000,00000000), ref: 0040F600
GetParent.USER32(?), ref: 0040F613
SendMessageA.USER32(?,00008004,00000000,00000000), ref: 0040F62C
GetWindowLongA.USER32(?,000000F0), ref: 0040F634
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040F664
SendMessageA.USER32(?,0000130C,00000000,00000000), ref: 0040F672
IsWindow.USER32(?), ref: 0040F6BE
GetFocus.USER32 ref: 0040F6C8
SetFocus.USER32(?,00000000), ref: 0040F6E0
GlobalUnlock.KERNEL32(00000000), ref: 0040F6EB
GlobalFree.KERNEL32(00000000), ref: 0040F6F2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$MessageSend$GlobalParent$Focus$FreeLockLongRectSizeUnlock
String ID:
API String ID: 300820980-0
Opcode ID: a60d23cb19a3524c3a385939ccc3ddf19aa0d277b03f78ee3ab41469b6cce464
Instruction ID: ba0dfec272f2608cc7a5df87a0730c7ca7c14a59ffcc520b4dde9495886db0d9
Opcode Fuzzy Hash: a60d23cb19a3524c3a385939ccc3ddf19aa0d277b03f78ee3ab41469b6cce464
Instruction Fuzzy Hash: D8A11971604301ABD724DF65CC84B2BB7E9AB88704F108A2EF955972D1DB78E8058B59

Function 00405600 Relevance: 31.9, APIs: 16, Strings: 2, Instructions: 384windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 00405645
GetCurrentObject.GDI32(?,00000002), ref: 0040568A
GetCurrentObject.GDI32(?,00000001), ref: 0040569D
GetClientRect.USER32 ref: 00405722
CreatePen.GDI32(-00000003,00000000,?), ref: 0040573E
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00405802

Part of subcall function 00475732: __EH_prolog.LIBCMT ref: 00475737
Part of subcall function 00475732: EndPaint.USER32(?,?,?,?,004044C3), ref: 00475754

Strings

gfff, xrefs: 00405972
{G, xrefs: 00405A46

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CurrentH_prologObjectPaintRect$BeginClientClipCreateEmpty
String ID: {G$gfff
API String ID: 3506841274-3485696999
Opcode ID: 8b4153a0712d3d9589025a35b24a52b892fdac40bb22b582b6eef14dc8705109
Instruction ID: 4721236834b6830f948ab31e41cdc78aa7a7671c50ea3910c3ae4460da3ab0a2
Opcode Fuzzy Hash: 8b4153a0712d3d9589025a35b24a52b892fdac40bb22b582b6eef14dc8705109
Instruction Fuzzy Hash: F6E18B715087409BC314DF65C884A6FB7E8FB88314F508A2EF59997290DB78E909CF6B

Function 00414C80 Relevance: 31.7, APIs: 15, Strings: 3, Instructions: 245COMMON

Download Yara Rule

APIs

SetWindowRgn.USER32(?,00000000,00000001), ref: 00414CB1
GetWindowRect.USER32(?,?), ref: 00414CDE
BeginPath.GDI32(?), ref: 00414D67
MulDiv.KERNEL32(7FFF0000,?,00007FFF), ref: 00414D80
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00414D8F
MulDiv.KERNEL32(3FFF0000,?,00007FFF), ref: 00414DB7
MulDiv.KERNEL32(00000000,?,00007FFF), ref: 00414DC6
EndPath.GDI32(?), ref: 00414DE1
PathToRegion.GDI32(?), ref: 00414DEC

Strings

gfff, xrefs: 00414EBA
-{G, xrefs: 00414CF4, 00414ED2, 00414ED3
gfff, xrefs: 00414EAA

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Path$Window$BeginRectRegion
String ID: -{G$gfff$gfff
API String ID: 3989698161-1189793372
Opcode ID: dcb4682f49f289de72bbb9af7459dfc62159c4a8f58506ea6e76d08db7ced6d1
Instruction ID: 886c95c1a8e75cc93815e59f75995cccce8db932725e5a11636bd21bf5b06896
Opcode Fuzzy Hash: dcb4682f49f289de72bbb9af7459dfc62159c4a8f58506ea6e76d08db7ced6d1
Instruction Fuzzy Hash: 7381F4B15047459BD314EF25CC45EABBBE8FBC8704F048A2EF48A97390DA78A844C766

Function 004367C0 Relevance: 31.7, APIs: 21, Instructions: 205COMMON

Download Yara Rule

APIs

WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000022B8), ref: 004367D5
EnterCriticalSection.KERNEL32(?), ref: 004367F8
LeaveCriticalSection.KERNEL32(?), ref: 00436806
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00436828
waveOutPrepareHeader.WINMM(?,?,00000020), ref: 00436871
waveOutWrite.WINMM(?,?,00000020), ref: 0043687E
EnterCriticalSection.KERNEL32(?), ref: 00436888
LeaveCriticalSection.KERNEL32(?), ref: 00436896
EnterCriticalSection.KERNEL32(?), ref: 004368C5
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004368E3
LeaveCriticalSection.KERNEL32(?), ref: 004368EA
waveOutPause.WINMM(?), ref: 004368F9
waveOutReset.WINMM(?), ref: 00436903
waveOutUnprepareHeader.WINMM(?,00000000,00000020), ref: 00436921
waveOutUnprepareHeader.WINMM(?,?,00000020), ref: 00436946
EnterCriticalSection.KERNEL32(004B01D8), ref: 0043695C
LeaveCriticalSection.KERNEL32(004B01D8), ref: 004369B8
CloseHandle.KERNEL32(?), ref: 004369E6
CloseHandle.KERNEL32(?), ref: 004369EC
CloseHandle.KERNEL32(?), ref: 004369F2
DeleteCriticalSection.KERNEL32(?), ref: 004369F8

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalSection$wave$EnterHeaderLeave$CloseHandleUnprepare$DeleteMultipleObjectsPausePrepareReleaseResetSemaphoreWaitWrite
String ID:
API String ID: 361331667-0
Opcode ID: 095daaea9831d2715494a48c17b2dfda3935db2f32b5d08f37b54d7301c4439f
Instruction ID: abd5fe08da0acd6715c7e30b0bb99ae289e59a5556a5451b96445d84151867de
Opcode Fuzzy Hash: 095daaea9831d2715494a48c17b2dfda3935db2f32b5d08f37b54d7301c4439f
Instruction Fuzzy Hash: 7071B3B560020AABCB14DF68DC49AAF3BA8EF4C704F06856AFD05D7351C738E941CB99

Function 0041CC60 Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 183windowmemoryCOMMON

Download Yara Rule

APIs

GetStockObject.GDI32(0000000F), ref: 0041CCB4
GetObjectA.GDI32(?,00000018,?), ref: 0041CCC7
SelectPalette.GDI32(?,00000000,00000000), ref: 0041CD22
RealizePalette.GDI32(?), ref: 0041CD2C
GlobalAlloc.KERNEL32(00000002,00000028), ref: 0041CD36
SelectPalette.GDI32(?,?,00000000), ref: 0041CD4C
GlobalLock.KERNEL32(00000000), ref: 0041CD54
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041CD83
GlobalUnlock.KERNEL32(00000000), ref: 0041CDD9
GlobalReAlloc.KERNEL32(00000000,?,00000002), ref: 0041CDE2
GlobalLock.KERNEL32(00000000), ref: 0041CDEF
GetDIBits.GDI32(?,?,00000000,?,00000000,00000000,00000000), ref: 0041CE12
SelectPalette.GDI32(?,?,00000000), ref: 0041CE25
GlobalUnlock.KERNEL32(00000000), ref: 0041CE2C
GlobalFree.KERNEL32(00000000), ref: 0041CE33

Part of subcall function 004755CA: __EH_prolog.LIBCMT ref: 004755CF
Part of subcall function 004755CA: ReleaseDC.USER32(?,00000000), ref: 004755EE

Strings

(, xrefs: 0041CCDA

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$Palette$Select$AllocBitsLockObjectUnlock$FreeH_prologRealizeReleaseStock
String ID: (
API String ID: 3986717603-3887548279
Opcode ID: f9592254f0fdb530ca9b7d862c4a008488676cbdb8dc2062957ae13bd2bd70dc
Instruction ID: 6fa590a997201871321b7557874e8bf3a3156276ee333fd83aa575f5ed7693bb
Opcode Fuzzy Hash: f9592254f0fdb530ca9b7d862c4a008488676cbdb8dc2062957ae13bd2bd70dc
Instruction Fuzzy Hash: 1361BE725443509FC320CF64CC84B6BBBE9FB89710F044A2DFA8997291CB78E844CB96

Function 00431910 Relevance: 30.0, APIs: 15, Strings: 2, Instructions: 255windowCOMMON

Download Yara Rule

APIs

CopyRect.USER32(?,?), ref: 00431946

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

FillRect.USER32(?,?,00000000), ref: 00431984
GetSystemMetrics.USER32(0000002E), ref: 004319AD
GetSystemMetrics.USER32(0000002D), ref: 004319B3
DrawFrameControl.USER32(?,?,00000003,?), ref: 00431A26
DrawEdge.USER32(?,?,0000000A,0000000F), ref: 00431A39
InflateRect.USER32(?,00FFFFFD,00000001), ref: 00431A54
GetSysColor.USER32(0000000F), ref: 00431A78
Rectangle.GDI32(?,?,?,?,?), ref: 00431ACB
OffsetRect.USER32(?,00000001,00000001), ref: 00431B35
GetSysColor.USER32(00000014), ref: 00431B3B
OffsetRect.USER32(?,000000FF,000000FF), ref: 00431B63
GetSysColor.USER32(00000010), ref: 00431B69
InflateRect.USER32(?,000000FF,000000FF), ref: 00431BB2
DrawFocusRect.USER32(?,?), ref: 00431BC1

Part of subcall function 00470F60: GetWindowTextLengthA.USER32(?), ref: 00470F6D
Part of subcall function 00470F60: GetWindowTextA.USER32(?,00000000,00000000), ref: 00470F85

Strings

%H, xrefs: 00431BC7
%H, xrefs: 00431992

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$ColorDraw$InflateMetricsOffsetSystemTextWindow$BrushControlCopyCreateEdgeFillFocusFrameH_prologLengthRectangleSolid
String ID: %H$ %H
API String ID: 4239342997-3940156963
Opcode ID: bbb6721f39e206f679193335830ab9d8a92811fb64b4f3cbb0f484563fb8d89f
Instruction ID: 78395a7d6a071b5c5f99b98e8cf8f45809d96c3e23939895f7332a5f10b651cf
Opcode Fuzzy Hash: bbb6721f39e206f679193335830ab9d8a92811fb64b4f3cbb0f484563fb8d89f
Instruction Fuzzy Hash: 40A17670208345AFD704DF68C888A6BBBE8FF88714F004A1DF59987390DBB4E945CB96

Function 00472499 Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 174windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00472DFE: GetWindowLongA.USER32(?,000000F0), ref: 00472E0A

GetParent.USER32(?), ref: 004724C4
SendMessageA.USER32(00000000,0000036B,00000000,00000000), ref: 004724E7
GetWindowRect.USER32(?,?), ref: 00472500
GetWindowLongA.USER32(00000000,000000F0), ref: 00472513
CopyRect.USER32(?,?), ref: 00472560
CopyRect.USER32(?,?), ref: 0047256A
GetWindowRect.USER32(00000000,?), ref: 00472573
CopyRect.USER32(?,?), ref: 0047258F

Strings

@, xrefs: 00472502
(, xrefs: 0047252B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Window$Copy$Long$MessageParentSend
String ID: ($@
API String ID: 808654186-1311469180
Opcode ID: 61a6bc352d571d10a1717eb0fc72e2f0e7294cccc563cdae660e34c07dca1a99
Instruction ID: f8168fce0b1b5c406e83599fbcdf659e94e50d5e3f3fb5d529d21951e6627a81
Opcode Fuzzy Hash: 61a6bc352d571d10a1717eb0fc72e2f0e7294cccc563cdae660e34c07dca1a99
Instruction Fuzzy Hash: 4F51E771900219AFCB14DBA9CD84EEE7BB9AF48314F148166F905F3290D774ED458B58

Function 00433110 Relevance: 25.9, APIs: 17, Instructions: 351windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00470F60: GetWindowTextLengthA.USER32(?), ref: 00470F6D
Part of subcall function 00470F60: GetWindowTextA.USER32(?,00000000,00000000), ref: 00470F85

__ftol.LIBCMT ref: 00433186
__ftol.LIBCMT ref: 004331DC
__ftol.LIBCMT ref: 00433232
__ftol.LIBCMT ref: 00433288
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004332A9
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004332C3
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043338B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004333BD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004333DA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 004333FA
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00433414
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043342C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043344B
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 004334B4
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00433519
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043355B

Part of subcall function 00472D24: GetDlgItem.USER32(?,?), ref: 00472D32

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433587

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$__ftol$TextWindow$ItemLength
String ID:
API String ID: 2143175130-0
Opcode ID: 4fd5a24e3f3d76585932b055c9b2fa02895b9880c17a46c36d46922d81adb8ec
Instruction ID: d3559716bb8e18ace4f786a91ad48bad9457fceedd186897d4529db867d20870
Opcode Fuzzy Hash: 4fd5a24e3f3d76585932b055c9b2fa02895b9880c17a46c36d46922d81adb8ec
Instruction Fuzzy Hash: 3ED1CFB5540B02ABD724EF31CC42FAB73A4AF48705F10493EF59A862D1DA78F549CB4A

Function 0042BC40 Relevance: 24.8, APIs: 13, Strings: 1, Instructions: 320windowCOMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0042BC5E
SetCapture.USER32(?,?,?,?,?,?,?,?,?,0047BBE8,000000FF,0042B49D,?,?,?,?), ref: 0042BC7B

Part of subcall function 00475558: __EH_prolog.LIBCMT ref: 0047555D
Part of subcall function 00475558: GetDC.USER32(00000000), ref: 00475586

Part of subcall function 0043F750: GetWindowExtEx.GDI32(?,?), ref: 0043F773

Part of subcall function 00475486: GetWindowExtEx.GDI32(?,?), ref: 00475497
Part of subcall function 00475486: GetViewportExtEx.GDI32(?,?), ref: 004754A4
Part of subcall function 00475486: MulDiv.KERNEL32(?,00000000,00000000), ref: 004754C9
Part of subcall function 00475486: MulDiv.KERNEL32(?,00000000,00000000), ref: 004754E4

Part of subcall function 00475017: SetMapMode.GDI32(?,?), ref: 00475030
Part of subcall function 00475017: SetMapMode.GDI32(?,?), ref: 0047503E

Part of subcall function 00474F8C: SetROP2.GDI32(?,?), ref: 00474FA5
Part of subcall function 00474F8C: SetROP2.GDI32(?,?), ref: 00474FB3

Part of subcall function 00474F30: SetBkMode.GDI32(?,?), ref: 00474F49
Part of subcall function 00474F30: SetBkMode.GDI32(?,?), ref: 00474F57

Part of subcall function 0047586D: __EH_prolog.LIBCMT ref: 00475872
Part of subcall function 0047586D: CreatePen.GDI32(?,?,?), ref: 00475895

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

GetCapture.USER32 ref: 0042BD41
GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0042BD60
DispatchMessageA.USER32(?), ref: 0042BDA1
DispatchMessageA.USER32(?), ref: 0042BDBD
ScreenToClient.USER32(?,?), ref: 0042BE04
GetCapture.USER32 ref: 0042BE2C
ReleaseCapture.USER32 ref: 0042BE54
ReleaseCapture.USER32 ref: 0042BEB0
DPtoLP.GDI32 ref: 0042BEF4
InvalidateRect.USER32(?,00000000,00000000,?,00000000,?,?,?,00000000,?,?,?), ref: 0042BF7D
InvalidateRect.USER32(?,00000000,00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0042C00B

Strings

{G, xrefs: 0042BE68, 0042C025

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Capture$Mode$Message$DispatchH_prologInvalidateObjectRectReleaseSelectWindow$ClientCreateScreenViewport
String ID: {G
API String ID: 453157188-3571685011
Opcode ID: e0c906c848d31c33bbd56a15f1387172b4456ea4b519373160e8616ef48c62e8
Instruction ID: ca9eab331822938518e3af620420ec33d80d74c71c5eefdabcb2777f8b8bbaad
Opcode Fuzzy Hash: e0c906c848d31c33bbd56a15f1387172b4456ea4b519373160e8616ef48c62e8
Instruction Fuzzy Hash: 06B1E470204750ABD314EB65D885FAFB7E9EF88704F504A1EF25683291DB78E904CB9A

Function 004250A0 Relevance: 24.8, APIs: 8, Strings: 6, Instructions: 282COMMON

Download Yara Rule

APIs

GetProfileStringA.KERNEL32(windows,device,,,,,?,000001F4), ref: 0042511F
GetProfileStringA.KERNEL32(devices,00000000,004B0140,?,00001000), ref: 00425153
GetProfileStringA.KERNEL32(devices,?,,,,,?,000000C8), ref: 004251DA

Strings

H, xrefs: 00425422
device, xrefs: 00425115
windows, xrefs: 0042511A
devices, xrefs: 0042514E, 004251D5
,,,, xrefs: 00425110, 004251CF
none, xrefs: 00425210

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ProfileString
String ID: H$,,,$device$devices$none$windows
API String ID: 1468043044-1576548341
Opcode ID: 3f2829924f30f6b6ed53d8e711af8c8856a09f50378096a6bdca8a3e4941372c
Instruction ID: 55eef95c6fee8bc1e59fff7516bd0032a31dc82eadfb87836aab9f043f0ea79a
Opcode Fuzzy Hash: 3f2829924f30f6b6ed53d8e711af8c8856a09f50378096a6bdca8a3e4941372c
Instruction Fuzzy Hash: F8B1C6706087409FD320DF65D881BAFB7E4EF95754F800A1EF99583291EB789904CB6B

Function 0046D32D Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 119registryclipboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047868A: TlsGetValue.KERNEL32(004B1F0C,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E,?,00000000,?,0046C7A1,00000000,00000000,00000000,00000000), ref: 004786C9

RegisterClipboardFormatA.USER32(commdlg_LBSelChangedNotify), ref: 0046D385
RegisterClipboardFormatA.USER32(commdlg_ShareViolation), ref: 0046D391
RegisterClipboardFormatA.USER32(commdlg_FileNameOK), ref: 0046D39D
RegisterClipboardFormatA.USER32(commdlg_ColorOK), ref: 0046D3A9
RegisterClipboardFormatA.USER32(commdlg_help), ref: 0046D3B5
RegisterClipboardFormatA.USER32(commdlg_SetRGBColor), ref: 0046D3C1

Part of subcall function 00472CBB: SetWindowLongA.USER32(?,000000FC,00000000), ref: 00472CEA

SendMessageA.USER32(?,00000111,0000E146,00000000), ref: 0046D4B4

Strings

commdlg_ColorOK, xrefs: 0046D39F
commdlg_help, xrefs: 0046D3AB
commdlg_SetRGBColor, xrefs: 0046D3B7
commdlg_FileNameOK, xrefs: 0046D393
commdlg_LBSelChangedNotify, xrefs: 0046D380
ppH, xrefs: 0046D413
commdlg_ShareViolation, xrefs: 0046D387

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ClipboardFormatRegister$LongMessageSendValueWindow
String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help$ppH
API String ID: 3913284445-1245669998
Opcode ID: dfa477befc11b963f28fd64fa773ba7b9dda074bb738f4f4c96728410f153572
Instruction ID: 1964b7f739d04ba7502ac5e35538ca575b63cd7700d2d214693b044caf02fc67
Opcode Fuzzy Hash: dfa477befc11b963f28fd64fa773ba7b9dda074bb738f4f4c96728410f153572
Instruction Fuzzy Hash: D8416231F00604ABDB29AF25DD44B6E3BA1EB44754F10496BF94997360DB78AC80CB9F

Function 0045E2A1 Relevance: 24.6, APIs: 7, Strings: 7, Instructions: 68libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(USER32,?,?,?,0045E3DA), ref: 0045E2C3
GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 0045E2DB
GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 0045E2EC
GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 0045E2FD
GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 0045E30E
GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 0045E31F
GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 0045E330

Strings

GetSystemMetrics, xrefs: 0045E2D5
GetMonitorInfoA, xrefs: 0045E32A
USER32, xrefs: 0045E2BE
EnumDisplayMonitors, xrefs: 0045E319
MonitorFromRect, xrefs: 0045E2F7
MonitorFromWindow, xrefs: 0045E2E6
MonitorFromPoint, xrefs: 0045E308

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
API String ID: 667068680-2376520503
Opcode ID: 2e63d83aeeb86049e46f73971496fa0787c3e79271fc676b3551a0253a85c11d
Instruction ID: 7d267e8e9fbb93bace6254321e1a3852529a47a167c415f45d99266bb51c75ac
Opcode Fuzzy Hash: 2e63d83aeeb86049e46f73971496fa0787c3e79271fc676b3551a0253a85c11d
Instruction Fuzzy Hash: 27115772A112006F8385EFA7ACD49297AE4F2087857A80A3FDC08D3271D7F89545DB2C

Function 00440200 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 372COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 0043F750: GetWindowExtEx.GDI32(?,?), ref: 0043F773

MulDiv.KERNEL32(?,00000064,?), ref: 004402BB
GetClientRect.USER32(?,?), ref: 00440349
DPtoLP.GDI32(?,?,00000002), ref: 0044035E
OffsetRect.USER32 ref: 004403AD
Rectangle.GDI32(?,?,?,?,?), ref: 004403EB
FillRect.USER32(?,?,?), ref: 00440443
FillRect.USER32(?,00000032,?), ref: 00440486
LPtoDP.GDI32(?,?,00000002), ref: 0044052F
IsRectEmpty.USER32(?), ref: 00440536
CreateRectRgnIndirect.GDI32(?), ref: 0044057A

Part of subcall function 00475281: SelectClipRgn.GDI32(?,00000000), ref: 004752A3
Part of subcall function 00475281: SelectClipRgn.GDI32(?,?), ref: 004752B9

LPtoDP.GDI32(?,?,00000001), ref: 004405BA
DPtoLP.GDI32(?,?,00000001), ref: 004405E1

Strings

2, xrefs: 004403A5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$ClipFillSelect$BeginClientCreateEmptyH_prologIndirectOffsetPaintRectangleWindow
String ID: 2
API String ID: 2521159323-450215437
Opcode ID: c5a64f749946dd58a5525b14506acfa6ee1f17b66f435726031a223b20cf348f
Instruction ID: 85d3345a0d51d2116b26616155aee7e83f5bb2eefd27e66ac370c65562f6f7d9
Opcode Fuzzy Hash: c5a64f749946dd58a5525b14506acfa6ee1f17b66f435726031a223b20cf348f
Instruction Fuzzy Hash: 66E119716087409FD324DF69C880B6BB7E9BBC8704F408A2EF59A87391DB74A944CB56

Function 00415060 Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 354COMMON

Download Yara Rule

APIs

CreateRectRgn.GDI32(?,?,?,?), ref: 004150AE
GetClientRect.USER32(?,?), ref: 00415149
CreateRectRgn.GDI32 ref: 004151BA
CombineRgn.GDI32(?,?,-{G,00000004), ref: 004151EB
SetRect.USER32(?,00000000,?,?,?), ref: 00415242
IntersectRect.USER32(?,?,?), ref: 0041524F
IsRectEmpty.USER32(?), ref: 0041527A
__ftol.LIBCMT ref: 00415358
__ftol.LIBCMT ref: 00415365
CreateRectRgn.GDI32(00000000,?,00000000,00000000), ref: 004153BE
CombineRgn.GDI32(?,?,-{G,00000004), ref: 004153EF

Part of subcall function 0041F430: SetStretchBltMode.GDI32(?,00000000), ref: 0041F444
Part of subcall function 0041F430: CreateCompatibleDC.GDI32(?), ref: 0041F4C9
Part of subcall function 0041F430: CreateCompatibleDC.GDI32(?), ref: 0041F4E1
Part of subcall function 0041F430: GetObjectA.GDI32(?,00000018,?), ref: 0041F522
Part of subcall function 0041F430: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0041F538

FillRgn.GDI32(?,?,00000000), ref: 0041546C

Strings

-{G, xrefs: 00415088, 0041519E, 004151E6, 004153A6, 004153EA

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Create$CombineCompatible__ftol$BitmapClientEmptyFillIntersectModeObjectStretch
String ID: -{G
API String ID: 3212946024-3953621167
Opcode ID: b324d67efac916f11ed740d0974994dadb689d68e2c102ca509157542505d56c
Instruction ID: f3b214ce5072bd3b6cdd3ce119f0f16e80594512f15f73b118517df7af6240c6
Opcode Fuzzy Hash: b324d67efac916f11ed740d0974994dadb689d68e2c102ca509157542505d56c
Instruction Fuzzy Hash: 1ED19C715087409FC314DF29C884AAFBBE8FBC8344F148A2EF89987251DB74E945CB66

Function 0041F430 Relevance: 22.8, APIs: 15, Instructions: 305windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00419AE0: EnumDisplaySettingsA.USER32(00000000,000000FF,?), ref: 00419AEF

SetStretchBltMode.GDI32(?,00000000), ref: 0041F444
CreateCompatibleDC.GDI32(?), ref: 0041F4C9
CreateCompatibleDC.GDI32(?), ref: 0041F4E1
GetObjectA.GDI32(?,00000018,?), ref: 0041F522
CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 0041F538
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0041F596
StretchBlt.GDI32(?,000000FF,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041F5EF
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,008800C6), ref: 0041F629
StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00660046), ref: 0041F663
CreateCompatibleDC.GDI32(?), ref: 0041F6DB
SelectObject.GDI32(00000000,?), ref: 0041F6E8
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,?), ref: 0041F72B
SelectObject.GDI32(00000000,?), ref: 0041F737
DeleteDC.GDI32(00000000), ref: 0041F73E
DrawIconEx.USER32(?,?,?,?,?,?,00000000,00000000,00000003), ref: 0041F77D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Stretch$Create$CompatibleObject$Select$BitmapDeleteDisplayDrawEnumIconModeSettings
String ID:
API String ID: 1298110373-0
Opcode ID: 1d7cb31bd51113b57c44351489b79bb86197c22ca8a939fc9b60c65a73548302
Instruction ID: 090679ed77ecd7b2b807602fa5e1dab56831623a7dae555efa2edea95804e433
Opcode Fuzzy Hash: 1d7cb31bd51113b57c44351489b79bb86197c22ca8a939fc9b60c65a73548302
Instruction Fuzzy Hash: 7CB13971204704AFD310DB25CC85FABB7E9FB88714F108A1DFAA987290D774ED458BA6

Function 004363E0 Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 331threadCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 0043654B
CreateSemaphoreA.KERNEL32(00000000,00000014,00000014,00000000), ref: 00436560
InitializeCriticalSection.KERNEL32(?), ref: 0043658B
CreateThread.KERNEL32(00000000,00000000,004367C0,?,00000004,?), ref: 004365C0
EnterCriticalSection.KERNEL32(004B01D8), ref: 004365D2
LeaveCriticalSection.KERNEL32(004B01D8,-000000FC,00000000,00000000), ref: 00436785
ResumeThread.KERNEL32(?), ref: 00436793
ReleaseSemaphore.KERNEL32(?,00000014,00000000), ref: 004367A5

Strings

RIFF, xrefs: 004363F4, 00436408
WAVE, xrefs: 00436421, 00436438
data, xrefs: 00436485
fmt , xrefs: 00436464

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateCriticalSection$SemaphoreThread$EnterEventInitializeLeaveReleaseResume
String ID: RIFF$WAVE$data$fmt
API String ID: 1802393137-4212202414
Opcode ID: a1997dc8b5bacbbed031e48eda80cad5ff48c85c28537aad9a1e62d53a5fe5a3
Instruction ID: 64a720f61d41f97a2025b811afa1434197c72026239e3fd2fcee073b0255f3d1
Opcode Fuzzy Hash: a1997dc8b5bacbbed031e48eda80cad5ff48c85c28537aad9a1e62d53a5fe5a3
Instruction Fuzzy Hash: 74B10571600302ABD714DF29DC82A2B77D5FB8C318F15863EF94697381E779E9018B99

Function 0041CFA0 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 265windowCOMMON

Download Yara Rule

APIs

GetObjectA.GDI32(?,00000018,?), ref: 0041CFDD
MulDiv.KERNEL32(?,?,00000064), ref: 0041D012
MulDiv.KERNEL32(?,?,00000064), ref: 0041D03D
GetDeviceCaps.GDI32 ref: 0041D077
GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041D0B1
CreatePalette.GDI32(00000000), ref: 0041D0BC
CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041D11C
CreateCompatibleDC.GDI32(?), ref: 0041D14F
CreateCompatibleDC.GDI32(?), ref: 0041D188
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,?,?,00CC0020), ref: 0041D1EB
GlobalFree.KERNEL32(00000000), ref: 0041D2B3

Strings

{G, xrefs: 0041D0F3, 0041D247

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Create$Compatible$Palette$BitmapCapsDeviceEntriesFreeGlobalObjectStretchSystem
String ID: {G
API String ID: 3563226738-3571685011
Opcode ID: 7a5802c410ef5670fab3a29b06dba599b83374adb2ba4b78d7cf9e3e725fd2f6
Instruction ID: 1e450911f93454cda334faaf9c8fff591edd7db48ff53af0201962591a169492
Opcode Fuzzy Hash: 7a5802c410ef5670fab3a29b06dba599b83374adb2ba4b78d7cf9e3e725fd2f6
Instruction Fuzzy Hash: 4A91E5B15083449FC310EF65CC85BAFB7E8EB88704F104A1EF59987281DB79E849CB66

Function 00404950 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 430COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 00404997
GetClientRect.USER32(?,?), ref: 004049AF
InflateRect.USER32(?,?,?), ref: 00404A6D
IntersectRect.USER32(?,?,?), ref: 00404AD7
CreateRectRgn.GDI32(?,?,?,?), ref: 00404AF1
FillRgn.GDI32(?,?,?), ref: 00404CB0
GetCurrentObject.GDI32(?,00000006), ref: 00404D2F

Part of subcall function 00474E18: GetStockObject.GDI32(?), ref: 00474E21
Part of subcall function 00474E18: SelectObject.GDI32(?,00000000), ref: 00474E3B
Part of subcall function 00474E18: SelectObject.GDI32(?,00000000), ref: 00474E46

OffsetRect.USER32(?,00000001,00000001), ref: 00404E0D
OffsetRect.USER32(?,00000002,00000002), ref: 00404EA1
OffsetRect.USER32(?,00000001,00000001), ref: 00404E54

Part of subcall function 00474FE8: SetTextColor.GDI32(?,?), ref: 00475002
Part of subcall function 00474FE8: SetTextColor.GDI32(?,?), ref: 00475010

Strings

{G, xrefs: 00404C6B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Object$Offset$ColorSelectText$BeginClientClipCreateCurrentEmptyFillH_prologInflateIntersectPaintStock
String ID: {G
API String ID: 4264835570-3571685011
Opcode ID: 402d412f1dcd386eff314ddff86ad630ccc5a1f744bdaa84b14ff296d1eedde6
Instruction ID: 3384d2c76cca00b493af5ab9e01d735418f7657caff10ca6068b2dcfc6924243
Opcode Fuzzy Hash: 402d412f1dcd386eff314ddff86ad630ccc5a1f744bdaa84b14ff296d1eedde6
Instruction Fuzzy Hash: 3D025CB11087809FD324DF65C884AABB7E9BFD8304F004D2EF19A97291DB74E949CB56

Function 00409C40 Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 316windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00409C7F
CreateCompatibleBitmap.GDI32 ref: 00409CDB
CreateCompatibleDC.GDI32(?), ref: 00409D0B
CreateRectRgn.GDI32(00000000,00000000,00000001,?), ref: 00409DA0
SetRect.USER32(?,00000000,00000000,00000001,?), ref: 00409DC9

Part of subcall function 00405000: __ftol.LIBCMT ref: 00405125
Part of subcall function 00405000: __ftol.LIBCMT ref: 00405132

FillRgn.GDI32(?,?,?), ref: 00409E46
PatBlt.GDI32(?,00000000,00000000,00000001,?,00F00021), ref: 00409EB9

Part of subcall function 00403150: GetSysColor.USER32(0000000F), ref: 0040315D

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

GetObjectA.GDI32(?,00000018,?), ref: 00409F35
CreateCompatibleDC.GDI32(?), ref: 00409F73
BitBlt.GDI32(?,00000000,00000000,00000001,?,?,00000000,00000000,00CC0020), ref: 00409FD2

Strings

{G, xrefs: 00409E4C, 00409E65, 00409EC9, 0040A03C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Create$CompatibleRect$__ftol$BitmapBrushClientColorFillH_prologObjectSolid
String ID: {G
API String ID: 2289681609-3571685011
Opcode ID: c2171f82dbd31d7b569ddf8d7f620ed8fb7471cd5924730dcd78b9920e10b620
Instruction ID: cd11c89b753f53ba8b12ddd3d11873f12197d5efdcedd40cca8a48ca9dddbc82
Opcode Fuzzy Hash: c2171f82dbd31d7b569ddf8d7f620ed8fb7471cd5924730dcd78b9920e10b620
Instruction Fuzzy Hash: 9AC183711043419FD320DB65C885BABB7E8AF88704F048D2EF199D7291DB78ED49CB66

Function 0040F870 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 287libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,0049F5C0), ref: 0040F8D7
LoadLibraryA.KERNEL32(?,?,004AF908), ref: 0040F9C9
LoadLibraryA.KERNEL32(?,?), ref: 0040FA0F
LoadLibraryA.KERNEL32(?,?,004AF810,00000001), ref: 0040FA57
LoadLibraryA.KERNEL32(00000001), ref: 0040FA6D
GetProcAddress.KERNEL32(00000000,?), ref: 0040FA7F
FreeLibrary.KERNEL32(00000000), ref: 0040FB12

Strings

PZI, xrefs: 0040FAA1

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Library$Load$AddressProc$Free
String ID: PZI
API String ID: 3120990465-3702111048
Opcode ID: bb9e3971432086b1d3068e52bd2a055e3b56b6045f85bd946446d68716b8452f
Instruction ID: 9d08068543709fb1b28bb432c8e6b2db904c753cdc901b6c86d7670cd43a34cd
Opcode Fuzzy Hash: bb9e3971432086b1d3068e52bd2a055e3b56b6045f85bd946446d68716b8452f
Instruction Fuzzy Hash: FBA1B671600701ABD724DF65C881F6BB3A8BF98714F04463EF85997381D738E909CB99

Function 004289A0 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00428A17
IsRectEmpty.USER32(?), ref: 00428A22
GetClientRect.USER32(00000000,?), ref: 00428A61
DPtoLP.GDI32(?,?,00000002), ref: 00428A73
LPtoDP.GDI32(?,?,00000002), ref: 00428AB0
CreateRectRgnIndirect.GDI32(?), ref: 00428AC8
OffsetRect.USER32(?,?,?), ref: 00428AED
LPtoDP.GDI32(?,?,00000002), ref: 00428AFF

Part of subcall function 0047586D: __EH_prolog.LIBCMT ref: 00475872
Part of subcall function 0047586D: CreatePen.GDI32(?,?,?), ref: 00475895

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

Part of subcall function 00474E18: GetStockObject.GDI32(?), ref: 00474E21
Part of subcall function 00474E18: SelectObject.GDI32(?,00000000), ref: 00474E3B
Part of subcall function 00474E18: SelectObject.GDI32(?,00000000), ref: 00474E46

Part of subcall function 00474F8C: SetROP2.GDI32(?,?), ref: 00474FA5
Part of subcall function 00474F8C: SetROP2.GDI32(?,?), ref: 00474FB3

Rectangle.GDI32(?,?,?,?,?), ref: 00428B73

Part of subcall function 00475281: SelectClipRgn.GDI32(?,00000000), ref: 004752A3
Part of subcall function 00475281: SelectClipRgn.GDI32(?,?), ref: 004752B9

Part of subcall function 00475857: DeleteObject.GDI32(00000000), ref: 00475866

Part of subcall function 004755CA: __EH_prolog.LIBCMT ref: 004755CF
Part of subcall function 004755CA: ReleaseDC.USER32(?,00000000), ref: 004755EE

Strings

-{G, xrefs: 00428AB6
{G, xrefs: 00428B8D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ObjectSelect$Rect$ClipCreateH_prolog$ClientCopyDeleteEmptyIndirectOffsetRectangleReleaseStock
String ID: {G$-{G
API String ID: 2841338838-3094641186
Opcode ID: 9ee932c79efe7d24fc64421e32f16ff990f797a70258312fed787efd6cfa800e
Instruction ID: d316b9e981eaeff8a1df5043e061b5561ce15074305ae88db5cc48d19f254796
Opcode Fuzzy Hash: 9ee932c79efe7d24fc64421e32f16ff990f797a70258312fed787efd6cfa800e
Instruction Fuzzy Hash: B0614E712043409FC314DF66D885EABB7E9EFC8718F408A1DF59A93291DBB4E904CB66

Function 00407B90 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 130stringprocessCOMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,?), ref: 00407C28
lstrcatA.KERNEL32(?,\shell\open\command,80000000,.htm,?,?,?,?), ref: 00407C67
lstrlenA.KERNEL32(?), ref: 00407CBC
lstrcatA.KERNEL32(00000000,00495C7C), ref: 00407D05
lstrcatA.KERNEL32(00000000,?), ref: 00407D0D
WinExec.KERNEL32(?,?), ref: 00407D15

Part of subcall function 0046EBB9: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046EBCD

Strings

open, xrefs: 00407C21
.htm, xrefs: 00407C40
"%1", xrefs: 00407C8B
mailto:, xrefs: 00407BF6
\shell\open\command, xrefs: 00407C61

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: lstrcat$DecrementExecExecuteInterlockedShelllstrlen
String ID: "%1"$.htm$\shell\open\command$mailto:$open
API String ID: 51986957-2182632014
Opcode ID: f21354e3d7a9047dfb73c8de8e3a954fd2027a95593a5893e323e40829240241
Instruction ID: bb76e4793e0b207bbc226616243a4bec0121a1ab27f7818862ac1a77cc9570e9
Opcode Fuzzy Hash: f21354e3d7a9047dfb73c8de8e3a954fd2027a95593a5893e323e40829240241
Instruction Fuzzy Hash: E841EA31648302ABD724DB25DC44FABB7E8AF94754F104A2EF555A32C0E738B805CB6B

Function 0041E5F0 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 405COMMON

Download Yara Rule

APIs

InflateRect.USER32(?,?,?), ref: 0041E696

Part of subcall function 0041E3C0: SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041E4A9
Part of subcall function 0041E3C0: OffsetRect.USER32(?,?,?), ref: 0041E4B6
Part of subcall function 0041E3C0: IntersectRect.USER32(?,?,?), ref: 0041E4D2
Part of subcall function 0041E3C0: IsRectEmpty.USER32(?), ref: 0041E4DD

InflateRect.USER32(?,?,?), ref: 0041E709
CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0041E90D
GetClipRgn.GDI32(?,00000000), ref: 0041E91C
CreatePolygonRgn.GDI32 ref: 0041E99A
SelectClipRgn.GDI32(?,?), ref: 0041EA7D
CreatePolygonRgn.GDI32(?,00000005,00000002), ref: 0041EAA0
SelectClipRgn.GDI32(?,?), ref: 0041EB21
DeleteObject.GDI32(?), ref: 0041EB37

Strings

gfff, xrefs: 0041E7FD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$ClipCreate$InflatePolygonSelect$DeleteEmptyIntersectObjectOffset
String ID: gfff
API String ID: 1105800552-1553575800
Opcode ID: 61d5a07cf9bc2d9f5dd4b7eec41a6d0f079debee9abaa409888ee87c06a67362
Instruction ID: 9bc2ea09910d87bb6a29f3695be4948189239b028f7eb80f1e029c01c2700f11
Opcode Fuzzy Hash: 61d5a07cf9bc2d9f5dd4b7eec41a6d0f079debee9abaa409888ee87c06a67362
Instruction Fuzzy Hash: 05F116746083419FD324DF2AC980BABBBE5BBC8704F108A1EF99987391D774E845CB56

Function 00405000 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMON

Download Yara Rule

APIs

Part of subcall function 0041EFF0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041F07C
Part of subcall function 0041EFF0: CreateCompatibleDC.GDI32(?), ref: 0041F08E
Part of subcall function 0041EFF0: CreateCompatibleDC.GDI32(?), ref: 0041F097
Part of subcall function 0041EFF0: SelectObject.GDI32(00000000,?), ref: 0041F0A6
Part of subcall function 0041EFF0: CreateCompatibleBitmap.GDI32(?,?,?), ref: 0041F0B9
Part of subcall function 0041EFF0: SelectObject.GDI32(?,00000000), ref: 0041F0C9
Part of subcall function 0041EFF0: BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 0041F0E9
Part of subcall function 0041EFF0: SelectObject.GDI32(00000000,?), ref: 0041F0F5
Part of subcall function 0041EFF0: DeleteDC.GDI32(00000000), ref: 0041F102
Part of subcall function 0041EFF0: SelectObject.GDI32(?,?), ref: 0041F10A
Part of subcall function 0041EFF0: DeleteDC.GDI32(?), ref: 0041F111

__ftol.LIBCMT ref: 00405125
__ftol.LIBCMT ref: 00405132
CreateRectRgn.GDI32(00000000,?,00000000,?), ref: 004051A4
CombineRgn.GDI32(?,?,004810B8,00000004), ref: 004051CA
SetRect.USER32(?,00000000,?,?,?), ref: 00405216
IntersectRect.USER32(?,?,?), ref: 0040522E
IsRectEmpty.USER32(?), ref: 00405259
CreateRectRgn.GDI32(00000000,?,?,00000000), ref: 004052FE
CombineRgn.GDI32(?,?,004810B8,00000004), ref: 00405324

Strings

{G, xrefs: 004051D0, 0040532A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Create$Rect$ObjectSelect$Compatible$BitmapCombineDelete__ftol$EmptyIntersect
String ID: {G
API String ID: 909876544-3571685011
Opcode ID: 4f6a02103338425d35d1312216df51d1a42a9f20d794c21f583a63836d18931c
Instruction ID: f1085f9c85c7e8fcda6bf20792b9a4775f0377b124f509d5fdeeb27342ef09e9
Opcode Fuzzy Hash: 4f6a02103338425d35d1312216df51d1a42a9f20d794c21f583a63836d18931c
Instruction Fuzzy Hash: E7A17C716087419BC310DF29C884A5BBBE8FBC8344F544A2DF59997290EB74E948CF96

Function 00466C44 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

LCMapStringW.KERNEL32(00000000,00000100,0048838C,00000001,00000000,00000000,771AE860,004B2658,?,?,?,0046046A,?,?,?,00000000), ref: 00466C86
LCMapStringA.KERNEL32(00000000,00000100,00488388,00000001,00000000,00000000,?,?,0046046A,?,?,?,00000000,00000001), ref: 00466CA2
LCMapStringA.KERNEL32(?,?,?,0046046A,?,?,771AE860,004B2658,?,?,?,0046046A,?,?,?,00000000), ref: 00466CEB
MultiByteToWideChar.KERNEL32(?,X&K,?,0046046A,00000000,00000000,771AE860,004B2658,?,?,?,0046046A,?,?,?,00000000), ref: 00466D23
MultiByteToWideChar.KERNEL32(00000000,00000001,?,0046046A,?,00000000,?,?,0046046A,?), ref: 00466D7B
LCMapStringW.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0046046A,?), ref: 00466D91
LCMapStringW.KERNEL32(?,?,?,00000000,?,?,?,?,0046046A,?), ref: 00466DC4
LCMapStringW.KERNEL32(?,?,?,?,?,00000000,?,?,0046046A,?), ref: 00466E2C

Strings

X&K, xrefs: 00466D14, 00466D1F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: String$ByteCharMultiWide
String ID: X&K
API String ID: 352835431-3208559910
Opcode ID: ccfa194707d2e8f659d3885a739334d89414246f3dec1f0f9196a7f6ea27e8dc
Instruction ID: efb124f96ab9b6a814aba5f79e1e41e81858400648fcf3b49d2cb8eb35b75369
Opcode Fuzzy Hash: ccfa194707d2e8f659d3885a739334d89414246f3dec1f0f9196a7f6ea27e8dc
Instruction Fuzzy Hash: 77518F31600219BFCF229F95CD45ADF7FB9FB48744F11412AF915A2260E33A8D60DB6A

Function 0046F989 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 172COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046F98E
GetSystemMetrics.USER32(0000002A), ref: 0046FA3F
GlobalLock.KERNEL32(?), ref: 0046FAC9
CreateDialogIndirectParamA.USER32(?,?,?,Function_0006F7D1,00000000), ref: 0046FAFB

Strings

MS Sans Serif, xrefs: 0046FA60
MS Shell Dlg, xrefs: 0046FA4D
Helv, xrefs: 0046FA73

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
String ID: Helv$MS Sans Serif$MS Shell Dlg
API String ID: 2364537584-2894235370
Opcode ID: be7fd2a06560fae40ab9200c79a7bf45a47d3a95e355a886377424c410f74e4b
Instruction ID: ec9a8460b20763641a376aa10f427ec4046e3f32b5e283f39bc6c1c810f7d4d1
Opcode Fuzzy Hash: be7fd2a06560fae40ab9200c79a7bf45a47d3a95e355a886377424c410f74e4b
Instruction Fuzzy Hash: F361817190020AEFCF14EFA5D9859EEBBB1BF04304F20457FE549A2291E7389E44CB5A

Function 00441B60 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 00441BDF
GetTextExtentPoint32A.GDI32(?,?,?,00000090), ref: 00441C04
GetWindowRect.USER32(?,?), ref: 00441C8E
SetRect.USER32(00000080,?,?,?,?), ref: 00441CC3
SetRect.USER32(00000070,?,?,?,?), ref: 00441D08
SetRect.USER32(00000060,?,?,?,?), ref: 00441D7B
GetSystemMetrics.USER32(00000001), ref: 00441DA6
GetSystemMetrics.USER32(00000000), ref: 00441DAC
OffsetRect.USER32(00000080,00000000,00000000), ref: 00441DC4
OffsetRect.USER32(00000080,00000000,00000000), ref: 00441DD2
OffsetRect.USER32(00000080,00000000,00000000), ref: 00441DE4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Offset$ExtentMetricsPoint32SystemText$Window
String ID:
API String ID: 1551820068-0
Opcode ID: 82c211b6d72567091e5ecdc756d069a2292f802acd7bfe83e537cece3e63a1e5
Instruction ID: bb12ebf85c44264a55f440c747098a3cbcb64b7dd358e81da1830f0eae60eb14
Opcode Fuzzy Hash: 82c211b6d72567091e5ecdc756d069a2292f802acd7bfe83e537cece3e63a1e5
Instruction Fuzzy Hash: B49135B0200B059FE318CF29C985A6AF7E6FB88700F048A2DA95AC7754EB74FC458B54

Function 00433DB0 Relevance: 16.7, APIs: 11, Instructions: 185windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00433DDE
FillRect.USER32(?,?,00000000), ref: 00433E3E
FillRect.USER32(?,?,00000000), ref: 00433EAE

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

FillRect.USER32(?,?,00000000), ref: 00433F25
CreateCompatibleDC.GDI32(?), ref: 00433F4D
SelectObject.GDI32(00000000,?), ref: 00433F63
SetStretchBltMode.GDI32(?,00000000), ref: 00433F95
StretchBlt.GDI32(?,?,?,?,?,00000000,00000000,00000000,?,?,00CC0020), ref: 00433FC8
BitBlt.GDI32(?,00000000,?,?,?,00000000,00000000,00000000,00CC0020), ref: 00433FF3
SelectObject.GDI32(00000000,?), ref: 00433FFF
DeleteDC.GDI32(00000000), ref: 0043400C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Fill$CreateObjectSelectStretch$BrushClientCompatibleDeleteH_prologModeSolid
String ID:
API String ID: 1645634290-0
Opcode ID: 67ac762483add49b96782216ea05f1347a2288ebef346ee2e3d170acd2dea827
Instruction ID: 331ae58a22c0b9b8f621ef7073e8e21b99e2aa9d2a11caaa2f132da901cba348
Opcode Fuzzy Hash: 67ac762483add49b96782216ea05f1347a2288ebef346ee2e3d170acd2dea827
Instruction Fuzzy Hash: FB614B75204701AFD724DF61C985FABB3F8AB88705F008A1EF95A87280DB74E905CB26

Function 0040A660 Relevance: 16.7, APIs: 11, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?,00000001), ref: 0040A699
GetCurrentObject.GDI32(?,00000002), ref: 0040A6E3
GetCurrentObject.GDI32(?,00000006), ref: 0040A72D
GetTextColor.GDI32(?), ref: 0040A76C
GetBkMode.GDI32(?), ref: 0040A796
GetBkColor.GDI32(?), ref: 0040A7B5
GetBkMode.GDI32(?), ref: 0040A7D8
GetBkColor.GDI32(?), ref: 0040A7F7
GetROP2.GDI32(?), ref: 0040A81F
GetStretchBltMode.GDI32(?), ref: 0040A840
GetPolyFillMode.GDI32(?), ref: 0040A86C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Mode$ColorCurrentObject$FillPolyStretchText
String ID:
API String ID: 544274770-0
Opcode ID: cb7cb7e6b776b4c64b264c5836b593583cdd1de455cbdd98e7818b674b6c3087
Instruction ID: 335da07d4f24d74fea67bd53caa6ab81e57c0f1efe384cfe91a3e567edb3b56f
Opcode Fuzzy Hash: cb7cb7e6b776b4c64b264c5836b593583cdd1de455cbdd98e7818b674b6c3087
Instruction Fuzzy Hash: 45515031210B019BC764DB70C888BABB3B5EF84305F148A2DE15F97290DB75F896CB59

Function 00431230 Relevance: 16.6, APIs: 11, Instructions: 149windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

GetClientRect.USER32(?,?), ref: 0043126D
CreateCompatibleBitmap.GDI32 ref: 004312A2
CreateCompatibleDC.GDI32(?), ref: 004312D2

Part of subcall function 00474E01: SelectObject.GDI32(?,?), ref: 00474E09

PatBlt.GDI32(?,00000000,00000000,?,?,00000042), ref: 0043130A
GetObjectA.GDI32(00000000,00000018,?), ref: 00431325
CreateCompatibleDC.GDI32(?), ref: 00431330
SelectObject.GDI32(00000000,00000000), ref: 00431340
BitBlt.GDI32(?,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 00431363
SelectObject.GDI32(00000000,?), ref: 0043136F
DeleteDC.GDI32(00000000), ref: 00431372
BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0043139B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Object$CompatibleCreateSelect$BeginBitmapClientDeleteH_prologPaintRect
String ID:
API String ID: 1593221388-0
Opcode ID: da8b596dbcaf6c345d18d8bbcae29e7b1548119d4bf1f80d1e94d7198614fb23
Instruction ID: 9e9782493ce04a6e386f9ed2c0e1cf3355a974f56f3e5bb4e4ebb3dbd1e8bc40
Opcode Fuzzy Hash: da8b596dbcaf6c345d18d8bbcae29e7b1548119d4bf1f80d1e94d7198614fb23
Instruction Fuzzy Hash: 61514F71208381AFD310DF65DC45F6BBBE8FBC8714F404A2DB69987291D7B8E8048B66

Function 00419470 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 181windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 004194BD
GetSysColor.USER32(0000000F), ref: 004194CE

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00419518
GetClientRect.USER32(?,?), ref: 00419531
LoadBitmapA.USER32(?,?), ref: 00419568
GetObjectA.GDI32(?,00000018,?), ref: 004195B7
CreateCompatibleDC.GDI32(?), ref: 004195DD
BitBlt.GDI32(?,?,?,?,?,?,00000000,00000000,00CC0020), ref: 0041966F

Strings

{G, xrefs: 0041957C, 00419698

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Object$CreateH_prologRectSelect$BeginBitmapBrushClientClipColorCompatibleEmptyLoadPaintSolid
String ID: {G
API String ID: 1390316934-3571685011
Opcode ID: c4f73dac3b29632a5b5602102f740d1ac6a44b5f626832cf8150264949dadde8
Instruction ID: 23bfdf5eeb11856a6879224333cfc8cf2b6bd2bc013ebf505c46d6baa82d7dda
Opcode Fuzzy Hash: c4f73dac3b29632a5b5602102f740d1ac6a44b5f626832cf8150264949dadde8
Instruction Fuzzy Hash: 3C616D711083819FD314DB65C845FABB7E8FBC8714F048A1DF19997290DB78E908CB66

Function 00463075 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045E84B), ref: 00463090
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045E84B), ref: 004630A4
GetEnvironmentStringsW.KERNEL32(?,00000000,?,?,?,?,0045E84B), ref: 004630D0
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045E84B), ref: 00463108
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,?,?,0045E84B), ref: 0046312A
FreeEnvironmentStringsW.KERNEL32(00000000,?,00000000,?,?,?,?,0045E84B), ref: 00463143
GetEnvironmentStrings.KERNEL32(?,00000000,?,?,?,?,0045E84B), ref: 00463156
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00463194

Strings

KE, xrefs: 0046313E, 00463130

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: EnvironmentStrings$ByteCharFreeMultiWide
String ID: KE
API String ID: 1823725401-4274131948
Opcode ID: aebf35f04b3e823bae0b138de56cfe496c39b4d0dad22d9cdc3c3f1aa969fb2f
Instruction ID: e03b1733ffbdf0c92e0d1206f12ceefd0959534b0d0e80efffb3a88e2d7d20b1
Opcode Fuzzy Hash: aebf35f04b3e823bae0b138de56cfe496c39b4d0dad22d9cdc3c3f1aa969fb2f
Instruction Fuzzy Hash: C0315AB25042916FD7203FBA9C8487B768DE64B34A711067BF546C3311F6298E85837F

Function 0041BD70 Relevance: 15.3, APIs: 10, Instructions: 288COMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(00FFFFFF), ref: 0041BECF
GetWindowRect.USER32(?), ref: 0041BEF9
GetStockObject.GDI32(00000005), ref: 0041BF27
LoadCursorA.USER32(00000000,00007F00), ref: 0041BF35
GetWindowRect.USER32(?,?), ref: 0041BFA3
GetWindowRect.USER32(?,?), ref: 0041BFB4
GetWindowRect.USER32(?,?), ref: 0041BFC9
GetSystemMetrics.USER32(00000001), ref: 0041BFDF
GetWindowRect.USER32(?,?), ref: 0041C06A
OffsetRect.USER32(?,00000000,00000001), ref: 0041C084

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Window$BrushCreateCursorLoadMetricsObjectOffsetSolidStockSystem
String ID:
API String ID: 3805611468-0
Opcode ID: 03eaaa9dc67f55a71cd03fd6a73c5df4c354614e7c45f1574add183e6ab74d91
Instruction ID: bf679803e0828fb24c147b71e3ed1b01e5cc9c7f3def529363f5e1f187aa9adb
Opcode Fuzzy Hash: 03eaaa9dc67f55a71cd03fd6a73c5df4c354614e7c45f1574add183e6ab74d91
Instruction Fuzzy Hash: 04A1B2702447019FD724DF65CD85BABB7E5EB88704F10891EF25A8B380EBB8A845CB59

Function 00409830 Relevance: 15.2, APIs: 10, Instructions: 198windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

GetClientRect.USER32(?,?), ref: 0040987E
IntersectRect.USER32(?,?,?), ref: 00409896
IsRectEmpty.USER32(?), ref: 004098C6
GetObjectA.GDI32(?,00000018,?), ref: 004098FD
CreateCompatibleDC.GDI32(?), ref: 00409923
IntersectRect.USER32(?,?,?), ref: 00409978
IsRectEmpty.USER32(?), ref: 00409983
BitBlt.GDI32(?,?,?,?,?,?,?,?,00CC0020), ref: 004099C1
DPtoLP.GDI32(?,?,00000002), ref: 00409A46
IsWindow.USER32(?), ref: 00409AA8

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$EmptyIntersect$BeginClientClipCompatibleCreateH_prologObjectPaintWindow
String ID:
API String ID: 29348440-0
Opcode ID: 924b318211b1048978eb70b0a0f8a405437f58c4e575eeed39caab4524bb0235
Instruction ID: 5922e2e82e2f054005e9a779275e5887e626807529c671869a7540762950dd0b
Opcode Fuzzy Hash: 924b318211b1048978eb70b0a0f8a405437f58c4e575eeed39caab4524bb0235
Instruction Fuzzy Hash: 568118B15087819FC324DF65C984AABB7E9FBC8704F008E2EF59A93351D734A909CB56

Function 0041A640 Relevance: 15.2, APIs: 10, Instructions: 179COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0041A65D
GetWindowRect.USER32(?,?), ref: 0041A66C
IntersectRect.USER32(?,?,?), ref: 0041A6C5
EqualRect.USER32(?,?), ref: 0041A6F5
GetWindowRect.USER32(?,?), ref: 0041A713
OffsetRect.USER32(?,?,?), ref: 0041A78A
OffsetRect.USER32(?,?,00000000), ref: 0041A7A4
OffsetRect.USER32(?,?,00000000), ref: 0041A7BC
OffsetRect.USER32(?,00000000,?), ref: 0041A7D6
OffsetRect.USER32(?,00000000,?), ref: 0041A7EE

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Offset$Window$EqualIntersect
String ID:
API String ID: 2638238157-0
Opcode ID: 774eedc39dbd56b908b72aec6b70e1daddbee18b364831ea23a5dac3cc51d53f
Instruction ID: 12e07bb6d2c284aa1ade4cdc9e9a425e9d4ec73ac3f3b45cd2c1279e4f19bc81
Opcode Fuzzy Hash: 774eedc39dbd56b908b72aec6b70e1daddbee18b364831ea23a5dac3cc51d53f
Instruction Fuzzy Hash: 4151FAB56083069FC708CF29C98496BBBF9ABC8744F004A2EF985D3354EA74ED458B52

Function 00431CC0 Relevance: 15.1, APIs: 10, Instructions: 86COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002E), ref: 00431CD1
GetSystemMetrics.USER32(0000002D), ref: 00431CD7
GetSystemMetrics.USER32(0000000A), ref: 00431CDD
GetSystemMetrics.USER32(0000000A), ref: 00431CE8
GetSystemMetrics.USER32(00000009), ref: 00431CF6
GetSystemMetrics.USER32(00000009), ref: 00431D02
GetWindowRect.USER32(?,?), ref: 00431D27
GetParent.USER32(?), ref: 00431D2D
GetWindowRect.USER32(?,00000000), ref: 00431D52
SetRect.USER32(?,?,00000000,?,?), ref: 00431D84

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MetricsSystem$Rect$Window$Parent
String ID:
API String ID: 3457858938-0
Opcode ID: 41e4569200fcfa936d2c5b2e66db7d7af182e5021615f2b822b16a53ea8e70f4
Instruction ID: 369aed60ecba1b3316a4fd4f7203d6bef2c1dd856008840a89562f8c854c1084
Opcode Fuzzy Hash: 41e4569200fcfa936d2c5b2e66db7d7af182e5021615f2b822b16a53ea8e70f4
Instruction Fuzzy Hash: C8218371A043056FD704DF69DC4596F77A9EBC9700F00492EF906D7290DBB4ED098BA6

Function 00474A66 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 58COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(00000011), ref: 00474A82
GetStockObject.GDI32(0000000D), ref: 00474A8A
GetObjectA.GDI32(00000000,0000003C,?), ref: 00474A97
GetDC.USER32(00000000), ref: 00474AA6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00474ABD
MulDiv.KERNEL32(?,00000048,00000000), ref: 00474AC9
ReleaseDC.USER32(00000000,00000000), ref: 00474AD4

Strings

System, xrefs: 00474A7B, 00474AEA

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Object$Stock$CapsDeviceRelease
String ID: System
API String ID: 46613423-3470857405
Opcode ID: e4b1a18803c47dcd09d64c6618a6f9410ad70b3178f91b49a5d33db632f7d8d4
Instruction ID: b8aefbe6f874015924ddaadc5b3415990b3192aa476b44a2d4309178b4170542
Opcode Fuzzy Hash: e4b1a18803c47dcd09d64c6618a6f9410ad70b3178f91b49a5d33db632f7d8d4
Instruction Fuzzy Hash: 76117771A40214AFEB109FA1DC45FAE7B68EB44745F008166FA09E62C0D7B49D41C769

Function 0046ABC1 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 50libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,00463841,?,Microsoft Visual C++ Runtime Library,00012010,?,00488104,?,00488154,?,?,?,Runtime Error!Program: ), ref: 0046ABD3
GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 0046ABEB
GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 0046ABFC
GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 0046AC09

Strings

GetActiveWindow, xrefs: 0046ABF6
GetLastActivePopup, xrefs: 0046ABFE
MessageBoxA, xrefs: 0046ABE5
user32.dll, xrefs: 0046ABCE

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AddressProc$LibraryLoad
String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
API String ID: 2238633743-4044615076
Opcode ID: 4d242cb9e70153bd0cd56a3cdb213be1c951c00b448f08dc7059dc9428827e21
Instruction ID: b86947b6a537cce566df0551ebe6cb2218f6ae8a167fd2122eb4073f7d53f0ba
Opcode Fuzzy Hash: 4d242cb9e70153bd0cd56a3cdb213be1c951c00b448f08dc7059dc9428827e21
Instruction Fuzzy Hash: 49018431700701EFC730AFB59ED891B7AE9DB88781314093FB504D2221EAB888609F6E

Function 0047296B Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(COMCTL32.DLL,00000800,00000000,00000400,00472C65,?,00020000), ref: 00472974
LoadLibraryA.KERNEL32(COMCTL32.DLL), ref: 0047297D
GetProcAddress.KERNEL32(00000000,InitCommonControlsEx), ref: 00472991
#17.COMCTL32 ref: 004729AC
#17.COMCTL32 ref: 004729C8
FreeLibrary.KERNEL32(00000000), ref: 004729D4

Strings

COMCTL32.DLL, xrefs: 0047296D, 00472973, 0047297A
InitCommonControlsEx, xrefs: 00472989

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Library$AddressFreeHandleLoadModuleProc
String ID: COMCTL32.DLL$InitCommonControlsEx
API String ID: 1437655972-4218389149
Opcode ID: fed3fc9f67fc4354eca912c12ad927ee25ca1fd50cfcc17f2c49a29457d2d97e
Instruction ID: ee075590c8403db15fbf7042a2fed8315e84f876a36f665713d1fc275d56fb79
Opcode Fuzzy Hash: fed3fc9f67fc4354eca912c12ad927ee25ca1fd50cfcc17f2c49a29457d2d97e
Instruction Fuzzy Hash: D8F0F9B27002124B42119F659D4854F769CAF98752B098477F949E3310CBB4DC415BBD

Function 00415D90 Relevance: 13.9, APIs: 9, Instructions: 387windowCOMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 00415DC8
GetParent.USER32(?), ref: 00415E59
IsWindow.USER32(?), ref: 00415F8B
IsWindowVisible.USER32(?), ref: 00415F9D

Part of subcall function 00472F8D: IsWindowEnabled.USER32(?), ref: 00472F97

GetParent.USER32(?), ref: 00415FEE
IsChild.USER32(?,?), ref: 0041600E
GetParent.USER32(?), ref: 004161B7
SendMessageA.USER32(?,000000F1,00000001,00000000), ref: 004161D4
IsWindow.USER32(?), ref: 0041622F

Part of subcall function 0040C1B0: IsChild.USER32(?,?), ref: 0040C22D
Part of subcall function 0040C1B0: GetParent.USER32(?), ref: 0040C247

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ParentWindow$Child$EnabledMessageSendVisible
String ID:
API String ID: 2452671399-0
Opcode ID: 844d5c868df849a2157aec92a4718879d32b9e06efc80a9493034c23262229a1
Instruction ID: f3b2d0fbf12e34170c702070be9d1d2533dd080fc278c652e9e3555a870f106d
Opcode Fuzzy Hash: 844d5c868df849a2157aec92a4718879d32b9e06efc80a9493034c23262229a1
Instruction Fuzzy Hash: 33E1E2716043419FC720DF25C980BABB7E8BF85704F010A2EF98597381DB78E985CB9A

Function 0046B401 Relevance: 13.7, APIs: 9, Instructions: 221COMMON

Download Yara Rule

APIs

CompareStringW.KERNEL32(00000000,00000000,0048838C,00000001,0048838C,00000001,00000000,022C11CC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045EED3), ref: 0046B43F
CompareStringA.KERNEL32(00000000,00000000,00488388,00000001,00488388,00000001), ref: 0046B45C
CompareStringA.KERNEL32(004500F6,00000000,00000000,00000000,0045EED3,00000000,00000000,022C11CC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045EED3), ref: 0046B4BA
GetCPInfo.KERNEL32(00000000,00000000,00000000,022C11CC,0000000C,00000000,0000000C,00000000,000001D0,00000000,00000000,0045EED3,00000000), ref: 0046B50B
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000), ref: 0046B58A
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046B5EB
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046B5FE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046B64A
CompareStringW.KERNEL32(004500F6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046B662

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ByteCharCompareMultiStringWide$Info
String ID:
API String ID: 1651298574-0
Opcode ID: 8076c5a4190ada52f4be73c20edd3f1e7df3ee84a411ff8d03d57d30445b5f2a
Instruction ID: 898a07f377f7f9a0a455b42837ecbd93b7e418edcd0d6052ccb511d8ff1f09c2
Opcode Fuzzy Hash: 8076c5a4190ada52f4be73c20edd3f1e7df3ee84a411ff8d03d57d30445b5f2a
Instruction Fuzzy Hash: C171AD72A00249AFCF219F55DC419EB7FB9EB05304F10412BF911E2261E73A8891CBAB

Function 0041A3E0 Relevance: 13.6, APIs: 9, Instructions: 118COMMON

Download Yara Rule

APIs

GetCapture.USER32 ref: 0041A3E6
ClientToScreen.USER32(?,?), ref: 0041A423
OffsetRect.USER32(?,?,?), ref: 0041A44C
GetParent.USER32(?), ref: 0041A452

Part of subcall function 004753C6: ScreenToClient.USER32(?,00000000), ref: 004753DA
Part of subcall function 004753C6: ScreenToClient.USER32(?,00000008), ref: 004753E3

GetClientRect.USER32(?,?), ref: 0041A475
OffsetRect.USER32(?,?,00000000), ref: 0041A493
OffsetRect.USER32(?,?,00000000), ref: 0041A4AB
OffsetRect.USER32(?,00000000,?), ref: 0041A4C9
OffsetRect.USER32(?,00000000,?), ref: 0041A4E9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Offset$Client$Screen$CaptureParent
String ID:
API String ID: 838496554-0
Opcode ID: aba45347822f9b8a7fc27c7986b2a5970630e3d65e2aa8bf5e0a5a9946ef9700
Instruction ID: db672139c05d888ef008936e07c309371017dab7dc5c740e3247627240ab41b0
Opcode Fuzzy Hash: aba45347822f9b8a7fc27c7986b2a5970630e3d65e2aa8bf5e0a5a9946ef9700
Instruction Fuzzy Hash: D541F8B5204301AFD718DF69D984D6FB7E9ABC8700F008A1DF986C7250DB74ED488B66

Function 0046FC6D Relevance: 13.6, APIs: 9, Instructions: 113COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046FC72
FindResourceA.KERNEL32(?,00000000,00000005), ref: 0046FCAA
LoadResource.KERNEL32(?,00000000,?,?,?,00000000), ref: 0046FCB2

Part of subcall function 00470AAF: UnhookWindowsHookEx.USER32(?), ref: 00470AD4

LockResource.KERNEL32(?,?,00000000,?,?,?,00000000), ref: 0046FCBF
IsWindowEnabled.USER32(?), ref: 0046FCF2
EnableWindow.USER32(?,00000000), ref: 0046FD00
EnableWindow.USER32(?,00000001), ref: 0046FD8E
GetActiveWindow.USER32 ref: 0046FD99
SetActiveWindow.USER32(?,?,?,00000000,?,?,?,00000000), ref: 0046FDA7

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Resource$ActiveEnable$EnabledFindH_prologHookLoadLockUnhookWindows
String ID:
API String ID: 401145483-0
Opcode ID: bf216a9627e47d6089919cf36dc479d508df2883d4e56eb53af2e42c4cfd8af5
Instruction ID: c7050416f1a8ac80436cbb6c868e2c4ef5ed896be97a178c8337377d5eb793a7
Opcode Fuzzy Hash: bf216a9627e47d6089919cf36dc479d508df2883d4e56eb53af2e42c4cfd8af5
Instruction Fuzzy Hash: B44110309006049FCB21AF65DC49AAEBBB5FF48704F10462FF446A22A1EB385D458B6A

Function 00417BD0 Relevance: 13.6, APIs: 9, Instructions: 85windowCOMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,?,00000001,?,?,?,?), ref: 00417BEA
GetTopWindow.USER32(?), ref: 00417BF0
IsWindowVisible.USER32(00000000), ref: 00417C01
GetWindowLongA.USER32(00000000,000000EC), ref: 00417C12
GetClientRect.USER32(00000000,?), ref: 00417C65
IntersectRect.USER32(?,?,?), ref: 00417C7A
IsRectEmpty.USER32(?), ref: 00417C85
InvalidateRect.USER32(00000000,00000000,00000000,?,?,?,?), ref: 00417C96
GetWindow.USER32(00000000,00000002), ref: 00417C9B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Window$Invalidate$ClientEmptyIntersectLongVisible
String ID:
API String ID: 938479747-0
Opcode ID: 317903f7ee635e88150ac802ed6bc74b10e83bcf9edc95b58dc40eca817ddee6
Instruction ID: 0110be1a4f402fb63bc2a329cb8dbdcf8274b3de57032f1523989f7d8dc19338
Opcode Fuzzy Hash: 317903f7ee635e88150ac802ed6bc74b10e83bcf9edc95b58dc40eca817ddee6
Instruction Fuzzy Hash: 88219171204302AB9310DF56C884DABB7FCBF88304B044A6DF50997241EB34D9858BAA

Function 0046CF05 Relevance: 13.6, APIs: 9, Instructions: 80windowstringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041C1F9,?,-00000001,00000000,?,?,?,0049ABD8), ref: 0046CF0F
GetFocus.USER32 ref: 0046CF2A

Part of subcall function 00470AAF: UnhookWindowsHookEx.USER32(?), ref: 00470AD4

IsWindowEnabled.USER32(?), ref: 0046CF53
EnableWindow.USER32(?,00000000), ref: 0046CF65
GetOpenFileNameA.COMDLG32(?,?), ref: 0046CF90
GetSaveFileNameA.COMDLG32(?,?), ref: 0046CF97
EnableWindow.USER32(?,00000001), ref: 0046CFAE
IsWindow.USER32(?), ref: 0046CFB4
SetFocus.USER32(?), ref: 0046CFC2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$EnableFileFocusName$EnabledHookOpenSaveUnhookWindowslstrlen
String ID:
API String ID: 3606897497-0
Opcode ID: c6622fb51b048dbe624321510bca23accede7af4a97188f0b8a65af9737283ab
Instruction ID: 22b17ee7c133d4b1911be1a183014536dc2e8cd58e69996ac5f43d7595924ae7
Opcode Fuzzy Hash: c6622fb51b048dbe624321510bca23accede7af4a97188f0b8a65af9737283ab
Instruction Fuzzy Hash: 1721A771204701ABDB246B72EC86B6B77E5EF44714F00452FF5C6C62D1EB79E8408B5A

Function 0041C7F0 Relevance: 12.4, APIs: 8, Instructions: 368windowCOMMON

Download Yara Rule

APIs

CreatePopupMenu.USER32 ref: 0041C96E
AppendMenuA.USER32(?,?,00000000,?), ref: 0041CAD1
AppendMenuA.USER32(?,00000000,00000000,?), ref: 0041CB09
ModifyMenuA.USER32(?,00000000,00000000,00000000,00000000), ref: 0041CB27
AppendMenuA.USER32(?,?,00000000,?), ref: 0041CB85
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041CBAA
AppendMenuA.USER32(?,?,?,?), ref: 0041CBF2
ModifyMenuA.USER32(?,?,?,?,?), ref: 0041CC17

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Menu$Append$Modify$CreatePopup
String ID:
API String ID: 3846898120-0
Opcode ID: 67b41d760d65365d35c6dea3f0ca94293e545819f27aa7aa7b0d06ffda99d328
Instruction ID: 3e593d160286896a754c75311f3010394191624e0052eb1536a264c45ad772cb
Opcode Fuzzy Hash: 67b41d760d65365d35c6dea3f0ca94293e545819f27aa7aa7b0d06ffda99d328
Instruction Fuzzy Hash: 87D1ACB15443148BC714DF19DC84A6BBBE4FF89754F04092DF989A3381E778AD84CB9A

Function 0046A34E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 117COMMON

Download Yara Rule

APIs

GetStringTypeW.KERNEL32(00000001,0048838C,00000001,?,771AE860,004B2658,?,?,0046046A,?,?,?,00000000,00000001), ref: 0046A38D
GetStringTypeA.KERNEL32(00000000,00000001,00488388,00000001,?,?,0046046A,?,?,?,00000000,00000001), ref: 0046A3A7
GetStringTypeA.KERNEL32(?,?,?,?,0046046A,771AE860,004B2658,?,?,0046046A,?,?,?,00000000,00000001), ref: 0046A3DB
MultiByteToWideChar.KERNEL32(?,X&K,?,?,00000000,00000000,771AE860,004B2658,?,?,0046046A,?,?,?,00000000,00000001), ref: 0046A413
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?,?,?,?,?,0046046A,?), ref: 0046A469
GetStringTypeW.KERNEL32(?,?,00000000,0046046A,?,?,?,?,?,?,0046046A,?), ref: 0046A47B

Strings

X&K, xrefs: 0046A404, 0046A40F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: StringType$ByteCharMultiWide
String ID: X&K
API String ID: 3852931651-3208559910
Opcode ID: ec79ac16c677bb9e57f8b0f22c115b0614e31abf757d5940b663ba115e66cbaa
Instruction ID: 24c503e58caeba57f76843789bcdc5b71f3ee2d8db1c161fdbbf333837086e1f
Opcode Fuzzy Hash: ec79ac16c677bb9e57f8b0f22c115b0614e31abf757d5940b663ba115e66cbaa
Instruction Fuzzy Hash: FB418D71500609AFCF209F94DC8AAAF7F79EB08750F104526F915E2250E778D9A0DB9B

Function 0046371D Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 100fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 0046378A
GetStdHandle.KERNEL32(000000F4,00488104,00000000,00000000,00000000,?), ref: 00463860
WriteFile.KERNEL32(00000000), ref: 00463867

Strings

<program name unknown>, xrefs: 0046379A
..., xrefs: 004637DC
Microsoft Visual C++ Runtime Library, xrefs: 00463836
Runtime Error!Program: , xrefs: 004637F0

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: File$HandleModuleNameWrite
String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
API String ID: 3784150691-4022980321
Opcode ID: 7177076a8a8b41b79b9bc082728aac1f72361615b4745a17b3c5fc4930419204
Instruction ID: 269b6602b33631abb11f0d829d05c6a6e8ecb8852b24c2477c8c65b4b499dc46
Opcode Fuzzy Hash: 7177076a8a8b41b79b9bc082728aac1f72361615b4745a17b3c5fc4930419204
Instruction Fuzzy Hash: 7F31F4F2A002086FEF20EB60CD46FDA33ACAB45305F5405ABF545D6151FA78AA848B5B

Function 004236D0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 93networkCOMMON

Download Yara Rule

APIs

accept.WS2_32 ref: 00423714

Strings

P, xrefs: 0042370C
%s:%d, xrefs: 0042378E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: accept
String ID: %s:%d$P
API String ID: 3005279540-612342447
Opcode ID: 721d011140d60b071be6afa674e0e2726607d3bc09ce4292eab088146a0a2793
Instruction ID: 095314eb2b3309d0e8deb2efb54d585c57cf794a1060e0d8448955dc947bfc26
Opcode Fuzzy Hash: 721d011140d60b071be6afa674e0e2726607d3bc09ce4292eab088146a0a2793
Instruction Fuzzy Hash: 263172712046015FE720EF29EC88DAB73E8FFD4725F404B2EF5A5922D0EB7499098B55

Function 0045CAC0 Relevance: 12.3, APIs: 8, Instructions: 306COMMON

Download Yara Rule

APIs

__ftol.LIBCMT ref: 0045CE18
__ftol.LIBCMT ref: 0045CE35
__ftol.LIBCMT ref: 0045CE51
__ftol.LIBCMT ref: 0045CE6B
__ftol.LIBCMT ref: 0045CE89
__ftol.LIBCMT ref: 0045CEA7
__ftol.LIBCMT ref: 0045CEC3
__ftol.LIBCMT ref: 0045CEDD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: __ftol
String ID:
API String ID: 495808979-0
Opcode ID: ba05833ba0cc8534a09baaa127e6872fdfa75acc0879f5b9cd5e02798a40b418
Instruction ID: 277c83e48f75e7924921a8df465aa563584cc01545df56fb0887a8ec24f2e953
Opcode Fuzzy Hash: ba05833ba0cc8534a09baaa127e6872fdfa75acc0879f5b9cd5e02798a40b418
Instruction Fuzzy Hash: C0D13272909342DFD3019F22D08925ABFB0FFD4744FA6099DE0D56626AE3318578CF86

Function 0043F580 Relevance: 12.2, APIs: 8, Instructions: 162COMMON

Download Yara Rule

APIs

GetDeviceCaps.GDI32(?,00000058), ref: 0043F598
GetDeviceCaps.GDI32(?,0000005A), ref: 0043F5A1
GetDeviceCaps.GDI32(?,0000006E), ref: 0043F5B2
GetDeviceCaps.GDI32(?,0000006F), ref: 0043F5CF
GetDeviceCaps.GDI32(?,00000070), ref: 0043F5E4
GetDeviceCaps.GDI32(?,00000071), ref: 0043F5F9
GetDeviceCaps.GDI32(?,00000008), ref: 0043F60E
GetDeviceCaps.GDI32(?,0000000A), ref: 0043F623

Part of subcall function 0043F360: __ftol.LIBCMT ref: 0043F365

Part of subcall function 0043F390: __ftol.LIBCMT ref: 0043F395

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CapsDevice$__ftol
String ID:
API String ID: 1555043975-0
Opcode ID: 76948cf01538fd80a1a5cc9d125878341f81a8c005dda44fa75dce4102e5af14
Instruction ID: b3b5c6605deca3b6c37b90240e4e578a4217291ee859015bf31e98a20de88bcf
Opcode Fuzzy Hash: 76948cf01538fd80a1a5cc9d125878341f81a8c005dda44fa75dce4102e5af14
Instruction Fuzzy Hash: E2513A705087419BD700EF6AC885A6FBBE4FFC9704F01495DFAC4962A0DB71D9248B96

Function 00431150 Relevance: 12.1, APIs: 8, Instructions: 77COMMON

Download Yara Rule

APIs

ReleaseCapture.USER32 ref: 00431221

Part of subcall function 00472F8D: IsWindowEnabled.USER32(?), ref: 00472F97

GetClientRect.USER32(?,?), ref: 00431177
PtInRect.USER32(?,?,?), ref: 0043118C
ClientToScreen.USER32(?,?), ref: 0043119D
WindowFromPoint.USER32(?,?), ref: 004311AD
ReleaseCapture.USER32 ref: 004311C7
GetCapture.USER32 ref: 004311E1
SetCapture.USER32(?), ref: 004311EC

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Capture$ClientRectReleaseWindow$EnabledFromPointScreen
String ID:
API String ID: 3076215760-0
Opcode ID: 92a10628406a4a0dfbdb5882de0a4002f6e6e393045b57f1b7110cb612dbb47d
Instruction ID: 584391131cd30ed37e74b0fb4764417c8f9785bc7856f48e52a2dd2a3e484098
Opcode Fuzzy Hash: 92a10628406a4a0dfbdb5882de0a4002f6e6e393045b57f1b7110cb612dbb47d
Instruction Fuzzy Hash: 4E210A352002009BD710EB5AD844EBF73E8EFCC308F048A5EF985D2261E678DC458BA9

Function 00473399 Relevance: 12.1, APIs: 8, Instructions: 65memorystringCOMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 004733B9
lstrcmpA.KERNEL32(?,?), ref: 004733C5
OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 004733D7
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 004733FA
GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00473402
GlobalLock.KERNEL32(00000000), ref: 0047340F
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0047341C
ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 0047343A

Part of subcall function 0047621F: GlobalFlags.KERNEL32(?), ref: 00476229
Part of subcall function 0047621F: GlobalUnlock.KERNEL32(?), ref: 00476240
Part of subcall function 0047621F: GlobalFree.KERNEL32(?), ref: 0047624B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
String ID:
API String ID: 168474834-0
Opcode ID: 64a05dbd7d8697a4d999a191fb5b27ef73348e5b91b9a6d99789aba4e12083c5
Instruction ID: 3351327441c7be122d2173d2a430d7ebaa4a1621b8ef8ad5db34bb00cc7f0c96
Opcode Fuzzy Hash: 64a05dbd7d8697a4d999a191fb5b27ef73348e5b91b9a6d99789aba4e12083c5
Instruction Fuzzy Hash: E7119171500144BADB256FB6CC4AEAF7BAEEF89745F40445AFA0CD2122D6399E40A728

Function 00407A70 Relevance: 12.1, APIs: 8, Instructions: 55COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00407A8C
PtInRect.USER32(?,?,?), ref: 00407AA1
ReleaseCapture.USER32 ref: 00407AB1
InvalidateRect.USER32(?,00000000,00000000), ref: 00407ABF
GetCapture.USER32 ref: 00407ACF
SetCapture.USER32(?), ref: 00407ADA
InvalidateRect.USER32(?,00000000,00000000), ref: 00407AFB
SetCapture.USER32(?), ref: 00407B05

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CaptureRect$Invalidate$ClientRelease
String ID:
API String ID: 3559558096-0
Opcode ID: 0c03f4bb99b994a683fba5ad03509df0a8319aeb3fd6206eb0738ce1a8ba9b22
Instruction ID: a42c518e1e3bc53f0649a9f66e9ffbce9e6adf91ad9c2b48ea81709c82c63164
Opcode Fuzzy Hash: 0c03f4bb99b994a683fba5ad03509df0a8319aeb3fd6206eb0738ce1a8ba9b22
Instruction Fuzzy Hash: 71115E71500710AFD320EB65DC48F9B77B8BB88704F008A6DF58AD7250E734F8458B69

Function 0040BBA0 Relevance: 10.8, APIs: 7, Instructions: 268windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0040BBDD
GetParent.USER32(?), ref: 0040BBEF
SendMessageA.USER32(?,0000130B,00000000,00000000), ref: 0040BC17
GetWindowRect.USER32(?,?), ref: 0040BCA1
InvalidateRect.USER32(?,?,00000001,?), ref: 0040BCC4
GetWindowRect.USER32(?,?), ref: 0040BE8C
InvalidateRect.USER32(?,?,00000001,?), ref: 0040BEAD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Window$Invalidate$MessageParentSend
String ID:
API String ID: 236041146-0
Opcode ID: bbacd1e5933a470cb0a56a2f676f94e4186d054eb225409781a40626f17b41d2
Instruction ID: c79ada7066ee12ea7fad326cac3fc3a85a6fba3ad43600a2d24097984be0074f
Opcode Fuzzy Hash: bbacd1e5933a470cb0a56a2f676f94e4186d054eb225409781a40626f17b41d2
Instruction Fuzzy Hash: AA91AE316443059BD720EF25C944B6B72E8EF84758F144A2EF905AB3C2EB78E9418BDD

Function 00440AF0 Relevance: 10.8, APIs: 7, Instructions: 260windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 00440B1D
GetParent.USER32(?), ref: 00440B29
GetClientRect.USER32(?,?), ref: 00440B3A

Part of subcall function 00475402: ClientToScreen.USER32(00403AC8,?), ref: 00475416
Part of subcall function 00475402: ClientToScreen.USER32(00403AC8,?), ref: 0047541F

GetParent.USER32(?), ref: 00440B4C

Part of subcall function 004753C6: ScreenToClient.USER32(?,00000000), ref: 004753DA
Part of subcall function 004753C6: ScreenToClient.USER32(?,00000008), ref: 004753E3

Part of subcall function 00475558: __EH_prolog.LIBCMT ref: 0047555D
Part of subcall function 00475558: GetDC.USER32(00000000), ref: 00475586

SendMessageA.USER32 ref: 00440B7F

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

GetTextExtentPoint32A.GDI32(?,0049D150,00000001,?), ref: 00440BAC
EqualRect.USER32(?,?), ref: 00440D6A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Client$Screen$Rect$ObjectParentSelect$EqualExtentH_prologMessagePoint32SendText
String ID:
API String ID: 98060165-0
Opcode ID: 9ae62954b8d2f2450505d7fd4763a2590a09a114acb81b21c501c88fa312361a
Instruction ID: 18dba59a087c35a5779b9bc0a74ede3e8472364f73bc8f86ded2d3aaffaa5bd7
Opcode Fuzzy Hash: 9ae62954b8d2f2450505d7fd4763a2590a09a114acb81b21c501c88fa312361a
Instruction Fuzzy Hash: 23919D712087019FD718CF29C8C1A6BB7E5ABC8704F104A2EF586C7341D778E859CB5A

Function 0041E3C0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 170COMMON

Download Yara Rule

APIs

SetRect.USER32(?,00000000,00000032,00000032,?), ref: 0041E4A9
OffsetRect.USER32(?,?,?), ref: 0041E4B6
IntersectRect.USER32(?,?,?), ref: 0041E4D2
IsRectEmpty.USER32(?), ref: 0041E4DD
OffsetRect.USER32(?,?,?), ref: 0041E51A

Strings

2, xrefs: 0041E466

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Offset$EmptyIntersect
String ID: 2
API String ID: 765610062-450215437
Opcode ID: 11003edc7c06e69fc2fac7009fe145df28a8809d2255e23cf75fe40f457d8eb9
Instruction ID: 0f0231f9c58da2d2a28c07026d596094d8bff0c83da126d975e3e78e4cae1268
Opcode Fuzzy Hash: 11003edc7c06e69fc2fac7009fe145df28a8809d2255e23cf75fe40f457d8eb9
Instruction Fuzzy Hash: 8A6129B56083419FD314CF5AC5849ABFBEABBC8344F148A2EF98987310D734E945CB56

Function 00409630 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 159windowCOMMON

Download Yara Rule

APIs

IsRectEmpty.USER32(?), ref: 00409652
CreateRectRgn.GDI32 ref: 004096D4
GetClientRect.USER32(?,?), ref: 004096FD
FillRgn.GDI32(?,?,?), ref: 00409776
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 004097EC

Strings

{G, xrefs: 00409732, 004097FA

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$ClientCreateEmptyFill
String ID: {G
API String ID: 97219908-3571685011
Opcode ID: 6a8af540e350e06e8cd14ea01bf1ef7eac2f298c2e7fb500bb9d10731a83c2f8
Instruction ID: 7deaadc9e2caf7b10de6a72303acbea5fc5909825e45e97a1cf15b4cf526034e
Opcode Fuzzy Hash: 6a8af540e350e06e8cd14ea01bf1ef7eac2f298c2e7fb500bb9d10731a83c2f8
Instruction Fuzzy Hash: 48515BB1214642AFD714EF65C884E6BB7E9FF88704F00892EB559D7281D778EC04CBA6

Function 004772AA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 140windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000019F,00000000,00000000), ref: 004772CE
GetParent.USER32(?), ref: 004772D5

Part of subcall function 00472DFE: GetWindowLongA.USER32(?,000000F0), ref: 00472E0A

SendMessageA.USER32(?,00000187,00000000,00000000), ref: 00477328
SendMessageA.USER32(0000AC84,00000111,?,?), ref: 00477379
SendMessageA.USER32(?,00000185,00000000,00000000), ref: 00477404

Strings

, xrefs: 004772AB

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$LongParentWindow
String ID:
API String ID: 779260966-3916222277
Opcode ID: db26de18d014128a53dbee33792159795441411dd1ac0cf71a9bd4faf9bfeeaa
Instruction ID: 135c2b1d9b8de8b456a8499052cb8451c3cf31dba53e454f05a7dde5db659c9f
Opcode Fuzzy Hash: db26de18d014128a53dbee33792159795441411dd1ac0cf71a9bd4faf9bfeeaa
Instruction Fuzzy Hash: 03311A702147146FCB357A368C80DBF7A9DEB49748B51C93EF94AD2291CA2DDC02D678

Function 00432F10 Relevance: 10.6, APIs: 7, Instructions: 130windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432F2B

Part of subcall function 00472FA8: EnableWindow.USER32(?,?), ref: 00472FB6

Part of subcall function 00472D24: GetDlgItem.USER32(?,?), ref: 00472D32

SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432F65
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432F7C
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00432FCD
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433007
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 00433034
SendMessageA.USER32(?,000000F0,00000000,00000000), ref: 0043306A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$EnableItemWindow
String ID:
API String ID: 607626308-0
Opcode ID: 73e2e70e1442836abbbbf6b9b9971ac58be94b2ea5ec4792d94da53ee0e84f46
Instruction ID: dee05ba851cb7f1d38dc6b5f78cb3f35215ac07e8651d9503d8973347fe0b43e
Opcode Fuzzy Hash: 73e2e70e1442836abbbbf6b9b9971ac58be94b2ea5ec4792d94da53ee0e84f46
Instruction Fuzzy Hash: 793190713C074076EA38A275CD96FEB22B59BC6B05F10452EF21AAF1C2CDE8A840D71C

Function 004727A0 Relevance: 10.6, APIs: 7, Instructions: 122windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004727D4
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004727FD
UpdateWindow.USER32(?), ref: 00472819
SendMessageA.USER32(?,00000121,00000000,?), ref: 0047283F
SendMessageA.USER32(?,0000036A,00000000,00000001), ref: 0047285E
UpdateWindow.USER32(?), ref: 004728A1
PeekMessageA.USER32(00000000,00000000,00000000,00000000,00000000), ref: 004728D4

Part of subcall function 00472DFE: GetWindowLongA.USER32(?,000000F0), ref: 00472E0A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Message$Window$PeekSendUpdate$LongParent
String ID:
API String ID: 2853195852-0
Opcode ID: 6e6a34a83d18250a0484d97339919f377b422511b8a39fcae7a847ddcabc03a3
Instruction ID: 42cca56e4a5ac5df0183ca3af56ce0b98a2c758bca5a3505a95a10b19fdae257
Opcode Fuzzy Hash: 6e6a34a83d18250a0484d97339919f377b422511b8a39fcae7a847ddcabc03a3
Instruction Fuzzy Hash: 9741B3306043419BD720AF268944E5BBAF4FFC4B04F108A1FF45996291C7BAD945DB5B

Function 00476FFB Relevance: 10.6, APIs: 7, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0047871F: __EH_prolog.LIBCMT ref: 00478724

Part of subcall function 00472DFE: GetWindowLongA.USER32(?,000000F0), ref: 00472E0A

SendMessageA.USER32(?,000001A1,00000000,00000000), ref: 00477044
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 00477053
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 0047706C
SendMessageA.USER32(?,0000018E,00000000,00000000), ref: 00477094
SendMessageA.USER32(?,0000018B,00000000,00000000), ref: 004770A3
SendMessageA.USER32(?,00000198,?,?), ref: 004770B9
PtInRect.USER32(?,000000FF,?), ref: 004770C5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$H_prologLongRectWindow
String ID:
API String ID: 2846605207-0
Opcode ID: b5c8232b8dd40a2c9f61f1cc3b397c6484c648151181255eea116c89bde8d925
Instruction ID: 5eb003828ad40aabaced148f03c20a0348b95a78db52bfcefc0cfd0596ab9b67
Opcode Fuzzy Hash: b5c8232b8dd40a2c9f61f1cc3b397c6484c648151181255eea116c89bde8d925
Instruction Fuzzy Hash: 01312770A00209FFDB10DFA5CC81DEEB7B9EF44348B20C56AF915A72A1D774AE429B14

Function 0047317F Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 85stringtimeCOMMON

Download Yara Rule

APIs

lstrcpynA.KERNEL32(?,?,00000104,?,?,?,?,?,?,?,00473169,?), ref: 004731A9
GetFileTime.KERNEL32(00000000,i1G,?,?,?,?,?,?,?,?,?,00473169,?), ref: 004731CA
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,00473169,?), ref: 004731D9
GetFileAttributesA.KERNEL32(?,?,?,?,?,?,?,?,00473169,?), ref: 004731FA

Strings

i1G, xrefs: 00473187, 0047320C, 0047321D, 0047322F, 00473194
i1G, xrefs: 004731C5, 00473207, 004731C8, 0047320B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: File$AttributesSizeTimelstrcpyn
String ID: i1G$i1G
API String ID: 1499663573-3758398814
Opcode ID: 2d635bf171cc924d5299ac0f4abe0a332b9eb5f5b51214a47fab726c5166f96d
Instruction ID: a6b9fe626fe35d4286fd2411add92ffb1e42c72dfa45db520f86de07d7aa9c6a
Opcode Fuzzy Hash: 2d635bf171cc924d5299ac0f4abe0a332b9eb5f5b51214a47fab726c5166f96d
Instruction Fuzzy Hash: 0231B172900205AFC710DFA5C885EEBBBB8FB14341F108A6EF15AC7191E774EA84CB94

Function 004793FE Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 65registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,software,00000000,0002001F,?,?,00000000), ref: 0047942C
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047944F
RegCreateKeyExA.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?,?,00000000), ref: 0047946E
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0047947E
RegCloseKey.ADVAPI32(?,?,00000000), ref: 00479488

Strings

software, xrefs: 00479416

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CloseCreate$Open
String ID: software
API String ID: 1740278721-2010147023
Opcode ID: 8a51326e099ab46a1e55ee49a2f7e0ae4ec1a972dadeee80fedb6ed3469683ee
Instruction ID: 7dc427ccc66abee71b02caa95acab82c81b2203099060c2350e3f887dfc2d811
Opcode Fuzzy Hash: 8a51326e099ab46a1e55ee49a2f7e0ae4ec1a972dadeee80fedb6ed3469683ee
Instruction Fuzzy Hash: 4D11F872901158FBCB21DB9ACC88DEFFFBCEF89704F1040AAE505A2121D2759E41DBA4

Function 0045E43A Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 61stringCOMMON

Download Yara Rule

APIs

SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0045E478
GetSystemMetrics.USER32(00000000), ref: 0045E490
GetSystemMetrics.USER32(00000001), ref: 0045E497
lstrcpyA.KERNEL32(?,DISPLAY), ref: 0045E4BB

Strings

DISPLAY, xrefs: 0045E4B5
B, xrefs: 0045E459

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: System$Metrics$InfoParameterslstrcpy
String ID: B$DISPLAY
API String ID: 1409579217-3316187204
Opcode ID: 7cf837957293f88b9379466eb4079a9763c757381c00ba7d595c1abdc53b2199
Instruction ID: 1fc4f9aa71284627dff6952c0d43e4ad5f6967f2d84610a08c104fca2a7ce8a9
Opcode Fuzzy Hash: 7cf837957293f88b9379466eb4079a9763c757381c00ba7d595c1abdc53b2199
Instruction Fuzzy Hash: C311E7715003249BCB059F679C8869B7FA8EF0A751B008563FC0C9B146D3B9D644CBA8

Function 00474AF7 Relevance: 10.5, APIs: 7, Instructions: 29COMMON

Download Yara Rule

APIs

GetSysColor.USER32(0000000F), ref: 00474B03
GetSysColor.USER32(00000010), ref: 00474B0A
GetSysColor.USER32(00000014), ref: 00474B11
GetSysColor.USER32(00000012), ref: 00474B18
GetSysColor.USER32(00000006), ref: 00474B1F
GetSysColorBrush.USER32(0000000F), ref: 00474B2C
GetSysColorBrush.USER32(00000006), ref: 00474B33

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Color$Brush
String ID:
API String ID: 2798902688-0
Opcode ID: 4a3207a4a8937395013d0a872cdb410838480c4dc6092941ab3453691b310564
Instruction ID: 44c8d4cf5a2b2cd3b163c0c2f5292992926ae5d77662c299a91e766de1ae3b3e
Opcode Fuzzy Hash: 4a3207a4a8937395013d0a872cdb410838480c4dc6092941ab3453691b310564
Instruction Fuzzy Hash: 04F0F8719407489BD730ABB29D09B47BAE4FFC4B10F02092AD2858BA90E6B5A4409F44

Function 00416310 Relevance: 9.2, APIs: 6, Instructions: 176windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00416361
IsWindow.USER32(?), ref: 00416376
IsChild.USER32(?,?), ref: 00416387
SetFocus.USER32(?), ref: 00416398
IsWindow.USER32(?), ref: 00416490
IsWindowVisible.USER32(?), ref: 0041649E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$ChildFocusVisible
String ID:
API String ID: 372613587-0
Opcode ID: f94437c4de884e32ed8fa5544f9721b3a6d4154444d2b5e213d1169a0bfe77db
Instruction ID: b1f279b01037dbc9e176972e4b82558a7c6b4e0f563218a3257518906a21a161
Opcode Fuzzy Hash: f94437c4de884e32ed8fa5544f9721b3a6d4154444d2b5e213d1169a0bfe77db
Instruction Fuzzy Hash: 2351AFB16003059FC720EF25D884DABB7E9FF84358F01492EF84597286DB78E945CBA9

Function 00432420 Relevance: 9.1, APIs: 6, Instructions: 136windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000147,00000000,00000000), ref: 0043244C

Part of subcall function 0046E92E: InterlockedIncrement.KERNEL32(-000000F4), ref: 0046E943

OpenPrinterA.WINSPOOL.DRV(?,?,00000000), ref: 0043247D
DocumentPropertiesA.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000), ref: 004324C5
DocumentPropertiesA.WINSPOOL.DRV(?,?,?,00000000,00000000,0000000E), ref: 0043255B
ClosePrinter.WINSPOOL.DRV(?,?,?,?,00000000,00000000,0000000E), ref: 00432590

Part of subcall function 0046EBB9: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046EBCD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: DocumentInterlockedProperties$CloseDecrementIncrementMessageOpenPrinterPrinter.Send
String ID:
API String ID: 1978028495-0
Opcode ID: 827dfc67f36485d190cbb7dd4dd1382db913e76a3025403cadb86f816eb2217e
Instruction ID: 5fbb988d4ac2c9ce61d785d66e993327cd0bdfe48b522d0faa329833ad4201e4
Opcode Fuzzy Hash: 827dfc67f36485d190cbb7dd4dd1382db913e76a3025403cadb86f816eb2217e
Instruction Fuzzy Hash: 0941F5B4104345ABC724DF25CC81EEB77A9EF98724F00490DF85987381D778D945C7AA

Function 00428C60 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00428CA2
IsRectEmpty.USER32(?), ref: 00428CD3
OffsetRect.USER32(?,00000000,?), ref: 00428D23
LPtoDP.GDI32(?,?,00000002), ref: 00428D58
GetClientRect.USER32(?,?), ref: 00428D67
IntersectRect.USER32(?,?,?), ref: 00428D7C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$ClientCopyEmptyIntersectOffset
String ID:
API String ID: 1743551499-0
Opcode ID: 36467b326c1229e6b1d65797276fe176bd7864eb619c730c6c5216030d419125
Instruction ID: 100921e174bfc183f2940a01f03d52659d5a2dc0576d971055939c5847112cae
Opcode Fuzzy Hash: 36467b326c1229e6b1d65797276fe176bd7864eb619c730c6c5216030d419125
Instruction Fuzzy Hash: D14138B66087019FC308CF69D88096BB7E9FBC8700F048A2EF55AC7251DB74D845CBA2

Function 0041E280 Relevance: 9.1, APIs: 6, Instructions: 100COMMON

Download Yara Rule

APIs

Part of subcall function 0041E1F0: CreateDIBitmap.GDI32(?,?,00000004,?,?,00000000), ref: 0041E26B

CreateCompatibleDC.GDI32(?), ref: 0041E2DA
DeleteObject.GDI32(00000000), ref: 0041E2EF

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Create$BitmapCompatibleDeleteObject
String ID:
API String ID: 3709961035-0
Opcode ID: a41619deeafebc8578a57b1a284da02ffbfdd0e26f362298fd332d2bec617557
Instruction ID: 5e78ea3b322a3c5d6a7587aee125aaac71c125892f20ae0fc59c7253fc481d18
Opcode Fuzzy Hash: a41619deeafebc8578a57b1a284da02ffbfdd0e26f362298fd332d2bec617557
Instruction Fuzzy Hash: 943160762047409FC314DF6AD984FABB7E8FBC8724F004A6EF55983281D778E8058766

Function 0041A830 Relevance: 9.1, APIs: 2, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0041A8BD
wsprintfA.USER32 ref: 0041A8D9

Strings

%d / %d], xrefs: 0041A8B7
?? / %d], xrefs: 0041A8D3
- [, xrefs: 0041A858
- , xrefs: 0041A904

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf
String ID: - $ - [$%d / %d]$?? / %d]
API String ID: 2111968516-3107364983
Opcode ID: fa002db78119f0b944b1b264f3e05db6978464972f18d99124db9b07c5b8c321
Instruction ID: b8599d6bb23a8efc257de5e4d2087ea8d868c2f217e0dc7d081a466f686d4085
Opcode Fuzzy Hash: fa002db78119f0b944b1b264f3e05db6978464972f18d99124db9b07c5b8c321
Instruction Fuzzy Hash: 6B317074204301AFC714EB16CD45BABB7E4AF84714F10892EF49A83291EB78E859CB97

Function 00478492 Relevance: 9.1, APIs: 6, Instructions: 85memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(004B1F0C,004B1EFC,00000000,?,004B1F0C,?,004786FA,004B1EFC,00000000,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E), ref: 0047849D
EnterCriticalSection.KERNEL32(004B1F28,00000010,?,004B1F0C,?,004786FA,004B1EFC,00000000,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E), ref: 004784EC
LeaveCriticalSection.KERNEL32(004B1F28,00000000,?,004B1F0C,?,004786FA,004B1EFC,00000000,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E), ref: 004784FF
LocalAlloc.KERNEL32(00000000,00000004,?,004B1F0C,?,004786FA,004B1EFC,00000000,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E), ref: 00478515
LocalReAlloc.KERNEL32(?,00000004,00000002,?,004B1F0C,?,004786FA,004B1EFC,00000000,?,00000000,00478111,00477A10,0047812D,00473902,00474B9E), ref: 00478527
TlsSetValue.KERNEL32(004B1F0C,00000000), ref: 00478563

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AllocCriticalLocalSectionValue$EnterLeave
String ID:
API String ID: 4117633390-0
Opcode ID: 4885bd8e5b58c922649d07103e530e5f7cc881e51c0aeeb39bf73999ade1766b
Instruction ID: 1b14ce1223cf98e943ce273b313473e171ba0cd46306996122440bbd3643050a
Opcode Fuzzy Hash: 4885bd8e5b58c922649d07103e530e5f7cc881e51c0aeeb39bf73999ade1766b
Instruction Fuzzy Hash: 8731AE71200605EFD724CF16C889EA6B7A8FB48354F00CA6EE41AC7650EB74E805CB65

Function 004712D0 Relevance: 9.1, APIs: 6, Instructions: 82windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004712D5
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00471322
SendMessageA.USER32(?,0000001F,00000000,00000000), ref: 00471344
GetCapture.USER32 ref: 00471356
SendMessageA.USER32(00000000,0000001F,00000000,00000000), ref: 00471365
WinHelpA.USER32(?,?,?,?), ref: 00471379

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$CaptureH_prologHelp
String ID:
API String ID: 432264411-0
Opcode ID: 18f4b74e11591a3c42605fb41340886b5f368d6cbf6d3ec48eec9a0730cc41cc
Instruction ID: f09deee2f4f5ee41e11bd5e4f72ff4667d6cc2ac5b04bf8c88d11346cc0c4953
Opcode Fuzzy Hash: 18f4b74e11591a3c42605fb41340886b5f368d6cbf6d3ec48eec9a0730cc41cc
Instruction Fuzzy Hash: 75219571240208BFEB21AF65CC8AFAA76AAEF44758F00856EF149971E2CB749C009714

Function 004767A3 Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004767D6
GetLastActivePopup.USER32(?), ref: 004767E5
IsWindowEnabled.USER32(?), ref: 004767FA
EnableWindow.USER32(?,00000000), ref: 0047680D
GetWindowLongA.USER32(?,000000F0), ref: 0047681F
GetParent.USER32(?), ref: 0047682D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
String ID:
API String ID: 670545878-0
Opcode ID: 5ec95d04b4da99f8c7de6fb4ae662cba76bc0e7f6a5f7b233c65ba776efde8a8
Instruction ID: 6eecb92c07775f9cb4be073185819a50f8f60fc09baeba580c5848590623163e
Opcode Fuzzy Hash: 5ec95d04b4da99f8c7de6fb4ae662cba76bc0e7f6a5f7b233c65ba776efde8a8
Instruction Fuzzy Hash: 7A11EB32602A205796342A6F8C84BAF739E5F54F54F0B826AEC0CD3300D718CC0186EF

Function 00407540 Relevance: 9.1, APIs: 6, Instructions: 54windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000002,?), ref: 0040755B
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040756D
SendMessageA.USER32(?,0000110A,00000002,?), ref: 0040757B
SendMessageA.USER32(?,0000110A,00000001,?), ref: 0040758D
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 0040759F
SendMessageA.USER32(?,0000110A,00000001,?), ref: 004075AD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0e33f842f2f93b0417210f9c26f02c3522fedc2d45690e551ebce3febabd7da1
Instruction ID: d0db95ab8ea728b9b8290d7d0b553c74baedcc1a504c90de42cddd6312820373
Opcode Fuzzy Hash: 0e33f842f2f93b0417210f9c26f02c3522fedc2d45690e551ebce3febabd7da1
Instruction Fuzzy Hash: A40162B2B403057EF534D6658CC2FE3A2AD9F98B91F008629B701AB6C0C5F5FC424A70

Function 0042B930 Relevance: 9.1, APIs: 6, Instructions: 54COMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 0042B952
ScreenToClient.USER32(00000001,?), ref: 0042B961

Part of subcall function 0042B9E0: DPtoLP.GDI32(?,?,00000001), ref: 0042BAF7

LoadCursorA.USER32(00000000,00007F85), ref: 0042B991
SetCursor.USER32(00000000), ref: 0042B998
LoadCursorA.USER32(00000000,00007F84), ref: 0042B9B7
SetCursor.USER32(00000000), ref: 0042B9BE

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Cursor$Load$ClientScreen
String ID:
API String ID: 789353160-0
Opcode ID: 78fa25f95a6496b9f77bc138b24d887b21700ad048caeeeae035cfd399e9ab36
Instruction ID: 5890a64a289c4a9866776073201b2468d9ae58227e2b93f11c241ef694efca24
Opcode Fuzzy Hash: 78fa25f95a6496b9f77bc138b24d887b21700ad048caeeeae035cfd399e9ab36
Instruction Fuzzy Hash: 1C11A9716042119FCA10EB65ED59E9F7368EB94B05F004A2EF54986280EB74D988C7B7

Function 004761A8 Relevance: 9.0, APIs: 6, Instructions: 48windowCOMMON

Download Yara Rule

APIs

GetFocus.USER32 ref: 004761AB

Part of subcall function 0047604D: GetWindowLongA.USER32(00000000,000000F0), ref: 0047605E

GetParent.USER32(00000000), ref: 004761D2

Part of subcall function 0047604D: GetClassNameA.USER32(00000000,?,0000000A), ref: 00476079
Part of subcall function 0047604D: lstrcmpiA.KERNEL32(?,combobox), ref: 00476088

GetWindowLongA.USER32(?,000000F0), ref: 004761ED
GetParent.USER32(?), ref: 004761FB
GetDesktopWindow.USER32 ref: 004761FF
SendMessageA.USER32(00000000,0000014F,00000000,00000000), ref: 00476213

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$LongParent$ClassDesktopFocusMessageNameSendlstrcmpi
String ID:
API String ID: 2818563221-0
Opcode ID: 43cb321f08a5f85bbadd62e4aed34effcefd304bc2b9439695adef02bfb129a2
Instruction ID: b54aca9b87c332c4e37373f5d30338ef52accf5e6cc8a2f7971d76f4758620ea
Opcode Fuzzy Hash: 43cb321f08a5f85bbadd62e4aed34effcefd304bc2b9439695adef02bfb129a2
Instruction Fuzzy Hash: 8CF04431A40A2026E23236665C48FEF511B4B85B58F2782AAF81CA73C29B1CCC4144EC

Function 004760C2 Relevance: 9.0, APIs: 6, Instructions: 46COMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 004760D1
GetWindow.USER32(?,00000005), ref: 004760E2
GetDlgCtrlID.USER32(00000000), ref: 004760EB
GetWindowLongA.USER32(00000000,000000F0), ref: 004760FA
GetWindowRect.USER32(00000000,?), ref: 0047610C
PtInRect.USER32(?,?,?), ref: 0047611C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Rect$ClientCtrlLongScreen
String ID:
API String ID: 1315500227-0
Opcode ID: 0e0060e67d15d748e337394f06664292c1df01d4654e489a4109b4f59dbf7a26
Instruction ID: 5f75060dbdf5f3be65905468e5747d7ab9e2d050b960572b34e1a3c37eb34b49
Opcode Fuzzy Hash: 0e0060e67d15d748e337394f06664292c1df01d4654e489a4109b4f59dbf7a26
Instruction Fuzzy Hash: E5017131200515ABDB119B65DD0CEEF3B6DEF08710F458161F909A61A5E63899419798

Function 00407D60 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 00407DA6
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 00407E2D
GetCurrentObject.GDI32(?,00000006), ref: 00407EBA
GetClientRect.USER32(?,?), ref: 00407F2C

Part of subcall function 00475732: __EH_prolog.LIBCMT ref: 00475737
Part of subcall function 00475732: EndPaint.USER32(?,?,?,?,004044C3), ref: 00475754

Strings

{G, xrefs: 00407F5D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologPaintRect$BeginClientClipCurrentEmptyObject
String ID: {G
API String ID: 3717962522-3571685011
Opcode ID: f4117b12b0fbf2b3d4cdbe8d21ae3287e5f77c6a524b7b381417328cbb7ce37d
Instruction ID: 862cf16bb09034218f4443234d5037ccbe9fa3ef680ca2fc4156790aafbdf9bf
Opcode Fuzzy Hash: f4117b12b0fbf2b3d4cdbe8d21ae3287e5f77c6a524b7b381417328cbb7ce37d
Instruction Fuzzy Hash: E8617E715083419FD324DB25C841FABB7E8BFD8714F00892EF19A83291DB78A909CB57

Function 0042CAC0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 157COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0042CAFF
CreateFontIndirectA.GDI32(00000028), ref: 0042CB68
GetTextExtentPoint32A.GDI32(?,?,?,?), ref: 0042CBAF

Strings

{G, xrefs: 0042CC7A
(, xrefs: 0042CB54

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateExtentFontIndirectPoint32Textwsprintf
String ID: {G$(
API String ID: 3175173087-3330564328
Opcode ID: aa725184b40974c00a788a18f9dd08b44105e90c50f187f9fe250a47edc92eb1
Instruction ID: aca1ab7263ad1379d11a5ba09503d4c54f4d5000ccb503bd9713e43c61c11e46
Opcode Fuzzy Hash: aa725184b40974c00a788a18f9dd08b44105e90c50f187f9fe250a47edc92eb1
Instruction Fuzzy Hash: 1A51C3712043458FC328DF28D885B6FBBE5FB88304F144A1EF59A87381DBB5A945CB96

Function 0046345E Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32 ref: 0046347D
GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 004634B2
GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 00463512

Strings

__MSVCRT_HEAP_SELECT, xrefs: 004634AD
__GLOBAL_HEAP_SELECTED, xrefs: 004634EC

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: EnvironmentFileModuleNameVariableVersion
String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
API String ID: 1385375860-4131005785
Opcode ID: c32e349b95e2885332bbd7f52f9355547aeb37ad5cf39b9e25001e8a531ab2ed
Instruction ID: 19df04455d65acce554a960baf7edf5d034492d33637148dbd414a29779c7732
Opcode Fuzzy Hash: c32e349b95e2885332bbd7f52f9355547aeb37ad5cf39b9e25001e8a531ab2ed
Instruction Fuzzy Hash: AF3115719052D879EB329E719C457EA77689B06309F2404DBD086C7242FA399FC58B1F

Function 00470CBD Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000000,00000405,00000000,?), ref: 00470D76
GetWindowLongA.USER32(?,000000FC), ref: 00470D87
GetWindowLongA.USER32(?,000000FC), ref: 00470D97
SetWindowLongA.USER32(?,000000FC,?), ref: 00470DB3

Strings

(, xrefs: 00470D61

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID: (
API String ID: 2178440468-3887548279
Opcode ID: 785614400adb583a2e1588a393cbb901674a55c3edd3ef2ad2023397af5d3c65
Instruction ID: 388fae811ce3cce6859add39f903e5240c2ada0d171145e45cee6e332b0fa741
Opcode Fuzzy Hash: 785614400adb583a2e1588a393cbb901674a55c3edd3ef2ad2023397af5d3c65
Instruction Fuzzy Hash: 8131D031601700DFDB31AFA5D884A9ABBF5BF48314F14866EE54A97692CB38F8408B58

Function 0040EEB0 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 99COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040EEF9
GetTickCount.KERNEL32 ref: 0040EF3E

Strings

X6J, xrefs: 0040EEC1
X6J, xrefs: 0040EFAF
C1_, xrefs: 0040EEFB, 0040EF46

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CountTick
String ID: C1_$X6J$X6J
API String ID: 536389180-4051417117
Opcode ID: 9290c176c21d5f59606581df546746cbe6892395a687c09625771a46179f45e0
Instruction ID: e94635db4d8c4e3ca7cf506de681cf77d4c520a3b0f0f332261e6cee84f50dde
Opcode Fuzzy Hash: 9290c176c21d5f59606581df546746cbe6892395a687c09625771a46179f45e0
Instruction Fuzzy Hash: F8314CB22053056BC624DF2BEC80A67B799D7A1314F10493FF911933C1DBB9A855C79D

Function 00478F4F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 88stringCOMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?), ref: 00478F80

Part of subcall function 0047906C: lstrlenA.KERNEL32(00000104,00000000,?,00478FB0), ref: 004790A3

lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00479021
lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 0047904E

Strings

.HLP, xrefs: 0047901B
.INI, xrefs: 00479048

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: FileModuleNamelstrcatlstrcpylstrlen
String ID: .HLP$.INI
API String ID: 2421895198-3011182340
Opcode ID: e34136af03bc38afa9056a8313a6752401746483d07b7ab225a720510a6c4939
Instruction ID: 6777b5824565c5ede121c1160eb4ede071fa469b868183777dff6447d6ceea9f
Opcode Fuzzy Hash: e34136af03bc38afa9056a8313a6752401746483d07b7ab225a720510a6c4939
Instruction Fuzzy Hash: 723172B1904718AFDB21EF71D885BC6B7FCAB04304F1089AFE299D3151EB74A984CB58

Function 0041CEA0 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32(?), ref: 0041CEE0
GlobalSize.KERNEL32(?), ref: 0041CF03
GlobalSize.KERNEL32(?), ref: 0041CF33
GlobalUnlock.KERNEL32(?), ref: 0041CF43

Strings

BM, xrefs: 0041CEFD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$Size$LockUnlock
String ID: BM
API String ID: 2233901773-2348483157
Opcode ID: 2c7c4cadeea11ef3867d9bb77aa25d007c85adce27100e61d34f5206fdc3ab09
Instruction ID: 769ad477fd6080d00ab2572e551e9ac3a8d2d9303588d501354ae0b5d0bf46af
Opcode Fuzzy Hash: 2c7c4cadeea11ef3867d9bb77aa25d007c85adce27100e61d34f5206fdc3ab09
Instruction Fuzzy Hash: 1C21B672900214EBC710DFA9D941BDEFBB8FF48720F1042AAE919E3791D738994087A9

Function 004711D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 68COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 0047120C
wsprintfA.USER32 ref: 00471228
GetClassInfoA.USER32(?,-00000058,?), ref: 00471237

Strings

Afx:%x:%x:%x:%x:%x, xrefs: 00471222
Afx:%x:%x, xrefs: 00471206

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf$ClassInfo
String ID: Afx:%x:%x$Afx:%x:%x:%x:%x:%x
API String ID: 845911565-79760390
Opcode ID: d99add8d9665821b6b4d9238e6f5242e75cd0aa8cf677551d22d437bb6cfaaa6
Instruction ID: 474ea394d7027a99449f0acd3192837ddc56b506ea88c24ba71809ef2f778f8e
Opcode Fuzzy Hash: d99add8d9665821b6b4d9238e6f5242e75cd0aa8cf677551d22d437bb6cfaaa6
Instruction Fuzzy Hash: 452130B1900209AF8F10EF99DC449DF7BB8EF49354B00846BF908F2251D7348A51DBA9

Function 00414BB0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 60windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconA.SHELL32(00000001,?,?,00000058), ref: 00414C29
DestroyCursor.USER32(?), ref: 00414C36
Shell_NotifyIconA.SHELL32(?,?,00000000,00000058), ref: 00414C69

Strings

X, xrefs: 00414BC7
d, xrefs: 00414BD9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: IconNotifyShell_$CursorDestroy
String ID: X$d
API String ID: 3039372612-651813629
Opcode ID: 8d6672e5e06735aa447a253a5e44ab98a95887cb7fe9af3a710c8f65d94cedf6
Instruction ID: 202293225918aa077c6509107eb3298bc00305c7be3e66d69f2a72beef8293e3
Opcode Fuzzy Hash: 8d6672e5e06735aa447a253a5e44ab98a95887cb7fe9af3a710c8f65d94cedf6
Instruction Fuzzy Hash: C02138756087009FE310DF15D804B9BBBE5BBC8704F00891EF9C893350EBB5E9488BA6

Function 0046F811 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56windowCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000F0), ref: 0046F852
GetDlgItem.USER32(?,00000002), ref: 0046F871
IsWindowEnabled.USER32(00000000), ref: 0046F87C
SendMessageA.USER32(?,00000111,00000002,00000000), ref: 0046F892

Strings

Edit, xrefs: 0046F85C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$EnabledItemLongMessageSend
String ID: Edit
API String ID: 3499652902-554135844
Opcode ID: ce8b613b86944e942b09750121a6300be229ae62999251582becf2b60fcea156
Instruction ID: c8603f4ae855883492cf47400911ca9c6715e0ca1352fbdff6c2ebf69062689d
Opcode Fuzzy Hash: ce8b613b86944e942b09750121a6300be229ae62999251582becf2b60fcea156
Instruction Fuzzy Hash: E3018831200302AAEB303A2AAC09F6B67559F44754F1445B7F589D76F1EB68EC85C61E

Function 00470C23 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 39COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00470C28

Strings

iH, xrefs: 00470C4C
iH, xrefs: 00470C44
iH, xrefs: 00470C54
iH, xrefs: 00470C5C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prolog
String ID: iH$ iH$ iH$ iH
API String ID: 3519838083-1641845196
Opcode ID: 42927f4314c2c11aeba04ca0e22963b3e7b8bb3539b7244310b53d214a213855
Instruction ID: 1b4eba373af86f0149a348140ba788be4830b89dc52f7ae700b231cc280dc8f6
Opcode Fuzzy Hash: 42927f4314c2c11aeba04ca0e22963b3e7b8bb3539b7244310b53d214a213855
Instruction Fuzzy Hash: E1017131902310CFDB3D9B58C1597EAB6A4EB04715F04C7AFE45A536E1C3789D40CA59

Function 00410B90 Relevance: 7.9, APIs: 5, Instructions: 359COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 988792a90e0b659fb36c76c55bf263735913fa2420c0600a54e4b11809b3a33d
Instruction ID: 88f04b18724d8519c98eff00add799602a149264be32160feb03a8d903c4bab2
Opcode Fuzzy Hash: 988792a90e0b659fb36c76c55bf263735913fa2420c0600a54e4b11809b3a33d
Instruction Fuzzy Hash: 2CC1B3715043059FC720DF24C8859ABB7E9FF84748F10492EF84697352E7B8E9868B9A

Function 004294F0 Relevance: 7.7, APIs: 5, Instructions: 229COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 00429579
GetClientRect.USER32(00000000,?), ref: 004295B2
DPtoLP.GDI32 ref: 00429608
GetClientRect.USER32(00000000,?), ref: 004296DC
DPtoLP.GDI32 ref: 00429732

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Client$Copy
String ID:
API String ID: 472922470-0
Opcode ID: 3889db461c7c0d7f18858b3d52bd71999c3ffb8cf116c4373d9befcc520914d9
Instruction ID: 7ca4cda0e87e0962d48fd2db94badc5f52f47881bad6a4a63d67014a90affcc1
Opcode Fuzzy Hash: 3889db461c7c0d7f18858b3d52bd71999c3ffb8cf116c4373d9befcc520914d9
Instruction Fuzzy Hash: 688182713083519FC314EF69D490B6FB7E5BBC8708F80491EF19A87241DB789D058B56

Function 00417790 Relevance: 7.7, APIs: 5, Instructions: 196windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0041786C
SendMessageA.USER32(?,00008003,00000000,00000000), ref: 00417883
GetWindowRect.USER32(?,00000000), ref: 004178D5
GetClientRect.USER32(?,00000000), ref: 0041792D
GetWindowRect.USER32(?,00000000), ref: 00417951

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: RectWindow$ClientMessageSend
String ID:
API String ID: 1071774122-0
Opcode ID: 073932ac841115530614dd338e12d6a542ffb00cfcc4b48b830048aece69d11a
Instruction ID: f2f7c3b7c880590776eff3af8b0ff016687ce00089201d24edc400eadd23435a
Opcode Fuzzy Hash: 073932ac841115530614dd338e12d6a542ffb00cfcc4b48b830048aece69d11a
Instruction Fuzzy Hash: 1161B0719083459FD710EF25C984AABB7E8EF88744F004A1EF98597380DA78DD45CB9A

Function 004631A7 Relevance: 7.6, APIs: 5, Instructions: 150COMMON

Download Yara Rule

APIs

GetStartupInfoA.KERNEL32(?), ref: 00463205
GetFileType.KERNEL32(?,?,00000000), ref: 004632B0
GetStdHandle.KERNEL32(-000000F6,?,00000000), ref: 00463313
GetFileType.KERNEL32(00000000,?,00000000), ref: 00463321
SetHandleCount.KERNEL32 ref: 00463358

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: FileHandleType$CountInfoStartup
String ID:
API String ID: 1710529072-0
Opcode ID: 4ee080395b2c4293cf9057cb5d7ee94b0520831904b6acb705a10db59322bdf4
Instruction ID: 519795e0779ee541768cf01374102d942dbae17a0219fdb06d2fdd6abc52a432
Opcode Fuzzy Hash: 4ee080395b2c4293cf9057cb5d7ee94b0520831904b6acb705a10db59322bdf4
Instruction Fuzzy Hash: 045149315002828BD7108F68C9587663BE4EF1132AF2547AED462CB3E1EB38DA45C70E

Function 004158B0 Relevance: 7.6, APIs: 5, Instructions: 104windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00415980
WinHelpA.USER32(?,00000000,00000002,00000000), ref: 0041599B
GetMenu.USER32(?), ref: 004159AB
SetMenu.USER32(?,00000000), ref: 004159B8
DestroyMenu.USER32(00000000), ref: 004159C3

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Menu$DestroyHelpWindow
String ID:
API String ID: 427501538-0
Opcode ID: 900248818ea90f49cd304404cac36940d517b6250341081c7f6a018ff64a8fb4
Instruction ID: cd0288b7ab08309e29e2199d3bae35148d1275fb3a6357eee8c4928d32a3d660
Opcode Fuzzy Hash: 900248818ea90f49cd304404cac36940d517b6250341081c7f6a018ff64a8fb4
Instruction Fuzzy Hash: FD31C7B1600619EBC314AF66C945EEBB7ACFF85358F05061EF50957240DB39B8818BAA

Function 00421C50 Relevance: 7.6, APIs: 5, Instructions: 103synchronizationCOMMON

Download Yara Rule

APIs

midiStreamStop.WINMM(?,00000000,?,00000000,004217BA,00000000,004AF738,00417DA6,004AF738,?,004128CF,004AF738,00410886,00000001,00000000,000000FF), ref: 00421C85
midiOutReset.WINMM(?,?,004128CF,004AF738,00410886,00000001,00000000,000000FF), ref: 00421CA3
WaitForSingleObject.KERNEL32(?,000007D0,?,004128CF,004AF738,00410886,00000001,00000000,000000FF), ref: 00421CC6
midiStreamClose.WINMM(?,?,004128CF,004AF738,00410886,00000001,00000000,000000FF), ref: 00421D03
midiStreamClose.WINMM(?,?,004128CF,004AF738,00410886,00000001,00000000,000000FF), ref: 00421D37

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: midi$Stream$Close$ObjectResetSingleStopWait
String ID:
API String ID: 3142198506-0
Opcode ID: 81aeb9052c6ebb1a7b2826ea8fdfd5b928bb0a3ec5f0f4d3f62ab820ff395ce9
Instruction ID: e8dc1890f0ce8cf0780f92cc90d5123d005915214ae813253ce6e126cd49c9f5
Opcode Fuzzy Hash: 81aeb9052c6ebb1a7b2826ea8fdfd5b928bb0a3ec5f0f4d3f62ab820ff395ce9
Instruction Fuzzy Hash: 33316076700760CBC7309F66E4C892BB7E9BBA83057904A3FE146C7610C778E8858B98

Function 004119E0 Relevance: 7.6, APIs: 5, Instructions: 92windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 00411A50
GetMenu.USER32(?), ref: 00411A5F
DestroyAcceleratorTable.USER32(?), ref: 00411AAC
SetMenu.USER32(?,00000000), ref: 00411AC1
DestroyMenu.USER32(?), ref: 00411AD1

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Menu$Destroy$AcceleratorTableWindow
String ID:
API String ID: 1240299919-0
Opcode ID: 2d84444f675289ec8f195568eb6d712add0adf2a265f7c8c520dc28e79bb584b
Instruction ID: 10e2991d96be5e5f697965df49564790a0cfd767b2d1506c8e83187c5f534aac
Opcode Fuzzy Hash: 2d84444f675289ec8f195568eb6d712add0adf2a265f7c8c520dc28e79bb584b
Instruction Fuzzy Hash: 9331C471500216AFC620EF66DC48D6B77A9EF84748F01452EF90597292EB38E905CBE5

Function 00417620 Relevance: 7.6, APIs: 5, Instructions: 90COMMON

Download Yara Rule

APIs

IsChild.USER32(?,?), ref: 0041763C

Part of subcall function 0040C1B0: IsChild.USER32(?,?), ref: 0040C22D
Part of subcall function 0040C1B0: GetParent.USER32(?), ref: 0040C247

GetCursorPos.USER32(?), ref: 00417654
GetClientRect.USER32(?,?), ref: 00417663
PtInRect.USER32(?,?,?), ref: 00417684
SetCursor.USER32(?,?,00000000,?,?,?,?,004172B0), ref: 00417702

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ChildCursorRect$ClientParent
String ID:
API String ID: 1110532797-0
Opcode ID: e25a4836c973aa0d7cc268796f470df279e30610eb3dab6f125b92b108758518
Instruction ID: 037d321ab3e97d686f1c527d00f26ea2aefb973ea637010b5f54223afecc8cfa
Opcode Fuzzy Hash: e25a4836c973aa0d7cc268796f470df279e30610eb3dab6f125b92b108758518
Instruction Fuzzy Hash: 7C21F5316046019FC720EB35CC49F9B73F8AF84754F144A2EF809A72C1E778E98587A9

Function 0046CFE0 Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0046CFE5
GetParent.USER32(?), ref: 0046D022
SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046D04A
GetParent.USER32(?), ref: 0046D073
SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046D090

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageParentSend$H_prolog
String ID:
API String ID: 1056721960-0
Opcode ID: 6795a1119fa966d58b7fc8c70fc27923af799787eb82c01bb05bc492571600d6
Instruction ID: ff8bc72f987023a23740f7cb78c63d0c7a7722598aee02e91eb3b5dc542ca221
Opcode Fuzzy Hash: 6795a1119fa966d58b7fc8c70fc27923af799787eb82c01bb05bc492571600d6
Instruction Fuzzy Hash: 74318670900215EBCB04EFA2CC45EAEB7B4FF44318F10452EB525A71E1EB38AD06CB1A

Function 00403990 Relevance: 7.6, APIs: 5, Instructions: 86COMMON

Download Yara Rule

APIs

Part of subcall function 0047560C: __EH_prolog.LIBCMT ref: 00475611
Part of subcall function 0047560C: GetWindowDC.USER32(?,?,?,004039C1), ref: 0047563A

GetClientRect.USER32 ref: 004039D2
GetWindowRect.USER32(?,?), ref: 004039E1

Part of subcall function 004753C6: ScreenToClient.USER32(?,00000000), ref: 004753DA
Part of subcall function 004753C6: ScreenToClient.USER32(?,00000008), ref: 004753E3

OffsetRect.USER32(?,?,?), ref: 00403A0C

Part of subcall function 00475303: ExcludeClipRect.GDI32(?,?,?,?,?,75A4A5C0,?,?,00403A1C,?), ref: 00475328
Part of subcall function 00475303: ExcludeClipRect.GDI32(?,?,?,?,?,75A4A5C0,?,?,00403A1C,?), ref: 0047533D

OffsetRect.USER32(?,?,?), ref: 00403A2F
FillRect.USER32(?,?,?), ref: 00403A4A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Rect$Client$ClipExcludeOffsetScreenWindow$FillH_prolog
String ID:
API String ID: 2829754061-0
Opcode ID: 038fe87ad6e0b921215462a48bc4b9c75b69959304e25c7f444b98ba647227f5
Instruction ID: dbd7886dd99655853382881a0c07c0fdafd7dbe5478f2c24232cd555965477ca
Opcode Fuzzy Hash: 038fe87ad6e0b921215462a48bc4b9c75b69959304e25c7f444b98ba647227f5
Instruction Fuzzy Hash: 15314175208701AFD714DF24C845EABB7E8EB88754F008E1DF49A87290DB78E949CB56

Function 004074C0 Relevance: 7.6, APIs: 5, Instructions: 56windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046D6E3: SendMessageA.USER32(?,0000110C,00000000,00000040), ref: 0046D704

SendMessageA.USER32(?,0000110A,00000004,?), ref: 004074E5
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00407505
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00407517
SendMessageA.USER32(?,0000110A,00000004,00000000), ref: 00407525
SendMessageA.USER32(?,00001101,00000000,00000000), ref: 00407537

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 85218930ee9474af26e2e4b69b7ee2637244a9577bc00fb2015996c317c5ed2f
Instruction ID: 949ebe23b5e495682a561e36efb9a474c3e636f202f85d28a3bd73bb00ea84db
Opcode Fuzzy Hash: 85218930ee9474af26e2e4b69b7ee2637244a9577bc00fb2015996c317c5ed2f
Instruction Fuzzy Hash: 0401A2F2B407013AE534AA669CC1FA792AC9F98B55F00452AF701E76C0DAF8FC024679

Function 00471135 Relevance: 7.6, APIs: 5, Instructions: 52stringregistryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0047113A
GetClassInfoA.USER32(?,?,?), ref: 00471155
RegisterClassA.USER32(?), ref: 00471160
lstrcatA.KERNEL32(00000034,?,00000001), ref: 00471197
lstrcatA.KERNEL32(00000034,?), ref: 004711A5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Classlstrcat$H_prologInfoRegister
String ID:
API String ID: 106226465-0
Opcode ID: 1832201f04d03ffef8572d0d3a170f5f84ee44e270ed7ce097eba86042d6ae11
Instruction ID: 75d0dfd800cc90c5b831556df60993a34eb5e4b3de7cc68dcaf748f09a458f2c
Opcode Fuzzy Hash: 1832201f04d03ffef8572d0d3a170f5f84ee44e270ed7ce097eba86042d6ae11
Instruction Fuzzy Hash: E8112B35500254BECB20AF759C01EDE7BBCEF08714F00C69FF91AA7161C7789A458769

Function 004633CA Relevance: 7.5, APIs: 5, Instructions: 38threadCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000103,7FFFFFFF,00460B32,0046256B,00000000,?,?,00000000,00000001), ref: 004633CC
TlsGetValue.KERNEL32(?,?,00000000,00000001), ref: 004633DA
SetLastError.KERNEL32(00000000,?,?,00000000,00000001), ref: 00463426

Part of subcall function 00460EE2: HeapAlloc.KERNEL32(00000008,?,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00460FD8

TlsSetValue.KERNEL32(00000000,?,?,00000000,00000001), ref: 004633FE
GetCurrentThreadId.KERNEL32 ref: 0046340F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ErrorLastValue$AllocCurrentHeapThread
String ID:
API String ID: 2020098873-0
Opcode ID: a40884b84214e9fc8b2bc761e8ea5076f125f1fec7fccd2057dab65150030a23
Instruction ID: 4552e7c6de069204e94612d5bac2027023efa1d9cc802313cd4f47551d049d24
Opcode Fuzzy Hash: a40884b84214e9fc8b2bc761e8ea5076f125f1fec7fccd2057dab65150030a23
Instruction Fuzzy Hash: D7F02B316007615BD3222F32BC0DD2A7B54EF05B7271446BEF955962E1EF388C808A9E

Function 004782CC Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

TlsFree.KERNEL32(00000000,?,?,004787D9,00000000,00000001), ref: 004782D8
GlobalHandle.KERNEL32(00572788), ref: 00478300
GlobalUnlock.KERNEL32(00000000), ref: 00478309
GlobalFree.KERNEL32(00000000), ref: 00478310
DeleteCriticalSection.KERNEL32(004B1EF0,?,?,004787D9,00000000,00000001), ref: 0047831A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$Free$CriticalDeleteHandleSectionUnlock
String ID:
API String ID: 2159622880-0
Opcode ID: e3d70df917e411a64b95eca76eac3886f7fcc401de268ba526e557acafa6b04f
Instruction ID: a267f71cf48512c62700ee1c1361224b810e5b81c55b206235809bd5cc3c57b9
Opcode Fuzzy Hash: e3d70df917e411a64b95eca76eac3886f7fcc401de268ba526e557acafa6b04f
Instruction Fuzzy Hash: 13F0B4312005009BC2209F399C0CA6B76ACAF8861170547AEF80DD32A2CF34DC41876C

Function 0042A490 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 277COMMON

Download Yara Rule

APIs

GetCurrentObject.GDI32(?), ref: 0042A55B
LPtoDP.GDI32(?,00000000,00000001), ref: 0042A5A8
DPtoLP.GDI32(?,00000000,00000001), ref: 0042A5CB

Strings

{G, xrefs: 0042A788

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CurrentObject
String ID: {G
API String ID: 844725943-3571685011
Opcode ID: 8bdbfe01cb79ad863e0df1b08dc2fefc9bda252dbae77553a55adb106baa26af
Instruction ID: f77f379c760bbe6dd114ff3f38f992c571e05efbda78d0147c5cf1612335cf2b
Opcode Fuzzy Hash: 8bdbfe01cb79ad863e0df1b08dc2fefc9bda252dbae77553a55adb106baa26af
Instruction Fuzzy Hash: 6EA188713083509BC718DA55D890B6FB7E9ABC8708F48891EF98A83351CB78ED45CB5B

Function 0047494C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 109COMMON

Download Yara Rule

APIs

GlobalLock.KERNEL32 ref: 00474968
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000020), ref: 004749BB
GlobalUnlock.KERNEL32(?), ref: 00474A52

Strings

@, xrefs: 004749A5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$ByteCharLockMultiUnlockWide
String ID: @
API String ID: 231414890-2766056989
Opcode ID: de5f3d4295143b497c6c8dbbc1a0677e9a432e4940eecccd231e65c8aa445633
Instruction ID: fb91b5183606693312b8225c2bddf8e35eedd7beac1c392974f6ab8bb502c953
Opcode Fuzzy Hash: de5f3d4295143b497c6c8dbbc1a0677e9a432e4940eecccd231e65c8aa445633
Instruction Fuzzy Hash: D641EA72800215EBCB14DFA4C8819FFBBB8FF44354F10C16AE819AB295D3349946CF99

Function 0041D3C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 97memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0041CFA0: GetObjectA.GDI32(?,00000018,?), ref: 0041CFDD
Part of subcall function 0041CFA0: GetDeviceCaps.GDI32 ref: 0041D077
Part of subcall function 0041CFA0: GetSystemPaletteEntries.GDI32(?,00000000,000000FF,00000004), ref: 0041D0B1
Part of subcall function 0041CFA0: CreatePalette.GDI32(00000000), ref: 0041D0BC

GlobalAlloc.KERNEL32(00000002,?), ref: 0041D44A
GlobalLock.KERNEL32(00000000), ref: 0041D465
GlobalUnlock.KERNEL32(00000000), ref: 0041D47E

Strings

{G, xrefs: 0041D49A, 0041D4DE

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Global$Palette$AllocCapsCreateDeviceEntriesLockObjectSystemUnlock
String ID: {G
API String ID: 1348334340-3571685011
Opcode ID: ac5679325f364479258538bdd8d6dcb10c9119547807700fd5f7d9a29bafbbd7
Instruction ID: 5082457c33bb82f0ae7a3dcc27834ac9142aaae20f6f4a4ec2d3f287257d11c2
Opcode Fuzzy Hash: ac5679325f364479258538bdd8d6dcb10c9119547807700fd5f7d9a29bafbbd7
Instruction Fuzzy Hash: 0F31A2715083418FC314EF19D8856AFFBE8BBD4754F404E1EF48993291DBB8A948C7A6

Function 00478BD7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81windowCOMMON

Download Yara Rule

APIs

GetMenuCheckMarkDimensions.USER32 ref: 00478BE3
CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00478C92
LoadBitmapA.USER32(00000000,00007FE3), ref: 00478CAA

Strings

, xrefs: 00478BF2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu
String ID:
API String ID: 2596413745-3916222277
Opcode ID: a8b2270b0a55325cd2f43dc5e23afed3219d74878a71fd404022429d9880c743
Instruction ID: cd1ecddc96f9ec89781bd12870c531b75bf6f36148d1fac45bd5ce70e3ef2598
Opcode Fuzzy Hash: a8b2270b0a55325cd2f43dc5e23afed3219d74878a71fd404022429d9880c743
Instruction Fuzzy Hash: 1A213D71E00219AFDB10DF78DD89BAE7BB4EB44304F0445AAF509EB282D6749A44CB54

Function 004325F0 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0046CD6B: __EH_prolog.LIBCMT ref: 0046CD70
Part of subcall function 0046CD6B: lstrcpynA.KERNEL32(?,?,00000104), ref: 0046CE5D

Part of subcall function 0046CF05: lstrlenA.KERNEL32(?,?,?,0000000C,?,?,0041C1F9,?,-00000001,00000000,?,?,?,0049ABD8), ref: 0046CF0F
Part of subcall function 0046CF05: GetFocus.USER32 ref: 0046CF2A
Part of subcall function 0046CF05: IsWindowEnabled.USER32(?), ref: 0046CF53
Part of subcall function 0046CF05: EnableWindow.USER32(?,00000000), ref: 0046CF65
Part of subcall function 0046CF05: GetOpenFileNameA.COMDLG32(?,?), ref: 0046CF90
Part of subcall function 0046CF05: EnableWindow.USER32(?,00000001), ref: 0046CFAE
Part of subcall function 0046CF05: IsWindow.USER32(?), ref: 0046CFB4
Part of subcall function 0046CF05: SetFocus.USER32(?), ref: 0046CFC2

Part of subcall function 0046CFE0: __EH_prolog.LIBCMT ref: 0046CFE5
Part of subcall function 0046CFE0: GetParent.USER32(?), ref: 0046D022
Part of subcall function 0046CFE0: SendMessageA.USER32(?,00000464,00000104,00000000), ref: 0046D04A
Part of subcall function 0046CFE0: GetParent.USER32(?), ref: 0046D073
Part of subcall function 0046CFE0: SendMessageA.USER32(?,00000465,00000104,00000000), ref: 0046D090

Part of subcall function 00472E94: SetWindowTextA.USER32(?,0041A95A), ref: 00472EA2

Part of subcall function 0046EBB9: InterlockedDecrement.KERNEL32(-000000F4), ref: 0046EBCD

SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 0043269D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 004326AC

Part of subcall function 00472FCF: SetFocus.USER32(?,0040F6B3), ref: 00472FD9

Strings

prn, xrefs: 0043261E
out.prn, xrefs: 00432619

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$MessageSend$Focus$EnableH_prologParent$DecrementEnabledFileInterlockedNameOpenTextlstrcpynlstrlen
String ID: out.prn$prn
API String ID: 4074345921-3109735852
Opcode ID: 3c99b995b603c70299601b5ac172316c50dcf0bf27b6c43d5a5105952b0f91ec
Instruction ID: 007d55f24c20992fb7ca162868667ade10387a7177f2ae27ba1a277fa5c666e6
Opcode Fuzzy Hash: 3c99b995b603c70299601b5ac172316c50dcf0bf27b6c43d5a5105952b0f91ec
Instruction Fuzzy Hash: 2021A471248340AAD334EB15CD86F9BB7E4AB98B14F104B1EF4EA532D1DBB86444CB97

Function 00413550 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetClassInfoA.USER32(?,WTWindow,00000000), ref: 00413578
LoadCursorA.USER32(00000000,00007F00), ref: 00413589
GetStockObject.GDI32(00000005), ref: 00413593

Strings

WTWindow, xrefs: 0041356C, 00413576

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ClassCursorInfoLoadObjectStock
String ID: WTWindow
API String ID: 1762135420-3503404378
Opcode ID: b7093672d314251e2bef1f48c0d8e93b14f04deecca4ba522ffc103ab1c0dcdd
Instruction ID: 2ae6454881b7aa317c0b125cba8a2213016832c066eb6378a507aa507e0ce54c
Opcode Fuzzy Hash: b7093672d314251e2bef1f48c0d8e93b14f04deecca4ba522ffc103ab1c0dcdd
Instruction Fuzzy Hash: A411C2B0908340AFC700DF269C8455BBBE9FF88764F40492EF98893211D738DA448B5A

Function 0046A0EA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004B2658), ref: 0046A110
InterlockedDecrement.KERNEL32(004B2658), ref: 0046A125

Strings

X&K, xrefs: 0046A109

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: X&K
API String ID: 2172605799-3208559910
Opcode ID: 85207f929f2a316d72bd1b23293a35e65cfda682d6552a391100d86fb07b36e7
Instruction ID: edb03c6984c25d2aadc4cbd2ac4bf7d4a2d4aef3d571e8eda3be4f16b920c1a8
Opcode Fuzzy Hash: 85207f929f2a316d72bd1b23293a35e65cfda682d6552a391100d86fb07b36e7
Instruction Fuzzy Hash: 8CF0F6B2105B569FE720AF56ACC69CB7354FFA2315F10483FF100E5290E7A88C959A6F

Function 00460419 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004B2658), ref: 0046043F
InterlockedDecrement.KERNEL32(004B2658), ref: 00460454

Strings

X&K, xrefs: 00460438

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Interlocked$DecrementIncrement
String ID: X&K
API String ID: 2172605799-3208559910
Opcode ID: e6af9b1b1a066caeda90391b6339972cce0a0fd98ede1e96c8b3518cb7d57640
Instruction ID: a764e9553feb92ac2a29d2444ffb26cbb1ba9dd11c07270d0a8c19e58bf6bd68
Opcode Fuzzy Hash: e6af9b1b1a066caeda90391b6339972cce0a0fd98ede1e96c8b3518cb7d57640
Instruction Fuzzy Hash: 64F0F6321152529BE730AF66ACC594B6394FB90316F144D3FF200C5190EFA8D882C52F

Function 0046BBC8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004B2658), ref: 0046BBD4
InterlockedDecrement.KERNEL32(004B2658), ref: 0046BBEB

Part of subcall function 00465D44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D81
Part of subcall function 00465D44: EnterCriticalSection.KERNEL32(?,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D9C

InterlockedDecrement.KERNEL32(004B2658), ref: 0046BC17

Strings

X&K, xrefs: 0046BBCD

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: X&K
API String ID: 2038102319-3208559910
Opcode ID: fbf296feb5688f7b9b340c7cacbba81c5823dabda6d6a8d2a0abb2668cc65879
Instruction ID: e21e0245fea74c6399829106156af35a35ec497ed5d01be1702db3c187c007d5
Opcode Fuzzy Hash: fbf296feb5688f7b9b340c7cacbba81c5823dabda6d6a8d2a0abb2668cc65879
Instruction Fuzzy Hash: 00F0E932101219BEEB102F56EC85D9A7758DF94329F10803FF608991819FB99AC2859E

Function 0046BEE8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

APIs

InterlockedIncrement.KERNEL32(004B2658), ref: 0046BEF4
InterlockedDecrement.KERNEL32(004B2658), ref: 0046BF0B

Part of subcall function 00465D44: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D81
Part of subcall function 00465D44: EnterCriticalSection.KERNEL32(?,?,?,00460F98,00000009,00000000,00000000,00000001,004633EF,00000001,00000074,?,?,00000000,00000001), ref: 00465D9C

InterlockedDecrement.KERNEL32(004B2658), ref: 0046BF3B

Strings

X&K, xrefs: 0046BEED

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Interlocked$CriticalDecrementSection$EnterIncrementInitialize
String ID: X&K
API String ID: 2038102319-3208559910
Opcode ID: 889166b5c3b7f04717adf561cfc14d4ffc1705e6990f621b2ea850d9b80b7d76
Instruction ID: 18ac4bfcdc7c8b146caa2fcecdcae4187fc4434b58126d4117ff6f5197eaa134
Opcode Fuzzy Hash: 889166b5c3b7f04717adf561cfc14d4ffc1705e6990f621b2ea850d9b80b7d76
Instruction Fuzzy Hash: 19F0B43210135AAFEB106F92AC45D9B3758EFA4315F04403BFA04891A0E7B549929AEE

Function 0047604D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27stringCOMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(00000000,000000F0), ref: 0047605E
GetClassNameA.USER32(00000000,?,0000000A), ref: 00476079
lstrcmpiA.KERNEL32(?,combobox), ref: 00476088

Strings

combobox, xrefs: 00476082

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ClassLongNameWindowlstrcmpi
String ID: combobox
API String ID: 2054663530-2240613097
Opcode ID: 29d1f8da4a83ac6c84e339cc1be197d597aca93b26070481bac4f8cd07c59891
Instruction ID: 3ebcb7744455ce743bb6d9ee55ce84ea37a8a0f2f3b80ff87610030f96e38fe7
Opcode Fuzzy Hash: 29d1f8da4a83ac6c84e339cc1be197d597aca93b26070481bac4f8cd07c59891
Instruction Fuzzy Hash: 72E06531554108BBDF10AF70CC4AE9E3BA9A704305F108632B42BD51A0DA38E585CB59

Function 00474E18 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetStockObject.GDI32(?), ref: 00474E21
SelectObject.GDI32(?,00000000), ref: 00474E3B
SelectObject.GDI32(?,00000000), ref: 00474E46

Strings

{G, xrefs: 00474E18

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Object$Select$Stock
String ID: {G
API String ID: 3337941649-3571685011
Opcode ID: c64e962174cf0611437787bff51aa608f3255c073c92e2bf514cb0f860d700f5
Instruction ID: 8b01500517c702028ac14746e5adea172e8a89b748e6c880474d41e72e5a9cc0
Opcode Fuzzy Hash: c64e962174cf0611437787bff51aa608f3255c073c92e2bf514cb0f860d700f5
Instruction Fuzzy Hash: BEE0DF722006206B8220AB32CC88C6BF79CEED4724706892AF60D93220C7B4BC4089A4

Function 0047931F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 26COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(004B2080,?,?,?,0046C7D0,00000000,00000001), ref: 00479345
DeleteCriticalSection.KERNEL32(004B2098,?,?,?,0046C7D0,00000000,00000001), ref: 00479357

Strings

8 K, xrefs: 00479347
0"K, xrefs: 00479361

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalDeleteSection
String ID: 0"K$8 K
API String ID: 166494926-569018290
Opcode ID: de29af77399b6ba7cb14242218565d48aa06b8d4cbadf983df422c2c9ad44e4d
Instruction ID: c4d44a7d83b77b76a872f2fd4955cd38c3369a29b299848f84d04a5f802d8674
Opcode Fuzzy Hash: de29af77399b6ba7cb14242218565d48aa06b8d4cbadf983df422c2c9ad44e4d
Instruction Fuzzy Hash: 0EE0D8325012008FCB282759EE847C77268EB48321F1446F7DE0D912A183FD4C80C7BD

Function 004638C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 13libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,0045E910), ref: 004638C5
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 004638D5

Strings

IsProcessorFeaturePresent, xrefs: 004638CF
KERNEL32, xrefs: 004638C0

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 540c9a083b65457300ba310219c6d0f7bc65601cfa59030d7743bd44ae8e7f32
Instruction ID: 3890c503377599f9efc1b93bc0efb23ccfb20acd1d6e1489e2dec4264c6137d1
Opcode Fuzzy Hash: 540c9a083b65457300ba310219c6d0f7bc65601cfa59030d7743bd44ae8e7f32
Instruction Fuzzy Hash: 0EC01220380240A6EA103FB2CC0DB5A22882B88B47F94096BB80DD3180FE6DC241A62E

Function 00461CC6 Relevance: 6.5, APIs: 5, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f271d2d90907141368e549c1321ba638438fbec2ce953bba0dac0d2625539274
Instruction ID: 2c807a8aaee325b713b8ba8802974d2c2235d4afbf25f6c6a9903ce88e74916b
Opcode Fuzzy Hash: f271d2d90907141368e549c1321ba638438fbec2ce953bba0dac0d2625539274
Instruction Fuzzy Hash: 9B91C571D00114AFDF21AB69DC41ADE7BB8EB45764F28062BF814A62B1F7398D40C76E

Function 00467ACC Relevance: 6.4, APIs: 5, Instructions: 102memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapAlloc.KERNEL32(00000000,00002020,004A0FB0,?,?,?,00467F98,00000000,00000010,00000000,00000009,00000009,?,00460151,00000010,00000000), ref: 00467AED
VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,00467F98,00000000,00000010,00000000,00000009,00000009,?,00460151,00000010,00000000), ref: 00467B11
VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,00467F98,00000000,00000010,00000000,00000009,00000009,?,00460151,00000010,00000000), ref: 00467B2B
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,00467F98,00000000,00000010,00000000,00000009,00000009,?,00460151,00000010,00000000,?), ref: 00467BEC
HeapFree.KERNEL32(00000000,00000000,?,?,00467F98,00000000,00000010,00000000,00000009,00000009,?,00460151,00000010,00000000,?,00000000), ref: 00467C03

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AllocVirtual$FreeHeap
String ID:
API String ID: 714016831-0
Opcode ID: 9c82c56c3929b39922804cee7791930baf845a2caed46e9a11131b26fd2bd2b5
Instruction ID: 850b7eb3f7867656f75c3d228fb6586d576d3004ba16b5a87d9f3252ee005ec4
Opcode Fuzzy Hash: 9c82c56c3929b39922804cee7791930baf845a2caed46e9a11131b26fd2bd2b5
Instruction Fuzzy Hash: BE31E2706447029FD3318F24DC41B26BBA4E756B9CF10863BF555A73A0EBB8A8408B5D

Function 004225B0 Relevance: 6.2, APIs: 4, Instructions: 246COMMON

Download Yara Rule

APIs

midiStreamOpen.WINMM(?,?,00000001,00422BE0,?,00030000,?,?,?,00000000), ref: 004225DB
midiStreamProperty.WINMM ref: 004226C2
midiOutPrepareHeader.WINMM(?,?,00000040,00000001,?,?,?,?,00000000), ref: 00422810

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: midi$Stream$HeaderOpenPrepareProperty
String ID:
API String ID: 2061886437-0
Opcode ID: 1fdd073760603a330f961377744429640364ef7cfeb22953e78c4382e573ae1e
Instruction ID: 9a7fa25f5b6b60d145ffc660ec9cc89966111e109d0d122f6dcabb46a67113ce
Opcode Fuzzy Hash: 1fdd073760603a330f961377744429640364ef7cfeb22953e78c4382e573ae1e
Instruction Fuzzy Hash: A8A18BB17006159FC724DF28D990BAAB7F6FB84304F408A2EE686C7650EB75F919CB40

Function 0041F890 Relevance: 6.2, APIs: 4, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56aa7b995f69f3d89f15b8a26021cea1c96adac45249bdb071cad3288c365d0
Instruction ID: ec73e7116fc8cce61b1b56fd51025e34718512e855018f3c1a4975a9c60cdd7a
Opcode Fuzzy Hash: a56aa7b995f69f3d89f15b8a26021cea1c96adac45249bdb071cad3288c365d0
Instruction Fuzzy Hash: 585161B15083419FC310EF6AC8819ABF7E8FB89714F408E2EF5A983650D779D849CB56

Function 00469348 Relevance: 6.2, APIs: 4, Instructions: 170fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(000001D0,000001D0,00000000,000001D0,00000000,00000000,00000000,00000000), ref: 004693C2
GetLastError.KERNEL32 ref: 004693CC
ReadFile.KERNEL32(?,?,00000001,000001D0,00000000), ref: 00469492
GetLastError.KERNEL32 ref: 0046949C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 0ab1037822403d22514da15aba5246fd9b033e8491598a7004ec1968c554b8c9
Instruction ID: d7300a5d39db0201c133bd1f7f580df9dc791e245e4f390863e956b6d5e705fd
Opcode Fuzzy Hash: 0ab1037822403d22514da15aba5246fd9b033e8491598a7004ec1968c554b8c9
Instruction Fuzzy Hash: 0851C731508385EFDF228F58C8807AA7BB8AF16308F14459BE8558B351E7B89D46CB1B

Function 004206A0 Relevance: 6.2, APIs: 4, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?,?), ref: 004206B2
PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0042070A
__ftol.LIBCMT ref: 004207F5
__ftol.LIBCMT ref: 00420802

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ObjectSelect__ftol$ClientRect
String ID:
API String ID: 2514210182-0
Opcode ID: 1b8b458c909f11ac10b82b7a7fb77413a51d2e4f6cd475fee9861abae4ded236
Instruction ID: 262842f761424257a978d652267ce77e7bd1a6383c8f232a59f10c68b5de5e00
Opcode Fuzzy Hash: 1b8b458c909f11ac10b82b7a7fb77413a51d2e4f6cd475fee9861abae4ded236
Instruction Fuzzy Hash: F351BEB17043128FC714DF29D98096BBBE5FBC8740F544A2EF88993252D634ED498B96

Function 00434670 Relevance: 6.2, APIs: 4, Instructions: 162COMMON

Download Yara Rule

APIs

DeleteObject.GDI32(?), ref: 004346AE
GetDC.USER32(?), ref: 00434812
ReleaseDC.USER32(?,?), ref: 00434836
DeleteObject.GDI32(?), ref: 00434868

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: DeleteObject$Release
String ID:
API String ID: 2600533906-0
Opcode ID: 86352ae8217a4de3b01482716ee8f644f79ce7264a02519a41ed49e1c088e7a9
Instruction ID: 4ea2061853813a5013b6faad548dd64a83e771fdc13351201a9b13257f44287b
Opcode Fuzzy Hash: 86352ae8217a4de3b01482716ee8f644f79ce7264a02519a41ed49e1c088e7a9
Instruction Fuzzy Hash: BE517DB5A002449FDB14DF29C880BDA7BE5BF89310F0885BAEC49CF306D778A945CB65

Function 0040DDC0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 0040DE34
GetParent.USER32(00000000), ref: 0040DE84
IsWindow.USER32(?), ref: 0040DEA4
SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000013), ref: 0040DF1F

Part of subcall function 00472F66: ShowWindow.USER32(?,?,0040BEBC,00000000), ref: 00472F74

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$ParentShow
String ID:
API String ID: 2052805569-0
Opcode ID: d951cfb823faf1e19e419092bcba0f0f137db842c57c01ebd39af1c20da203ec
Instruction ID: 6e227652a0a9be90e624bd21ed154e2cf6ec15ec032dc704f9e78586be0602de
Opcode Fuzzy Hash: d951cfb823faf1e19e419092bcba0f0f137db842c57c01ebd39af1c20da203ec
Instruction Fuzzy Hash: B7418071A003129BD720EEA5DC81FABB3A4AF44754F04453EFD05AB3C1D778E90987A9

Function 00403620 Relevance: 6.1, APIs: 4, Instructions: 144windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00472F8D: IsWindowEnabled.USER32(?), ref: 00472F97

IsWindowVisible.USER32(?), ref: 0040365A

Part of subcall function 00470F60: GetWindowTextLengthA.USER32(?), ref: 00470F6D
Part of subcall function 00470F60: GetWindowTextA.USER32(?,00000000,00000000), ref: 00470F85

Part of subcall function 0046D7B4: SendMessageA.USER32(?,00000466,00000000,00000000), ref: 0046D7C0

wsprintfA.USER32 ref: 004036F4
SendMessageA.USER32(?,000000B1,00000000,000000FF), ref: 00403720
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0040372F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$MessageSend$Text$EnabledLengthVisiblewsprintf
String ID:
API String ID: 1914814478-0
Opcode ID: af73c5c84c81a2196832ad37d224bce534d9ac65705e8be2b01f42a1f6b9700f
Instruction ID: 3cf31025fcfb3c77319fd07b0f080bd8f827ae44492ff506a03dbb7e2665284a
Opcode Fuzzy Hash: af73c5c84c81a2196832ad37d224bce534d9ac65705e8be2b01f42a1f6b9700f
Instruction Fuzzy Hash: 5C517875608701AFC724DF14C981B9BB7F5BB88704F10892EF58A97380CB79E805CB96

Function 00469158 Relevance: 6.1, APIs: 4, Instructions: 135fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,00000000,00000000,00000001,?,?), ref: 0046921F

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8bbb130c0e972c822d7623c5639bfcd07a14abc17f03250d4888b07b3fec0f73
Instruction ID: 30dae6d25d6cd1840b4cb5fa1fdc9a0b15590d34a83fac706c6bf64135f2af69
Opcode Fuzzy Hash: 8bbb130c0e972c822d7623c5639bfcd07a14abc17f03250d4888b07b3fec0f73
Instruction Fuzzy Hash: 63518171500208EFDB11CF99C884ADE7BB8FF45344F2489E6E8159B251E774DE41CB5A

Function 0042C380 Relevance: 6.1, APIs: 4, Instructions: 108windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(?), ref: 0042C3F4
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 0042C44D
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 0042C45C
SendMessageA.USER32(?,000000C2,00000000,?), ref: 0042C48A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$Window
String ID:
API String ID: 2326795674-0
Opcode ID: ea916c7bc4c33b333efbfe6342826208ff054bb9ebc7e0e9e25ef5898c96a465
Instruction ID: c9f3f28dbe2909336d5c442eeb17ec56b70b3ebe1129e9ff8abc360fbffbcef5
Opcode Fuzzy Hash: ea916c7bc4c33b333efbfe6342826208ff054bb9ebc7e0e9e25ef5898c96a465
Instruction Fuzzy Hash: 0341C0722487519FD320DB19DC90B6BB7D4EB99720F448B2EF895873D1C7789804CB96

Function 00440830 Relevance: 6.1, APIs: 4, Instructions: 100windowCOMMON

Download Yara Rule

APIs

CreateSolidBrush.GDI32(?), ref: 004408BA
SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004408FE
SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00440934
SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00440943

Part of subcall function 00472E94: SetWindowTextA.USER32(?,0041A95A), ref: 00472EA2

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$BrushCreateSolidTextWindow
String ID:
API String ID: 3501373727-0
Opcode ID: 975d81337e6f3ed0a1a6590b0eca4af0052036dba9c2c2fa06b9e699365748c8
Instruction ID: 3b997eed84283583da01ee79dd3d3c1b8fd364a6f90f6b69f7fff15c97f8c112
Opcode Fuzzy Hash: 975d81337e6f3ed0a1a6590b0eca4af0052036dba9c2c2fa06b9e699365748c8
Instruction Fuzzy Hash: 56314BB1604710AFD324DF19C851B2AF7E5FB88B14F108A1EF59987791CBB9E800CB59

Function 0047662B Relevance: 6.1, APIs: 4, Instructions: 87windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004767A3: GetParent.USER32(?), ref: 004767D6
Part of subcall function 004767A3: GetLastActivePopup.USER32(?), ref: 004767E5
Part of subcall function 004767A3: IsWindowEnabled.USER32(?), ref: 004767FA
Part of subcall function 004767A3: EnableWindow.USER32(?,00000000), ref: 0047680D

SendMessageA.USER32(?,00000376,00000000,00000000), ref: 00476661
GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,?,00000000), ref: 004766CF
MessageBoxA.USER32(00000000,?,?,00000000), ref: 004766DD
EnableWindow.USER32(00000000,00000001), ref: 004766F9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$EnableMessage$ActiveEnabledFileLastModuleNameParentPopupSend
String ID:
API String ID: 1958756768-0
Opcode ID: b3f1ecce14e636951ec7f01bd8bd6d340677a18c64ce5ab3a301b2fe21aff090
Instruction ID: 8e3c9bff916a5dbd9c2ae2e8d9af246b06a2abb30da70c2704ad4f80d0d6bb5a
Opcode Fuzzy Hash: b3f1ecce14e636951ec7f01bd8bd6d340677a18c64ce5ab3a301b2fe21aff090
Instruction Fuzzy Hash: 7321B472A00608AFDB209F95CC81BEEB7BBEB44354FA5857AE61CE7340C7749D808B54

Function 00409B30 Relevance: 6.1, APIs: 4, Instructions: 84windowCOMMON

Download Yara Rule

APIs

GetMessagePos.USER32 ref: 00409BC8
ScreenToClient.USER32(?,?), ref: 00409BEA
ChildWindowFromPointEx.USER32(?,?,?,00000005), ref: 00409C00
GetFocus.USER32 ref: 00409C0B

Part of subcall function 00472FCF: SetFocus.USER32(?,0040F6B3), ref: 00472FD9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Focus$ChildClientFromMessagePointScreenWindow
String ID:
API String ID: 3117237277-0
Opcode ID: 4f014c95c10972c0471afb36dabae5b4cc214843cb3db6040f3e691193b11ccb
Instruction ID: 06a7ef88289007cb40b1ce5e776809364b7a9dc2bccdcb532dd6df7ec183aac6
Opcode Fuzzy Hash: 4f014c95c10972c0471afb36dabae5b4cc214843cb3db6040f3e691193b11ccb
Instruction Fuzzy Hash: 9C21D534704205ABD224EB21DD45F6BB3A9AF84708F04853EF945AB2C2DB78E942C799

Function 0045E7B5 Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

GetVersion.KERNEL32 ref: 0045E7DB

Part of subcall function 004635A6: HeapCreate.KERNELBASE(00000000,00001000,00000000,0045E813,00000001), ref: 004635B7
Part of subcall function 004635A6: HeapDestroy.KERNEL32 ref: 004635F6

GetCommandLineA.KERNEL32 ref: 0045E83B
GetStartupInfoA.KERNEL32(?), ref: 0045E866
GetModuleHandleA.KERNEL32(00000000,00000000,?,0000000A), ref: 0045E889

Part of subcall function 0045E8E2: ExitProcess.KERNEL32 ref: 0045E8FF

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Heap$CommandCreateDestroyExitHandleInfoLineModuleProcessStartupVersion
String ID:
API String ID: 2057626494-0
Opcode ID: 9d4c8fc448092b6827a9de9c3903d469745c7d5610fb6656d23a1146d5247049
Instruction ID: 83f3eea9a0af5d8964d46c5054e21421e02c65a2f4a544551d14263563b06f03
Opcode Fuzzy Hash: 9d4c8fc448092b6827a9de9c3903d469745c7d5610fb6656d23a1146d5247049
Instruction Fuzzy Hash: 6421B4B1900705ABD70CBFB6DD46A6D7BA8EF04705F10062FF9059B2A1EB784640C75A

Function 004410B0 Relevance: 6.1, APIs: 4, Instructions: 73windowCOMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(0000002D), ref: 004410D9
SystemParametersInfoA.USER32 ref: 00441133
CreateFontIndirectA.GDI32(?), ref: 00441141
CreatePalette.GDI32(00000300), ref: 00441199

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CreateSystem$FontIndirectInfoMetricsPaletteParameters
String ID:
API String ID: 934993634-0
Opcode ID: 10c4527d6846814fe064d13873692f309141be140bebe42b046318d2b5e6b6b4
Instruction ID: e6e90fca2469d2c5ee3d68f24ebb5c46fab40624fe7e8ff46e852fa98befc7f1
Opcode Fuzzy Hash: 10c4527d6846814fe064d13873692f309141be140bebe42b046318d2b5e6b6b4
Instruction Fuzzy Hash: FF318E714047408FD320DF25C888A97FBF5FF88308F50896EE69A8B751D7B5A448CB65

Function 0040A440 Relevance: 6.1, APIs: 4, Instructions: 70COMMON

Download Yara Rule

APIs

StartPage.GDI32(?), ref: 0040A485
EndPage.GDI32(?), ref: 0040A4AB

Part of subcall function 00418490: wsprintfA.USER32 ref: 0041849F

Part of subcall function 00472E94: SetWindowTextA.USER32(?,0041A95A), ref: 00472EA2

UpdateWindow.USER32(?), ref: 0040A4FA
EndPage.GDI32(?), ref: 0040A512

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Page$Window$StartTextUpdatewsprintf
String ID:
API String ID: 104827578-0
Opcode ID: f8a45c0d80d5d6c082bbb6010def575e2a1a8c84eacd04823b474875cfdadb71
Instruction ID: 4079f01e8e962f47729b058a636f2d80cbe43931f87da138f6cc4340ad3696cc
Opcode Fuzzy Hash: f8a45c0d80d5d6c082bbb6010def575e2a1a8c84eacd04823b474875cfdadb71
Instruction Fuzzy Hash: 66215071601B009BC324DB3ADC88ADBB7E4FFC4704F10882EF59FC6250E678A4468B5A

Function 00404330 Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0040435C
GetParent.USER32(?), ref: 00404371
SetParent.USER32(?,?), ref: 0040438F
GetWindowRect.USER32(?,?), ref: 004043A4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Parent$RectWindow
String ID:
API String ID: 2276825053-0
Opcode ID: c66756e2d389daed8923c44678dfcf4ef77360dd7b7082fda6138a866795d2fd
Instruction ID: bd72296be7f148bf78a104a67b221eb1dce39491b25565354b9de13620b5184d
Opcode Fuzzy Hash: c66756e2d389daed8923c44678dfcf4ef77360dd7b7082fda6138a866795d2fd
Instruction Fuzzy Hash: CC117FB5200705AFD724DF65D884D6BB7ADEBC8350F008A2EBD4697381EA78EC098774

Function 0046B5BC Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 0046B5EB
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,?,00000000,00000000), ref: 0046B5FE
MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 0046B64A
CompareStringW.KERNEL32(004500F6,00000000,00000000,00000000,?,00000000,?,00000000), ref: 0046B662

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ByteCharMultiWide$CompareString
String ID:
API String ID: 376665442-0
Opcode ID: 755f01779177d21b79313f481d10bb144656ee469c38ebcd9bcb863d99d04fd5
Instruction ID: 7020c156c6d61505070c102225fc90e3ccf28cf440924a951fecbf6d82018f32
Opcode Fuzzy Hash: 755f01779177d21b79313f481d10bb144656ee469c38ebcd9bcb863d99d04fd5
Instruction Fuzzy Hash: 82213B32900219EBCF218F95DC419DEBFB5FF48750F10426AFA15B2160E33699A1DF96

Function 00403290 Relevance: 6.1, APIs: 4, Instructions: 63windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 004032ED
SendMessageA.USER32(?,00000030,?,00000001), ref: 00403306
GetStockObject.GDI32(00000011), ref: 00403311
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 00403324

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$ObjectStock
String ID:
API String ID: 1309931672-0
Opcode ID: ccf744d5cb3fdb5de01818019d6619cb0413762bceab797b145ec223823b78ef
Instruction ID: 7b52c14ad331daa37e0b0e8fc0cda5a821b5120751ef9c6f45968a89f0eb8e7d
Opcode Fuzzy Hash: ccf744d5cb3fdb5de01818019d6619cb0413762bceab797b145ec223823b78ef
Instruction Fuzzy Hash: 3F116335310210AFCA24DF55E855F5BB7A9EF88B11F00856DFA089B2C1C774ED41CBA5

Function 0040C370 Relevance: 6.1, APIs: 4, Instructions: 58windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 0040C37D

Part of subcall function 0040C1B0: IsChild.USER32(?,?), ref: 0040C22D
Part of subcall function 0040C1B0: GetParent.USER32(?), ref: 0040C247

SendMessageA.USER32(00000000,000000F0,00000000,00000000), ref: 0040C3D6
SendMessageA.USER32(00000000,000000F1,00000000,00000000), ref: 0040C3E6
GetWindow.USER32(00000000,00000002), ref: 0040C3EB

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSendWindow$ChildParent
String ID:
API String ID: 1043810220-0
Opcode ID: 145f0d3a9b869178ae5218c807a8c2a627e179a77aae20d3b09fa4e38e522a29
Instruction ID: 99231c256349c2797127f682fd8ec7daf1c786e823270622054ed53ba5885678
Opcode Fuzzy Hash: 145f0d3a9b869178ae5218c807a8c2a627e179a77aae20d3b09fa4e38e522a29
Instruction Fuzzy Hash: 9B019E31780712B7E231532A9CD2F6B62889F05B51F144336BA00FB2D0DEB8EC4182AD

Function 004316C0 Relevance: 6.1, APIs: 4, Instructions: 54windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 004316DB
SendMessageA.USER32(?,000083EB,?,00000000), ref: 00431705
SendMessageA.USER32(?,000083EC,?,00000000), ref: 00431719
SendMessageA.USER32(?,000083E9,?,00000000), ref: 0043173C

Part of subcall function 00472EBB: GetDlgCtrlID.USER32(?), ref: 00472EC5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$CtrlParent
String ID:
API String ID: 1383977212-0
Opcode ID: 211fd0bc9604e1843083b2a21d9fc25e92f4dc5456858df50df2e8805d773aaa
Instruction ID: 540c71cbf858ece50d3f8903fb4bbd945951bf7f01e309fb340de66e0fb79363
Opcode Fuzzy Hash: 211fd0bc9604e1843083b2a21d9fc25e92f4dc5456858df50df2e8805d773aaa
Instruction Fuzzy Hash: 4401A272300A043BD220AB6A8CC5D6FB3ADAB88B45F00951EF94587380CF78EC5247AC

Function 0046F244 Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 0046F278
GetCurrentProcess.KERNEL32(?,00000000), ref: 0046F27E
DuplicateHandle.KERNEL32(00000000), ref: 0046F281
GetLastError.KERNEL32(00000000), ref: 0046F29B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CurrentProcess$DuplicateErrorHandleLast
String ID:
API String ID: 3907606552-0
Opcode ID: d5be78a5a9ffa7bb3368211642469d21c2560c98dad82d779693b8270ace0d8a
Instruction ID: 999837c0a534540ba74d3985ec56a04dc1240e5ead70b6802b2cda7a1f1c2ef1
Opcode Fuzzy Hash: d5be78a5a9ffa7bb3368211642469d21c2560c98dad82d779693b8270ace0d8a
Instruction Fuzzy Hash: 1301B535700200BFEB009BA69C4AF5A77A8DB44760F144566B504CB281EA74DC008B65

Function 0046DB27 Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

WindowFromPoint.USER32(?,?), ref: 0046DB3F
GetParent.USER32(00000000), ref: 0046DB4C
ScreenToClient.USER32(00000000,?), ref: 0046DB6D
IsWindowEnabled.USER32(00000000), ref: 0046DB86

Part of subcall function 0047604D: GetWindowLongA.USER32(00000000,000000F0), ref: 0047605E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$ClientEnabledFromLongParentPointScreen
String ID:
API String ID: 2204725058-0
Opcode ID: 325d66464dd7a64aefd51706e4ba7b3f3ec450699830482118621c08b8e11575
Instruction ID: df30993927777f8ad7f382727246406235e2fca1b2d15a2e502e3938ebe23b43
Opcode Fuzzy Hash: 325d66464dd7a64aefd51706e4ba7b3f3ec450699830482118621c08b8e11575
Instruction Fuzzy Hash: 6C01B136F00500AB97129B598C04CAF7BB9AF8AB00B0541A9F909D7365EB38DD00876E

Function 00403330 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,00000030,?,00000001), ref: 00403361
SendMessageA.USER32(?,00000030,?,00000001), ref: 00403379
GetStockObject.GDI32(00000011), ref: 00403383
SendMessageA.USER32(?,00000030,00000000,00000001), ref: 004033A3

Part of subcall function 00403170: CreateFontIndirectA.GDI32 ref: 004031B9

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$CreateFontIndirectObjectStock
String ID:
API String ID: 1613733799-0
Opcode ID: b381d9cbc370a518bdf43b441d41deb483e7112a0289bcdf52c8af668466c4c4
Instruction ID: d1385cb9261396452669f9ef4b792f420375828b3885eab77eeab1eb86f4703a
Opcode Fuzzy Hash: b381d9cbc370a518bdf43b441d41deb483e7112a0289bcdf52c8af668466c4c4
Instruction Fuzzy Hash: 9F018C32600310BFCA249F55EC85F9B77A8AB8C751F048899BA089B291C774E982CB94

Function 00471BFC Relevance: 6.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00471C07
GetTopWindow.USER32(00000000), ref: 00471C1A
GetTopWindow.USER32(?), ref: 00471C4A
GetWindow.USER32(00000000,00000002), ref: 00471C65

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$Item
String ID:
API String ID: 369458955-0
Opcode ID: dfbf3c8c7133d74f8c74a1b88c14f28744946eee32cf8d557940050751d64f2b
Instruction ID: a4c218d716b5ca78357df39762d93a9a33c1596fd186214618d108bcae8056c6
Opcode Fuzzy Hash: dfbf3c8c7133d74f8c74a1b88c14f28744946eee32cf8d557940050751d64f2b
Instruction Fuzzy Hash: DE012C36541219BB8B232AEA8D04EDF3A69AF05354B008126FD0895235E739D9219A9E

Function 00471C75 Relevance: 6.0, APIs: 4, Instructions: 49windowCOMMON

Download Yara Rule

APIs

GetTopWindow.USER32(?), ref: 00471C83
SendMessageA.USER32(00000000,?,?,?), ref: 00471CB9
GetTopWindow.USER32(00000000), ref: 00471CC6
GetWindow.USER32(00000000,00000002), ref: 00471CE4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Window$MessageSend
String ID:
API String ID: 1496643700-0
Opcode ID: 87ecd8becfdf74685b7d5a847408602a01fcef66dd1b456cf018814a94ab515e
Instruction ID: 8ba4a1963ff69dc407699250a72c5a5566811bb333ec61e803665851ee7ec41c
Opcode Fuzzy Hash: 87ecd8becfdf74685b7d5a847408602a01fcef66dd1b456cf018814a94ab515e
Instruction Fuzzy Hash: 3601C53204111ABFCF135FEA9D04EDF3A6AAF49354F048116FA1855170C73AC975EBAA

Function 0047375E Relevance: 6.0, APIs: 4, Instructions: 48windowCOMMON

Download Yara Rule

APIs

EnableMenuItem.USER32(?,?,?), ref: 00473786
GetFocus.USER32 ref: 00473799
GetParent.USER32(?), ref: 004737A7
GetNextDlgTabItem.USER32(?,?,00000000), ref: 004737C3

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Item$EnableFocusMenuNextParent
String ID:
API String ID: 988757621-0
Opcode ID: b3cda74f283bd009cbc987943bae5c8559ec8ebddd00a65f8e60685c3e6d2db6
Instruction ID: eaba97e0d48e236c4db810f6fd8c62ac19126298ef55d58a7656c9f4248eace0
Opcode Fuzzy Hash: b3cda74f283bd009cbc987943bae5c8559ec8ebddd00a65f8e60685c3e6d2db6
Instruction Fuzzy Hash: 6C11E5B0100600ABCB389F21DC19B96B7B5FF44316F10CA2EF10A876E0C778E881DB18

Function 004769CF Relevance: 6.0, APIs: 4, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegSetValueExA.ADVAPI32(00000000,?,00000000,00000004,?,00000004,?,?), ref: 004769FB
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00476A04
wsprintfA.USER32 ref: 00476A20
WritePrivateProfileStringA.KERNEL32(?,?,?,?), ref: 00476A39

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ClosePrivateProfileStringValueWritewsprintf
String ID:
API String ID: 1902064621-0
Opcode ID: fc0ad157b7e78f17d5a957f600bec3d2b7ca1d61fdf86a63d9dbccc114d47a23
Instruction ID: 92e10222cf41bb7483216f482d675fa0dc51b9fa4044e1bf7279688194489f60
Opcode Fuzzy Hash: fc0ad157b7e78f17d5a957f600bec3d2b7ca1d61fdf86a63d9dbccc114d47a23
Instruction Fuzzy Hash: 2001A732400615BBCB119F69DC09FEA37A9FF08714F058925FA19A60A1E774C954CB98

Function 00472364 Relevance: 6.0, APIs: 4, Instructions: 43COMMON

Download Yara Rule

APIs

GetObjectA.GDI32(00000000,0000000C,?), ref: 004723A2
SetBkColor.GDI32(00000000,00000000), ref: 004723AE
GetSysColor.USER32(00000008), ref: 004723BE
SetTextColor.GDI32(00000000,?), ref: 004723C8

Part of subcall function 0047604D: GetWindowLongA.USER32(00000000,000000F0), ref: 0047605E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Color$LongObjectTextWindow
String ID:
API String ID: 2871169696-0
Opcode ID: b3ce9fb2d4edf940657979981ab9740bba6fb143ae987ee270cc982b75bde426
Instruction ID: 094a5e41216780c41e7cde4621db9281937d90c070e2422b2e62423b94a6af8c
Opcode Fuzzy Hash: b3ce9fb2d4edf940657979981ab9740bba6fb143ae987ee270cc982b75bde426
Instruction Fuzzy Hash: 82011631100108AAEB215F64DE49AEB3A69EB05314F148522FE49C42E0D7FCCDD1CAA9

Function 004330A0 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 43COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 004330E3
wsprintfA.USER32 ref: 004330F9

Strings

gfff, xrefs: 004330AB
%d.%d, xrefs: 004330F3

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf
String ID: %d.%d$gfff
API String ID: 2111968516-3773932281
Opcode ID: 726acaec74f80256bc2c3c842c022e5510e74cfb2faa768e2e751dc032b80df0
Instruction ID: dcaa442792e7332df1c78b27ea8138c1a56273145b4272eac388030050826dc0
Opcode Fuzzy Hash: 726acaec74f80256bc2c3c842c022e5510e74cfb2faa768e2e751dc032b80df0
Instruction Fuzzy Hash: 66F0247170020117CB5CA92FBC09E2B6ADAABDD711F05D43EF848C73A4D920CC55826A

Function 004754EF Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00475500
GetViewportExtEx.GDI32(?,?), ref: 0047550D
MulDiv.KERNEL32(?,00000000,00000000), ref: 00475532
MulDiv.KERNEL32(?,00000000,00000000), ref: 0047554D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 571716c79385d20e348a18ffc13fb78570a109d190cfbb7ee9f06541a60c68b1
Instruction ID: 013b764b8b9bf525ddad80fd9580751997d1c977fe925d8dcbbbb489f5861c78
Opcode Fuzzy Hash: 571716c79385d20e348a18ffc13fb78570a109d190cfbb7ee9f06541a60c68b1
Instruction Fuzzy Hash: 40F01972400108FFEB156FA6DC06CBEBBBDEF84314714446AF855A2170EBB16D919B54

Function 00475486 Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

GetWindowExtEx.GDI32(?,?), ref: 00475497
GetViewportExtEx.GDI32(?,?), ref: 004754A4
MulDiv.KERNEL32(?,00000000,00000000), ref: 004754C9
MulDiv.KERNEL32(?,00000000,00000000), ref: 004754E4

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ViewportWindow
String ID:
API String ID: 1589084482-0
Opcode ID: 4a6ddf3751999627245c6cde4bd7235e683cbf2f83b7b642d668678ebe907c7e
Instruction ID: b83f3d294a014b6c0088081f1b44c6774cc366d695e83ae767d7337ed8ece844
Opcode Fuzzy Hash: 4a6ddf3751999627245c6cde4bd7235e683cbf2f83b7b642d668678ebe907c7e
Instruction Fuzzy Hash: 0FF01972400108FFEB156FA6DC06CBEBBBDEF84314714446AF855A2170EBB16D919B54

Function 00431030 Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 0043103F
PtInRect.USER32(?,?,?), ref: 00431054

Part of subcall function 00472F8D: IsWindowEnabled.USER32(?), ref: 00472F97

Part of subcall function 00431470: UpdateWindow.USER32(00000002), ref: 0043148D

GetCapture.USER32 ref: 0043107C
SetCapture.USER32(00000002), ref: 00431087

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CaptureRectWindow$ClientEnabledUpdate
String ID:
API String ID: 2789096292-0
Opcode ID: fa1da7a3efae173f74f852fcacd5a1825098a7b72e9f9c9afe24be9448ddf417
Instruction ID: 7d88b7821c56a43d216db115622f8a789ed349cb59e89345c147afa06e3100a4
Opcode Fuzzy Hash: fa1da7a3efae173f74f852fcacd5a1825098a7b72e9f9c9afe24be9448ddf417
Instruction Fuzzy Hash: F3F0AF31200210ABD324EB35C814AAB73B9AF4C304F04896EF54AC7660DA78E9448BA9

Function 00407B20 Relevance: 6.0, APIs: 4, Instructions: 35registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000001,00000000,00000000), ref: 00407B3A
RegQueryValueA.ADVAPI32 ref: 00407B5E
lstrcpyA.KERNEL32(?,00000000), ref: 00407B71
RegCloseKey.ADVAPI32(?), ref: 00407B7C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CloseOpenQueryValuelstrcpy
String ID:
API String ID: 534897748-0
Opcode ID: 51dff40d8cc40da5b33e30ba0cd3c8cb277f1bfc2107e128c5c32cfdb7d591bd
Instruction ID: b9b3f4313f96ffdd46708bef30dd3b79fe0128a5e7223f99eaad39686f88097c
Opcode Fuzzy Hash: 51dff40d8cc40da5b33e30ba0cd3c8cb277f1bfc2107e128c5c32cfdb7d591bd
Instruction Fuzzy Hash: FAF04475104311BFD310CB10DC88EABB7A8FB88758F008A1DF98882250D674E845CBE2

Function 00476137 Relevance: 6.0, APIs: 4, Instructions: 29stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?), ref: 00476144
GetWindowTextA.USER32(?,?,00000100), ref: 00476160
lstrcmpA.KERNEL32(?,?), ref: 00476174
SetWindowTextA.USER32(?,?), ref: 00476184

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: TextWindow$lstrcmplstrlen
String ID:
API String ID: 330964273-0
Opcode ID: 1e61338f66f2b11ccf9ac46d25b54f1ba909cb0ed878d9606b01f73928ccd846
Instruction ID: 4e45f641c83870c70c0602827637ca8ba9e7bda9a5fab4687a2ae46c6bd33d88
Opcode Fuzzy Hash: 1e61338f66f2b11ccf9ac46d25b54f1ba909cb0ed878d9606b01f73928ccd846
Instruction Fuzzy Hash: 4EF01231400019BBDF226F65DC08ADE7BBEFB18354F04C261F94DD5121E775D9948B98

Function 00411090 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 291COMMON

Download Yara Rule

Strings

<, xrefs: 0041141A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID: <
API String ID: 0-4251816714
Opcode ID: 0ef77c1c9032f06d7372ead74b68106123d7bf082f805283cde4acc8fa3b92e6
Instruction ID: e4d34aaf3648685e5f780ef28b4a04f786084afde42fe752f16707c7bbec4670
Opcode Fuzzy Hash: 0ef77c1c9032f06d7372ead74b68106123d7bf082f805283cde4acc8fa3b92e6
Instruction Fuzzy Hash: 33B1A6756087418FD724CF24D880AAFB7E1BBC4710F148A2EF59AD7390DB78D9898B46

Function 0042C7A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CopyRect.USER32(?,00000000), ref: 0042C900
IsRectEmpty.USER32(?), ref: 0042C90B

Part of subcall function 004299E0: CreateFontIndirectA.GDI32(?), ref: 00429B0C

Part of subcall function 00440830: CreateSolidBrush.GDI32(?), ref: 004408BA
Part of subcall function 00440830: SendMessageA.USER32(?,00000030,00000000,00000000), ref: 004408FE
Part of subcall function 00440830: SendMessageA.USER32(?,000000B1,?,000000FF), ref: 00440934
Part of subcall function 00440830: SendMessageA.USER32(?,000000B7,00000000,00000000), ref: 00440943

Strings

{G, xrefs: 0042C9B6

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend$CreateRect$BrushCopyEmptyFontIndirectSolid
String ID: {G
API String ID: 4199050670-3571685011
Opcode ID: 9ad6e90b4d5a9ae19aeef5229ef50a92100e877003cdeacf827c247afee2ad7c
Instruction ID: c7139165f28e0703f6a93c9df7a555252ea23200c76cc90fe26c43bd355f1b50
Opcode Fuzzy Hash: 9ad6e90b4d5a9ae19aeef5229ef50a92100e877003cdeacf827c247afee2ad7c
Instruction Fuzzy Hash: C361C1713047519FD314EB25D881B6FB7E9BBC8708F40491EF68683281EBB9E905CB66

Function 0045E982 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0045EA12

Strings

pow, xrefs: 0045E9EA, 0045EA07

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 79abda82b6e6bcc5b323e160c56f3bd1441a990690187c866d4e535ca946c0fb
Instruction ID: 07b60d9d6d391903503546d032327eb1da97fabfba7b12ac2b2e0557b97bed5c
Opcode Fuzzy Hash: 79abda82b6e6bcc5b323e160c56f3bd1441a990690187c866d4e535ca946c0fb
Instruction Fuzzy Hash: FB513E61A0820186CF197719C9153AF2B94AB91752F204D6FE8D68139AFF3C8FC9964F

Function 0040CBF0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 172COMMON

Download Yara Rule

APIs

Part of subcall function 004105F0: GetCurrentThreadId.KERNEL32 ref: 00410615
Part of subcall function 004105F0: IsWindow.USER32(0002041E), ref: 00410631
Part of subcall function 004105F0: SendMessageA.USER32(0002041E,000083E7,0040FF21,00000000), ref: 0041064A
Part of subcall function 004105F0: ExitProcess.KERNEL32 ref: 0041065F

DeleteCriticalSection.KERNEL32(004B01D8,?,?,?,?,?,?,?,?,00417D0D), ref: 0040CC2A

Part of subcall function 00470C23: __EH_prolog.LIBCMT ref: 00470C28

Strings

!, xrefs: 0040CC18
#, xrefs: 0040CEA3

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalCurrentDeleteExitH_prologMessageProcessSectionSendThreadWindow
String ID: !$#
API String ID: 2888814780-2504090897
Opcode ID: ce1f1680f4aaae5f46ceddd48af2570be2d857b3217d1f20b94eecd4909050b8
Instruction ID: 3294320f5568bbef6a3f57c5de1bd692618631a2650eb10facad980c1cdf9fce
Opcode Fuzzy Hash: ce1f1680f4aaae5f46ceddd48af2570be2d857b3217d1f20b94eecd4909050b8
Instruction Fuzzy Hash: D6914430108781CAD311EF75C89479ABFD4AF65348F24485EE4D5077E2DBB86289C7AB

Function 004237F0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

, xrefs: 00423829

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 97a0096d0e9066808b8d12b38eca8700c9b5eb78bf0c0bc251973465f3748fed
Instruction ID: 5c8148b81eeefaff2ab891f95ee4f673f6a7270865dac29f859b649bddc57583
Opcode Fuzzy Hash: 97a0096d0e9066808b8d12b38eca8700c9b5eb78bf0c0bc251973465f3748fed
Instruction Fuzzy Hash: 1B519D702043519BC318EF15D891B6BB7B4FB95318F400A2EF98297290D77DEA85CB9A

Function 004629FE Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(?,00000000), ref: 00462A12

Strings

, xrefs: 00462A5B
, xrefs: 00462A37

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: Info
String ID: $
API String ID: 1807457897-3032137957
Opcode ID: 1f45f7a7fa829b99f548bd1174548fbf4b63e45b80e0fde66b5c5e55835931fb
Instruction ID: 6625f577d2f2fa936e984161e48ee7ab07ee3242223aed92965eb1a162777bc0
Opcode Fuzzy Hash: 1f45f7a7fa829b99f548bd1174548fbf4b63e45b80e0fde66b5c5e55835931fb
Instruction Fuzzy Hash: 7E4178300006583FEB168F14DF49BFB3FA8EB02B00F1405E6D549DB152E2E94945CB6B

Function 00423581 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 99COMMON

Download Yara Rule

Strings

, xrefs: 004235C5

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: b9a9978473757b270397097aafd61809124a5eef5ee263eb2a308dc62c2f3b22
Instruction ID: 9fff643caf23e2bd7c31c38051c62da9ceff3fa422d2552c359275c1ffcfc8e6
Opcode Fuzzy Hash: b9a9978473757b270397097aafd61809124a5eef5ee263eb2a308dc62c2f3b22
Instruction Fuzzy Hash: 90319C71208340AFC724DF24C855B6BB7B8FB94724F404A2EF89A932D0DB7C99458B5A

Function 0040AEB0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 81COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 0040AF0A

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

FillRect.USER32(?,?,00000000), ref: 0040AF37

Strings

{G, xrefs: 0040AF3D

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologRect$BeginBrushClipCreateEmptyFillPaintSolid
String ID: {G
API String ID: 3827101677-3571685011
Opcode ID: 332b3114cde0c664f3450cbd4e44e6c449da53eaf72912fff1717aea26660e97
Instruction ID: b65c2cb78114414b4b55834f36ad40b8d9750f85b4ba736a483b962f015a64b6
Opcode Fuzzy Hash: 332b3114cde0c664f3450cbd4e44e6c449da53eaf72912fff1717aea26660e97
Instruction Fuzzy Hash: 2231DE711087409FD314EB20C845BABB7E8BF98708F10891EF5AA832D1DB78D909CB57

Function 00404400 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 00404464

Part of subcall function 00403150: GetSysColor.USER32(0000000F), ref: 0040315D

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

FillRect.USER32(?,?,00000000), ref: 00404496

Strings

{G, xrefs: 0040449C

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologRect$BeginBrushClipColorCreateEmptyFillPaintSolid
String ID: {G
API String ID: 534515830-3571685011
Opcode ID: 6cc70bf8fc6be45240e3f1059919c46bdf60acbf9e1727b0232990cb4b7903df
Instruction ID: eda853122e66ec4d42d2be3f7bcdb710e208ea87e98134810cc0b9e3f011e480
Opcode Fuzzy Hash: 6cc70bf8fc6be45240e3f1059919c46bdf60acbf9e1727b0232990cb4b7903df
Instruction Fuzzy Hash: 0E21AF71104B409FD324EF24C881B9BB7E8BB88714F04892EF5AA87291DB78E904CB56

Function 004711C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 004793DD: LeaveCriticalSection.KERNEL32(?,00478757,00000010,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D,00473902,00474B9E), ref: 004793F5

Part of subcall function 004618CC: RaiseException.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,0045E895,00000000), ref: 004618FA

wsprintfA.USER32 ref: 0047120C
wsprintfA.USER32 ref: 00471228
GetClassInfoA.USER32(?,-00000058,?), ref: 00471237

Strings

Afx:%x:%x, xrefs: 00471206

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf$ClassCriticalExceptionInfoLeaveRaiseSection
String ID: Afx:%x:%x
API String ID: 2529146597-2071556601
Opcode ID: f5fbae6b152986dd37ab2e304f9743e20982623c29c9a526437c5266a1d0947a
Instruction ID: ac0b7e22ee2b8a44dd3eae4e3d69ced168585397ea25a4a99e559311276b517a
Opcode Fuzzy Hash: f5fbae6b152986dd37ab2e304f9743e20982623c29c9a526437c5266a1d0947a
Instruction Fuzzy Hash: B61106B1A002099F8B10EFA9D8819DF7BB8EF49754F00846FF908F3252D7749D418BA9

Function 00403CC0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(004797A8,000000B1,00000000,000000FF), ref: 00403D4D
SendMessageA.USER32(004797A8,000000B7,00000000,00000000), ref: 00403D5C

Strings

e<@, xrefs: 00403D24, 00403D5E, 00403D0F, 00403D13, 00403D2A

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MessageSend
String ID: e<@
API String ID: 3850602802-3027429558
Opcode ID: 478561387be486a0022da4f9f7afa3c318ba93620d5ed7217bd53916df91acd7
Instruction ID: 4b96ce89c654f172c15030c877faaaa34ba7fc892a990af0e9f121e6f53e3606
Opcode Fuzzy Hash: 478561387be486a0022da4f9f7afa3c318ba93620d5ed7217bd53916df91acd7
Instruction Fuzzy Hash: 2C116675204701ABD624DF59DC41F5BB7E9EBC4720F504B1EF469933D1CB78A4048B65

Function 0043F7F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57windowCOMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

GetSysColor.USER32(0000000F), ref: 0043F82F

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

Part of subcall function 00474E54: SelectObject.GDI32(?,00000000), ref: 00474E76
Part of subcall function 00474E54: SelectObject.GDI32(?,?), ref: 00474E8C

PatBlt.GDI32(?,?,?,?,?,00F00021), ref: 0043F876

Part of subcall function 00475732: __EH_prolog.LIBCMT ref: 00475737
Part of subcall function 00475732: EndPaint.USER32(?,?,?,?,004044C3), ref: 00475754

Strings

@:H, xrefs: 0043F88E

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prolog$ObjectPaintSelect$BeginBrushClipColorCreateSolid
String ID: @:H
API String ID: 415473069-3530900233
Opcode ID: bd2f79d70b1d33d99e29aa7d0f9786cc81a2d0525891297639d8b3e778b40fdc
Instruction ID: 9ff5c8500a71caad46ced88581fa529837769109e8be9653b3aca52aac8c7535
Opcode Fuzzy Hash: bd2f79d70b1d33d99e29aa7d0f9786cc81a2d0525891297639d8b3e778b40fdc
Instruction Fuzzy Hash: 611124751087819FC314EF25C945FAFB7E8FBC8B14F508A1DB1A952191DB749508CF62

Function 00476D75 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00476D7A
GetObjectA.GDI32(00000000,00000018,?), ref: 00476DD2

Strings

DpH, xrefs: 00476DC1

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologObject
String ID: DpH
API String ID: 3423075018-3756674138
Opcode ID: 64d05f1bb01888e774c567fe176ce7e2e0cb5a2a1bf24d040ea076939102a5ab
Instruction ID: aeb51b9854b578879b8083d645be19d4ba8def33ff3b444e724e4f15a4768254
Opcode Fuzzy Hash: 64d05f1bb01888e774c567fe176ce7e2e0cb5a2a1bf24d040ea076939102a5ab
Instruction Fuzzy Hash: 4B119E71D00219DFDB10EF94C5467EEBBF4AB08318F10845FE25966281D7B85A48CBA5

Function 0040A9F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 004756C0: __EH_prolog.LIBCMT ref: 004756C5
Part of subcall function 004756C0: BeginPaint.USER32(?,?,?,?,00404449), ref: 004756EE

Part of subcall function 00475271: GetClipBox.GDI32(?,?), ref: 00475278

IsRectEmpty.USER32(?), ref: 0040AA2D

Part of subcall function 00403150: GetSysColor.USER32(0000000F), ref: 0040315D

Part of subcall function 004758BD: __EH_prolog.LIBCMT ref: 004758C2
Part of subcall function 004758BD: CreateSolidBrush.GDI32(?), ref: 004758DF

FillRect.USER32(?,?,00000000), ref: 0040AA60

Strings

{G, xrefs: 0040AA66

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: H_prologRect$BeginBrushClipColorCreateEmptyFillPaintSolid
String ID: {G
API String ID: 534515830-3571685011
Opcode ID: 25cfb411c0ee6e53101ce97ec15270f73fbdee94bd690124cfe4ecdb1d3871dc
Instruction ID: b21b1ab198cc4714b57b9dbd1a000f6c24dd9d6ea18912fe6788e50a64bd8fd1
Opcode Fuzzy Hash: 25cfb411c0ee6e53101ce97ec15270f73fbdee94bd690124cfe4ecdb1d3871dc
Instruction Fuzzy Hash: 7411C2750087419FD310EF61C845B9BBBE8BB88714F008A1DF0A9872E1D738D108CB57

Function 0045E379 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000000), ref: 0045E3B2
GetSystemMetrics.USER32(00000001), ref: 0045E3BA

Strings

2E, xrefs: 0045E39B

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: MetricsSystem
String ID: 2E
API String ID: 4116985748-167809362
Opcode ID: 148c55d7586aed904f4d4d85d437106f34062a38e86c70719aa7b0c2acae6878
Instruction ID: 2bdbd630e03ba0b737fd061a206323a585cc4e18d4a27ca101fbc6e211eff9ae
Opcode Fuzzy Hash: 148c55d7586aed904f4d4d85d437106f34062a38e86c70719aa7b0c2acae6878
Instruction Fuzzy Hash: 20F0B4315043029BC7145B338C0452B77E0AF40356F009C3EEC8DC3112D738DA99EB19

Function 00418B00 Relevance: 5.1, APIs: 4, Instructions: 97COMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00418B91
wsprintfA.USER32 ref: 00418BAB
wsprintfA.USER32 ref: 00418BC6

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: wsprintf
String ID:
API String ID: 2111968516-0
Opcode ID: 35670cdead2fa83049b43a5f0db82a9ecfbdb62e989ddf4084d72aa93f1cba6a
Instruction ID: 022c10e16cd42a8496bddf6fa281b83baac9c18ed18ae0e1480528b09a5034f2
Opcode Fuzzy Hash: 35670cdead2fa83049b43a5f0db82a9ecfbdb62e989ddf4084d72aa93f1cba6a
Instruction Fuzzy Hash: 4D31A6B15043045BC714EBA5DC4696BB7E8EFC4758F440A2EFC4693281DB78DA0CC6AA

Function 00478598 Relevance: 5.1, APIs: 4, Instructions: 62COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 004785F5
LeaveCriticalSection.KERNEL32(?,?), ref: 00478605
LocalFree.KERNEL32(?), ref: 0047860E
TlsSetValue.KERNEL32(?,00000000), ref: 00478624

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalSection$EnterFreeLeaveLocalValue
String ID:
API String ID: 2949335588-0
Opcode ID: f28c30fc6bb44c5fb5e22719fb12d57e68b858e0a19089bb051bb97f40dc37cd
Instruction ID: 71dfc4f125e8e4c66911367d8f6e90dbacb850f38886afb3cd899fb528521bd2
Opcode Fuzzy Hash: f28c30fc6bb44c5fb5e22719fb12d57e68b858e0a19089bb051bb97f40dc37cd
Instruction Fuzzy Hash: 82217C31240200EFD7258F55C889FAA77A4FF45716F10C4AEE94A8B2A1CB75EC81DB59

Function 0046762A Relevance: 5.1, APIs: 4, Instructions: 53memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

HeapReAlloc.KERNEL32(00000000,00000050,00000000,00000000,004673F2,00000000,00000000,00000000,004600F3,00000000,00000000,?,00000000,00000000,00000000), ref: 00467652
HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,004673F2,00000000,00000000,00000000,004600F3,00000000,00000000,?,00000000,00000000,00000000), ref: 00467686
VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 004676A0
HeapFree.KERNEL32(00000000,?), ref: 004676B7

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: AllocHeap$FreeVirtual
String ID:
API String ID: 3499195154-0
Opcode ID: 6a80b545e210785e7bc9b5b21007a2d53f64a474a3cc50a47844b51dc295dd3d
Instruction ID: 1569e956c1bcc6d4d651f89205a553c5063f52a36a4c5c62ef713cd455ea894f
Opcode Fuzzy Hash: 6a80b545e210785e7bc9b5b21007a2d53f64a474a3cc50a47844b51dc295dd3d
Instruction Fuzzy Hash: 76115E70200A019FD7218F29FD49E22BBB6FB857247104B7EF556C61B0E7B19852CF18

Function 0047936D Relevance: 5.0, APIs: 4, Instructions: 36COMMONLIBRARYCODE

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(004B2080,?,00000000,?,?,00478740,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D), ref: 004793A8
InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00478740,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D), ref: 004793BA
LeaveCriticalSection.KERNEL32(004B2080,?,00000000,?,?,00478740,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D), ref: 004793C3
EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00478740,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D,00473902), ref: 004793D5

Part of subcall function 004792DA: GetVersion.KERNEL32(?,0047937D,?,00478740,00000010,?,00000000,?,?,?,00478127,0047818A,00477A10,0047812D,00473902,00474B9E), ref: 004792ED

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalSection$Enter$InitializeLeaveVersion
String ID:
API String ID: 1193629340-0
Opcode ID: 97af587a0d615ece02715b3eac0e54bfabc6143ab94a940ce4b1fd7d5a70aa71
Instruction ID: c0b93adcec86117fa3bbc01ddcd569223f428ac1a076b41e6c3e7c6d34bc39cc
Opcode Fuzzy Hash: 97af587a0d615ece02715b3eac0e54bfabc6143ab94a940ce4b1fd7d5a70aa71
Instruction Fuzzy Hash: 5EF0AF3100121ADFCB10AF65EDC0997B36CFB29316B004A77EB4A82151D775E859CBAD

Function 00465D1B Relevance: 5.0, APIs: 4, Instructions: 12COMMON

Download Yara Rule

APIs

InitializeCriticalSection.KERNEL32(?,00463369,?,0045E825), ref: 00465D28
InitializeCriticalSection.KERNEL32(?,00463369,?,0045E825), ref: 00465D30
InitializeCriticalSection.KERNEL32(?,00463369,?,0045E825), ref: 00465D38
InitializeCriticalSection.KERNEL32(?,00463369,?,0045E825), ref: 00465D40

Memory Dump Source

Source File: 00000000.00000002.2602895491.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2602878041.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602941671.000000000047E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602963051.0000000000492000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602978778.0000000000494000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2602994472.0000000000496000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603012115.000000000049F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004A3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603029037.00000000004AF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2603064319.00000000004B4000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_1234.jbxd

Similarity

API ID: CriticalInitializeSection
String ID:
API String ID: 32694325-0
Opcode ID: 471fcd2a1b1e3fbc5eb403a6c625a231d5615071601774e15f0ba4e9f189fc15
Instruction ID: b2ca5c31d38118f803cb720cea96af15c1fc76be6fd6f3540f81322a5aa707ed
Opcode Fuzzy Hash: 471fcd2a1b1e3fbc5eb403a6c625a231d5615071601774e15f0ba4e9f189fc15
Instruction Fuzzy Hash: 6FC002318010349ACE152B75FD05C493F25FB0637030542B3A509521748E321C51DFD8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 1234.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 1234.exePID: 7492, Parent PID: 4056

General

Chronological Activities

Disassembly

Windows Analysis Report
1234.exe

Function 00435AE0 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370
commemorythreadCOMMON

Function 0047919A Relevance: 6.1, APIs: 4, Instructions: 63
COMMON

Function 0047086D Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 170
stringCOMMON

Function 00416580 Relevance: 19.7, APIs: 13, Instructions: 187
windowCOMMON

Function 00470692 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 99
COMMON

Function 00478323 Relevance: 15.1, APIs: 10, Instructions: 99
memoryCOMMONLIBRARYCODE

Function 004131A0 Relevance: 13.8, APIs: 9, Instructions: 289
COMMON

Function 00474B3B Relevance: 9.0, APIs: 6, Instructions: 35
COMMON

Function 00405E50 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 207
windowCOMMON

Function 00413080 Relevance: 6.1, APIs: 4, Instructions: 94
windowCOMMON

Function 0040F1F0 Relevance: 4.6, APIs: 3, Instructions: 110
windowCOMMON

Function 00473E6F Relevance: 4.5, APIs: 3, Instructions: 29
windowCOMMON

Function 00478EEC Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Function 004635A6 Relevance: 3.0, APIs: 2, Instructions: 30
memoryCOMMON

Function 004199B0 Relevance: 3.0, APIs: 2, Instructions: 28
COMMON