
Windows Analysis Report
51FZ8pgLbe.exe

Overview

General Information

Sample name: 51FZ8pgLbe.exe (renamed because original name is a hash value)
Original sample name: 9C29717F4D12C30226F5F0FB1BD13FE5.exe
Analysis ID: 1580950
MD5: 9c29717f4d12c30226f5f0fb1bd13fe5
SHA1: b4a9c7a926d7bb950de71477186b4d78bca63fbb
SHA256: 272bf955c164d64065dde62da7d5ec609c504b67cbd776a79aa28c34117c3887
Tags: exe, ValleyRAT, user-abuse_ch

Detection

Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to retrieve information about pressed keystrokes
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (may stop execution after accessing registry keys)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Program does not show much activity (idle)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Communication To Uncommon Destination Ports
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 51FZ8pgLbe.exe (PID: 6976 cmdline: "C:\Users\user\Desktop\51FZ8pgLbe.exe" MD5: 9C29717F4D12C30226F5F0FB1BD13FE5)
  • cleanup
No configs have been found
No yara matches
Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 116.198.232.205, DestinationIsIpv6: false, DestinationPort: 8888, EventID: 3, Image: C:\Users\user\Desktop\51FZ8pgLbe.exe, Initiated: true, ProcessId: 6976, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49730

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-26T13:52:06.117047+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49730 | 116.198.232.205 | 8888 | TCP
2024-12-26T13:53:13.444343+0100 | 2052875 | 1 | A Network Trojan was detected | 192.168.2.4 | 49772 | 116.198.232.205 | 6666 | TCP


AV Detection

Source: 51FZ8pgLbe.exe; Virustotal: Detection: 60%
Source: 51FZ8pgLbe.exe; ReversingLabs: Detection: 57%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: 51FZ8pgLbe.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 51FZ8pgLbe.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0056A6C3 __EH_prolog3_GS, GetFullPathNameW, PathIsUNCW, GetVolumeInformationW, CharUpperW, FindFirstFileW, FindClose, lstrlenW

Networking

Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49730 -> 116.198.232.205:8888
Source: Network traffic; Suricata IDS: 2052875 - Severity 1 - ET MALWARE Anonymous RAT CnC Checkin : 192.168.2.4:49772 -> 116.198.232.205:6666
Source: global traffic; TCP traffic: 192.168.2.4:49730 -> 116.198.232.205:8888
Source: Joe Sandbox View; ASN Name: CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian
Source: unknown; TCP traffic detected without corresponding DNS query: 116.198.232.205
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00533507 recv, SetLastError, WSASetLastError, GetLastError, WSAGetLastError
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0055C213 __EH_prolog3_GS, GetParent, GetParent, GetParent, UpdateWindow, SetCursor, GetAsyncKeyState, UpdateWindow, InflateRect, SetCapture, SetCursor, IsWindow, GetCursorPos, ScreenToClient, PtInRect, RedrawWindow, GetParent, GetParent, GetParent, RedrawWindow, RedrawWindow, GetParent, GetParent, GetParent, InvalidateRect, UpdateWindow, UpdateWindow, SetCapture, RedrawWindow
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00598206 MessageBeep, SendMessageW, SendMessageW, SendMessageW, SendMessageW, GetKeyState, SendMessageW, GetKeyState, SendMessageW, SendMessageW, GetKeyState, GetKeyState, GetKeyState, GetKeyState, SendMessageW, SendMessageW, GetKeyState, SendMessageW, GetKeyState, SendMessageW, SendMessageW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0056C51E SendMessageW, UpdateWindow, GetKeyState, GetKeyState, GetKeyState, GetParent, PostMessageW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005E0863 GetWindowRect, GetKeyState, GetKeyState, GetKeyState, KillTimer, GetFocus, SetTimer
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0057688A IsWindow, SendMessageW, GetCapture, GetKeyState, GetKeyState, GetKeyState, ImmGetContext, ImmGetOpenStatus, ImmReleaseContext, GetFocus, IsWindow, IsWindow, IsWindow, ClientToScreen, IsWindow, ClientToScreen
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005749CC IsWindow, SendMessageW, GetCapture, GetKeyState, GetKeyState, GetKeyState, ImmGetContext, ImmGetOpenStatus, ImmReleaseContext, GetFocus, IsWindow, IsWindow, IsWindow, ClientToScreen, IsWindow, ClientToScreen
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B09E6 GetKeyState, GetKeyState, GetKeyState, GetKeyState
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00598DC6 GetParent, GetKeyState, GetKeyState, GetKeyState, SendMessageW, SendMessageW, SendMessageW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0056207D
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005CE67D
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00644E6C
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00636F6B
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_006398A3
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: String function: 00635E4B appears 208 times
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: String function: 006363B0 appears 33 times
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: String function: 00635EB4 appears 54 times
Source: 51FZ8pgLbe.exe, 00000000.00000000.1676149608.0000000000823000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs 51FZ8pgLbe.exe
Source: 51FZ8pgLbe.exe; Binary or memory string: OriginalFilenameMiniCADSee_X64.exe0 vs 51FZ8pgLbe.exe
Source: 51FZ8pgLbe.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine; Classification label: mal60.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0054A66C CoInitialize, CoCreateInstance
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0053A4D3 FindResourceW, LoadResource, LockResource, FreeResource
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Mutant created: \Sessions\1\BaseNamedObjects\MyUniqueMutexName
Source: 51FZ8pgLbe.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 51FZ8pgLbe.exe; Virustotal: Detection: 60%
Source: 51FZ8pgLbe.exe; ReversingLabs: Detection: 57%
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: winmm.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Section loaded: rasadhlp.dll
Source: 51FZ8pgLbe.exe; Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 51FZ8pgLbe.exe; Static file information: File size 3218944 > 1048576
Source: 51FZ8pgLbe.exe; Static PE information: Raw size of .text is bigger than: 0x100000 < 0x128a00
Source: 51FZ8pgLbe.exe; Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x173a00
Source: 51FZ8pgLbe.exe; Static PE information: More than 200 imports for USER32.dll
Source: 51FZ8pgLbe.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: 51FZ8pgLbe.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 51FZ8pgLbe.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 51FZ8pgLbe.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 51FZ8pgLbe.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 51FZ8pgLbe.exe; Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005310BE __floor_pentium4, LoadLibraryW, GetProcAddress, VirtualAlloc, _memmove, VirtualFree
Source: 51FZ8pgLbe.exe; Static PE information: real checksum: 0x314ee0 should be: 0x31a569
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_006363F5 push ecx; ret 0_2_00636408
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00635F23 push ecx; ret 0_2_00635F36
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00572018 IsIconic
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B22CB IsWindow, IsWindowVisible, GetWindowRect, PtInRect, GetAsyncKeyState, ScreenToClient, IsWindow, IsWindow, IsWindow, GetWindowRect, PtInRect, SendMessageW, PtInRect, SendMessageW, ScreenToClient, PtInRect, GetParent, SendMessageW, GetFocus, WindowFromPoint, SendMessageW, GetSystemMenu, IsMenu, EnableMenuItem, EnableMenuItem, EnableMenuItem, IsZoomed, IsIconic, EnableMenuItem, TrackPopupMenu, SendMessageW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0055CC9C SetRectEmpty, RedrawWindow, ReleaseCapture, SetCapture, ReleaseCapture, SetCapture, SendMessageW, UpdateWindow, SendMessageW, IsWindow, IsIconic, IsZoomed, IsWindow, UpdateWindow
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0056CD1F IsWindowVisible, IsIconic
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B2E90 IsIconic, PostMessageW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B0FB1 IsWindow, GetFocus, IsChild, SendMessageW, IsChild, SendMessageW, IsIconic, GetAsyncKeyState, GetAsyncKeyState, GetAsyncKeyState, GetAsyncKeyState, IsWindowVisible
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00535516 IsIconic, SendMessageW, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, GetClientRect, DrawIcon, GetWindowRect, ScreenToClient, ScreenToClient, ScreenToClient, GetDC, SelectObject
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B1A40 GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, IsIconic, GetWindowRect, IsIconic, GetSystemMetrics, OffsetRect, GetSystemMetrics, IsIconic, GetSystemMetrics, GetSystemMetrics
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005B1D40 IsWindowVisible, ScreenToClient, GetSystemMetrics, GetSystemMetrics, GetSystemMetrics, IsIconic, GetSystemMetrics, PtInRect, GetSystemMetrics, PtInRect, GetSystemMetrics, PtInRect
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00587DE2 GetClientRect, IsRectEmpty, IsIconic, BeginDeferWindowPos, GetClientRect, IsRectEmpty, IsRectEmpty, EqualRect, GetWindowRect, GetParent, EndDeferWindowPos
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00571F74 SetForegroundWindow, IsIconic
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0054B770 __EH_prolog3_GS, GetDeviceCaps, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, _memset, GetTextCharsetInfo, lstrcpyW, lstrcpyW, EnumFontFamiliesW, EnumFontFamiliesW, lstrcpyW, EnumFontFamiliesW, lstrcpyW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, GetSystemMetrics, lstrcpyW, CreateFontIndirectW, GetStockObject, GetStockObject, GetObjectW, GetObjectW, lstrcpyW, CreateFontIndirectW, CreateFontIndirectW, GetStockObject, GetObjectW, CreateFontIndirectW, CreateFontIndirectW, __EH_prolog3_GS, GetVersionExW, GetSystemMetrics, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Window / User API: threadDelayed 6838
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec) graph_0-51718
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Evasive API call chain: RegQueryValue, DecisionNodes, Sleep graph_0-51758
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; API coverage: 4.8 %
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe TID: 6228; Thread sleep count: 6838 > 30
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe TID: 6228; Thread sleep time: -68380s >= -30000s
Source: all processes; Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Last function: Thread delayed
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Thread sleep count: Count: 6838 delay: -10
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0056A6C3 __EH_prolog3_GS, GetFullPathNameW, PathIsUNCW, GetVolumeInformationW, CharUpperW, FindFirstFileW, FindClose, lstrlenW
Source: 51FZ8pgLbe.exe, 00000000.00000002.2914968247.0000000001140000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<@|
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; API call chain: ExitProcess graph end node graph_0-51314
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_006347AC IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_005310BE __floor_pentium4, LoadLibraryW, GetProcAddress, VirtualAlloc, _memmove, VirtualFree
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0063BBA1 _memset, IsDebuggerPresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00537502 GetLocaleInfoW, __snwprintf_s, LoadLibraryW
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00638F59 GetSystemTimeAsFileTime, __aulldiv
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_00642110 __lock, ____lc_codepage_func, __getenv_helper_nolock, _free, _strlen, __malloc_crt, _strlen, __invoke_watson, _free, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte, WideCharToMultiByte
Source: C:\Users\user\Desktop\51FZ8pgLbe.exe; Code function: 0_2_0054B770 __EH_prolog3_GS, GetDeviceCaps, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, DeleteObject, _memset, GetTextCharsetInfo, lstrcpyW, lstrcpyW, EnumFontFamiliesW, EnumFontFamiliesW, lstrcpyW, EnumFontFamiliesW, lstrcpyW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, CreateFontIndirectW, GetSystemMetrics, lstrcpyW, CreateFontIndirectW, GetStockObject, GetStockObject, GetObjectW, GetObjectW, lstrcpyW, CreateFontIndirectW, CreateFontIndirectW, GetStockObject, GetObjectW, CreateFontIndirectW, CreateFontIndirectW, __EH_prolog3_GS, GetVersionExW, GetSystemMetrics, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress, GetProcAddress
ATT&CK tactic: techniques (count of matched signatures in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Native API (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts
Defense Evasion: Virtualization/Sandbox Evasion (2); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Software Packing; Steganography
Credential Access: Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: System Time Discovery (2); Security Software Discovery (11); Virtualization/Sandbox Evasion (2); Application Window Discovery (11); File and Directory Discovery (1); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Input Capture (21); Archive Collected Data (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Encrypted Channel (1); Non-Standard Port (1); Ingress Tool Transfer (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Source | Detection | Scanner | Label
51FZ8pgLbe.exe | 61% | Virustotal |
51FZ8pgLbe.exe | 58% | ReversingLabs | Win32.Infostealer.Tinba
No Antivirus matches
No contacted domains info
IP | Domain | Country | ASN | ASN Name | Malicious
116.198.232.205 | unknown | China | 137699 | CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1580950
Start date and time: 2024-12-26 13:51:06 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 37s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 51FZ8pgLbe.exe (renamed because original name is a hash value)
Original Sample Name: 9C29717F4D12C30226F5F0FB1BD13FE5.exe
Detection: MAL
Classification: mal60.evad.winEXE@1/0@0/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 73%
  • Number of executed functions: 31
  • Number of non-executed functions: 369
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
  • Excluded IPs from analysis (whitelisted): 20.12.23.50, 13.107.246.63
  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
  • Not all processes were analyzed, report is missing behavior information
  • Report size exceeded maximum capacity and may have missing disassembly code.

Time | Type | Description
07:52:53 | API Interceptor | 998x Sleep call for process: 51FZ8pgLbe.exe modified
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CHINATELECOM-JIANGSU-SUQIAN-IDCCHINATELECOMJiangsuSuqian | app.exe | malicious | Unknown | 116.198.204.121
 | mips.nn.elf | malicious | Mirai, Okiru | 116.198.200.237
 | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | LtmV2sDcTK.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | QT2hJT3Syn.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | TEiot52yrz.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | 2PSj0qX4W6.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | LtmV2sDcTK.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
 | QT2hJT3Syn.exe | malicious | CobaltStrike, Metasploit | 116.198.231.169
No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.319172076879911
TrID:
  • Win32 Executable (generic) a (10002005/4) 98.81%
  • Windows ActiveX control (116523/4) 1.15%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 51FZ8pgLbe.exe
File size: 3'218'944 bytes
MD5: 9c29717f4d12c30226f5f0fb1bd13fe5
SHA1: b4a9c7a926d7bb950de71477186b4d78bca63fbb
SHA256: 272bf955c164d64065dde62da7d5ec609c504b67cbd776a79aa28c34117c3887
SHA512: 78b6074dea958d6fbebb784dd65678c9c180971a35e03d32ac0f57393e595116ebddbbe977659a11ff627d1d7d2fa7bc3043a68f14a1f9ff01c99dfbebba808c
SSDEEP: 98304:zIYSSR0z8vvZpdmI6RSTSGcNoIv0kGX4g7O9P9Lfe9G25NJn:zIdy0ohgBGImO9P9Lfe3J
TLSH: 09E5D0313691D47BE53B36309259A3B9B2BEB9308E35024726A15F3D3E754938D2827F
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u..41.bg1.bg1.bg^..g..bg^..g..bg^..gI.bg8..g>.bg8..g..bg1.cg-.bg^..g?.bg^..g0.bg^..g0.bgRich1.bg........................PE..L..
Icon Hash: 6b49e0c4612d0f55
Entrypoint: 0x505a11
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x662079F4 [Thu Apr 18 01:40:04 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: c7cd9a28c59d689112a5f72c9ae31817
Instruction
call 00007F63B085C386h
jmp 00007F63B0852C2Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 00550270h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F63B0852DAEh
test byte ptr [eax], 00000008h
je 00007F63B0852DA9h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [0052A314h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ebx
mov eax, dword ptr [ebp+0Ch]
add eax, 0Ch
mov dword ptr [ebp-04h], eax
mov ebx, dword ptr fs:[00000000h]
mov eax, dword ptr [ebx]
mov dword ptr fs:[00000000h], eax
mov eax, dword ptr [ebp+08h]
mov ebx, dword ptr [ebp+0Ch]
mov ebp, dword ptr [ebp-04h]
mov esp, dword ptr [ebx-04h]
jmp eax
pop ebx
leave
retn 0008h
pop eax
pop ecx
xchg dword ptr [esp], eax
jmp eax
mov edi, edi
push ebp
mov ebp, esp
push ecx
push ecx
push ebx
push esi
push edi
mov esi, dword ptr fs:[00000000h]
mov dword ptr [ebp-04h], esi
mov dword ptr [ebp-08h], 00505ACBh
push 00000000h
push dword ptr [ebp+0Ch]
push dword ptr [ebp-08h]
push dword ptr [ebp+08h]
call 00007F63B0869308h
mov eax, dword ptr [ebp+0Ch]
mov eax, dword ptr [eax+04h]
and eax, FFFFFFFDh
mov ecx, dword ptr [ebp+0Ch]
mov dword ptr [ecx+00h], eax
Programming Language:
  • [ASM] VS2010 build 30319
  • [ C ] VS2010 build 30319
  • [C++] VS2010 build 30319
  • [ C ] VS2008 SP1 build 30729
  • [IMP] VS2008 SP1 build 30729
  • [RES] VS2010 build 30319
  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x16c0bc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x181000 | 0x173817 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2f5000 | 0x1ac8c | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x154d70 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x12a000 | 0x9e8 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x12881f | 0x128a00 | 08126d7c27e1de4a907093ca817d1234 | False | 0.565460552307206 | data | 6.5329102207493825 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x12a000 | 0x455dc | 0x45600 | 4ccda5c669343a32a9a888ef12edd8fa | False | 0.2671699042792793 | data | 5.002277513445981 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x170000 | 0x10340 | 0x6c00 | 54dda5b978e78398a698181e4b584e15 | False | 0.26001880787037035 | data | 4.5404986943653185 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x181000 | 0x173817 | 0x173a00 | ea3ee13a03cd81d884876d55980cb98b | False | 0.9375617536999664 | data | 7.904870488456657 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x2f5000 | 0x2936e | 0x29400 | d5402f4b94d2ead2df238cc6f25d8e68 | False | 0.27293442234848486 | data | 5.0526509296469 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
PNG | 0x181558 | 0x14e059 | PNG image data, 2338 x 1314, 8-bit colormap, non-interlaced | | | 1.0002803802490234
RT_ICON | 0x2cf5b4 | 0x5072 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9811110032048169
RT_ICON | 0x2d4628 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 9600 | English | United States | 0.2892316337395008
RT_ICON | 0x2e4e50 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 9600 | English | United States | 0.38946395563770797
RT_ICON | 0x2ea2d8 | 0x39e0 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.3254589632829374
RT_ICON | 0x2edcb8 | 0x3004 | Device independent bitmap graphic, 32 x 64 x 32, image size 9600 | English | United States | 0.2245362837617963
RT_ICON | 0x2f0cbc | 0x25a8 | Device independent bitmap graphic, 16 x 32 x 32, image size 9600 | English | United States | 0.10487551867219917
RT_DIALOG | 0x2f3264 | 0xb4 | data | English | United States | 0.6111111111111112
RT_DIALOG | 0x2f3318 | 0x120 | data | English | United States | 0.5138888888888888
RT_DIALOG | 0x2f3438 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x2f3628 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x2f3720 | 0xda | data | English | United States | 0.6376146788990825
RT_DIALOG | 0x2f37fc | 0xa0 | data | English | United States | 0.6
RT_DIALOG | 0x2f389c | 0x10c | data | English | United States | 0.5111940298507462
RT_DIALOG | 0x2f39a8 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x2f3b98 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0x2f3c7c | 0xda | data | English | United States | 0.6376146788990825
RT_DIALOG | 0x2f3d58 | 0xa4 | data | English | United States | 0.6158536585365854
RT_DIALOG | 0x2f3dfc | 0x110 | data | English | United States | 0.5183823529411765
RT_DIALOG | 0x2f3f0c | 0x1f2 | data | English | United States | 0.39759036144578314
RT_DIALOG | 0x2f4100 | 0xe8 | data | English | United States | 0.6508620689655172
RT_DIALOG | 0x2f41e8 | 0xde | data | English | United States | 0.6486486486486487
RT_GROUP_ICON | 0x2f42c8 | 0x84 | data | English | United States | 0.6893939393939394
RT_VERSION | 0x2f434c | 0x2b4 | data | Chinese | China | 0.546242774566474
RT_MANIFEST | 0x2f4600 | 0x217 | XML 1.0 document, ASCII text, with CRLF line terminators | Chinese | China | 0.5570093457943925
DLL | Import
KERNEL32.dll | GlobalFree, FreeLibrary, lstrcmpW, MultiByteToWideChar, DeactivateActCtx, ActivateActCtx, GetLocaleInfoW, GlobalUnlock, ConvertDefaultLocale, GetUserDefaultUILanguage, GetCurrentThread, GlobalDeleteAtom, lstrcmpA, FreeResource, lstrcpyW, GetPrivateProfileIntW, WritePrivateProfileStringW, GetPrivateProfileStringW, GetCurrentProcessId, SetThreadPriority, ResumeThread, GlobalAddAtomW, ReleaseActCtx, CompareStringW, GetVersionExW, GlobalFindAtomW, LocalAlloc, TlsGetValue, GlobalReAlloc, GlobalHandle, InitializeCriticalSection, TlsAlloc, TlsSetValue, LocalReAlloc, TlsFree, GetCurrentDirectoryW, GlobalFlags, DeleteFileW, GlobalGetAtomNameW, lstrlenA, GetThreadLocale, FileTimeToSystemTime, lstrcmpiW, CreateFileW, ReadFile, WriteFile, SetFilePointer, FlushFileBuffers, LockFile, UnlockFile, SetEndOfFile, GetFileSize, DuplicateHandle, GetCurrentProcess, FindClose, FindFirstFileW, GetVolumeInformationW, GetFullPathNameW, CopyFileW, GetFileAttributesExW, FileTimeToLocalFileTime, GetFileAttributesW, GetFileSizeEx, GetFileTime, GetTempFileNameW, GetTempPathW, GetWindowsDirectoryW, GetNumberFormatW, GetProfileIntW, SearchPathW, VirtualProtect, FindResourceExW, DecodePointer, EncodePointer, ExitThread, HeapSetInformation, GetStartupInfoW, RaiseException, RtlUnwind, ExitProcess, HeapReAlloc, HeapQueryInformation, HeapSize, GetSystemTimeAsFileTime, GetSystemInfo, VirtualQuery, SetStdHandle, GetFileType, TerminateProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, GetStdHandle, GetModuleFileNameA, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, QueryPerformanceCounter, GetStringTypeW, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetTimeZoneInformation, LCMapStringW, GetConsoleCP, GetConsoleMode, WriteConsoleW, SetEnvironmentVariableA, LocalFree, MulDiv, GlobalSize, GlobalAlloc, GlobalLock, GetExitCodeProcess, OpenProcess, WriteProcessMemory, VirtualAlloc, FindResourceW, LoadResource, LockResource, SizeofResource, GetModuleHandleW, GetCommandLineA, CreateThread, GetConsoleWindow, CreateMutexW, GetTickCount, GetModuleFileNameW, TryEnterCriticalSection, SetWaitableTimer, CreateWaitableTimerW, lstrlenW, WideCharToMultiByte, ResetEvent, CancelIo, InterlockedExchange, CreateEventW, SetLastError, SwitchToThread, GetCurrentThreadId, GetLastError, FormatMessageW, SetEvent, Sleep, WaitForSingleObject, CloseHandle, CreateEventA, InterlockedDecrement, InterlockedIncrement, InterlockedCompareExchange, HeapDestroy, HeapCreate, LeaveCriticalSection, EnterCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, HeapFree, HeapAlloc, LoadLibraryW, GetProcAddress, GetSystemDefaultUILanguage, VirtualFree
USER32.dll | SetTimer, KillTimer, SetRectEmpty, EnumDisplayMonitors, SetLayeredWindowAttributes, CharNextW, OffsetRect, CopyAcceleratorTableW, IsRectEmpty, SetRect, IntersectRect, InvalidateRgn, GetNextDlgGroupItem, MessageBeep, LoadMenuW, SetWindowRgn, RedrawWindow, NotifyWinEvent, GetAsyncKeyState, IsZoomed, CharUpperW, UnionRect, EnableScrollBar, UpdateLayeredWindow, MonitorFromPoint, IsMenu, CreatePopupMenu, SetMenuDefaultItem, GetMenuDefaultItem, DestroyIcon, TranslateAcceleratorW, BringWindowToTop, InsertMenuItemW, LoadAcceleratorsW, LoadImageW, ReuseDDElParam, UnpackDDElParam, SetParent, DestroyAcceleratorTable, SetClassLongW, DrawIconEx, DrawEdge, DrawFrameControl, DrawFocusRect, ToUnicodeEx, MapVirtualKeyW, GetKeyboardLayout, GetKeyboardState, CreateAcceleratorTableW, SetCursorPos, LockWindowUpdate, RegisterClipboardFormatW, InvertRect, HideCaret, GetIconInfo, CopyImage, OpenClipboard, SetClipboardData, CloseClipboard, EmptyClipboard, FrameRect, CopyIcon, CharUpperBuffW, PostThreadMessageW, GetKeyNameTextW, DefFrameProcW, DefMDIChildProcW, DrawMenuBar, TranslateMDISysAccel, CreateMenu, IsClipboardFormatAvailable, GetUpdateRect, GetDoubleClickTime, IsCharLowerW, MapVirtualKeyExW, SubtractRect, DestroyCursor, GetWindowRgn, WinHelpW, IsChild, GetCapture, GetClassLongW, SetPropW, GetPropW, RemovePropW, SetFocus, GetWindowTextW, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, GetMessageTime, GetMessagePos, MonitorFromWindow, GetMonitorInfoW, MapWindowPoints, ScrollWindow, TrackPopupMenu, SetMenu, RealChildWindowFromPoint, GetScrollRange, SetScrollPos, GetScrollPos, SetForegroundWindow, ShowScrollBar, CreateWindowExW, GetClassInfoExW, GetClassInfoW, RegisterClassW, AdjustWindowRectEx, EqualRect, DeferWindowPos, GetScrollInfo, SetScrollInfo, SetWindowPlacement, GetWindowPlacement, GetDlgCtrlID, DefWindowProcW, CallWindowProcW, GetMenu, SetWindowLongW, SystemParametersInfoW, DestroyMenu, GetMenuItemInfoW, InflateRect, CopyRect, GetClassNameW, InvalidateRect, UpdateWindow, DrawStateW, ShowOwnedPopups, SetCursor, GetMessageW, IsWindowVisible, GetKeyState, ValidateRect, SetMenuItemBitmaps, GetMenuCheckMarkDimensions, LoadBitmapW, ModifyMenuW, EnableMenuItem, CheckMenuItem, SetWindowsHookExW, UnhookWindowsHookEx, GetCursorPos, CallNextHookEx, GetFocus, PtInRect, GetSysColor, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, ClientToScreen, GrayStringW, DrawTextExW, DrawTextW, TabbedTextOutW, FillRect, GetWindowThreadProcessId, GetLastActivePopup, MessageBoxW, GetDesktopWindow, GetActiveWindow, SetActiveWindow, CreateDialogIndirectParamW, DestroyWindow, IsWindow, GetWindowLongW, GetDlgItem, IsWindowEnabled, GetNextDlgTabItem, EndDialog, RegisterWindowMessageW, GetWindow, SetWindowContextHelpId, GetParent, MapDialogRect, SetWindowPos, PostQuitMessage, PostMessageW, GetMenuState, GetMenuStringW, GetMenuItemID, InsertMenuW, GetMenuItemCount, GetSubMenu, RemoveMenu, PeekMessageW, TranslateMessage, DispatchMessageW, MsgWaitForMultipleObjects, ShowWindow, PostThreadMessageA, GetInputState, LoadIconW, GetSystemMenu, AppendMenuW, SendMessageW, IsIconic, GetSystemMetrics, GetClientRect, DrawIcon, GetWindowRect, ScreenToClient, GetDC, EnableWindow, DeleteMenu, WaitMessage, ReleaseCapture, WindowFromPoint, SetCapture, GetSysColorBrush, LoadCursorW, MoveWindow, SetWindowTextW, IsDialogMessageW, CheckDlgButton, SendDlgItemMessageW, SetScrollRange, SendDlgItemMessageA, GetWindowTextLengthW
GDI32.dll | GetTextMetricsW, EnumFontFamiliesW, GetTextCharsetInfo, GetBkColor, GetTextColor, GetRgnBox, SetRectRgn, CombineRgn, GetMapMode, PatBlt, DPtoLP, CreateRoundRectRgn, CreateDIBSection, CreatePolygonRgn, CreateEllipticRgn, Polyline, Ellipse, Polygon, CreatePalette, GetPaletteEntries, GetNearestPaletteIndex, RealizePalette, CopyMetaFileW, CreateDCW, SaveDC, RestoreDC, SetBkColor, SetBkMode, SetPolyFillMode, SetROP2, SetTextColor, CreateRectRgnIndirect, SetMapMode, GetClipBox, ExcludeClipRect, IntersectClipRect, LineTo, MoveToEx, SetTextAlign, SelectObject, CreateCompatibleBitmap, CreateDIBitmap, GetTextExtentPoint32W, CreateFontIndirectW, CreateHatchBrush, CreateSolidBrush, CreatePen, GetObjectType, SelectPalette, GetStockObject, CreateCompatibleDC, CreateBitmap, CreatePatternBrush, GetLayout, SetLayout, DeleteObject, SelectClipRgn, CreateRectRgn, GetObjectW, GetViewportExtEx, GetWindowExtEx, BitBlt, GetPixel, PtVisible, RectVisible, TextOutW, ExtTextOutW, Escape, SetViewportOrgEx, DeleteDC, ExtSelectClipRgn, ScaleWindowExtEx, SetWindowExtEx, GetDeviceCaps, SetPixelV, GetTextFaceW, GetBoundsRect, FrameRgn, FillRgn, PtInRegion, GetViewportOrgEx, GetWindowOrgEx, LPtoDP, SetPaletteEntries, ExtFloodFill, EnumFontFamiliesExW, Rectangle, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowOrgEx, GetSystemPaletteEntries, OffsetRgn, SetDIBColorTable, StretchBlt, SetPixel, OffsetWindowOrgEx
ADVAPI32.dll | RegOpenKeyExW, RegCreateKeyExW, RegDeleteKeyW, RegEnumKeyW, RegQueryValueW, RegEnumValueW, RegEnumKeyExW, RegDeleteValueW, RegSetValueExW, RegCloseKey, RegQueryValueExW, RegCreateKeyW
MSIMG32.dll | AlphaBlend, TransparentBlt
COMCTL32.dll | ImageList_GetIconSize, InitCommonControlsEx
SHLWAPI.dll | PathIsUNCW, PathStripToRootW, PathFindFileNameW, PathFindExtensionW, PathRemoveFileSpecW
oledlg.dll | OleUIBusyW
WS2_32.dll | WSASetLastError, WSAEnumNetworkEvents, shutdown, WSACloseEvent, WSAResetEvent, WSAEventSelect, WSAWaitForMultipleEvents, WSAGetLastError, WSAStartup, WSACleanup, setsockopt, closesocket, socket, gethostbyname, htons, connect, WSAIoctl, select, recv, send, WSACreateEvent
gdiplus.dll | GdipGetImageGraphicsContext, GdipBitmapUnlockBits, GdipBitmapLockBits, GdipCreateBitmapFromScan0, GdipCreateBitmapFromStream, GdipGetImagePalette, GdipGetImagePaletteSize, GdipGetImagePixelFormat, GdipGetImageHeight, GdipGetImageWidth, GdipCloneImage, GdipDrawImageRectI, GdipSetInterpolationMode, GdipCreateFromHDC, GdiplusShutdown, GdiplusStartup, GdipCreateBitmapFromHBITMAP, GdipDisposeImage, GdipDeleteGraphics, GdipAlloc, GdipFree, GdipDrawImageI
WINMM.dll | PlaySoundW, timeGetTime
OLEACC.dll | LresultFromObject, AccessibleObjectFromWindow, CreateStdAccessibleObject
IMM32.dll | ImmReleaseContext, ImmGetContext, ImmGetOpenStatus
WINSPOOL.DRV | DocumentPropertiesW, OpenPrinterW, ClosePrinter
COMDLG32.dll | GetFileTitleW
SHELL32.dll | SHGetDesktopFolder, SHGetMalloc, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, DragFinish, DragQueryFileW, ShellExecuteW, SHAppBarMessage, SHGetSpecialFolderLocation
ole32.dll | OleTranslateAccelerator, IsAccelerator, OleLockRunning, CoRevokeClassObject, CoRegisterMessageFilter, OleGetClipboard, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, CLSIDFromProgID, OleDestroyMenuDescriptor, CoCreateGuid, OleDuplicateData, CoTaskMemAlloc, ReleaseStgMedium, OleCreateMenuDescriptor, CoTaskMemFree, CoInitializeEx, DoDragDrop, OleFlushClipboard, OleIsCurrentClipboard, CreateStreamOnHGlobal, OleInitialize, CoFreeUnusedLibraries, OleUninitialize, CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CoInitialize, CoCreateInstance, CoUninitialize, CLSIDFromString
OLEAUT32.dll | SysAllocStringLen, VariantClear, VariantChangeType, VariantInit, SysStringLen, VariantCopy, SysAllocString, SafeArrayDestroy, VariantTimeToSystemTime, SystemTimeToVariantTime, VarBstrFromDate, OleCreateFontIndirect, SysFreeString
Language of compilation system | Country where language is spoken | Map
English | United States |
Chinese | China |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-26T13:52:06.117047+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49730 | 116.198.232.205 | 8888 | TCP
2024-12-26T13:53:13.444343+0100 | 2052875 | ET MALWARE Anonymous RAT CnC Checkin | 1 | 192.168.2.4 | 49772 | 116.198.232.205 | 6666 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 26, 2024 13:52:05.996107101 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:06.116112947 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:52:06.116203070 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:06.117047071 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:06.236479998 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:52:22.432761908 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:22.552261114 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:52:39.026559114 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:39.146298885 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:52:55.276556015 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:52:55.396156073 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:12.042186975 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:12.042360067 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:12.161916018 CET | 8888 | 49730 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:12.162233114 CET | 49730 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:13.323904991 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:13.443535089 CET | 6666 | 49772 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:13.443614006 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:13.444343090 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:13.563788891 CET | 6666 | 49772 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:30.229799032 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:30.349472046 CET | 6666 | 49772 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:35.417119026 CET | 6666 | 49772 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:35.417229891 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:35.424216032 CET | 49772 | 6666 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:36.651874065 CET | 49823 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:36.772053003 CET | 8888 | 49823 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:36.772198915 CET | 49823 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:36.776766062 CET | 49823 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:36.896490097 CET | 8888 | 49823 | 116.198.232.205 | 192.168.2.4
Dec 26, 2024 13:53:53.276725054 CET | 49823 | 8888 | 192.168.2.4 | 116.198.232.205
Dec 26, 2024 13:53:53.396255970 CET | 8888 | 49823 | 116.198.232.205 | 192.168.2.4

Target ID:0
Start time:07:51:56
Start date:26/12/2024
Path:C:\Users\user\Desktop\51FZ8pgLbe.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user\Desktop\51FZ8pgLbe.exe"
Imagebase:0x530000
File size:3'218'944 bytes
MD5 hash:9C29717F4D12C30226F5F0FB1BD13FE5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

    Execution Graph

    Execution Coverage:2.1%
    Dynamic/Decrypted Code Coverage:0%
    Signature Coverage:18.9%
    Total number of Nodes:434
    Total number of Limit Nodes:12

    Control-flow Graph

    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0054B77A
      • Part of subcall function 0053BAC4: __EH_prolog3.LIBCMT ref: 0053BACB
      • Part of subcall function 0053BAC4: GetWindowDC.USER32(00000000,00000004,0054B273,00000000,?,?,00667718), ref: 0053BAF7
    • GetDeviceCaps.GDI32(?,00000058), ref: 0054B7A0
    • DeleteObject.GDI32(00000000), ref: 0054B801
    • DeleteObject.GDI32(00000000), ref: 0054B81E
    • DeleteObject.GDI32(00000000), ref: 0054B83B
    • DeleteObject.GDI32(00000000), ref: 0054B852
    • DeleteObject.GDI32(00000000), ref: 0054B86F
    • DeleteObject.GDI32(00000000), ref: 0054B886
    • DeleteObject.GDI32(00000000), ref: 0054B89D
    • DeleteObject.GDI32(00000000), ref: 0054B8B4
    • DeleteObject.GDI32(00000000), ref: 0054B8D1
    • DeleteObject.GDI32(00000000), ref: 0054B8E8
    • _memset.LIBCMT ref: 0054B8FF
    • GetTextCharsetInfo.GDI32(?,00000000,00000000), ref: 0054B90F
    • lstrcpyW.KERNEL32(?,?), ref: 0054B95E
    • EnumFontFamiliesW.GDI32(?,00000000,Function_0001B727), ref: 0054B985
    • lstrcpyW.KERNEL32(?), ref: 0054B995
    • EnumFontFamiliesW.GDI32(?,00000000,Function_0001B727), ref: 0054B9B0
    • lstrcpyW.KERNEL32(?), ref: 0054B9C8
    • CreateFontIndirectW.GDI32(?), ref: 0054B9D4
    • CreateFontIndirectW.GDI32(?), ref: 0054BA24
    • CreateFontIndirectW.GDI32(?), ref: 0054BA5F
    • CreateFontIndirectW.GDI32(?), ref: 0054BA87
    • CreateFontIndirectW.GDI32(?), ref: 0054BAA4
    • GetSystemMetrics.USER32(00000048), ref: 0054BABF
    • lstrcpyW.KERNEL32(?), ref: 0054BAD3
    • CreateFontIndirectW.GDI32(?), ref: 0054BAD9
    • GetStockObject.GDI32(00000011), ref: 0054BB07
    • GetObjectW.GDI32(?,0000005C,?), ref: 0054BB29
    • lstrcpyW.KERNEL32(?), ref: 0054BB62
    • CreateFontIndirectW.GDI32(?), ref: 0054BB6C
    • CreateFontIndirectW.GDI32(?), ref: 0054BB8B
    • GetStockObject.GDI32(00000011), ref: 0054BBA1
    • GetObjectW.GDI32(?,0000005C,?), ref: 0054BBB2
    • CreateFontIndirectW.GDI32(?), ref: 0054BBBC
    • CreateFontIndirectW.GDI32(?), ref: 0054BBDF
    • __EH_prolog3_GS.LIBCMT ref: 0054BC6A
    • GetVersionExW.KERNEL32(?,0000011C,00000000), ref: 0054BDC0
    • GetSystemMetrics.USER32(00001000), ref: 0054BDCB
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0054BE50
    • GetProcAddress.KERNEL32(?,DrawThemeTextEx), ref: 0054BE63
    • GetProcAddress.KERNEL32(?,BufferedPaintInit), ref: 0054BE76
    • GetProcAddress.KERNEL32(?,BufferedPaintUnInit), ref: 0054BE89
    • GetProcAddress.KERNEL32(?,BeginBufferedPaint), ref: 0054BE9C
    • GetProcAddress.KERNEL32(?,EndBufferedPaint), ref: 0054BEAF
    • GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 0054BEF8
    • GetProcAddress.KERNEL32(?,DwmDefWindowProc), ref: 0054BF0B
    • GetProcAddress.KERNEL32(?,DwmIsCompositionEnabled), ref: 0054BF1E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Font$CreateDeleteIndirect$AddressProc$lstrcpy$EnumFamiliesH_prolog3_MetricsStockSystem$CapsCharsetDeviceH_prolog3InfoTextVersionWindow_memset
    • String ID: BeginBufferedPaint$BufferedPaintInit$BufferedPaintUnInit$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
    • API String ID: 3153784359-1174303547
    • Opcode ID: bf817e7a792a598c1551153d90d03dbed073abff58edf6131ce20293b41703a5
    • Instruction ID: 1dc329ce88d8631889466cc2ae1e6258650469140f8f690adf1a93485b4837e7
    • Opcode Fuzzy Hash: bf817e7a792a598c1551153d90d03dbed073abff58edf6131ce20293b41703a5
    • Instruction Fuzzy Hash: 283222B08007199FDB21AFB4C844BDAFBF9BF59304F0049AEE59AA7251DB70A940CF51

    Control-flow Graph

    Control-flow graph (graph rendering not reproduced): function at 005310BE through 00531191. Single path: LoadLibraryW, GetProcAddress, VirtualAlloc, _memmove, then VirtualFree on one branch before return.
    APIs
    • __floor_pentium4.LIBCMT ref: 005310FA
    • LoadLibraryW.KERNEL32(KERNEL32.dll,?,?,?), ref: 0053112D
    • GetProcAddress.KERNEL32(00000000), ref: 00531134
    • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,?,?), ref: 00531144
    • _memmove.LIBCMT ref: 00531157
    • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?), ref: 0053116E
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Virtual$AddressAllocFreeLibraryLoadProc__floor_pentium4_memmove
    • String ID: KERNEL32.dll$Virt$lloc$ualA
    • API String ID: 3182696094-1143375017
    • Opcode ID: ca427fa99908714b1d720401b217fa54790e0f56d0fb15e18f9a087c6f310ee0
    • Instruction ID: b8242edc855969e4eb1fd48a3e18700ee673b47f0232c4a1ceb6aa662112c38e
    • Opcode Fuzzy Hash: ca427fa99908714b1d720401b217fa54790e0f56d0fb15e18f9a087c6f310ee0
    • Instruction Fuzzy Hash: 61218E71A00709AFD710DFA9DD46B6EBBF9FF44700F10851DE646E7241DAB4E9008BA8

    Control-flow Graph

    APIs
    • ResetEvent.KERNEL32(?), ref: 005328F7
    • InterlockedExchange.KERNEL32(?,00000000), ref: 00532904
    • timeGetTime.WINMM ref: 0053290A
    • socket.WS2_32(00000002,00000001,00000006), ref: 00532936
    • lstrlenW.KERNEL32(000000CA,00000000,00000000,00000000,00000000), ref: 00532952
    • WideCharToMultiByte.KERNEL32(00000000,00000000,000000CA,00000000), ref: 0053295E
    • lstrlenW.KERNEL32(000000CA,00000000,?,00000000,00000000), ref: 0053297B
    • WideCharToMultiByte.KERNEL32(00000000,00000000,000000CA,00000000), ref: 00532987
    • gethostbyname.WS2_32(?), ref: 00532998
    • Sleep.KERNELBASE(00000001), ref: 005329BD
    • Sleep.KERNEL32(00000001), ref: 005329C0
    • Sleep.KERNEL32(00000001), ref: 005329C3
    • Sleep.KERNEL32(00000001), ref: 005329C6
    • Sleep.KERNEL32(00000001), ref: 005329C9
    • Sleep.KERNEL32(00000001), ref: 005329CC
    • Sleep.KERNEL32(00000001), ref: 005329CF
    • Sleep.KERNEL32(00000001), ref: 005329D2
    • Sleep.KERNEL32(00000001), ref: 005329D5
    • Sleep.KERNEL32(00000001), ref: 005329D8
    • Sleep.KERNEL32(00000001), ref: 005329DB
    • Sleep.KERNEL32(00000001), ref: 005329DE
    • Sleep.KERNEL32(00000001), ref: 005329E1
    • Sleep.KERNEL32(00000001), ref: 005329E4
    • Sleep.KERNEL32(00000001), ref: 005329E7
    • Sleep.KERNEL32(00000001), ref: 005329EA
    • Sleep.KERNEL32(00000001), ref: 005329ED
    • Sleep.KERNEL32(00000001), ref: 005329F0
    • Sleep.KERNEL32(00000001), ref: 005329F3
    • Sleep.KERNEL32(00000001), ref: 005329F6
    • htons.WS2_32(?), ref: 005329FB
    • connect.WS2_32(?,?,00000010), ref: 00532A1B
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Sleep$ByteCharMultiWidelstrlen$EventExchangeInterlockedResetTimeconnectgethostbynamehtonssockettime
    • String ID: 0u
    • API String ID: 2683528456-3203441087
    • Opcode ID: 85965e5893939ee90b322a660535aaaeca11c29369161b7ea16ceb22c1e14f8e
    • Instruction ID: 096976cb706baae9af709b6b61fc13d7d73f6ed1232ca560a40f9e2264e741ed
    • Opcode Fuzzy Hash: 85965e5893939ee90b322a660535aaaeca11c29369161b7ea16ceb22c1e14f8e
    • Instruction Fuzzy Hash: 51713B71900218BEDB11EFA5DC89DEF7FB9EF4A761F00011AFA04A6150DB749941DFA1

    Control-flow Graph

    APIs
    • __EH_prolog3.LIBCMT ref: 0054B21E
    • GetSysColor.USER32(00000016), ref: 0054B22D
    • GetSysColor.USER32(0000000F), ref: 0054B23A
    • GetSysColor.USER32(00000015), ref: 0054B24D
    • GetSysColor.USER32(0000000F), ref: 0054B255
    • GetDeviceCaps.GDI32(?,0000000C), ref: 0054B27B
    • GetSysColor.USER32(0000000F), ref: 0054B289
    • GetSysColor.USER32(00000010), ref: 0054B293
    • GetSysColor.USER32(00000015), ref: 0054B29D
    • GetSysColor.USER32(00000016), ref: 0054B2A7
    • GetSysColor.USER32(00000014), ref: 0054B2B1
    • GetSysColor.USER32(00000012), ref: 0054B2BB
    • GetSysColor.USER32(00000011), ref: 0054B2C5
    • GetSysColor.USER32(00000006), ref: 0054B2CC
    • GetSysColor.USER32(0000000D), ref: 0054B2D3
    • GetSysColor.USER32(0000000E), ref: 0054B2DA
    • GetSysColor.USER32(00000005), ref: 0054B2E1
    • GetSysColor.USER32(00000008), ref: 0054B2EB
    • GetSysColor.USER32(00000009), ref: 0054B2F2
    • GetSysColor.USER32(00000007), ref: 0054B2F9
    • GetSysColor.USER32(00000002), ref: 0054B300
    • GetSysColor.USER32(00000003), ref: 0054B307
    • GetSysColor.USER32(0000001B), ref: 0054B30E
    • GetSysColor.USER32(0000001C), ref: 0054B318
    • GetSysColor.USER32(0000000A), ref: 0054B322
    • GetSysColor.USER32(0000000B), ref: 0054B32C
    • GetSysColor.USER32(00000013), ref: 0054B336
    • GetSysColor.USER32(0000001A), ref: 0054B350
    • GetSysColorBrush.USER32(00000010), ref: 0054B36B
    • GetSysColorBrush.USER32(00000014), ref: 0054B382
    • GetSysColorBrush.USER32(00000005), ref: 0054B394
    • CreateSolidBrush.GDI32(?), ref: 0054B3B8
    • CreateSolidBrush.GDI32(?), ref: 0054B3D4
    • CreateSolidBrush.GDI32(?), ref: 0054B3F0
    • CreateSolidBrush.GDI32(?), ref: 0054B40C
    • CreateSolidBrush.GDI32(?), ref: 0054B428
    • CreateSolidBrush.GDI32(?), ref: 0054B444
    • CreateSolidBrush.GDI32(?), ref: 0054B460
    • CreatePen.GDI32(00000000,00000001,00000000), ref: 0054B489
    • CreatePen.GDI32(00000000,00000001,00000000), ref: 0054B4AC
    • CreatePen.GDI32(00000000,00000001,00000000), ref: 0054B4CF
    • CreateSolidBrush.GDI32(?), ref: 0054B553
    • CreatePatternBrush.GDI32(00000000), ref: 0054B594
      • Part of subcall function 0053BCC9: DeleteObject.GDI32(00000000), ref: 0053BCD8
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Color$BrushCreate$Solid$CapsDeleteDeviceH_prolog3ObjectPattern
    • String ID:
    • API String ID: 3754413814-0
    • Opcode ID: 6d6d4a065b9ffe71d4a34072145e0d8b7963f6c85c449f221d282037c9de2f0a
    • Instruction ID: 2b066809c2aac1a8ea26a7e58c3b6d352fc70aad5c64d9af263b3264db2389f9
    • Opcode Fuzzy Hash: 6d6d4a065b9ffe71d4a34072145e0d8b7963f6c85c449f221d282037c9de2f0a
    • Instruction Fuzzy Hash: 10B15C70900B499AE730EF75CC99BABBFE1BF84700F04492DE296865A1EF71A944DF50

    Control-flow Graph

    Control-flow graph (graph rendering not reproduced): function at 005A2C06 through 005A3171. Its blocks call LoadImageW, GetObjectW, CreateCompatibleDC, SelectObject, CreateCompatibleBitmap, BitBlt, a GetPixel/SetPixel per-pixel loop, and DeleteObject; the individual call sites are listed under APIs below.
    APIs
    • __EH_prolog3.LIBCMT ref: 005A2C10
    • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002000), ref: 005A2DD2
    • GetObjectW.GDI32(00000082,00000018,?), ref: 005A2DE4
    • CreateCompatibleDC.GDI32(00000000), ref: 005A2E36
    • GetObjectW.GDI32(00000082,00000018,?), ref: 005A2E51
    • SelectObject.GDI32(?,00000082), ref: 005A2E65
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 005A2E89
    • SelectObject.GDI32(?,00000000), ref: 005A2E9C
    • CreateCompatibleDC.GDI32(?), ref: 005A2EB2
    • SelectObject.GDI32(?,?), ref: 005A2EC7
    • SelectObject.GDI32(?,00000000), ref: 005A2ED6
    • DeleteObject.GDI32(?), ref: 005A2EDB
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 005A2EFB
    • GetPixel.GDI32(?,?,?), ref: 005A2F1A
    • SetPixel.GDI32(?,?,?,00000000), ref: 005A2F50
    • SelectObject.GDI32(?,?), ref: 005A2F72
    • SelectObject.GDI32(?,00000000), ref: 005A2F7A
    • DeleteObject.GDI32(00000082), ref: 005A2F7F
    • DeleteObject.GDI32(00000082), ref: 005A2FB1
    • __EH_prolog3.LIBCMT ref: 005A2FE5
    • CreateCompatibleDC.GDI32(00000000), ref: 005A30B0
    • CreateCompatibleDC.GDI32(00000000), ref: 005A30BC
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Select$CompatibleCreate$Delete$H_prolog3Pixel$BitmapImageLoad
    • String ID:
    • API String ID: 1197801157-3916222277
    • Opcode ID: ae9f8c5c8f8ad90e51e02a6517f5a57fb686ae721b9ebe1cb08be666b0fa6f56
    • Instruction ID: d6b6c62f732f4202e62bed09705f1e652c36247afa9b323598d498ad1ac89062
    • Opcode Fuzzy Hash: ae9f8c5c8f8ad90e51e02a6517f5a57fb686ae721b9ebe1cb08be666b0fa6f56
    • Instruction Fuzzy Hash: 470248B0C00219DFCF15DFA8C886AAEBFB6FF49700F14416AF905AA256D7705945CFA1

    Control-flow Graph

    Control-flow graph (graph rendering not reproduced): function at 0053461F through 0053474B. Path: RegOpenKeyExW, RegQueryValueExW (size probe), _memset, RegQueryValueExW (data read), then nine calls to the helper at 00534508 that consumes the value.
    APIs
    • RegOpenKeyExW.KERNELBASE(80000001,Console,00000000,00020019,?), ref: 00534649
    • RegQueryValueExW.KERNELBASE(?,IpDate,00000000,00000003,00000000,?), ref: 00534665
    • _memset.LIBCMT ref: 00534682
    • RegQueryValueExW.ADVAPI32(?,IpDate,00000000,00000003,|p1:116.198.232.205|o1:6666|t1:1|p2:116.198.232.205|o2:8888|t2:1|p3:116.198.232.205|o3:82|t3:1|dd:1|cl:1|fz:,0000000A), ref: 0053469C
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: QueryValue$Open_memset
    • String ID: Console$IpDate$o1:$o2:$o3:$p1:$p2:$p3:$t1:$t2:$t3:$|p1:116.198.232.205|o1:6666|t1:1|p2:116.198.232.205|o2:8888|t2:1|p3:116.198.232.205|o3:82|t3:1|dd:1|cl:1|fz:
    • API String ID: 3682538864-3567818038
    • Opcode ID: 027fb7161b4c286ee924cc9f9a8e0026a64315122e50d7e6e4ebec76373dd48f
    • Instruction ID: bc2cc0b1895ead6a6b64b6a5ea76a8cea304ada1697a1d16b0e1d19823e2be36
    • Opcode Fuzzy Hash: 027fb7161b4c286ee924cc9f9a8e0026a64315122e50d7e6e4ebec76373dd48f
    • Instruction Fuzzy Hash: A82123FA9402057BD720AA95DC4ADEF7BFDEFD5B05F020229B905E2041EA706A44CB72
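    The function above opens HKCU\Console (hKey 80000001, KEY_READ 00020019) and reads the value IpDate; the buffer contents the sandbox captured in the second RegQueryValueExW call are a pipe-delimited key:value list carrying three C2 endpoints on 116.198.232.205 (ports 6666, 8888 and 82, which is what the "Communication To Uncommon Destination Ports" signature fires on) plus the keys dd, cl and fz. The Python below is an added example, not code from the report or from the sample: it parses that format into a structured config and emits host:port indicators. Assumptions: pN is the host, oN the TCP port and tN a per-endpoint integer flag; the meaning of dd, cl and fz is not given in the report, so they are kept as raw strings. The read_ipdate_from_registry helper is meant for a suspect Windows host and is not exercised offline.

```python
import ipaddress
from dataclasses import dataclass, field


# Value captured in the report's RegQueryValueExW arguments (HKCU\Console\IpDate),
# copied verbatim and used here as the constructed sample input.
OBSERVED_IPDATE = (
    "|p1:116.198.232.205|o1:6666|t1:1"
    "|p2:116.198.232.205|o2:8888|t2:1"
    "|p3:116.198.232.205|o3:82|t3:1"
    "|dd:1|cl:1|fz:"
)


@dataclass
class C2Endpoint:
    host: str      # pN (assumed: IP literal or hostname handed to gethostbyname)
    port: int      # oN (assumed: TCP port)
    kind: int      # tN (assumed: per-endpoint integer flag; semantics unknown)
    is_ip: bool    # True when host parses as an IP literal


@dataclass
class RatConfig:
    endpoints: list = field(default_factory=list)
    flags: dict = field(default_factory=dict)  # dd, cl, fz, ... as raw strings


def parse_ipdate(value: str) -> RatConfig:
    """Parse the pipe-delimited key:value config string.

    Items are split on '|' and each item on its first ':'. Keys pN/oN/tN are
    grouped per index N from 1 until the first missing pN; every other key goes
    to flags. Malformed items and out-of-range ports raise ValueError instead of
    being dropped silently, so a tampered or truncated value is noticed.
    """
    fields = {}
    for item in value.split("|"):
        if item == "":
            continue                      # the leading '|' yields an empty item
        key, sep, val = item.partition(":")
        if not sep or not key:
            raise ValueError(f"malformed config item: {item!r}")
        fields[key] = val

    cfg = RatConfig()
    n = 1
    while f"p{n}" in fields:
        host = fields[f"p{n}"]
        port = int(fields.get(f"o{n}", "0"))
        if not 1 <= port <= 65535:
            raise ValueError(f"bad port for endpoint {n}: {port}")
        try:
            ipaddress.ip_address(host)
            is_ip = True
        except ValueError:
            is_ip = False                 # not an IP literal: treat as a hostname
        cfg.endpoints.append(C2Endpoint(host, port, int(fields.get(f"t{n}", "0")), is_ip))
        n += 1

    cfg.flags = {
        k: v for k, v in fields.items()
        if not (k[0] in "pot" and k[1:].isdigit())
    }
    return cfg


def indicators(cfg: RatConfig):
    """Distinct host:port strings in config order, for blocklists or hunting queries."""
    seen, out = set(), []
    for ep in cfg.endpoints:
        ioc = f"{ep.host}:{ep.port}"
        if ioc not in seen:
            seen.add(ioc)
            out.append(ioc)
    return out


def read_ipdate_from_registry():
    """Fetch HKCU\\Console\\IpDate on a suspect Windows host (None if absent).

    Not exercised offline: the winreg module exists only on Windows.
    """
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, "Console") as key:
            data, _ = winreg.QueryValueEx(key, "IpDate")
    except OSError:
        return None
    return data.decode("utf-8", "replace") if isinstance(data, bytes) else str(data)


if __name__ == "__main__":
    cfg = parse_ipdate(OBSERVED_IPDATE)
    for ep in cfg.endpoints:
        print(ep)
    print("flags:", cfg.flags)
    print("indicators:", indicators(cfg))
```

    The value name itself is a cheap hunting indicator: a legitimate HKCU\Console key holds console window settings and has no IpDate value, so sweeping endpoints for that value (or for the RegOpenKeyExW/RegQueryValueExW pair on it in Sysmon event 12/13 telemetry) finds hosts carrying this config even when the network indicators have changed.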

    Control-flow Graph

    APIs
    • __floor_pentium4.LIBCMT ref: 005311D2
    • LoadLibraryW.KERNEL32(KERNEL32.dll,?), ref: 00531213
    • GetProcAddress.KERNEL32(00000000), ref: 0053121C
    • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0053122A
    • _memmove.LIBCMT ref: 00531240
    • LoadLibraryW.KERNEL32(KERNEL32.dll,?), ref: 00531266
    • GetProcAddress.KERNEL32(00000000), ref: 00531269
    • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00531275
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressLibraryLoadProcVirtual$AllocFree__floor_pentium4_memmove
    • String ID: KERNEL32.dll$Virt$Virt$lloc$ualA$ualF
    • API String ID: 616662133-2299423766
    • Opcode ID: f09794a3b6876a005048f2a995471f3fe5b1589a83e5c56bae88322f23123130
    • Instruction ID: 6c09adcfedf0b41e40775e97cd99ad00a146a98c4530f15f48ea3cb737fe608d
    • Opcode Fuzzy Hash: f09794a3b6876a005048f2a995471f3fe5b1589a83e5c56bae88322f23123130
    • Instruction Fuzzy Hash: DE314A70A00609AFDB00EFA9DD45BAEBBF5FF48700F108419E555E7251DBB0A900CFA9
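    The two functions at 005310BE and 005311D2 resolve VirtualAlloc and VirtualFree at run time rather than importing them: each calls LoadLibraryW("KERNEL32.dll") and GetProcAddress with a name built on the stack, which is why their String IDs show only the fragments Virt, ualA, lloc and ualF. The Python below is an added example, not code from the report or from the sample, showing how to recover such names from a raw code dump: it looks for runs of 32-bit x86 `mov dword ptr [ebp+disp8], imm32` stores (opcode bytes C7 45), the encoding MSVC emits for each 4-byte chunk of a stack string, orders the chunks by stack displacement and joins them. The byte sample is constructed for the example; its instruction layout, the 8-byte max_gap and the INTERESTING_APIS list are assumptions, not details from the report.

```python
import re
import struct

# Win32 exports an analyst would expect a loader or RAT to resolve at run time.
# Constructed for this example; extend as needed.
INTERESTING_APIS = {
    "VirtualAlloc", "VirtualFree", "VirtualProtect", "LoadLibraryA", "LoadLibraryW",
    "GetProcAddress", "WriteProcessMemory", "CreateRemoteThread", "NtUnmapViewOfSection",
}

# 32-bit x86 "mov dword ptr [ebp+disp8], imm32" encodes as C7 45 <disp8> <imm32>.
# MSVC emits one such store per 4-byte chunk of a stack string, which is why the
# report's String IDs show "Virt", "ualA", "lloc" and "ualF" instead of whole names.
MOV_EBP_DISP8_IMM32 = re.compile(rb"\xC7\x45(.)(.{4})", re.DOTALL)


def extract_stack_strings(code: bytes, max_gap: int = 8, min_len: int = 4):
    """Reassemble stack strings from runs of nearby [ebp+disp8] immediate stores.

    Returns [(offset_of_first_store, text), ...]. Stores at most max_gap bytes
    after the previous one join its run; a run's chunks are ordered by stack
    displacement (ascending address), joined and cut at the first NUL. This is a
    heuristic: unrelated stores can be grouped, and SIB/disp32 or x64 rbp-relative
    encodings are not covered.
    """
    runs, current, last_end = [], [], None
    for m in MOV_EBP_DISP8_IMM32.finditer(code):
        if last_end is not None and m.start() - last_end > max_gap:
            runs.append(current)
            current = []
        disp = struct.unpack("b", m.group(1))[0]   # signed 8-bit displacement
        current.append((m.start(), disp, m.group(2)))
        last_end = m.end()
    if current:
        runs.append(current)

    found = []
    for run in runs:
        raw = b"".join(chunk for _, _, chunk in sorted(run, key=lambda t: t[1]))
        text = raw.split(b"\0", 1)[0]
        if len(text) >= min_len and all(0x20 <= c < 0x7F for c in text):
            found.append((run[0][0], text.decode("ascii")))
    return found


def find_hidden_imports(code: bytes):
    """Stack strings that name an API from INTERESTING_APIS, in code order."""
    return [name for _, name in extract_stack_strings(code) if name in INTERESTING_APIS]


def _mov_ebp_imm32(disp: int, chunk: bytes) -> bytes:
    """Assemble mov dword ptr [ebp+disp], imm32 (helper for the constructed sample)."""
    return b"\xC7\x45" + struct.pack("b", disp) + chunk.ljust(4, b"\0")


# Constructed sample: the shape of the two report functions, not their actual bytes.
SAMPLE = (
    b"\x55\x8B\xEC\x83\xEC\x20"              # push ebp; mov ebp,esp; sub esp,0x20
    + _mov_ebp_imm32(-0x10, b"Virt")         # "VirtualAlloc" as three 4-byte stores
    + _mov_ebp_imm32(-0x0C, b"ualA")
    + _mov_ebp_imm32(-0x08, b"lloc")
    + _mov_ebp_imm32(-0x04, b"\0\0\0\0")     # NUL terminator
    + b"\x8D\x45\xF0\x50"                    # lea eax,[ebp-0x10]; push eax
    + b"\xE8\x00\x00\x00\x00"                # call GetProcAddress (rel32 placeholder)
    + _mov_ebp_imm32(-0x20, b"Virt")         # "VirtualFree" as "Virt","ualF","ree\0"
    + _mov_ebp_imm32(-0x1C, b"ualF")
    + _mov_ebp_imm32(-0x18, b"ree")
    + b"\xC3"                                # ret
)

if __name__ == "__main__":
    for off, text in extract_stack_strings(SAMPLE):
        print(f"{off:#06x}: {text}")
    print("hidden imports:", find_hidden_imports(SAMPLE))
```

    The max_gap setting matters: with a large gap the two stack strings in the sample merge into one run, the sort by displacement puts the VirtualFree chunks first, and the cut at the first NUL loses VirtualAlloc entirely. Tune it against a known function before trusting the output on a whole dump, and treat the result as candidates for confirming in the disassembler, not as an import table.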

    Control-flow Graph

    Control-flow graph (graph rendering not reproduced): function at 0054673E through 00546855. Path: EnterCriticalSection, then either GlobalAlloc or GlobalHandle/GlobalUnlock/GlobalReAlloc, GlobalLock, _memset, LeaveCriticalSection; the individual call sites are listed under APIs below.
    APIs
    • EnterCriticalSection.KERNEL32(006A8878,?,?,?,006A885C,006A885C,?,00546AA1,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546751
    • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,006A885C,006A885C,?,00546AA1,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 005467A7
    • GlobalHandle.KERNEL32(01112758), ref: 005467B0
    • GlobalUnlock.KERNEL32(00000000), ref: 005467BA
    • GlobalReAlloc.KERNEL32(00535501,00000000,00002002), ref: 005467D3
    • GlobalHandle.KERNEL32(01112758), ref: 005467E5
    • GlobalLock.KERNEL32(00000000), ref: 005467EC
    • LeaveCriticalSection.KERNEL32(434C7695,?,?,?,006A885C,006A885C,?,00546AA1,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 005467F5
    • GlobalLock.KERNEL32(00000000), ref: 00546801
    • _memset.LIBCMT ref: 0054681B
    • LeaveCriticalSection.KERNEL32(434C7695,?,00535501,434C7695), ref: 00546849
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
    • String ID:
    • API String ID: 496899490-0
    • Opcode ID: 44310512c5483bcacdf51fb757e101d2f2289412d9943dbebea0aeb67918dec5
    • Instruction ID: 5f850697cf9057bb63437608cf2c2563028add2ae23b4df550e9f55e8c5f71b5
    • Opcode Fuzzy Hash: 44310512c5483bcacdf51fb757e101d2f2289412d9943dbebea0aeb67918dec5
    • Instruction Fuzzy Hash: 2D318D71600701AFDB20DFA4CC89B9ABBFAFF84309F05892DE542D7650DB35E9448B52

    Control-flow Graph

    APIs
    • __EH_prolog3.LIBCMT ref: 0053507C
    • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,00000004,005349EC,00000000), ref: 0053509C
    • HeapCreate.KERNELBASE(00000004,00000000,00000000,00000000), ref: 00535129
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000,?), ref: 005351A8
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005351C7
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 005351E6
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • InterlockedExchange.KERNEL32(?,00000000), ref: 0053531B
    • timeGetTime.WINMM ref: 00535321
    • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00535335
    • CreateEventW.KERNEL32(00000000,00000000,00000000,00000000), ref: 0053533E
    Memory Dump Source: same dump files as listed above (source 0000000000531000.sdmp at offset 00530000, based on PE).
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Create$Event$H_prolog3$Exception@8ExchangeHeapInterlockedThrowTimetime
    • String ID:
    • API String ID: 2521172286-0
    • Opcode ID: f80de58232ee63b2e693a9207b116afdca67e48bbced6d3436071e9c3bec8ac3
    • Instruction ID: 91fb41f4fc387d1fa7082b498c70ab3da61b6c6137a9c09bb0a31c7c7a798e54
    • Opcode Fuzzy Hash: f80de58232ee63b2e693a9207b116afdca67e48bbced6d3436071e9c3bec8ac3
    • Instruction Fuzzy Hash: C391D4B0A01B46AFD758DF6AC9C869AFBE8FB08304F50862ED16D83640D774A564CF90

    Control-flow Graph

    Control-flow graph (graph rendering not reproduced): function at 0063513B through 006351DA, a CRT thread-start wrapper: ___set_flsgetvalue, __calloc_crt, __getptd, __initptd, CreateThread, then GetLastError, _free and __dosmaperr on the failure branch.
    APIs
    • ___set_flsgetvalue.LIBCMT ref: 00635160
    • __calloc_crt.LIBCMT ref: 0063516C
    • __getptd.LIBCMT ref: 00635179
    • __initptd.LIBCMT ref: 00635182
    • CreateThread.KERNELBASE(?,?,006350D6,00000000,?,?), ref: 006351B0
    • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 006351BA
    • _free.LIBCMT ref: 006351C3
    • __dosmaperr.LIBCMT ref: 006351CE
      • Part of subcall function 0063521D: __getptd_noexit.LIBCMT ref: 0063521D
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__dosmaperr__getptd__getptd_noexit__initptd_free
    • String ID:
    • API String ID: 73303432-0
    • Opcode ID: ec502c1ad8bc1ff073cde9ca574380601d82a214234566641e22feb2698bf215
    • Instruction ID: 6d0337f480e3057348cf12907425b2989136d522a2ca4aab3624d620b18a8043
    • Opcode Fuzzy Hash: ec502c1ad8bc1ff073cde9ca574380601d82a214234566641e22feb2698bf215
    • Instruction Fuzzy Hash: 4911C832600B05AFDB51BFA4AC42AAB77EBEF04374F10012DF91687151DB71D9118BE5

    Control-flow Graph

    APIs
    • KiUserCallbackDispatcher.NTDLL(0000000B), ref: 00546DE8
    • GetSystemMetrics.USER32(0000000C), ref: 00546DEF
    • GetSystemMetrics.USER32(00000002), ref: 00546DF6
    • GetSystemMetrics.USER32(00000003), ref: 00546E00
    • GetDC.USER32(00000000), ref: 00546E0A
    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00546E1B
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00546E23
    • ReleaseDC.USER32(00000000,00000000), ref: 00546E2B
    Similarity
    • API ID: MetricsSystem$CapsDevice$CallbackDispatcherReleaseUser
    • String ID:
    • API String ID: 1031845853-0
    • Opcode ID: ceadd7eaa043e9d24b6b4fb7a9075ba862aa0d6ab68a671f5b8da35ec22708f9
    • Instruction ID: fbf0a65fc3f6cc215c1c8fa5ccc8907c3fcfc16e32a319bc030b09981d12a07b
    • Opcode Fuzzy Hash: ceadd7eaa043e9d24b6b4fb7a9075ba862aa0d6ab68a671f5b8da35ec22708f9
    • Instruction Fuzzy Hash: BEF01DB1E40714AAE710AFB29C49B277FA9FB45762F005616E7059B280DBB998118FD0

    Control-flow Graph

    APIs
    • __EH_prolog3.LIBCMT ref: 005C3B6A
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F8B
      • Part of subcall function 00569F51: InitializeCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F9D
      • Part of subcall function 00569F51: LeaveCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FAA
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FBA
    • GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 005C3BC2
    • GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 005C3BD4
    Strings
    Similarity
    • API ID: CriticalSection$EnterProfile$H_prolog3InitializeLeave
    • String ID: DragDelay$DragMinDist$windows
    • API String ID: 3965097884-2101198082
    • Opcode ID: c9872849edc83708ae273b0da7cd5dd5193c00bc021fb76a06bd462b0e561976
    • Instruction ID: b114e1ec467ea647a5b288f4e8f5a6af157932bae8db5abb5a4964aaf8c08d7c
    • Opcode Fuzzy Hash: c9872849edc83708ae273b0da7cd5dd5193c00bc021fb76a06bd462b0e561976
    • Instruction Fuzzy Hash: DA0171B0D017009FC761AFAA8982617FEEABF90700F51150FE146A7650C7F0A501CF4B

    Control-flow Graph

    APIs
    • __EH_prolog3.LIBCMT ref: 00534997
    • Sleep.KERNELBASE(00000000,00000008), ref: 005349AE
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • _memset.LIBCMT ref: 00534A07
    • _memset.LIBCMT ref: 00534A1E
    • Sleep.KERNELBASE(00000000), ref: 00534A7E
      • Part of subcall function 005327D7: WSAStartup.WS2_32(00000202,?), ref: 00532836
      • Part of subcall function 005327D7: CreateEventW.KERNEL32(00000000,00000001,00000000,00000000), ref: 00532841
      • Part of subcall function 005327D7: InterlockedExchange.KERNEL32(00000018,00000000), ref: 0053284F
    Similarity
    • API ID: Sleep_memset$CreateEventExchangeH_prolog3InterlockedStartup_malloc
    • String ID:
    • API String ID: 2351260541-0
    • Opcode ID: e6c4daa6bdd9d71f8f0164fe642c19e9894ec57bc1bec24381c045cf1373002d
    • Instruction ID: 458a2e04e85294e3f98d5e9e9148542e36004635c6fb154c03d16e475174a3fe
    • Opcode Fuzzy Hash: e6c4daa6bdd9d71f8f0164fe642c19e9894ec57bc1bec24381c045cf1373002d
    • Instruction Fuzzy Hash: CD217572900249ABCB51EFF4CC499DF7BADFF44300F104A2AB515D7141EA70AB048BA5

    Control-flow Graph

    APIs
    • setsockopt.WS2_32(?,0000FFFF,00000080,?,00000004), ref: 005328A7
    • CancelIo.KERNEL32(?), ref: 005328B0
    • InterlockedExchange.KERNEL32(?,00000000), ref: 005328B9
    • closesocket.WS2_32(?), ref: 005328C2
    • SetEvent.KERNEL32(?), ref: 005328CB
    Similarity
    • API ID: CancelEventExchangeInterlockedclosesocketsetsockopt
    • String ID:
    • API String ID: 1486965892-0
    • Opcode ID: 36030183eb2f996c983fccfab3eb82dcdc0643b34a3fa128b7bdce88dab643b3
    • Instruction ID: 4659f805a5fd644b8cdf8929968af0823ad973df83727f90405fa5544c8a3664
    • Opcode Fuzzy Hash: 36030183eb2f996c983fccfab3eb82dcdc0643b34a3fa128b7bdce88dab643b3
    • Instruction Fuzzy Hash: 26F06D32100700EBD7219BE4DD0ABAABBFAFF44B12F005629E282D55B0D7B0A905DB41

    Control-flow Graph

    APIs
    Strings
    • |p1:116.198.232.205|o1:6666|t1:1|p2:116.198.232.205|o2:8888|t2:1|p3:116.198.232.205|o3:82|t3:1|dd:1|cl:1|fz:, xrefs: 00534545, 0053454F
    Similarity
    • API ID: Sleep_memmove_memset
    • String ID: |p1:116.198.232.205|o1:6666|t1:1|p2:116.198.232.205|o2:8888|t2:1|p3:116.198.232.205|o3:82|t3:1|dd:1|cl:1|fz:
    • API String ID: 2704151744-3794833943
    • Opcode ID: 189de93774282de935e413102c6210ecee9a2eb8f25cc7eb64d017fdaa68978e
    • Instruction ID: ed81c373453a9fdb109a9b3c229a89b7e2abc936eadd3e9207634cce45ad793b
    • Opcode Fuzzy Hash: 189de93774282de935e413102c6210ecee9a2eb8f25cc7eb64d017fdaa68978e
    • Instruction Fuzzy Hash: AB319C76D00129EBCF21EF98D8814AEBBB5FB45714F64806AE412D7211D370AE82CF90
    APIs
    • __EH_prolog3.LIBCMT ref: 005348D9
    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000), ref: 00534922
    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00534964
    Strings
    Similarity
    • API ID: CreateEventH_prolog3ObjectSingleWait
    • String ID: (Eh
    • API String ID: 3065744638-125344864
    • Opcode ID: 2fd036c6924f4699bf52f5d27bc74a764ac64fad1c98b768e51f5321441a26f1
    • Instruction ID: cff0e45e9132af8c2d8b5858a384045cd4f10d46f59c79bb54e2aef866da8971
    • Opcode Fuzzy Hash: 2fd036c6924f4699bf52f5d27bc74a764ac64fad1c98b768e51f5321441a26f1
    • Instruction Fuzzy Hash: A3114974A002199FCF04EFA8C8889ADBBB6FF48311F10851DF552A72A1CB705A45CFA5
    APIs
    • __EH_prolog3.LIBCMT ref: 005A2FE5
    • CreateCompatibleDC.GDI32(00000000), ref: 005A30B0
    • CreateCompatibleDC.GDI32(00000000), ref: 005A30BC
    Similarity
    • API ID: CompatibleCreate$H_prolog3
    • String ID:
    • API String ID: 2193723985-0
    • Opcode ID: 594ccbd1678a1a8b83bc4df30aa5575623a39eec06fe2f0f345aef2ed8501fba
    • Instruction ID: 42a2c0d110c455bdf32aa7e29c542244845426a1eea1749b7655a2b350342e5c
    • Opcode Fuzzy Hash: 594ccbd1678a1a8b83bc4df30aa5575623a39eec06fe2f0f345aef2ed8501fba
    • Instruction Fuzzy Hash: 9751CEB09107258FCB44DF68C48129A7FB9BF09B00F1482ABEC09DF25AD7B09645CFA5
    APIs
    • __getptd_noexit.LIBCMT ref: 0063507B
      • Part of subcall function 0063D6E3: GetLastError.KERNEL32(00000001,00000000,00635222,00634D47,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1), ref: 0063D6E7
      • Part of subcall function 0063D6E3: ___set_flsgetvalue.LIBCMT ref: 0063D6F5
      • Part of subcall function 0063D6E3: __calloc_crt.LIBCMT ref: 0063D709
      • Part of subcall function 0063D6E3: DecodePointer.KERNEL32(00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1,?,?,?,0063D807), ref: 0063D723
      • Part of subcall function 0063D6E3: __initptd.LIBCMT ref: 0063D732
      • Part of subcall function 0063D6E3: GetCurrentThreadId.KERNEL32 ref: 0063D739
      • Part of subcall function 0063D6E3: SetLastError.KERNEL32(00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1,?,?,?,0063D807), ref: 0063D751
    • __freeptd.LIBCMT ref: 00635085
      • Part of subcall function 0063D8A5: TlsGetValue.KERNEL32(?,?,0063508A,00000000,?,006350B6,00000000), ref: 0063D8C6
      • Part of subcall function 0063D8A5: TlsGetValue.KERNEL32(?,?,0063508A,00000000,?,006350B6,00000000), ref: 0063D8D8
      • Part of subcall function 0063D8A5: DecodePointer.KERNEL32(00000000,?,0063508A,00000000,?,006350B6,00000000), ref: 0063D8EE
      • Part of subcall function 0063D8A5: __freefls@4.LIBCMT ref: 0063D8F9
      • Part of subcall function 0063D8A5: TlsSetValue.KERNEL32(00000017,00000000,?,0063508A,00000000,?,006350B6,00000000), ref: 0063D90B
    • ExitThread.KERNEL32 ref: 0063508E
    Similarity
    • API ID: Value$DecodeErrorLastPointerThread$CurrentExit___set_flsgetvalue__calloc_crt__freefls@4__freeptd__getptd_noexit__initptd
    • String ID:
    • API String ID: 779801232-0
    • Opcode ID: fdeda40bf33b358f5298a34d0110bb6fa1ccac2013158d8764804593ca9d29af
    • Instruction ID: b551a292693330f96769b8f931cddae62a6a971a3ebdb58861c0d5a887a8e0ec
    • Opcode Fuzzy Hash: fdeda40bf33b358f5298a34d0110bb6fa1ccac2013158d8764804593ca9d29af
    • Instruction Fuzzy Hash: 72C04C314007046A9B543B61ED0A95A3A6F99C0751F541525B81986152DE75E88185D5
    APIs
    • _malloc.LIBCMT ref: 00536322
      • Part of subcall function 00634CBE: __FF_MSGBANNER.LIBCMT ref: 00634CD7
      • Part of subcall function 00634CBE: __NMSG_WRITE.LIBCMT ref: 00634CDE
      • Part of subcall function 00634CBE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1), ref: 00634D03
    Strings
    Similarity
    • API ID: AllocateHeap_malloc
    • String ID: bS
    • API String ID: 501242067-1100520951
    • Opcode ID: c0429506c9f4194cd3a7383ba8ee2c8cc4a7702fd7723651235bc3aa47379737
    • Instruction ID: f8730314b51c1f8af81e44f5d04eb152709bbd40835861e435932f7b9c76eaad
    • Opcode Fuzzy Hash: c0429506c9f4194cd3a7383ba8ee2c8cc4a7702fd7723651235bc3aa47379737
    • Instruction Fuzzy Hash: 01D05B36605129779B216A95DC016597F8AEB457B0F14843DF905D7550DE21DC1047D0
    APIs
    • send.WS2_32(?,?,00040000,00000000), ref: 00532D30
    • send.WS2_32(?,?,?,00000000), ref: 00532D65
    Similarity
    • API ID: send
    • String ID:
    • API String ID: 2809346765-0
    • Opcode ID: 0d5002a79903f11c685188525fff293f171a0a8481a9ca7450d3e8168883d730
    • Instruction ID: a5495012e8eb7e5661f568b50c8f04724daa34b95bc7fdb31f799f4cc19015ba
    • Opcode Fuzzy Hash: 0d5002a79903f11c685188525fff293f171a0a8481a9ca7450d3e8168883d730
    • Instruction Fuzzy Hash: 28113A32D00A19FBCF129E98C884BCDBFB4FF04761F208466E918A6551D3709E869B90
    APIs
    • Sleep.KERNELBASE(0000000A), ref: 00532C28
    • timeGetTime.WINMM(000000C9,00000001), ref: 00532C41
    Similarity
    • API ID: SleepTimetime
    • String ID:
    • API String ID: 346578373-0
    • Opcode ID: baacaf555b3c96758f8c959bfa60509ff12f621f06b958df4a66532da353b1a8
    • Instruction ID: a63138b29a95efbc005584c35c8ef12766e41956a203e30cfc78c002634f62c7
    • Opcode Fuzzy Hash: baacaf555b3c96758f8c959bfa60509ff12f621f06b958df4a66532da353b1a8
    • Instruction Fuzzy Hash: 30F0FF31200B08AFD725CF68C88CB5EBBE4FB95301F041A19E042D31E0CB74AE86CB82
    APIs
    • ActivateActCtx.KERNEL32(?,?,0068E768,00000010,00537604,KERNEL32.DLL), ref: 00537436
    • LoadLibraryW.KERNELBASE(?), ref: 0053744D
    Similarity
    • API ID: ActivateLibraryLoad
    • String ID:
    • API String ID: 389599620-0
    • Opcode ID: 164061fea27e2d2fe470664fb90d58ccb48adcbc2859d2536ce6da8b1fe10a82
    • Instruction ID: 8fe8500037cbbcf0b5dbf207ad532d6ba9787b5e1d8e4bb13cc6e987731b8694
    • Opcode Fuzzy Hash: 164061fea27e2d2fe470664fb90d58ccb48adcbc2859d2536ce6da8b1fe10a82
    • Instruction Fuzzy Hash: 5FF015B0C00619ABDF61EFE0CD09A9DBFB1BF48B11F109629F411A62A1C7749A02DF95
    APIs
    • __getptd.LIBCMT ref: 006350A1
      • Part of subcall function 0063D75C: __getptd_noexit.LIBCMT ref: 0063D75F
      • Part of subcall function 0063D75C: __amsg_exit.LIBCMT ref: 0063D76C
      • Part of subcall function 00635076: __getptd_noexit.LIBCMT ref: 0063507B
      • Part of subcall function 00635076: __freeptd.LIBCMT ref: 00635085
      • Part of subcall function 00635076: ExitThread.KERNEL32 ref: 0063508E
    • __XcptFilter.LIBCMT ref: 006350C2
      • Part of subcall function 0063DA8E: __getptd_noexit.LIBCMT ref: 0063DA94
    Similarity
    • API ID: __getptd_noexit$ExitFilterThreadXcpt__amsg_exit__freeptd__getptd
    • String ID:
    • API String ID: 418257734-0
    • Opcode ID: c8fd626f220d3748a20f919c6535736f7f7d43b0635721f53fb95931356292a9
    • Instruction ID: 196a83286b313fdf90485af7f01a1d1727df25b78a1fcc5a0fbd25d3eb03fc8c
    • Opcode Fuzzy Hash: c8fd626f220d3748a20f919c6535736f7f7d43b0635721f53fb95931356292a9
    • Instruction Fuzzy Hash: 01E08CB0900600EFEB08EBA0DA06E2D3736EF44301F20404CF0026B2A2CB369900DBA5
    APIs
    • CloseHandle.KERNELBASE(006F004E,00000001,?,00534972), ref: 00535A6D
    • CloseHandle.KERNEL32(0065006C), ref: 00535A78
    Similarity
    • API ID: CloseHandle
    • String ID:
    • API String ID: 2962429428-0
    • Opcode ID: 48a445b49d46fa74a9031a15a26c4eda24f4fc2665a9ded34d4b9111d99de900
    • Instruction ID: 8e466cb8c319360fc879df057d0d32450803c8fc68fd6bb28a22b7ff4afb159d
    • Opcode Fuzzy Hash: 48a445b49d46fa74a9031a15a26c4eda24f4fc2665a9ded34d4b9111d99de900
    • Instruction Fuzzy Hash: 81D0C9795002129F87302F96AC04846FFE6EFC8321316461ED98052220DAB068558FA2
    APIs
      • Part of subcall function 00532EB2: GetCurrentThreadId.KERNEL32 ref: 00532EB3
      • Part of subcall function 00532EB2: InterlockedExchange.KERNEL32(?,00000001), ref: 00532EC3
      • Part of subcall function 00531038: _memmove.LIBCMT ref: 00531057
      • Part of subcall function 00532CFB: send.WS2_32(?,?,00040000,00000000), ref: 00532D30
      • Part of subcall function 00532CFB: send.WS2_32(?,?,?,00000000), ref: 00532D65
    • GetCurrentThreadId.KERNEL32 ref: 00532CDA
    Similarity
    • API ID: CurrentThreadsend$ExchangeInterlocked_memmove
    • String ID:
    • API String ID: 3842595502-0
    • Opcode ID: 12ab94f2a44675ec28b86362765bf148fd8375a54c8f4e13f67767b2d58d6444
    • Instruction ID: 35f64d6d344c076e7bfa827e10ff9802065548524c3a7e2555cc9f05e0453e2f
    • Opcode Fuzzy Hash: 12ab94f2a44675ec28b86362765bf148fd8375a54c8f4e13f67767b2d58d6444
    • Instruction Fuzzy Hash: 8511A172110A0EBFD714EBA1CC86FAABBACFF50710F108426F641D6491D7B1F9599BA0
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _memmove
    • String ID:
    • API String ID: 4104443479-0
    • Opcode ID: b674be14080885f2d0b722ac2ca17afe3fcc4dfb24c807cd946884e02bb0f590
    • Instruction ID: affa35597844d4fdd58b86aeb6a99f8a6beb08833b730e982000fd3bf7ba6eee
    • Opcode Fuzzy Hash: b674be14080885f2d0b722ac2ca17afe3fcc4dfb24c807cd946884e02bb0f590
    • Instruction Fuzzy Hash: 34012072B017456BD7149E2ACCC596A7F9AFFC4361F14C03AF94987112D672CD91CB50
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _wmemcpy_s
    • String ID:
    • API String ID: 67063488-0
    • Opcode ID: 20ae2cae1628be41d80399f7f3a08a7a000561a731f24c109d3fd02e1c8846e5
    • Instruction ID: e2f68569bb9b9ff49dbeab06d7d18b25ef79efce53f6a6bb65bdad5f194db099
    • Opcode Fuzzy Hash: 20ae2cae1628be41d80399f7f3a08a7a000561a731f24c109d3fd02e1c8846e5
    • Instruction Fuzzy Hash: 6F014FB5600605AFD700DFA8C885CAABBB8FF89354B104969F411CB311D770ED00CFA0
    APIs
    • __EH_prolog3.LIBCMT ref: 00546A54
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3$Exception@8Throw
    • String ID:
    • API String ID: 2489616738-0
    • Opcode ID: 6865d8d9ffaa4c84f72469abf317289131480fee4b51da816626ccedb32ab1a0
    • Instruction ID: 90f9ae2ccca483e0d479dfda81f75b056da7e20f17bd9806d27e512350febeec
    • Opcode Fuzzy Hash: 6865d8d9ffaa4c84f72469abf317289131480fee4b51da816626ccedb32ab1a0
    • Instruction Fuzzy Hash: 7A017174600A43DBDB28BF25C8157AA3FA3FB82358F14442DE48297290DF34CD50CB02
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _malloc
    • String ID:
    • API String ID: 1579825452-0
    • Opcode ID: 582c6e15e642d2f884a8cc01ff7d04cd56f85fdd331bb7307460aeecf3188ce9
    • Instruction ID: 572bd0a4fbf62e1c3597023879e0b739037681851e5817d75aa5314aab45f244
    • Opcode Fuzzy Hash: 582c6e15e642d2f884a8cc01ff7d04cd56f85fdd331bb7307460aeecf3188ce9
    • Instruction Fuzzy Hash: 21E06D375006159BC7048B49C504B57FBDDEF91370F168426F808CB252CAB1E8048BA0
    APIs
      • Part of subcall function 0056AEA2: GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0056AED5
      • Part of subcall function 0056AEA2: _memset.LIBCMT ref: 0056AEEE
    • SystemParametersInfoW.USER32(00000029,-000001F8,?,00000000), ref: 0054A52B
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressInfoParametersProcSystem_memset
    • String ID:
    • API String ID: 831922234-0
    • Opcode ID: a35e4e486de6c46c956665d107a2cfd445191714660b12055a2ff16e0934e14b
    • Instruction ID: 180cb37e9a2be3a3bb7d74a2a2cad03abb28eaa331adb18ba5c3ee8d08dc665c
    • Opcode Fuzzy Hash: a35e4e486de6c46c956665d107a2cfd445191714660b12055a2ff16e0934e14b
    • Instruction Fuzzy Hash: 78D0A7B35906056FE3005B71EC0AF76360DE7A0721F180624B524CA1D0EF76DC408550
    APIs
    • DeleteObject.GDI32(00000000), ref: 0053BCD8
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: DeleteObject
    • String ID:
    • API String ID: 1531683806-0
    • Opcode ID: f948541372a9e3936b510143fe0c6dc157e60b812d9aac4afd6cdf3fdba5dfb0
    • Instruction ID: 9741f62adf6db518a721d52ca3758847fef03f17c814199ada973f3341705216
    • Opcode Fuzzy Hash: f948541372a9e3936b510143fe0c6dc157e60b812d9aac4afd6cdf3fdba5dfb0
    • Instruction Fuzzy Hash: C0B092B090120AAAEF20AB718A1DB263B946B81307F00A898A20895001DF39C8418500
    APIs
    • IsWindowVisible.USER32(?), ref: 005B2300
    • GetWindowRect.USER32(?,?), ref: 005B2323
    • PtInRect.USER32(?,?,?), ref: 005B2331
      • Part of subcall function 005E0E67: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 005E0EDE
    • GetAsyncKeyState.USER32(00000012), ref: 005B2356
    • ScreenToClient.USER32(?,?), ref: 005B23A4
    • IsWindow.USER32(?), ref: 005B23EB
    • IsWindow.USER32(?), ref: 005B242E
    • GetWindowRect.USER32(?,?), ref: 005B244E
    • PtInRect.USER32(?,?,?), ref: 005B245E
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B2493
    • PtInRect.USER32(-00000054,?,?), ref: 005B24DE
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B2503
    • ScreenToClient.USER32(?,?), ref: 005B255B
    • PtInRect.USER32(?,?,?), ref: 005B256B
    • GetParent.USER32(?), ref: 005B25F5
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B2688
    • GetFocus.USER32 ref: 005B268E
    • WindowFromPoint.USER32(?,?,00000000), ref: 005B26C6
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B2710
    • GetSystemMenu.USER32(?,00000000,?,?,75C0A000,?), ref: 005B2799
    • IsMenu.USER32(?), ref: 005B27BB
    • EnableMenuItem.USER32(?,0000F030,00000000), ref: 005B27D8
    • EnableMenuItem.USER32(?,0000F120,00000000), ref: 005B27E3
    • IsZoomed.USER32(?), ref: 005B27F1
    • IsIconic.USER32(?), ref: 005B2810
    • EnableMenuItem.USER32(?,0000F120,00000003), ref: 005B2824
    • TrackPopupMenu.USER32(?,00000100,?,?,00000000,?,00000000), ref: 005B284C
    • SendMessageW.USER32(?,00000112,00000000,00000000), ref: 005B2866
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$MenuRect$MessageSend$EnableItem$ClientScreen$AsyncFocusFromIconicParentPointPopupRedrawStateSystemTrackVisibleZoomed
    • String ID: (e$pe
    • API String ID: 3398603409-3688049780
    • Opcode ID: e958bc24a8d10a922a5d556076d5fe09d0c1cd9d30b65c1848d93539b859e9f4
    • Instruction ID: 3eabe79e292654a06f8fe49e4897a615b8d05580169762f92b9ed04889593a5f
    • Opcode Fuzzy Hash: e958bc24a8d10a922a5d556076d5fe09d0c1cd9d30b65c1848d93539b859e9f4
    • Instruction Fuzzy Hash: 05F12871A00209AFDB21AFA4DC88AEEBBF6FB48300F145569F545E7261DB30AD40DF61
    APIs
    • IsWindow.USER32(?), ref: 005620B0
    • IsWindow.USER32(?), ref: 005620C5
    • MonitorFromPoint.USER32(?,?,00000002), ref: 00562136
    • GetMonitorInfoW.USER32(00000000), ref: 0056213D
    • CopyRect.USER32(?,?), ref: 0056214F
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0056215F
    • GetSystemMetrics.USER32(00000033), ref: 005622E3
    • GetSystemMetrics.USER32(00000006), ref: 005622E9
    • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0056236E
    • SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 00562388
    • SetRectEmpty.USER32(?), ref: 005625EB
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00562654
    • GetWindowRect.USER32(?,?), ref: 00562737
    • ClientToScreen.USER32(?,?), ref: 00562982
    • ClientToScreen.USER32(?,?), ref: 005629A9
    • ClientToScreen.USER32(?,?), ref: 00562B42
    • ClientToScreen.USER32(?,?), ref: 00562B6A
    • GetSystemMetrics.USER32(00000002), ref: 00562C05
    • IsRectEmpty.USER32(?), ref: 00562C15
    • GetSystemMetrics.USER32(00000002), ref: 00562C21
    • GetWindowRect.USER32(?,?), ref: 00562D21
    • IntersectRect.USER32(?,?,-00000054), ref: 00562D82
    • InvalidateRect.USER32(?,-00000054,00000001), ref: 00562D97
    • UpdateWindow.USER32(?), ref: 00562DA0
    • IntersectRect.USER32(?,?,-00000054), ref: 00562DE9
    • InvalidateRect.USER32(?,-00000054,00000001), ref: 00562DFE
    • UpdateWindow.USER32(?), ref: 00562E07
    • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,?,?,?,?,00000014), ref: 00562E45
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Window$System$ClientMetricsScreen$EmptyInfoIntersectInvalidateMessageMonitorRedrawSendUpdate$CopyFromParametersPoint
    • String ID: (
    • API String ID: 840757265-3887548279
    • Opcode ID: a79dc2dd8930488a7ea4d0f31b4a7c64c4ad55476e83000ddbbc9e1f618365f7
    • Instruction ID: 9a3453f53d58505bac341be4e8a409ac1d5f4a54cf87d702b9c160e103f31a19
    • Opcode Fuzzy Hash: a79dc2dd8930488a7ea4d0f31b4a7c64c4ad55476e83000ddbbc9e1f618365f7
    • Instruction Fuzzy Hash: EFA2F671E00619DFCF25CF68C984AEDBBB5BF49300F1845BAE849AB256DB709981CF50
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0055C21A
    • GetParent.USER32(?), ref: 0055C275
    • GetParent.USER32(?), ref: 0055C291
    • UpdateWindow.USER32(?), ref: 0055C2D9
    • SetCursor.USER32 ref: 0055C2FE
    • GetAsyncKeyState.USER32(00000012), ref: 0055C360
    • UpdateWindow.USER32(?), ref: 0055C466
    • InflateRect.USER32(?,00000002,00000002), ref: 0055C4C6
    • SetCapture.USER32(?), ref: 0055C4CF
    • SetCursor.USER32(00000000), ref: 0055C4E7
    • IsWindow.USER32(?), ref: 0055C585
    • GetCursorPos.USER32(?), ref: 0055C5C4
    • ScreenToClient.USER32(?,?), ref: 0055C5D1
    • PtInRect.USER32(?,?,?), ref: 0055C5ED
    • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0055C661
    • GetParent.USER32(?), ref: 0055C67C
    • GetParent.USER32(?), ref: 0055C690
    • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000), ref: 0055C6A2
    • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0055C6C4
    • GetParent.USER32(?), ref: 0055C6CD
    • GetParent.USER32(?), ref: 0055C6E8
    • GetParent.USER32(?), ref: 0055C6F3
    • InvalidateRect.USER32(?,?,00000001), ref: 0055C72B
    • RedrawWindow.USER32(?,00000000,00000000,00000505,00000000,?,00000000), ref: 0055C863
      • Part of subcall function 005599E6: InvalidateRect.USER32(?,?,00000001), ref: 00559A5B
      • Part of subcall function 005599E6: InflateRect.USER32(?,?,?), ref: 00559AA1
      • Part of subcall function 005599E6: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00559AB4
    • UpdateWindow.USER32(?), ref: 0055C7C3
    • UpdateWindow.USER32(?), ref: 0055C822
    • SetCapture.USER32(?,?,00000000), ref: 0055C82D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Parent$RectRedraw$Update$Cursor$CaptureInflateInvalidate$AsyncClientH_prolog3_ScreenState
    • String ID: pxf
    • API String ID: 991125134-3901195985
    • Opcode ID: 948cfaa811e9c599c5716582422b2bca54e147e5bd9e45644a075d5b0cde17e9
    • Instruction ID: 47fe191c5f65a6586aacb1b5b898777e9997ca84cfef5cc1da1194e5a1c7f5b9
    • Opcode Fuzzy Hash: 948cfaa811e9c599c5716582422b2bca54e147e5bd9e45644a075d5b0cde17e9
    • Instruction Fuzzy Hash: 0A022A745003159FCB15AF64C8A8AA97FB6FF49712F1412BAFC069B2A5DB309848CF60
    APIs
    • MessageBeep.USER32 ref: 0059822D
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00598272
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0059831F
    • SendMessageW.USER32(?,000000B0,?,?), ref: 005984B9
    • GetKeyState.USER32(00000010), ref: 005984EE
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00598504
    • GetKeyState.USER32(00000011), ref: 00598530
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00598546
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0059858E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$Send$State$Beep
    • String ID:
    • API String ID: 4138746095-0
    • Opcode ID: 93c6dafec63b51e1b6e9121d1c13b8f6fe4ddc6764c9e4633aa7977ddc3760c6
    • Instruction ID: 5e83dbb7b01e2e10c4fc8c0910c076e235cbee2142440ded3455a9d3072109ab
    • Opcode Fuzzy Hash: 93c6dafec63b51e1b6e9121d1c13b8f6fe4ddc6764c9e4633aa7977ddc3760c6
    • Instruction Fuzzy Hash: BBD12A7520060ABBCF21DF54CC84EFE3BA9FF49754F104A16FA2AC6190DB30EA559B61
    APIs
    • __EH_prolog3.LIBCMT ref: 005CE684
      • Part of subcall function 0059E8CB: FillRect.USER32(?,00000020), ref: 0059E8DF
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FillH_prolog3Rect
    • String ID: d
    • API String ID: 1863035756-2564639436
    • Opcode ID: b6f639034b57a93014d72d115a98ee3a46fb39696594b736c8c19950e7fa14a5
    • Instruction ID: 12d1d1a3826ce09a4d00fda19d9aa591ea71a5b8dda914230d83b71733b4a709
    • Opcode Fuzzy Hash: b6f639034b57a93014d72d115a98ee3a46fb39696594b736c8c19950e7fa14a5
    • Instruction Fuzzy Hash: 40C1877190022ADFCB15DFE8CC86AAEBFB5FF48301F10462EF951A6291C7349955DBA0
    APIs
    • GetClientRect.USER32(?,?), ref: 00587E34
    • IsRectEmpty.USER32(?), ref: 00587E3E
    • IsIconic.USER32(?), ref: 00587E99
    • BeginDeferWindowPos.USER32(00000000), ref: 00587ED3
    • GetClientRect.USER32(?,?), ref: 00587EFD
    • IsRectEmpty.USER32(?), ref: 00587F07
    • IsRectEmpty.USER32(?), ref: 00587F9D
    • EqualRect.USER32(?,?), ref: 00587FE2
    • GetParent.USER32(?), ref: 005881DE
    • GetWindowRect.USER32(?,?), ref: 00588089
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6E9
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6F6
    • EndDeferWindowPos.USER32(?), ref: 005882CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Client$EmptyWindow$DeferScreen$BeginEqualIconicParent
    • String ID: pxf$\g
    • API String ID: 3453398311-4203734659
    • Opcode ID: cfe40e634c77fe4a1692722bb82dc8ffaf8cb8623c6beb21103d4a38acb2d49b
    • Instruction ID: e557812d8ef218685a8f8e3887764a5b9ba84ecc5b092a5942b9eca59cff00c6
    • Opcode Fuzzy Hash: cfe40e634c77fe4a1692722bb82dc8ffaf8cb8623c6beb21103d4a38acb2d49b
    • Instruction Fuzzy Hash: AEF16831A0060A9FCF14EFA4C988AEEBBB6FF49304F544468ED06BB255DB70AD45CB50
    APIs
    • IsWindow.USER32(?), ref: 0057696E
    • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 0057698A
    • GetCapture.USER32 ref: 00576A04
    • GetKeyState.USER32(00000011), ref: 00576A66
    • GetKeyState.USER32(00000010), ref: 00576A73
    • ImmGetContext.IMM32(?), ref: 00576A81
    • ImmGetOpenStatus.IMM32(00000000,?), ref: 00576A8E
    • ImmReleaseContext.IMM32(?,00000000,?), ref: 00576AB0
    • GetFocus.USER32 ref: 00576ADA
    • IsWindow.USER32(?), ref: 00576B1B
    • IsWindow.USER32(?), ref: 00576BA1
    • ClientToScreen.USER32(?,?), ref: 00576BB1
    • IsWindow.USER32(?), ref: 00576BD7
    • ClientToScreen.USER32(?,?), ref: 00576C06
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
    • String ID:
    • API String ID: 1155058817-0
    • Opcode ID: 4767bf7288ed7ed3bbefa39411d6fbba8956f55ac60151d839f19cbaa3c6f735
    • Instruction ID: 6e221c8fe07271076e2b9d0b0449b5abb9f4b435b4ebe5e0ab24d6e27f6612d5
    • Opcode Fuzzy Hash: 4767bf7288ed7ed3bbefa39411d6fbba8956f55ac60151d839f19cbaa3c6f735
    • Instruction Fuzzy Hash: A3A19031500A06EFDF259FA1E894ABA7FA5FF04304F10C82AE65ED2051EB31EC50EB51
    APIs
    • IsWindow.USER32(?), ref: 00574AA5
    • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00574AC1
    • GetCapture.USER32 ref: 00574B41
    • GetKeyState.USER32(00000011), ref: 00574B94
    • GetKeyState.USER32(00000010), ref: 00574BA1
    • ImmGetContext.IMM32(?), ref: 00574BAF
    • ImmGetOpenStatus.IMM32(00000000,?), ref: 00574BBC
    • ImmReleaseContext.IMM32(00000000,00000000,?), ref: 00574BDE
    • GetFocus.USER32 ref: 00574C08
    • IsWindow.USER32(?), ref: 00574C49
    • IsWindow.USER32(?), ref: 00574CCF
    • ClientToScreen.USER32(?,?), ref: 00574CDF
    • IsWindow.USER32(?), ref: 00574D05
    • ClientToScreen.USER32(?,?), ref: 00574D34
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$ClientContextScreenState$CaptureFocusMessageOpenReleaseSendStatus
    • String ID:
    • API String ID: 1155058817-0
    • Opcode ID: fb61c21e481cd50e192f7ad7955d91db46d6c01f46e9b7b946bfab156d12b14c
    • Instruction ID: b9195510bb0208177df400e2462c972829b895393d52c72c65878e5db852ba9e
    • Opcode Fuzzy Hash: fb61c21e481cd50e192f7ad7955d91db46d6c01f46e9b7b946bfab156d12b14c
    • Instruction Fuzzy Hash: 7391A031900606AFDF259FA4E894A7EBFAAFF04305F10C92AE55E82061D731DD90EF55
    APIs
    • SetRectEmpty.USER32(?), ref: 0055CD19
    • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 0055CD37
    • ReleaseCapture.USER32 ref: 0055CD3D
    • SetCapture.USER32(?), ref: 0055CD50
    • ReleaseCapture.USER32 ref: 0055CDC5
    • SetCapture.USER32(?), ref: 0055CDD8
    • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0055CEB1
    • UpdateWindow.USER32(?), ref: 0055CF14
    • SendMessageW.USER32(?,00000111,000000FF,00000000), ref: 0055CF5C
    • IsWindow.USER32(?), ref: 0055CF67
    • IsIconic.USER32(?), ref: 0055CF74
    • IsZoomed.USER32(?), ref: 0055CF81
    • IsWindow.USER32(?), ref: 0055CF95
    • UpdateWindow.USER32(?), ref: 0055CFE1
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Capture$MessageReleaseSendUpdate$EmptyIconicRectRedrawZoomed
    • String ID:
    • API String ID: 2500574155-0
    • Opcode ID: ee0f865602ba649feaaca550fa86a88611ee17ab802bc3f17da659e6a6abebbd
    • Instruction ID: cbeb3304d35355ab85a510c851994a3e8aad03d52413153a0984f99daf7c91d7
    • Opcode Fuzzy Hash: ee0f865602ba649feaaca550fa86a88611ee17ab802bc3f17da659e6a6abebbd
    • Instruction Fuzzy Hash: ABA11C31600305AFCF119F64CC99AAD7FB6BF89312F1441BAFC1A9B2A1DB319945DB10
    APIs
    • IsWindow.USER32(?), ref: 005B0FDF
    • GetFocus.USER32 ref: 005B0FED
    • IsChild.USER32(?,?), ref: 005B1021
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B1055
    • IsChild.USER32(?,?), ref: 005B1071
    • SendMessageW.USER32(?,00000100,?,00000000), ref: 005B10A0
    • IsIconic.USER32(?), ref: 005B10E1
    • GetAsyncKeyState.USER32(00000011), ref: 005B1167
    • GetAsyncKeyState.USER32(00000012), ref: 005B1179
    • GetAsyncKeyState.USER32(00000010), ref: 005B1186
    • IsWindowVisible.USER32(?), ref: 005B11E7
      • Part of subcall function 005DFE91: RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 005DFEBE
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AsyncStateWindow$ChildMessageSend$FocusIconicRedrawVisible
    • String ID:
    • API String ID: 763474574-0
    • Opcode ID: f13897caa8333f8febf14db5f3dda8a7a1ddda7008ceecd60ec93d4ec7584d7c
    • Instruction ID: b768a09022062ba311c9280505674b6fbce20ecf054961b85a821578f90fae2a
    • Opcode Fuzzy Hash: f13897caa8333f8febf14db5f3dda8a7a1ddda7008ceecd60ec93d4ec7584d7c
    • Instruction Fuzzy Hash: 6371E175A00A499FDF60AFA4CCE8BE97FB6BB09300F544068E946D7261DB31BC45CB14
    APIs
    • IsIconic.USER32(?), ref: 0053555B
    • SendMessageW.USER32(?,00000027,?,00000000), ref: 0053557F
    • GetSystemMetrics.USER32(0000000B), ref: 0053558D
    • GetSystemMetrics.USER32(0000000C), ref: 00535595
    • GetClientRect.USER32(?,?), ref: 005355B1
    • DrawIcon.USER32(?,?,?,?), ref: 005355E5
      • Part of subcall function 0053BBA7: __EH_prolog3.LIBCMT ref: 0053BBAE
      • Part of subcall function 0053BBA7: EndPaint.USER32(?,?,00000004,00539FF5,?,?,00000058,00535600), ref: 0053BBC9
    • GetWindowRect.USER32(?,?), ref: 00535626
    • ScreenToClient.USER32(?,?), ref: 0053565F
    • ScreenToClient.USER32(?,?), ref: 00535669
    • GetDC.USER32(?), ref: 00535686
    • SelectObject.GDI32(?,?), ref: 005356CF
      • Part of subcall function 0053BB53: __EH_prolog3.LIBCMT ref: 0053BB5A
      • Part of subcall function 0053BB53: BeginPaint.USER32(?,?,00000004,00539FCF,?,00000058,00535600), ref: 0053BB86
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Client$H_prolog3MetricsPaintRectScreenSystem$BeginDrawIconIconicMessageObjectSelectSendWindow
    • String ID:
    • API String ID: 2616362336-0
    • Opcode ID: e97bcc4fe4ca6652a7aee37372a30869e6e7d182395e829ab31e1727ee98501c
    • Instruction ID: 7d9f0bce01b50a1fd9eabde4bd565ebfa11a22b80c4b9d5121378df85f77b4b6
    • Opcode Fuzzy Hash: e97bcc4fe4ca6652a7aee37372a30869e6e7d182395e829ab31e1727ee98501c
    • Instruction Fuzzy Hash: 8351E4715087419FD711DF69DD85A6ABBE9FF88710F000A1EF696822A0DB71A904CB52
    APIs
    • GetSystemMetrics.USER32(00000021), ref: 005B1A62
    • GetSystemMetrics.USER32(00000020), ref: 005B1A69
    • IsIconic.USER32(?), ref: 005B1A7D
    • GetWindowRect.USER32(?,00000020), ref: 005B1ABE
    • IsIconic.USER32(?), ref: 005B1AE2
    • GetSystemMetrics.USER32(00000004), ref: 005B1AEE
    • OffsetRect.USER32(00000020,?,?), ref: 005B1B00
    • GetSystemMetrics.USER32(00000004), ref: 005B1B08
    • IsIconic.USER32(?), ref: 005B1B36
    • GetSystemMetrics.USER32(00000021), ref: 005B1B42
    • GetSystemMetrics.USER32(00000020), ref: 005B1B49
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MetricsSystem$Iconic$RectWindow$LongOffset
    • String ID:
    • API String ID: 993849457-0
    • Opcode ID: 9902780fb4f457dc9e1156b08583c2edaa459d1636cc693bd8deb616cfd6d4d6
    • Instruction ID: 41f684d14aa705845b0c9a2ff4154bf96069cf7173cb64200306c7fc76e5d0ca
    • Opcode Fuzzy Hash: 9902780fb4f457dc9e1156b08583c2edaa459d1636cc693bd8deb616cfd6d4d6
    • Instruction Fuzzy Hash: F541D5B1A0020A9FCB44DFA9DD85AAEBBF5FF48300F144069E609E7251DB70A940CF95
    APIs
    • IsWindowVisible.USER32(?), ref: 005B1D66
    • ScreenToClient.USER32(?,?), ref: 005B1DE4
    • GetSystemMetrics.USER32(00000021), ref: 005B1DF2
    • GetSystemMetrics.USER32(00000020), ref: 005B1DFB
    • IsIconic.USER32(?), ref: 005B1E09
    • GetSystemMetrics.USER32(00000004), ref: 005B1E15
    • PtInRect.USER32(00000000,?,?), ref: 005B1E5C
    • PtInRect.USER32(?,?,?), ref: 005B1E85
    • GetSystemMetrics.USER32(00000004), ref: 005B1E9B
    • PtInRect.USER32(00000020,?,?), ref: 005B1EB3
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MetricsSystem$Rect$ClientIconicScreenVisibleWindow
    • String ID:
    • API String ID: 1122842830-0
    • Opcode ID: 67814e48788840f7cbd83d6bbd1f7a4453ce36e30a2b4ba014c64682b613071d
    • Instruction ID: 5e382e94e940d403527de34a9b9edd80290200b75114c84b9322c6872a40b1cc
    • Opcode Fuzzy Hash: 67814e48788840f7cbd83d6bbd1f7a4453ce36e30a2b4ba014c64682b613071d
    • Instruction Fuzzy Hash: FE514831A0061AAFCF50DFA4C894AEEBFFABF48350F544169E905EB250DB30ED018B95
    APIs
    • GetWindowRect.USER32(?,?), ref: 005E0899
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: RectWindow
    • String ID: y
    • API String ID: 861336768-4225443349
    • Opcode ID: e728b44c1d4c06f94846b37eee852a4b1dd0513ec8c11d16e5b96242fbbc267c
    • Instruction ID: 696afd91316dd5d07c06d00ebb081a4b6b3bcb4b8d3e247d94bdf34f8eacebe9
    • Opcode Fuzzy Hash: e728b44c1d4c06f94846b37eee852a4b1dd0513ec8c11d16e5b96242fbbc267c
    • Instruction Fuzzy Hash: 4E31C372D00245ABEF28DF6ADC457AE7FB4FB58301F10642AE995E7183D6B089808F91
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0056A6CD
    • GetFullPathNameW.KERNEL32(00000000,00000104,?,?,00000268,0056A8A8,?,?,00000000,?,0061FADA,?,?,?), ref: 0056A70B
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • PathIsUNCW.SHLWAPI(?,?,?,00000000,?,0061FADA,?,?,?), ref: 0056A787
    • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,?,?,00000000,00000000,?,0061FADA,?,?,?), ref: 0056A7AE
    • CharUpperW.USER32(?,?,0061FADA,?,?,?), ref: 0056A7E1
    • FindFirstFileW.KERNEL32(?,?,?,0061FADA,?,?,?), ref: 0056A7FD
    • FindClose.KERNEL32(00000000,?,0061FADA,?,?,?), ref: 0056A809
    • lstrlenW.KERNEL32(?,?,0061FADA,?,?,?), ref: 0056A827
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FindPath$CharCloseException@8FileFirstFullH_prolog3H_prolog3_InformationNameThrowUpperVolumelstrlen
    • String ID:
    • API String ID: 624941980-0
    • Opcode ID: 2b3a58814750b419815e02dde1571f0a81dc2c0b3bc9bd20294282e346d2b7ac
    • Instruction ID: 98b684c711396160577dcb62c78d54f899d999484a970f189c4498c54a0b5078
    • Opcode Fuzzy Hash: 2b3a58814750b419815e02dde1571f0a81dc2c0b3bc9bd20294282e346d2b7ac
    • Instruction Fuzzy Hash: 22418371904216ABDF14AF60CC9DBBE7B79FF50311F14069CB909A3192DB359E80CE52
    APIs
    • SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 0056C5A0
    • UpdateWindow.USER32(?), ref: 0056C5B7
    • GetKeyState.USER32(00000079), ref: 0056C5DC
    • GetKeyState.USER32(00000012), ref: 0056C5E9
    • GetParent.USER32(?), ref: 0056C69F
    • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 0056C6BB
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageState$Exception@8H_prolog3ParentPostSendThrowUpdateWindow
    • String ID:
    • API String ID: 2390574533-0
    • Opcode ID: 8e86cf6c52b770e7d0295c3b1e4e7253744f0e2caf8543ccd506697fa2367d00
    • Instruction ID: 4a6e5e9a4a8a3e0397c591add05ad9dcfffc8b9aa0fccf3559a65cb06f02dfbc
    • Opcode Fuzzy Hash: 8e86cf6c52b770e7d0295c3b1e4e7253744f0e2caf8543ccd506697fa2367d00
    • Instruction Fuzzy Hash: 9241D2312007059BEB208F28CC48FBA7FE1BF54701F155A28E8DA471A1DBB0A880DB59
    APIs
    • GetParent.USER32(?), ref: 00598DFA
    • GetKeyState.USER32(00000012), ref: 00598E2C
    • GetKeyState.USER32(00000011), ref: 00598E35
    • SendMessageW.USER32(?,00000157,00000000,00000000), ref: 00598E4E
    • SendMessageW.USER32(?,0000014F,00000001,00000000), ref: 00598E5F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSendState$Parent
    • String ID:
    • API String ID: 1284845784-0
    • Opcode ID: 4dc5cabe657c46770edcb401e9945e8cf8fe813cfe1f66fe301486d903ac687e
    • Instruction ID: dab1b3e3d3f99550015f8933c781294524dfbc5637cc6d9513340bc5d5922d8a
    • Opcode Fuzzy Hash: 4dc5cabe657c46770edcb401e9945e8cf8fe813cfe1f66fe301486d903ac687e
    • Instruction Fuzzy Hash: 5F216833300615ABCF2666688C68E7E7E6FFFC6B41F540929F2019B160DF71AC019B60
    APIs
    • recv.WS2_32(?,?,00000598,00000000), ref: 0053351C
    • SetLastError.KERNEL32(00000000,?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 00533548
    • WSASetLastError.WS2_32(0000000D,?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 00533583
      • Part of subcall function 005340F4: WSASetLastError.WS2_32(0000000D,?,?,00000004), ref: 00534128
    • GetLastError.KERNEL32(?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 00533595
    • WSAGetLastError.WS2_32(?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 005335C9
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ErrorLast$recv
    • String ID:
    • API String ID: 316788870-0
    • Opcode ID: 9e62c0db6a60c1b40b830f0d2db153cc37090dc31c14a6ea476e5344d3658830
    • Instruction ID: 5205d09cd9102a37967c408c7b5fb7fbe9555b9f9b004e53c6e8f47b0cb5dfe3
    • Opcode Fuzzy Hash: 9e62c0db6a60c1b40b830f0d2db153cc37090dc31c14a6ea476e5344d3658830
    • Instruction Fuzzy Hash: D321F5B15442019BDF649FA4C8C8B653FA9FB05322F1415AAEE05CE296D772CA809F61
    APIs
    • IsDebuggerPresent.KERNEL32 ref: 0063AD3F
    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0063AD54
    • UnhandledExceptionFilter.KERNEL32(00680330), ref: 0063AD5F
    • GetCurrentProcess.KERNEL32(C0000409), ref: 0063AD7B
    • TerminateProcess.KERNEL32(00000000), ref: 0063AD82
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
    • String ID:
    • API String ID: 2579439406-0
    • Opcode ID: 9cd199e46e5de9d349ef30949f9f135c5ac233211966fa4bac3bb8574a2eae1a
    • Instruction ID: 6902b2276738ef0b727368e1995006fb1e9cfdb15e854180db2bd2126fa91fbc
    • Opcode Fuzzy Hash: 9cd199e46e5de9d349ef30949f9f135c5ac233211966fa4bac3bb8574a2eae1a
    • Instruction Fuzzy Hash: 9E21E6B5900308DFDB00EFA8FD447443BE6FB4A325F10A11AE51993371EBB46A808F96
    APIs
    • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 00537549
    • __snwprintf_s.LIBCMT ref: 0053757B
    • LoadLibraryW.KERNEL32(?), ref: 005375B6
      • Part of subcall function 005357FA: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 005357FA: __EH_prolog3.LIBCMT ref: 00536474
      • Part of subcall function 0063521D: __getptd_noexit.LIBCMT ref: 0063521D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Exception@8H_prolog3InfoLibraryLoadLocaleThrow__getptd_noexit__snwprintf_s
    • String ID: LOC
    • API String ID: 3193016053-519433814
    • Opcode ID: 2b81808945ad09e3cb41bdeeacfc7570d5b4c2da326a2841c1c319685780148c
    • Instruction ID: d55b63f6c57206f92a8fbb6ec9c69c46e5af909f6e1992092a45764182b8292b
    • Opcode Fuzzy Hash: 2b81808945ad09e3cb41bdeeacfc7570d5b4c2da326a2841c1c319685780148c
    • Instruction Fuzzy Hash: 9911E7B1D4420CABDB24BBB4CC46FAA3BADBB45310F150469B101A7091EF709F008AB5
    APIs
    • FindResourceW.KERNEL32(?,00000000,00000005), ref: 0053A4FE
    • LoadResource.KERNEL32(?,00000000), ref: 0053A506
    • LockResource.KERNEL32(00000000), ref: 0053A518
    • FreeResource.KERNEL32(00000000), ref: 0053A566
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Resource$FindFreeLoadLock
    • String ID:
    • API String ID: 1078018258-0
    • Opcode ID: 0f270f571e2aee4e74456ba694ab2df863d71d7bc083693bcde4978751bcdc5d
    • Instruction ID: a39c6ff3e0bcfe4599c60a2d98d9ea43ccc65f15581f5f624e302f3e33da6fba
    • Opcode Fuzzy Hash: 0f270f571e2aee4e74456ba694ab2df863d71d7bc083693bcde4978751bcdc5d
    • Instruction Fuzzy Hash: 1611E336100711EFDB21CFA5C888A7ABBF5FF04315F108129E89293590E774ED54DB62
    APIs
    • GetKeyState.USER32(00000010), ref: 005B0A11
    • GetKeyState.USER32(00000011), ref: 005B0A1A
    • GetKeyState.USER32(00000012), ref: 005B0A23
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: State
    • String ID:
    • API String ID: 1649606143-0
    • Opcode ID: bd7e0668bec3da2e0a21ab802afd9d6dbce6a48d5d749d9e0cc210a0bd0e4f12
    • Instruction ID: 0a55099444e28fecb78b3de6789d06bdec95fbdd1af975eab80faa1f12fb5c64
    • Opcode Fuzzy Hash: bd7e0668bec3da2e0a21ab802afd9d6dbce6a48d5d749d9e0cc210a0bd0e4f12
    • Instruction Fuzzy Hash: 27F0E5756A03299ADF00A6909C00FE67F94EB047C0F006871EA44670C0CBA0FD81A6A0
    APIs
    • IsIconic.USER32(?), ref: 005B2EE4
    • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 005B2F34
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: IconicLongMessagePostWindow
    • String ID:
    • API String ID: 1855654840-0
    • Opcode ID: 0bef785cce5d01da452d8b9b0151457f09f3d1ea9869d8c8a97c8a8460d2a7db
    • Instruction ID: 8513bc8e869e657116e810e856a887c3a3c2fde8c354af43d608112ab7ee8720
    • Opcode Fuzzy Hash: 0bef785cce5d01da452d8b9b0151457f09f3d1ea9869d8c8a97c8a8460d2a7db
    • Instruction Fuzzy Hash: D211A1732207028BD7359A79DC8ABF6BAB6FB54311F080B25F042C2192D764F8409661
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: IconicVisibleWindow
    • String ID:
    • API String ID: 1797901696-0
    • Opcode ID: 05b29d64c80a9d6e3382180c4e08fdd6d7a71356219fcc0a4b57bf43d99577e6
    • Instruction ID: c1495cff344a6eede03ae304fefecf18e5641f9e2f675a92f8b58dd8e79734fb
    • Opcode Fuzzy Hash: 05b29d64c80a9d6e3382180c4e08fdd6d7a71356219fcc0a4b57bf43d99577e6
    • Instruction Fuzzy Hash: 2BF08232300550278A201A3ADC09E7EBE7AFFD1B74B54433AF596931F0FA608C4281A1
    APIs
    • CoInitialize.OLE32(00000000), ref: 0054A69A
    • CoCreateInstance.OLE32(00683D00,00000000,00000001,0065D114,006A8B64,-0000043C,?,?,00570EBF,00000000,?,005D8F3F), ref: 0054A6B8
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CreateInitializeInstance
    • String ID:
    • API String ID: 3519745914-0
    • Opcode ID: ff2ce76cd0985b2b6b42ec9be182e3bec1754484c37683360094075000abcf18
    • Instruction ID: 6a4f1e83de8f96e22fc6ffa77666407ba936fd3fb05f7378666cf21a4e22bff1
    • Opcode Fuzzy Hash: ff2ce76cd0985b2b6b42ec9be182e3bec1754484c37683360094075000abcf18
    • Instruction Fuzzy Hash: 5BF05E726C4212AFE7709E909CCCAD67BB6FB9470EF7A043DE1059A150C7725886CB62
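The dump identifiers repeated in every "Memory Dump Source" block encode which region of process memory a function was recovered from. The following Python is an added example, not Joe Sandbox code: it parses those names and separates the executable region (the one the report marks "based on PE: true") from the read-only and read/write data regions. The field layout it assumes is inferred from the values on this page, not from Joe Sandbox documentation; the protection field is decoded against the winnt.h PAGE_* constants, and the sample input is the block for the CoInitialize/CoCreateInstance function above, copied verbatim including the "Download File" link text fused onto each line.

```python
"""Parse Joe Sandbox memory-dump identifiers (.sdmp names) from a
"Memory Dump Source" block and tell code regions from data regions.

Added example, not Joe Sandbox code. ASSUMPTION (inferred from this page's
values, not from Joe Sandbox documentation): the dot-separated fields are
<process>.<dump type>.<dump counter>.<region base, hex>.<page protection, hex>
followed by three opaque fields. The protection field matches winnt.h PAGE_*
constants here: 0x20 (PAGE_EXECUTE_READ) for the region the report marks
"based on PE: true", 0x02 / 0x04 for read-only and read/write regions.
"""
import re
from dataclasses import dataclass

# winnt.h memory protection constants (low byte; guard/nocache bits ignored)
PAGE_PROTECT = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
EXECUTE_MASK = 0xF0  # every PAGE_EXECUTE* value has a bit in the high nibble

# Matches the identifier even when page chrome such as "Download File" or
# ", Offset: ..." follows it on the same line.
SDMP_RE = re.compile(r"\b((?:[0-9A-Fa-f]+\.){7}[0-9A-Fa-f]+)\.sdmp")


@dataclass(frozen=True)
class Dump:
    process: int
    dump_type: int
    counter: str      # kept opaque: ten decimal digits on this page
    base: int
    protect: int
    name: str

    @property
    def protection(self) -> str:
        return PAGE_PROTECT.get(self.protect & 0xFF, f"0x{self.protect:02x}")

    @property
    def executable(self) -> bool:
        return bool(self.protect & EXECUTE_MASK)


def parse_sdmp(text: str) -> Dump:
    """Parse the first identifier in a line; raises ValueError if none."""
    m = SDMP_RE.search(text)
    if not m:
        raise ValueError(f"no .sdmp identifier in {text!r}")
    f = m.group(1).split(".")
    return Dump(process=int(f[0], 16), dump_type=int(f[1], 16), counter=f[2],
                base=int(f[3], 16), protect=int(f[4], 16),
                name=m.group(1) + ".sdmp")


def parse_dump_block(block: str) -> list[Dump]:
    """Parse every identifier in a 'Memory Dump Source' block, in order."""
    return [parse_sdmp(line) for line in block.splitlines() if ".sdmp" in line]


def image_base(dumps: list[Dump]) -> int:
    """Lowest region base; for an image-backed dump set this is the PE base."""
    return min(d.base for d in dumps)


def executable_regions(dumps: list[Dump]) -> list[Dump]:
    """Regions a disassembler should be pointed at."""
    return [d for d in dumps if d.executable]


# Sample input: the block for the CoInitialize/CoCreateInstance function on
# this page, copied verbatim including the fused "Download File" link text.
SAMPLE_BLOCK = """\
Memory Dump Source
• Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
• Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmpDownload File
• Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmpDownload File
"""

if __name__ == "__main__":
    dumps = parse_dump_block(SAMPLE_BLOCK)
    print(f"image base 0x{image_base(dumps):08x}, {len(dumps)} regions")
    for d in dumps:
        tag = "CODE" if d.executable else "data"
        print(f"  {tag} 0x{d.base:08x} {d.protection:24} {d.name}")
```

Run against the eight identifiers above it reports a single executable region at 0x531000, one page above the 0x530000 image base, and seven non-executable ones; that split tells you which dump to load into a disassembler and which ones hold read/write state (0x6A0000 and 0x6A8000 here) worth inspecting for runtime-decrypted strings or configuration.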
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Iconic
    • String ID:
    • API String ID: 110040809-0
    • Opcode ID: 3dd1942b9c1290899a342a4fb15a3bf6061fa8bfc36e91f9ef52f448a1ab366b
    • Instruction ID: 766e9abafef96b1b895933a9eca6914c1077035a21c98900af091b3e5ccb28b7
    • Opcode Fuzzy Hash: 3dd1942b9c1290899a342a4fb15a3bf6061fa8bfc36e91f9ef52f448a1ab366b
    • Instruction Fuzzy Hash: A6E0D83235C5026A96146A39BC4DD7A2FD5FBC5721B15052AF10AC20E0EE109802A160
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005A270F
    • GetModuleFileNameW.KERNEL32(00000000,#dU,00000104,?,?,00000A90,005A2CC3,?,00000000,00000084,005A316A,0000000A,0000000A,0000000A,00000000,00000014), ref: 005A27BE
    • __wsplitpath_s.LIBCMT ref: 005A27EA
    • __wsplitpath_s.LIBCMT ref: 005A2809
    • __wmakepath_s.LIBCMT ref: 005A2836
    • _wcslen.LIBCMT ref: 005A2842
    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?,?,00000A90,005A2CC3,?,00000000,00000084,005A316A,0000000A), ref: 005A287A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: File__wsplitpath_s$CreateH_prolog3_ModuleName__wmakepath_s_wcslen
    • String ID: $#dU
    • API String ID: 1221639053-136844049
    • Opcode ID: 97951476397b681d2c815a04571ac966cdc6dfe8adef2bf49966268304a8ae9f
    • Instruction ID: 7ba6b9e84a41ff38efa3bab8df967b1a7f23a76fa1b4330a47286d6168be19e2
    • Opcode Fuzzy Hash: 97951476397b681d2c815a04571ac966cdc6dfe8adef2bf49966268304a8ae9f
    • Instruction Fuzzy Hash: 7DD13A71A00329AFDF20AF64CC86AADBB79BF0A310F0041E9F509A2551DB755F84DF62
    APIs
    • GetWindowRect.USER32(?,?), ref: 00581A0B
    • PtInRect.USER32(?,?,?), ref: 00581A21
    • GetClientRect.USER32(?,?), ref: 00581A3E
    • PtInRect.USER32(?,?,?), ref: 00581A59
    • GetSystemMetrics.USER32(0000000D), ref: 00581A85
    • GetSystemMetrics.USER32(0000000E), ref: 00581A90
    • PtInRect.USER32(?,?,?), ref: 00581AD4
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$MetricsSystem$ClientWindow
    • String ID:
    • API String ID: 2286436557-0
    • Opcode ID: 34dad3d56a2eceda562e2ee727c40e83988673f6b5ba30e34fc60c1f8c0c173a
    • Instruction ID: 62319c32cb231af0cff8c815946bda62a211df6ba43659c855ff26551650d997
    • Opcode Fuzzy Hash: 34dad3d56a2eceda562e2ee727c40e83988673f6b5ba30e34fc60c1f8c0c173a
    • Instruction Fuzzy Hash: DBF1B671A0060EAFDF04EFA4CD84EEEBBBDBF48344F104529E915E7250DA31EA159B64
    APIs
      • Part of subcall function 00545A40: GetWindowLongW.USER32(?,000000EC), ref: 00545A4B
    • GetClientRect.USER32(?,?), ref: 005642AA
    • CopyRect.USER32(?,?), ref: 005642DC
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6E9
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6F6
    • IntersectRect.USER32(?,?,?), ref: 0056432B
    • SetRectEmpty.USER32(?), ref: 00564339
    • IntersectRect.USER32(?,?,?), ref: 0056436B
    • SetRectEmpty.USER32(?), ref: 00564379
    • IsRectEmpty.USER32(?), ref: 00564389
    • IsRectEmpty.USER32(?), ref: 00564393
    • GetWindowRect.USER32(?,?), ref: 005643BE
    • GetWindowRect.USER32(?,?), ref: 005643E1
    • UnionRect.USER32(?,?,?), ref: 005643FE
    • EqualRect.USER32(?,?), ref: 0056440C
    • GetWindowRect.USER32(?,?), ref: 00564497
    • IsRectEmpty.USER32(?), ref: 00564501
    • MapWindowPoints.USER32(?,?,?,00000002), ref: 0056451E
    • RedrawWindow.USER32(?,?,00000000,00000185), ref: 00564532
    • IsRectEmpty.USER32(?), ref: 0056454C
    • EqualRect.USER32(?,?), ref: 0056455A
    • MapWindowPoints.USER32(?,?,?,00000002), ref: 00564577
    • RedrawWindow.USER32(?,?,00000000,00000185), ref: 0056458B
    • UpdateWindow.USER32(?), ref: 005645A0
    • IsRectEmpty.USER32(?), ref: 005645E4
    • InvalidateRect.USER32(?,?,00000001), ref: 005645F9
    • IsRectEmpty.USER32(?), ref: 005645FF
    • EqualRect.USER32(?,?), ref: 00564611
    • InvalidateRect.USER32(?,?,00000001), ref: 00564624
    • UpdateWindow.USER32(?), ref: 00564629
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Window$Empty$ClientEqual$IntersectInvalidatePointsRedrawScreenUpdate$CopyLongUnion
    • String ID:
    • API String ID: 4119827998-0
    • Opcode ID: 9d00ca653b0d836dd2508fc3c36a33b8b24f1e1dc52f912043db6a481503e1da
    • Instruction ID: dd70400c36fd24bf663ac638722975142d59a3d2d24826774313125d6ecd81d6
    • Opcode Fuzzy Hash: 9d00ca653b0d836dd2508fc3c36a33b8b24f1e1dc52f912043db6a481503e1da
    • Instruction Fuzzy Hash: EBD1087290021D9FCF11DFA4C984AEEBBB9FF09301F1042AAE909E7255DB71AA45CF51
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005A317C
    • CopyImage.USER32(?,00000000,00000000,00000000,00002000), ref: 005A31BF
    • GetObjectW.GDI32(?,00000018,?), ref: 005A31F9
    • DeleteObject.GDI32(?), ref: 005A3276
    • CreateCompatibleDC.GDI32(00000000), ref: 005A32B0
    • GetObjectW.GDI32(?,00000018,?), ref: 005A32CC
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$CompatibleCopyCreateDeleteH_prolog3_Image
    • String ID:
    • API String ID: 641560573-0
    • Opcode ID: 15a6c0c6865aecd2c3b6e0727cf6abd9a0aee4e65098444d871b1b3473d32ba8
    • Instruction ID: e2f6c12acdb0f796213bb7aab3e8cc5a0858479c50f3e76e7bdc89f4c1cb9fd8
    • Opcode Fuzzy Hash: 15a6c0c6865aecd2c3b6e0727cf6abd9a0aee4e65098444d871b1b3473d32ba8
    • Instruction Fuzzy Hash: 6DC1F1718006299FCF61AF60CC89BEDBBB5BF4A305F1045E9E649A2260DB315F94DF50
    APIs
    • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 005A3BE7
    • GetObjectW.GDI32(?,00000018,?), ref: 005A3C18
    • DeleteObject.GDI32(?), ref: 005A3C25
    • CreateCompatibleDC.GDI32(00000000), ref: 005A3C69
    • GetObjectW.GDI32(?,00000018,?), ref: 005A3C81
    • SelectObject.GDI32(?,?), ref: 005A3CA7
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 005A3CC5
    • SelectObject.GDI32(?,?), ref: 005A3CD8
    • CreateCompatibleDC.GDI32(?), ref: 005A3CEE
    • SelectObject.GDI32(?,?), ref: 005A3D03
    • SelectObject.GDI32(?,?), ref: 005A3D12
    • DeleteObject.GDI32(?), ref: 005A3D17
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 005A3D37
    • GetPixel.GDI32(?,?,?), ref: 005A3D56
    • SetPixel.GDI32(?,?,?,00000000), ref: 005A3D8C
    • SelectObject.GDI32(?,?), ref: 005A3DAE
    • SelectObject.GDI32(?,?), ref: 005A3DB6
    • DeleteObject.GDI32(?), ref: 005A3DBB
    • DeleteObject.GDI32(?), ref: 005A3E3D
    • __EH_prolog3.LIBCMT ref: 005A3B05
      • Part of subcall function 005477C2: DeleteObject.GDI32(00000000), ref: 005477DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Select$Delete$CompatibleCreate$Pixel$BitmapH_prolog3ImageLoad
    • String ID:
    • API String ID: 2657855633-3916222277
    • Opcode ID: 074ffea6c73b812c48ed6f85a16901755058d77d6bb261b719cdbcabcdc8d6da
    • Instruction ID: fd903eb6796e4c924a84621874b17160831dbae0ff28f82f296d01ac5ea059ef
    • Opcode Fuzzy Hash: 074ffea6c73b812c48ed6f85a16901755058d77d6bb261b719cdbcabcdc8d6da
    • Instruction Fuzzy Hash: B4B1037190020AEFCF11EFA0CD899EDBFB6BF09348F108129F915A6161DB359E54DB61
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00589BBD
    • IsWindow.USER32(?), ref: 00589C5F
    • GetMenuItemCount.USER32(00000001), ref: 00589DBD
    • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00589DD3
    • AppendMenuW.USER32(00000001,00000000,00000000,00000000), ref: 00589DEE
    • SendMessageW.USER32(?,0000040C,00000000,00000000), ref: 00589E64
    • SendMessageW.USER32(?,0000041C,00000000,?), ref: 00589EA1
    • GetMenuItemCount.USER32(00000001), ref: 00589EF7
    • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00589F0D
    • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00589F2E
    • GetMenuItemCount.USER32(00000001), ref: 00589F95
    • AppendMenuW.USER32(00000001,00000800,00000000,00000000), ref: 00589FAB
    • AppendMenuW.USER32(00000001,00000000,00000000,?), ref: 00589FCC
    • AppendMenuW.USER32(00000002,00000000,00000000,?), ref: 0058A0B4
    • GetWindow.USER32(?,00000005), ref: 0058A0E5
    • AppendMenuW.USER32(00000003,00000000,00000000,?), ref: 0058A16B
    • GetMenuItemCount.USER32(00000000), ref: 0058A1B0
    • AppendMenuW.USER32(00000000,00000800,00000000,00000000), ref: 0058A1C6
    • AppendMenuW.USER32(00000000,00000000,00000000,?), ref: 0058A1DB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$Append$CountItem$MessageSendWindow$H_prolog3_
    • String ID: pxf
    • API String ID: 2495817426-3901195985
    • Opcode ID: a8ddcd275645501320b41c26a48c596840d3f96ee55badceb3ad1a3962d49146
    • Instruction ID: 3c18249c302b5a46d9d8a3d1858a20bb12ae166751f1e0a01f1089197aa7bacc
    • Opcode Fuzzy Hash: a8ddcd275645501320b41c26a48c596840d3f96ee55badceb3ad1a3962d49146
    • Instruction Fuzzy Hash: EF022C30A002169FEF24AFA4CC99BADBBB5BF45305F1440A9F909A7292DF709944CF51
    APIs
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • GetParent.USER32(?), ref: 005418ED
    • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0054190E
    • GetWindowRect.USER32(?,?), ref: 0054192D
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0054195F
    • MonitorFromWindow.USER32(00000000,00000001), ref: 00541993
    • GetMonitorInfoW.USER32(00000000), ref: 0054199A
    • CopyRect.USER32(?,?), ref: 005419AE
    • CopyRect.USER32(?,?), ref: 005419B8
    • GetWindowRect.USER32(00000000,?), ref: 005419C1
    • MonitorFromWindow.USER32(00000000,00000002), ref: 005419CE
    • GetMonitorInfoW.USER32(00000000), ref: 005419D5
    • CopyRect.USER32(?,?), ref: 005419E3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Rect$Monitor$Copy$FromInfoLong$MessageParentSend
    • String ID: ($,T$,T
    • API String ID: 783970248-494927581
    • Opcode ID: 0d4b52a6837e24985e19b43809cfea9b35b01d6ca99d8b55afc2b4a3842e4140
    • Instruction ID: 8bd770d291240d974b0224d90d6449eabf7313532b652cdde5719b96113526c9
    • Opcode Fuzzy Hash: 0d4b52a6837e24985e19b43809cfea9b35b01d6ca99d8b55afc2b4a3842e4140
    • Instruction Fuzzy Hash: 90611572900629ABCB00DFE8DD88AEEBBB9FF48715F141216F505F3250DB70A941CBA4
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: String$Variant$ClearFree_memset$ChangeException@8H_prolog3ThrowTypelstrlen
    • String ID: `<u
    • API String ID: 4128688680-3367579956
    • Opcode ID: 5626ecd8ff8016214b8df325c183a564b9bfef374b0155babfe83fa4fc5d520b
    • Instruction ID: 8f2feaf8b8651e1778d7578dc74ba62ae1b3b57f62c0b957dbc4f03133250877
    • Opcode Fuzzy Hash: 5626ecd8ff8016214b8df325c183a564b9bfef374b0155babfe83fa4fc5d520b
    • Instruction Fuzzy Hash: B3F1987190020ADFDF21EFA8C888AAEBFB9FF85300F244559E901BB261D7749951CF61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: String_memset$ClearFreeH_prolog3Variantlstrlen
    • String ID: `<u
    • API String ID: 516204547-3367579956
    • Opcode ID: a4572f650f93daf987a306d50c1c289253b7b530c89cc14f0228d26c3346f9d4
    • Instruction ID: 6981b1a9e15899f557a9d64e4e8cbddc16b99ed0ef9865f3c19f1d5e7b55c222
    • Opcode Fuzzy Hash: a4572f650f93daf987a306d50c1c289253b7b530c89cc14f0228d26c3346f9d4
    • Instruction Fuzzy Hash: 86E1687190020ADFDF21EFA8C888AAEBFB9FF45300F244559E901BB261D7749A51CF61
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00604E15
    • GetCursorPos.USER32(?), ref: 00604EC7
    • IsRectEmpty.USER32(00000000), ref: 00604EFB
    • IsRectEmpty.USER32(?), ref: 00604F21
    • IsRectEmpty.USER32(00000000), ref: 00604F3D
    • GetWindowRect.USER32(?,00000000), ref: 00604F63
    • SetRectEmpty.USER32(?), ref: 0060501A
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • GetWindowRect.USER32(?,00000000), ref: 00604F97
    • PtInRect.USER32(00000000,?,00000000), ref: 00604FD7
    • OffsetRect.USER32(00000000,?,00000000), ref: 00604FEF
      • Part of subcall function 005E3AB8: __EH_prolog3.LIBCMT ref: 005E3ABF
      • Part of subcall function 005E3AB8: SetRectEmpty.USER32(?), ref: 005E3BC6
      • Part of subcall function 005E3AB8: SetRectEmpty.USER32(?), ref: 005E3BCF
    • OffsetRect.USER32(00000000,?,?), ref: 00605179
    • IsRectEmpty.USER32(?), ref: 0060519E
    • IsRectEmpty.USER32(?), ref: 006051C3
    • PtInRect.USER32(00000000,?,?), ref: 006051D3
    • OffsetRect.USER32(00000000,?,?), ref: 006051FC
    • IsRectEmpty.USER32(?), ref: 00605213
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Empty$Offset$Window$CursorH_prolog3H_prolog3__malloc
    • String ID: X'f$pxf
    • API String ID: 1330315114-3105597543
    • Opcode ID: 365966ea392398c1e2bcabc90b637f5e339c1ca3abc04aaf462d5d884190389d
    • Instruction ID: 4ba7b7b673a62a9c93862466cf2d35db3b91d603d1f74391ee632644caa93dc1
    • Opcode Fuzzy Hash: 365966ea392398c1e2bcabc90b637f5e339c1ca3abc04aaf462d5d884190389d
    • Instruction Fuzzy Hash: B6E16B71900615DFCF29DFA4C888AAFBBBAFF49300F144159E906AB299DB71D941CF90
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005A11B6
    • GetObjectW.GDI32(?,00000018,?), ref: 005A11F8
    • CreateCompatibleDC.GDI32(00000000), ref: 005A1234
    • SelectObject.GDI32(?,?), ref: 005A1257
    • _memset.LIBCMT ref: 005A1287
    • GetObjectW.GDI32(?,00000054,?), ref: 005A12A8
    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 005A130A
    • CreateCompatibleDC.GDI32(?), ref: 005A134F
    • SelectObject.GDI32(?,?), ref: 005A136D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Create$CompatibleSelect$H_prolog3_Section_memset
    • String ID: (
    • API String ID: 1904682052-3887548279
    • Opcode ID: c79e864e58910ef1b9adf2e5e1ce7c3a97c47208d5ed93eb9f15863f88d17cf9
    • Instruction ID: 8c9d4dc49e399ed5a5a79945575cfc1693b101345f29c2753fce9d593669bc97
    • Opcode Fuzzy Hash: c79e864e58910ef1b9adf2e5e1ce7c3a97c47208d5ed93eb9f15863f88d17cf9
    • Instruction Fuzzy Hash: C0B10774900718DFDB61DF64CC85F9ABBB5FF49300F1085AAE94EA6252DB305A84DF21
    APIs
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0058D41A
    • SendMessageW.USER32(?,0000100C,00000000,00000002), ref: 0058D44D
    • ClientToScreen.USER32(?,?), ref: 0058D487
    • ScreenToClient.USER32(?,?), ref: 0058D49F
    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0058D4B9
    • _memset.LIBCMT ref: 0058D4F5
    • SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 0058D527
    • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0058D559
    • SendMessageW.USER32(?,0000104B,00000000,00000004), ref: 0058D576
    • CreatePopupMenu.USER32 ref: 0058D605
    • TrackPopupMenu.USER32(?,00000102,?,?,00000000,?,00000000), ref: 0058D64A
    • GetMenuDefaultItem.USER32(?,00000000,00000000), ref: 0058D666
    • GetParent.USER32(?), ref: 0058D6B6
    • GetParent.USER32(?), ref: 0058D6F3
    • GetParent.USER32(?), ref: 0058D706
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 0058D71F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$MenuParent$ClientPopupScreen$CreateDefaultException@8H_prolog3ItemThrowTrack_memset
    • String ID: $
    • API String ID: 3041658061-3993045852
    • Opcode ID: f2b65d2b1e935f942d97d3b4ea94a7e6c31fe24a7ad36beadd98e8ef293d316f
    • Instruction ID: e34b9409801deb5f361c96719b0526bf2abd1b8e049513ccc38cd49611f7d6c9
    • Opcode Fuzzy Hash: f2b65d2b1e935f942d97d3b4ea94a7e6c31fe24a7ad36beadd98e8ef293d316f
    • Instruction Fuzzy Hash: 57C1B675A00209EFDB10EFA4D984AAEBBF9FF48304F108569F955E72A0D771A941CF60
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0059EDBA
    • CreateCompatibleDC.GDI32(00000000), ref: 0059EDEF
    • GetObjectW.GDI32(?,00000018,?), ref: 0059EE10
    • SelectObject.GDI32(?,?), ref: 0059EE62
    • CreateCompatibleDC.GDI32(?), ref: 0059EE8F
    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 0059EEF7
    • SelectObject.GDI32(?,?), ref: 0059EF13
    • SelectObject.GDI32(?,00000000), ref: 0059EF30
    • SelectObject.GDI32(?,?), ref: 0059EF48
    • DeleteObject.GDI32(?), ref: 0059EF50
    • BitBlt.GDI32(?,00000000,00000000,?,000000FF,?,00000000,00000000,00CC0020), ref: 0059EF79
    • GetObjectW.GDI32(?,00000054,?), ref: 0059EFAF
    • SelectObject.GDI32(?,?), ref: 0059F1A4
    • SelectObject.GDI32(?,?), ref: 0059F1B2
    • DeleteObject.GDI32(?), ref: 0059F1BA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Select$Create$CompatibleDelete$H_prolog3_Section
    • String ID: $(
    • API String ID: 339215182-55695022
    • Opcode ID: fac2dd52473723d2ad9b9d4ac9a009496c0d251f2bb793914e969efd4b447097
    • Instruction ID: 8e08f7e5668e29fc24ab384ea2ff9783973b5841fc43d549da288013a907ac31
    • Opcode Fuzzy Hash: fac2dd52473723d2ad9b9d4ac9a009496c0d251f2bb793914e969efd4b447097
    • Instruction Fuzzy Hash: A8C13770900229DBDF64DF64CD45BADBFB5BF49300F0085EAE58DA6292DB305A88DF61
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0059EADA
    • CreateCompatibleDC.GDI32(00000000), ref: 0059EB41
    • GetObjectW.GDI32(?,00000018,000000FF), ref: 0059EB5F
    • SelectObject.GDI32(?,?), ref: 0059EB9D
    • CreateCompatibleDC.GDI32(?), ref: 0059EBBB
    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 0059EC11
    • SelectObject.GDI32(?,?), ref: 0059EC26
    • SelectObject.GDI32(?,00000000), ref: 0059EC3C
    • SelectObject.GDI32(?,?), ref: 0059EC4B
    • DeleteObject.GDI32(?), ref: 0059EC52
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0059ECA4
    • GetPixel.GDI32(?,?,00000000), ref: 0059ED6C
    • SetPixel.GDI32(?,?,00000000,?), ref: 0059ED81
    • SelectObject.GDI32(?,?), ref: 0059ED9E
    • SelectObject.GDI32(?,?), ref: 0059EDA6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Select$Create$CompatiblePixel$DeleteH_prolog3_Section
    • String ID: (
    • API String ID: 1942225872-3887548279
    • Opcode ID: b25021d572c3028e7153575e0694c09acd610f94fe0153d8467094e2de989a2f
    • Instruction ID: c4aa390fc92b4bf44550e81bf9a51e818e36c49f722000df8e6edbe7909b9def
    • Opcode Fuzzy Hash: b25021d572c3028e7153575e0694c09acd610f94fe0153d8467094e2de989a2f
    • Instruction Fuzzy Hash: 04A11171C00219DFDF21EFA4C986AADBFB6BF09301F20462AE556A7261DB306E45DF10
    APIs
      • Part of subcall function 00537416: ActivateActCtx.KERNEL32(?,?,0068E768,00000010,00537604,KERNEL32.DLL), ref: 00537436
    • GetProcAddress.KERNEL32(00000000,DrawThemeParentBackground), ref: 0054A817
    • GetProcAddress.KERNEL32(745C0000,DrawThemeTextEx), ref: 0054A82A
    • GetProcAddress.KERNEL32(745C0000,BeginBufferedPaint), ref: 0054A83D
    • GetProcAddress.KERNEL32(745C0000,EndBufferedPaint), ref: 0054A850
    • GetProcAddress.KERNEL32(00000000,DwmExtendFrameIntoClientArea), ref: 0054A89A
    • GetProcAddress.KERNEL32(73B00000,DwmDefWindowProc), ref: 0054A8AD
    • GetProcAddress.KERNEL32(73B00000,DwmIsCompositionEnabled), ref: 0054A8C0
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressProc$Activate
    • String ID: BeginBufferedPaint$DrawThemeParentBackground$DrawThemeTextEx$DwmDefWindowProc$DwmExtendFrameIntoClientArea$DwmIsCompositionEnabled$EndBufferedPaint$UxTheme.dll$dwmapi.dll
    • API String ID: 2388279185-3875329446
    • Opcode ID: e49d3f97f9f3029631383833c5e43bec46d7ba710fc9a652ca7e14f3447add18
    • Instruction ID: a0efd485fe5a0baac28518f670d38bea09faafe00aa79a8cc5226338064842ae
    • Opcode Fuzzy Hash: e49d3f97f9f3029631383833c5e43bec46d7ba710fc9a652ca7e14f3447add18
    • Instruction Fuzzy Hash: 2D2144B0980B46ABC7316F718C88ADBFFE5FF49305F124C3EE9AA93251C67464418E41
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$ClientCreateDesktopFolderH_prolog3_MenuParentPopupScreen_memset
    • String ID: $
    • API String ID: 937397865-3993045852
    • Opcode ID: 6244fb6b82e3a821fbd4d982fb82fd9b780d7127a28f05c45f0dd5c2948c5b66
    • Instruction ID: e193f4801a0f561c8a00fbbd498dbd3272e214facce776425568de1d091708df
    • Opcode Fuzzy Hash: 6244fb6b82e3a821fbd4d982fb82fd9b780d7127a28f05c45f0dd5c2948c5b66
    • Instruction Fuzzy Hash: 68911471A00219AFCF11DFA4C8889ADBFBABF48B10F145A19F505E72A0C7719D41CFA0
    APIs
    • KillTimer.USER32(?,00000001), ref: 00567AD8
    • KillTimer.USER32(?,00000002), ref: 00567ADF
    • IsWindow.USER32(?), ref: 00567B2F
    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00567B4C
    • GetCursorPos.USER32(?), ref: 00567B89
    • ScreenToClient.USER32(?,?), ref: 00567B96
    • KillTimer.USER32(?,00000001), ref: 00567BAB
    • PtInRect.USER32(?,?,?), ref: 00567BDA
    • KillTimer.USER32(?,00000002), ref: 00567C4F
    • GetParent.USER32(?), ref: 00567C64
    • PtInRect.USER32(?,?,?), ref: 00567C8F
    • KillTimer.USER32(?,00000014), ref: 00567CDD
    • GetClientRect.USER32(?,?), ref: 00567CF6
    • PtInRect.USER32(?,?,?), ref: 00567D06
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: KillTimer$Rect$Client$CursorMessageParentPostScreenWindow
    • String ID: pe
    • API String ID: 2803392424-324909747
    • Opcode ID: 6e4d3e6c9d98941b5a51652718f1ac8c8378b70b5aac18ab0105d1f93b84891a
    • Instruction ID: e56ec7991a7d76ed9cbb2a4c90b228c2c9d30cf176b1b564dcc13983a4144d33
    • Opcode Fuzzy Hash: 6e4d3e6c9d98941b5a51652718f1ac8c8378b70b5aac18ab0105d1f93b84891a
    • Instruction Fuzzy Hash: 7F71A1716007099FCB219FA4C888EBEBBB6FF89319F104929F55697260EB70AC41DB51
    APIs
      • Part of subcall function 00537416: ActivateActCtx.KERNEL32(?,?,0068E768,00000010,00537604,KERNEL32.DLL), ref: 00537436
    • GetProcAddress.KERNEL32(00000000,OpenThemeData), ref: 0057B2AA
    • GetProcAddress.KERNEL32(?,CloseThemeData), ref: 0057B2B7
    • GetProcAddress.KERNEL32(?,DrawThemeBackground), ref: 0057B2C4
    • GetProcAddress.KERNEL32(?,GetThemeColor), ref: 0057B2D1
    • GetProcAddress.KERNEL32(?,GetThemeSysColor), ref: 0057B2DE
    • GetProcAddress.KERNEL32(?,GetCurrentThemeName), ref: 0057B2EB
    • GetProcAddress.KERNEL32(?,GetWindowTheme), ref: 0057B2F8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressProc$Activate
    • String ID: CloseThemeData$DrawThemeBackground$GetCurrentThemeName$GetThemeColor$GetThemeSysColor$GetWindowTheme$OpenThemeData$UxTheme.dll
    • API String ID: 2388279185-1975976892
    • Opcode ID: dcdfbdd369212be7943367a10c064db2a56b56cbcadbc94c983813805ac15948
    • Instruction ID: 5e5a9b8c48a19402f49619991322ed16a58285b245bf80c67490aafe3c1b6734
    • Opcode Fuzzy Hash: dcdfbdd369212be7943367a10c064db2a56b56cbcadbc94c983813805ac15948
    • Instruction Fuzzy Hash: 6B3144B0951B949FC730AF6B9958807FEFABFA4B007128D1FE58683A60D7B5A044DF44
    APIs
    • InflateRect.USER32(?,00000004,00000004), ref: 005834A0
    • InvalidateRect.USER32(?,?,00000001), ref: 005834B2
    • UpdateWindow.USER32(?), ref: 005834BB
    • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 005834FA
    • DispatchMessageW.USER32(?), ref: 00583508
    • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00583516
    • GetCapture.USER32 ref: 00583522
    • SetCapture.USER32(?), ref: 0058352E
    • GetCapture.USER32 ref: 0058353A
    • GetWindowRect.USER32(?,?), ref: 00583564
    • SetCursorPos.USER32(?,?), ref: 00583587
    • GetCapture.USER32 ref: 0058358D
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005835A5
    • DispatchMessageW.USER32(?), ref: 005835CB
    • ReleaseCapture.USER32 ref: 00583609
    • IsWindow.USER32(?), ref: 00583612
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0058362B
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$Capture$RectWindow$Dispatch$CursorInflateInvalidatePeekReleaseSendUpdate
    • String ID:
    • API String ID: 4077352625-0
    • Opcode ID: 522512d8cceae5fe1c6c4a76020faa6386a45b431cc2db1a419fb28bdd036b85
    • Instruction ID: bfb741f73fdaaca76ae403084a30011309cbe16c60d65598fd354be6d8afe46e
    • Opcode Fuzzy Hash: 522512d8cceae5fe1c6c4a76020faa6386a45b431cc2db1a419fb28bdd036b85
    • Instruction Fuzzy Hash: 50914E71A00219AFCB14EFE9DC89DAE7FB9FF48714F140529F905A7261EB30AE448B51
    APIs
      • Part of subcall function 00537416: ActivateActCtx.KERNEL32(?,?,0068E768,00000010,00537604,KERNEL32.DLL), ref: 00537436
    • GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00537613
    • _memset.LIBCMT ref: 0053763F
    • _wcstoul.LIBCMT ref: 00537687
      • Part of subcall function 0063677B: wcstoxl.LIBCMT ref: 0063678B
    • _wcslen.LIBCMT ref: 005376A8
      • Part of subcall function 0063521D: __getptd_noexit.LIBCMT ref: 0063521D
    • GetUserDefaultUILanguage.KERNEL32 ref: 005376B8
    • ConvertDefaultLocale.KERNEL32(?), ref: 005376DF
    • ConvertDefaultLocale.KERNEL32(?), ref: 005376EE
    • GetSystemDefaultUILanguage.KERNEL32 ref: 005376F7
    • ConvertDefaultLocale.KERNEL32(?), ref: 00537713
    • ConvertDefaultLocale.KERNEL32(?), ref: 00537722
    • GetModuleFileNameW.KERNEL32(00530000,?,00000105), ref: 0053775A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Default$ConvertLocale$Language$ActivateAddressFileModuleNameProcSystemUser__getptd_noexit_memset_wcslen_wcstoulwcstoxl
    • String ID: GetThreadPreferredUILanguages$KERNEL32.DLL$e
    • API String ID: 2246399177-2285706205
    • Opcode ID: 96be0bca01a4630eb54b8c827963a64c10dcf95c1982e000a9a8dcb623183488
    • Instruction ID: 81ce9857126d2ed1d66fbefd9c92d195e559557b66fd60e7ba90813d2f50795e
    • Opcode Fuzzy Hash: 96be0bca01a4630eb54b8c827963a64c10dcf95c1982e000a9a8dcb623183488
    • Instruction Fuzzy Hash: 874194B1A0021DABCB759FA4DC45BAE7BB9BF48700F4104A9E90DE7140D774AF418F91
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00556F5D
    • CreateRectRgnIndirect.GDI32(?), ref: 00556F9A
    • CopyRect.USER32(?,?), ref: 00556FB0
    • InflateRect.USER32(?,?,?), ref: 00556FC6
    • IntersectRect.USER32(?,?,?), ref: 00556FD4
    • CreateRectRgnIndirect.GDI32(?), ref: 00556FDE
    • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00556FF3
      • Part of subcall function 00556C69: CombineRgn.GDI32(?,?,?,?), ref: 00556C8E
    • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0055705B
    • SetRectRgn.GDI32(?,0000000A,?,?,?), ref: 00557078
    • CopyRect.USER32(?,0000000A), ref: 00557083
    • InflateRect.USER32(?,?,?), ref: 00557099
    • IntersectRect.USER32(?,?,0000000A), ref: 005570A5
    • SetRectRgn.GDI32(?,?,?,?,0000000A), ref: 005570BA
    • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 005570E6
      • Part of subcall function 00556DB8: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00556E01
      • Part of subcall function 00556DB8: CreatePatternBrush.GDI32(00000000), ref: 00556E0E
      • Part of subcall function 00556DB8: DeleteObject.GDI32(00000000), ref: 00556E1A
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,00000000), ref: 0053BDA8
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,?), ref: 0053BDBE
    • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 00557157
    • PatBlt.GDI32(?,?,?,?,?,005A0049), ref: 005571AC
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Create$Object$CopyIndirectInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3_Pattern
    • String ID:
    • API String ID: 3107162742-0
    • Opcode ID: e4c74a5c583fa240dfd3275ee0c6ff063b9e91f953eda2d1a9716d37830b961b
    • Instruction ID: cdccbd7da8d0bfea267193fd801371808f821f7a139b1c34a020d8e75f2fd048
    • Opcode Fuzzy Hash: e4c74a5c583fa240dfd3275ee0c6ff063b9e91f953eda2d1a9716d37830b961b
    • Instruction Fuzzy Hash: A0A10372900219AFCF05EFE4DD99DEEBBBABF48301F14411AF606A7251DB349A05CB61
    APIs
    • PeekMessageW.USER32(?,00000000,00000201,00000201,00000001), ref: 005473A1
    • SendMessageW.USER32(00000000,00000084,00000000,?), ref: 005473BE
    • ReleaseCapture.USER32 ref: 005473F9
    • GetMessageW.USER32(?,00000000,000000A1,000000A1), ref: 00547408
    • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 0054741C
    • DispatchMessageW.USER32(?), ref: 00547423
    • DispatchMessageW.USER32(?), ref: 005474CE
    • GetCursorPos.USER32(?), ref: 005474D8
    • PeekMessageW.USER32(?,00000000,?,?,00000001), ref: 005474F9
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$Peek$Dispatch$CaptureCursorReleaseSend
    • String ID:
    • API String ID: 597789953-0
    • Opcode ID: 9fd0dda17ca758dce693636fceb1fff16c42d4d3f385759ed16dfaade8b75ba5
    • Instruction ID: f97e349138dfb8de32793434bc6f3e1b815c35fbbe0d78cb1ed3489d2a030545
    • Opcode Fuzzy Hash: 9fd0dda17ca758dce693636fceb1fff16c42d4d3f385759ed16dfaade8b75ba5
    • Instruction Fuzzy Hash: 14519B74608309BBEB209BA4CC88EFF7FBDFB49709F104819F952D2151C7749A809B22
    APIs
    • __EH_prolog3.LIBCMT ref: 0059E8F0
    • CreateCompatibleDC.GDI32(00000000), ref: 0059E926
    • GetObjectW.GDI32(?,00000018,?), ref: 0059E93D
    • SelectObject.GDI32(?,?), ref: 0059E969
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 0059E98B
    • SelectObject.GDI32(?,00000000), ref: 0059E99E
    • CreateCompatibleDC.GDI32(?), ref: 0059E9B1
    • SelectObject.GDI32(?,?), ref: 0059E9C2
    • SelectObject.GDI32(?,00000000), ref: 0059E9D3
    • DeleteObject.GDI32(?), ref: 0059E9D8
    • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 0059EA04
    • GetPixel.GDI32(?,?,?), ref: 0059EA23
    • SetPixel.GDI32(?,?,?,00000000), ref: 0059EA6A
    • SelectObject.GDI32(?,?), ref: 0059EA8E
    • SelectObject.GDI32(?,00000000), ref: 0059EA96
    • DeleteObject.GDI32(?), ref: 0059EA9E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Select$CompatibleCreate$DeletePixel$BitmapH_prolog3
    • String ID:
    • API String ID: 3639146769-0
    • Opcode ID: 46ce555c6a57a14e0301e7ca5890d4604b12251bae96dc68d4438425f6a6b6fe
    • Instruction ID: 9c90ddfcd8f3475ec64774e8d1f973614d012f3871bb8ee04a911171a8173ad0
    • Opcode Fuzzy Hash: 46ce555c6a57a14e0301e7ca5890d4604b12251bae96dc68d4438425f6a6b6fe
    • Instruction Fuzzy Hash: 6351083180020AEBCF62DFA4CD4AAEEBF72FF48311F244525F515B21A1DB315A56DB61
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Empty$IntersectObjectSelect$Stretch
    • String ID: hTb
    • API String ID: 401711590-3303988142
    • Opcode ID: d27cf6da9cfde424ecd25bb8d7103a96fa00d1edbafafd213f49ef01611d3779
    • Instruction ID: 047df441db136900a08979c6e9e343ea66c1619085fdd31dd213a65343bdfa3f
    • Opcode Fuzzy Hash: d27cf6da9cfde424ecd25bb8d7103a96fa00d1edbafafd213f49ef01611d3779
    • Instruction Fuzzy Hash: CBC1F17290020AAFCF05CFA8C985AEEBBBABF49314F155619F915E7204D734E945CFA0
    APIs
    • IsWindow.USER32(?), ref: 005677CA
    • GetCursorPos.USER32(?), ref: 005677E9
    • ScreenToClient.USER32(?,?), ref: 005677F6
    • GetParent.USER32(?), ref: 00567899
    • SetTimer.USER32(?,00000002,FFFFFFFE,00000000), ref: 005678F2
    • InvalidateRect.USER32(?,000000AB,00000001), ref: 00567901
    • UpdateWindow.USER32(?), ref: 0056790A
    • KillTimer.USER32(00000002,00000002,00000000), ref: 00567917
    • KillTimer.USER32(?,00000002), ref: 005679CD
    • GetParent.USER32(?), ref: 005679E8
    • GetParent.USER32(?), ref: 00567A3E
    • SendMessageW.USER32(?,0000011F,00000000,?), ref: 00567ABA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ParentTimer$KillWindow$ClientCursorInvalidateMessageRectScreenSendUpdate
    • String ID: pe
    • API String ID: 2010726786-324909747
    • Opcode ID: cc2390285f581d96aba87ac0729425b0f8e234960d843b42d5e011ac7503afd4
    • Instruction ID: 38420593119b814ba4278d73f8cb35e9b9174db76d7505001821583f685d58da
    • Opcode Fuzzy Hash: cc2390285f581d96aba87ac0729425b0f8e234960d843b42d5e011ac7503afd4
    • Instruction Fuzzy Hash: 3E91B031608709EFDB149FA0C898BAE7FB6FF88319F14456DE44A9B1A1DB709E40DB50
    APIs
    • GetClientRect.USER32(?,?), ref: 00563C94
    • InflateRect.USER32(?,00000000,00000000), ref: 00563CC3
    • SetRectEmpty.USER32(?), ref: 00563D61
    • SetRectEmpty.USER32(?), ref: 00563D6A
    • GetSystemMetrics.USER32(00000002), ref: 00563D8B
    • KillTimer.USER32(?,00000002), ref: 00563E25
    • EqualRect.USER32(?,?), ref: 00563E47
    • EqualRect.USER32(?,?), ref: 00563E58
    • EqualRect.USER32(?,?), ref: 00563EA9
    • InvalidateRect.USER32(?,?,00000001), ref: 00563EC2
    • InvalidateRect.USER32(?,?,00000001), ref: 00563ECA
    • EqualRect.USER32(?,?), ref: 00563EDE
    • InvalidateRect.USER32(?,?,00000001), ref: 00563EF1
    • InvalidateRect.USER32(?,?,00000001), ref: 00563EF9
    • UpdateWindow.USER32(?), ref: 00563F0C
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$EqualInvalidate$Empty$ClientInflateKillMetricsSystemTimerUpdateWindow
    • String ID:
    • API String ID: 2140115980-0
    • Opcode ID: 44d0c4cb524401d0944ebe88053c02b0d62003f73643c7f983cf8b9ba57f999a
    • Instruction ID: db2b2d24395a755d1de4c1d3051cf196c2f3ae01b43623767d119e02d3f9dc39
    • Opcode Fuzzy Hash: 44d0c4cb524401d0944ebe88053c02b0d62003f73643c7f983cf8b9ba57f999a
    • Instruction Fuzzy Hash: F291F67190021AAFCF11CFA4C984AEE7BB9FF08700F1445B9EC05AB255DB71AA41CFA1
    APIs
    • GetDlgCtrlID.USER32(?), ref: 0056C8EA
    • GetDlgItem.USER32(?,?), ref: 0056C974
    • ShowWindow.USER32(00000000,00000000), ref: 0056C97F
    • GetMenu.USER32(?), ref: 0056C991
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0056C9AC
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • GetDlgItem.USER32(?,0000E900), ref: 0056C9E9
    • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 0056CA06
    • GetDlgItem.USER32(0000EA21,0000EA21), ref: 0056CA1F
    • GetDlgItem.USER32(0000E900,0000E900), ref: 0056CA35
    • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 0056CA47
    • SetWindowLongW.USER32(?,000000F4,0000E900), ref: 0056CA53
    • InvalidateRect.USER32(00000001,00000000,00000001), ref: 0056CA66
    • SetMenu.USER32(00000000,00000000), ref: 0056CA7D
    • GetDlgItem.USER32(?,00000000), ref: 0056CAC4
    • ShowWindow.USER32(?,00000005), ref: 0056CAD2
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ItemWindow$Long$InvalidateMenuRectShow$CtrlException@8H_prolog3Throw
    • String ID:
    • API String ID: 3935238147-0
    • Opcode ID: 6d4cb12fe492702c8ca53819ecd43d1d0cbe350d6e7833376dffaaa45259acba
    • Instruction ID: 16a2c22f9cd2178279ecc1d425ef13a61bf701bf84820f2c20880b863ef23c2c
    • Opcode Fuzzy Hash: 6d4cb12fe492702c8ca53819ecd43d1d0cbe350d6e7833376dffaaa45259acba
    • Instruction Fuzzy Hash: 17814134600704EFDB21DF64C888A6ABFF5FF89711F148A69F59ADB260D731A840CB41
    APIs
    • __EH_prolog3.LIBCMT ref: 00556289
      • Part of subcall function 00536156: __EH_prolog3.LIBCMT ref: 0053615D
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
      • Part of subcall function 0059B6E1: __EH_prolog3.LIBCMT ref: 0059B6E8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3$_malloc
    • String ID: MFCButton$MFCColorButton$MFCEditBrowse$MFCFontComboBox$MFCLink$MFCMaskedEdit$MFCMenuButton$MFCPropertyGrid$MFCShellList$MFCShellTree$MFCVSListBox
    • API String ID: 1683881009-2110171958
    • Opcode ID: cb8d5f4392f82f1c0fd2c4e5ce5f7b30d588537b4b4622015d7f0a4b916940a4
    • Instruction ID: ffe43d4451c3896163655651266261cead71d875f5527d001c260ad94825cf3c
    • Opcode Fuzzy Hash: cb8d5f4392f82f1c0fd2c4e5ce5f7b30d588537b4b4622015d7f0a4b916940a4
    • Instruction Fuzzy Hash: 7F51E330644287E6CF64E764D9B666CAF913F54746F94842EFC0A972C2DFB08A4CC692
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0059F2B1
    • GetObjectW.GDI32(00000000,00000018,?), ref: 0059F2E3
    • GetObjectW.GDI32(?,00000054,?), ref: 0059F31B
    • CreateCompatibleDC.GDI32(00000000), ref: 0059F3B1
    • SelectObject.GDI32(?,?), ref: 0059F3D0
    • GetPixel.GDI32(?,?,00000000), ref: 0059F45D
    • GetPixel.GDI32(?,?,00000000), ref: 0059F46F
    • SetPixel.GDI32(?,?,00000000,00000000), ref: 0059F47E
    • SetPixel.GDI32(?,?,00000000,?), ref: 0059F490
    • SelectObject.GDI32(?,?), ref: 0059F4C7
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ObjectPixel$Select$CompatibleCreateH_prolog3_
    • String ID: $
    • API String ID: 1266819874-227171996
    • Opcode ID: 7f50879ed5c8c3a9b365430bfcfe1f1e6e664a94d72d66374b6fd327c1ec29ce
    • Instruction ID: 839f4b2aa81c3eeb69e54fbe644afdb2089b2c55be07268d0b75e9c254ee6a97
    • Opcode Fuzzy Hash: 7f50879ed5c8c3a9b365430bfcfe1f1e6e664a94d72d66374b6fd327c1ec29ce
    • Instruction Fuzzy Hash: 43710175D00219DBDF20DFA9CC84AADBBB6FF58314F2045AAE909EB252D7319981DF40
    APIs
    • socket.WS2_32(00000002,00000002,00000011), ref: 00533081
    • WSAIoctl.WS2_32(00000000,9800000C,?,00000004,00000000,00000000,?,00000000,00000000), ref: 005330AE
    • setsockopt.WS2_32(?,0000FFFF,000000FB,?,00000004), ref: 005330CA
    • setsockopt.WS2_32(?,0000FFFF,00000004,?,00000004), ref: 005330DC
    • WSACreateEvent.WS2_32 ref: 005330DE
    • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 005330F4
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 005330FC
    • lstrlenW.KERNEL32(?,00000000,?,00000000,00000000), ref: 00533119
    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000000), ref: 00533121
    • gethostbyname.WS2_32(?), ref: 00533131
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ByteCharMultiWidelstrlensetsockopt$CreateEventIoctlgethostbynamesocket
    • String ID:
    • API String ID: 2536029566-0
    • Opcode ID: 1490a1f9ebdc855fe4a1bcdff294a62fdae65ec38dcf3d01fc6898bafc21d2a2
    • Instruction ID: 42ad65fe91c2cd88814bdaab7deb71139e228fd5aa837e74575101c808b6b953
    • Opcode Fuzzy Hash: 1490a1f9ebdc855fe4a1bcdff294a62fdae65ec38dcf3d01fc6898bafc21d2a2
    • Instruction Fuzzy Hash: F14108B1900209AFEB10DFA4CC89EBEBBB9FF48315F100629F611A62A0D7759D41DB61
    APIs
    • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 00564B0E
    • DispatchMessageW.USER32(?), ref: 00564B20
    • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00564B30
    • GetCapture.USER32 ref: 00564B36
    • SetCapture.USER32(?), ref: 00564B43
    • GetWindowRect.USER32(?,?), ref: 00564B67
    • GetCapture.USER32 ref: 00564BC6
    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00564BE1
    • DispatchMessageW.USER32(?), ref: 00564C05
    • GetScrollPos.USER32(?,00000002), ref: 00564D1C
    • RedrawWindow.USER32(?,00000000,00000000,00000581), ref: 00564D36
      • Part of subcall function 00545B7D: ShowWindow.USER32(?,?,?,00541B96,00000001,?,00000000,?,?,00000064), ref: 00545B8E
    • ReleaseCapture.USER32 ref: 00564DC2
    • IsWindow.USER32(?), ref: 00564DCB
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$CaptureWindow$Dispatch$PeekRectRedrawReleaseScrollShow
    • String ID:
    • API String ID: 1149966214-0
    • Opcode ID: faf081fa9d08117abac5b27914aa78461252c58740e151aba33c170fdbc68c4c
    • Instruction ID: d229f941deabd9237c9d2905075f72b05adf32c03f8c83da0ab6835a8e8e67d6
    • Opcode Fuzzy Hash: faf081fa9d08117abac5b27914aa78461252c58740e151aba33c170fdbc68c4c
    • Instruction Fuzzy Hash: D5A12871A0060A9FDB24DFA8C998ABEBBFAFF48301F14452EE15697251CB70AC418F50
    APIs
    • GetKeyState.USER32(00000010), ref: 005690E2
    • GetAsyncKeyState.USER32(00000011), ref: 00569141
    • IsRectEmpty.USER32(?), ref: 00569208
    • IsRectEmpty.USER32(?), ref: 005692AF
    • SendMessageW.USER32(?,00000100,00000024,00000000), ref: 005693E6
    • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 005694B3
    • GetClientRect.USER32(?,?), ref: 0056951B
    • InvalidateRect.USER32(?,?,00000001), ref: 00569554
    • InvalidateRect.USER32(?,?,00000001), ref: 0056955F
    • UpdateWindow.USER32(?), ref: 00569564
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$EmptyInvalidateMessageSendState$AsyncClientUpdateWindow
    • String ID: !
    • API String ID: 348497913-2657877971
    • Opcode ID: 9c49bb7a402e95fd562e0caf8192dcd58e934adcd5e8ca34efd15d4e0e02c778
    • Instruction ID: 7314174667557eddfbf522c5569ad62d3619d39e67a070158af97c138ae08a3e
    • Opcode Fuzzy Hash: 9c49bb7a402e95fd562e0caf8192dcd58e934adcd5e8ca34efd15d4e0e02c778
    • Instruction Fuzzy Hash: 93E18035A012159FDF21DF64C984BEDBFB9BF99710F19416AEC09AB295DB30AC40CB90
    APIs
    • GetKeyState.USER32(00000011), ref: 00586621
    • GetWindowRect.USER32(?,?), ref: 00586689
    • GetCursorPos.USER32(?), ref: 005866D3
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CursorRectStateWindow
    • String ID: X'f$pxf
    • API String ID: 3412758350-3105597543
    • Opcode ID: ab7377383af76b02dfcb1ae3efcc604f653e2f64f9c7d8f317b19c254e871873
    • Instruction ID: 1a351e3a6dfc0a69f89dfd5002f6bfd0601c1dd5b9ea93791ce943e25959884b
    • Opcode Fuzzy Hash: ab7377383af76b02dfcb1ae3efcc604f653e2f64f9c7d8f317b19c254e871873
    • Instruction Fuzzy Hash: 1BB1E470A00209AFCB14EFA5D889AEDBBF6FF49314F14446EE95AA7251DB309940CF61
    APIs
    • IsWindow.USER32(?), ref: 0053C4F1
      • Part of subcall function 00563F25: GetClientRect.USER32(?,0053C51A), ref: 00563F56
      • Part of subcall function 00563F25: PtInRect.USER32(0053C51A,?,?), ref: 00563F70
    • ScreenToClient.USER32(?,?), ref: 0053C563
    • PtInRect.USER32(?,?,?), ref: 0053C573
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0053C59F
    • GetParent.USER32(?), ref: 0053C5BE
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0053C627
    • GetFocus.USER32 ref: 0053C62D
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0053C66A
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 0053C68E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$Rect$Client$FocusParentScreenWindow
    • String ID: (e$pe
    • API String ID: 4216724418-3688049780
    • Opcode ID: 9f0bac95562e83a59dd702581052a739cb73cf630856bde41cddf13d57453f65
    • Instruction ID: 7a602aa847279ff67ffbd068d48ed9db1299feefd9ab771bf2a83a951efb36e7
    • Opcode Fuzzy Hash: 9f0bac95562e83a59dd702581052a739cb73cf630856bde41cddf13d57453f65
    • Instruction Fuzzy Hash: 7D512E76A00205AFDB11EFA8C88AEA97FF6FB4D704F246465E909E7261D730ED008F51
    APIs
    • __EH_prolog3.LIBCMT ref: 005CE28D
    • GetObjectW.GDI32(00000018,00000018,00667718), ref: 005CE2A9
    • _memmove.LIBCMT ref: 005CE307
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3Object_memmove
    • String ID:
    • API String ID: 107514201-3916222277
    • Opcode ID: f53611e1fad14f909985680bd46bc607667f185a0bc7d926ad8cab23d3663b97
    • Instruction ID: aad7cce68c195a51f607ff46ade193b8fbac380ccc8b6eb7056f27b2868507c0
    • Opcode Fuzzy Hash: f53611e1fad14f909985680bd46bc607667f185a0bc7d926ad8cab23d3663b97
    • Instruction Fuzzy Hash: 8841E572C00159AFDF15DFE4DC86AAEBF76FF44310F50852AE512A72A0DB346A05DB90
    APIs
    • _memmove.LIBCMT ref: 00535966
    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE,00000000,00000102,?), ref: 00535983
    • RegDeleteValueW.ADVAPI32(?,IpDates_info), ref: 00535992
    • RegSetValueExW.ADVAPI32(?,IpDates_info,00000000,00000003,006AD400,000012A0), ref: 005359A3
    • RegCloseKey.ADVAPI32(?), ref: 005359AC
    • OpenProcess.KERNEL32(00000400,00000000,i2024), ref: 005359E5
    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 005359F4
    • Sleep.KERNEL32(00000BB8), ref: 00535A0C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: OpenProcessValue$CloseCodeDeleteExitSleep_memmove
    • String ID: FaCai2024$IpDates_info$SOFTWARE
    • API String ID: 2965120854-764131473
    • Opcode ID: 36589628135058d575db79923812fdae28401fab2b36e3fd9dd8f4286a222b42
    • Instruction ID: e709f74d72711a830be658908141893ef786361696e2399433cf1250879ab3ad
    • Opcode Fuzzy Hash: 36589628135058d575db79923812fdae28401fab2b36e3fd9dd8f4286a222b42
    • Instruction Fuzzy Hash: CA41B03290064AEFDB119FE4DC89ABFBFBAFF44325F506128E511A7190EB709905CB61
    APIs
    • __EH_prolog3.LIBCMT ref: 005A156D
    • TransparentBlt.MSIMG32(00000000,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,000000FF,00000048,005A2196,00000000,?,?), ref: 005A15C5
    • CreateCompatibleDC.GDI32(?), ref: 005A160A
    • CreateCompatibleDC.GDI32(?), ref: 005A1627
    • CreateCompatibleBitmap.GDI32(?,00000000,00000000), ref: 005A1645
    • StretchBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00000000,00000000,00CC0020), ref: 005A16A9
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,?,?,00000000,00CC0020), ref: 005A16D7
    • CreateBitmap.GDI32(00000000,00000000,00000001,00000001,00000000), ref: 005A16E4
    • BitBlt.GDI32(0057F49D,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00CC0020), ref: 005A171D
    • BitBlt.GDI32(00000000,00000000,00000000,00000000,00000000,0057F49D,00000000,00000000,008800C6), ref: 005A174B
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,0057F49D,00000000,00000000,008800C6), ref: 005A1778
    • BitBlt.GDI32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00EE0086), ref: 005A1793
      • Part of subcall function 00534EC8: __EH_prolog3_catch.LIBCMT ref: 00534EE7
      • Part of subcall function 0053BA1C: DeleteDC.GDI32(00000000), ref: 0053BA2E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Create$Compatible$Bitmap$DeleteH_prolog3H_prolog3_catchStretchTransparent
    • String ID:
    • API String ID: 11848205-0
    • Opcode ID: f4a22730099ac4032d3299b193f672234799a765ca31523da2f3e04540d762c4
    • Instruction ID: 4e7ba6b640917e7366d58b39fbeab3916fb2f17e6053a6f7aa4de830750ed078
    • Opcode Fuzzy Hash: f4a22730099ac4032d3299b193f672234799a765ca31523da2f3e04540d762c4
    • Instruction Fuzzy Hash: 2B91DF7280010AAFDF12EFA0CD85DEEBF7ABF59344F144518F615A61A0C7319E25EB61
    APIs
      • Part of subcall function 00547190: LoadCursorW.USER32(00000000,00007F8B), ref: 005471B1
      • Part of subcall function 00547190: LoadCursorW.USER32(?,00007901), ref: 005471CA
    • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 00547540
    • PostMessageW.USER32(?,00000111,0000E145,00000000), ref: 005475A3
    • SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 005475C5
    • GetCursorPos.USER32(?), ref: 005475E0
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0054760C
    • ReleaseCapture.USER32 ref: 00547659
    • SetCapture.USER32(?), ref: 0054765E
    • ReleaseCapture.USER32 ref: 0054766A
    • SendMessageW.USER32(?,00000362,?,00000000), ref: 0054767E
    • SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 005476A9
    • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 005476C7
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$CaptureCursorSend$LoadPeekPostRelease
    • String ID:
    • API String ID: 291007519-0
    • Opcode ID: 19bba74c81fae337d47463436c0ac1ae69b995b8e674b6a0045629aef2e6f56e
    • Instruction ID: 38c154474fddb58ad24fa2909fa80256972bd268c1b47f6a26d484ca3154975e
    • Opcode Fuzzy Hash: 19bba74c81fae337d47463436c0ac1ae69b995b8e674b6a0045629aef2e6f56e
    • Instruction Fuzzy Hash: 50513C7160470DAFDB11AFA4CC88AEEBBBAFF48309F114969F556A6161DB309D40DF10
    APIs
    • RealizePalette.GDI32(?), ref: 0059AE49
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0059AF20
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059AF3C
      • Part of subcall function 0059ACCC: __EH_prolog3.LIBCMT ref: 0059ACD3
      • Part of subcall function 0059ACCC: GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 0059AD3B
      • Part of subcall function 0059ACCC: CreatePalette.GDI32(00000000), ref: 0059AD86
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059AF58
    • GetNearestPaletteIndex.GDI32(?,000000FF), ref: 0059AF7B
    • FillRect.USER32(?,?,?), ref: 0059AFA1
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0059AFC8
    • FillRect.USER32(?,?), ref: 0059B01A
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059B061
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Inflate$Palette$Fill$CreateEntriesH_prolog3IndexNearestRealizeSystem
    • String ID: iii
    • API String ID: 1028858568-940974255
    • Opcode ID: 98bd83d8697274da3ba1f0d7361c523cd6bc10385b394eff79e3ae80a3d96caf
    • Instruction ID: 75ea978115190f0d1e4f4eac55f4bd873af8f3012a4f59f3b8c4b94602eb7787
    • Opcode Fuzzy Hash: 98bd83d8697274da3ba1f0d7361c523cd6bc10385b394eff79e3ae80a3d96caf
    • Instruction Fuzzy Hash: 3E915B71900209AFCF01DFA8DD84ADEBBBAFF49321F104625F925A7290CB75A905CF51
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005C6A34
    • GetSystemMenu.USER32(?,00000000,00000214,00574998,00000000,00000000,00000001,?), ref: 005C6A96
    • IsMenu.USER32(?), ref: 005C6AAF
    • IsMenu.USER32(?), ref: 005C6AC9
    • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 005C6AFE
    • GetClassLongW.USER32(?,000000DE), ref: 005C6B14
    • GetWindowLongW.USER32(?,000000F0), ref: 005C6B5F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$Long$ClassH_prolog3_MessageSendSystemWindow
    • String ID: 0
    • API String ID: 859179710-4108050209
    • Opcode ID: 29fe9060fbfc7f3082835eda50463e43915c342d7451affc7715ac5569ac0e2f
    • Instruction ID: c1068eb3550235e8d108cb37610fd0deae061947d8427b1d5268c6d9663521d1
    • Opcode Fuzzy Hash: 29fe9060fbfc7f3082835eda50463e43915c342d7451affc7715ac5569ac0e2f
    • Instruction Fuzzy Hash: 85813E30500656DFDB21DFA4CC89FAEBBB5FF44311F2446AEA89A96191DB309E41CF50
    APIs
    • _memset.LIBCMT ref: 0058CE60
    • SendMessageW.USER32(?,0000104B,00000000,?), ref: 0058CE82
    • SHGetDesktopFolder.SHELL32(?), ref: 0058CEC1
    • CreatePopupMenu.USER32 ref: 0058CF35
    • GetMenuDefaultItem.USER32(00000000,00000000,00000000), ref: 0058CF64
    • GetParent.USER32(?), ref: 0058CF91
    • GetParent.USER32(?), ref: 0058CFD6
    • GetParent.USER32(?), ref: 0058CFE5
    • SendMessageW.USER32(?,?,00000000,00000000), ref: 0058CFFA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Parent$MenuMessageSend$CreateDefaultDesktopFolderItemPopup_memset
    • String ID: $
    • API String ID: 2190390364-3993045852
    • Opcode ID: f3c8c76f4fa15044a69e3a7bcc9c599bcd5642974ee0ce573c9dcd689285c368
    • Instruction ID: e59f9ea7a38a8687e840021882e0b3156ae96b16e100e8327f8dc10bbb8750a7
    • Opcode Fuzzy Hash: f3c8c76f4fa15044a69e3a7bcc9c599bcd5642974ee0ce573c9dcd689285c368
    • Instruction Fuzzy Hash: F2511A74A00218EFCB21AFA5C888E9EBFB9FF48744F244559F905EB250E771D941DBA0
    APIs
    • GetCursorPos.USER32(?), ref: 005DCC4C
    • MonitorFromPoint.USER32(?,?,00000002), ref: 005DCC7E
    • GetMonitorInfoW.USER32(00000000), ref: 005DCC85
    • CopyRect.USER32(005824D4,?), ref: 005DCC97
    • SystemParametersInfoW.USER32(00000030,00000000,005824D4,00000000), ref: 005DCCA7
    • OffsetRect.USER32(?,005824D4,00000000), ref: 005DCCD1
    • OffsetRect.USER32(?,?,00000000), ref: 005DCCFC
    • OffsetRect.USER32(?,00000000,00000000), ref: 005DCD29
    • OffsetRect.USER32(?,00000000,?), ref: 005DCD4E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Offset$InfoMonitor$CopyCursorFromParametersPointSystem
    • String ID: (
    • API String ID: 4030222242-3887548279
    • Opcode ID: 0ed785b907c9fa29548b974a55417c8bb108c75f43b225f65e28096ef162675a
    • Instruction ID: d2928efc89b2107372a7c072697130dba73121c1832a29154a4a7fde937322d2
    • Opcode Fuzzy Hash: 0ed785b907c9fa29548b974a55417c8bb108c75f43b225f65e28096ef162675a
    • Instruction Fuzzy Hash: AD41DA75A0020A9FDB24DFA9C984AAEFFBAFF48300F24452AE515A7350D770AD46CB51
    APIs
    • LoadLibraryW.KERNEL32(kernel32.dll), ref: 00533AB0
    • GetProcAddress.KERNEL32(00000000,ResetEvent), ref: 00533ABC
    • timeGetTime.WINMM ref: 00533AC2
    • InterlockedExchange.KERNEL32(?,00000000), ref: 00533AD7
    • WaitForSingleObject.KERNEL32(?,00001770), ref: 00533B18
    • ResetEvent.KERNEL32(?), ref: 00533B33
      • Part of subcall function 0053372B: GetCurrentThreadId.KERNEL32 ref: 00533731
      • Part of subcall function 0053372B: SetEvent.KERNEL32(?,00000000,00040000,?,?,?,?,0053300E), ref: 00533788
      • Part of subcall function 0053372B: SetLastError.KERNEL32(0000139F,?,?,?,?,0053300E,?,?,?,?,?,?,?,?,?,00000000), ref: 005337B1
    • InterlockedExchange.KERNEL32(?,00000001), ref: 00533B43
    • ResetEvent.KERNEL32(?), ref: 00533B48
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Event$ExchangeInterlockedReset$AddressCurrentErrorLastLibraryLoadObjectProcSingleThreadTimeWaittime
    • String ID: ResetEvent$kernel32.dll
    • API String ID: 3281960137-3031989070
    • Opcode ID: 0afe14f3a844ca81ef561f330cea86f04e0bb1ee86ce0f15da8bceeec8acf436
    • Instruction ID: f1cd21a6c108250ddeb84d91654f8c5be965c91fd9d50afdf2f6e9d3268d3b75
    • Opcode Fuzzy Hash: 0afe14f3a844ca81ef561f330cea86f04e0bb1ee86ce0f15da8bceeec8acf436
    • Instruction Fuzzy Hash: 67218B71100704ABCB209FA5DC89D9BBBFAFF49721F104A29F546C7260DB74EA45CB61
    APIs
    • GetWindowRect.USER32(?,?), ref: 005717EA
    • GetParent.USER32(?), ref: 005717F7
    • IsZoomed.USER32(?), ref: 0057185B
    • SetWindowRgn.USER32(?,00000000,00000001), ref: 005718BA
    • GetClientRect.USER32(?,?), ref: 005718E2
    • GetClientRect.USER32(?,?), ref: 005718F7
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B72A
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B737
    • GetWindowRect.USER32(?,?), ref: 00571917
      • Part of subcall function 00545D83: SetWindowPos.USER32(?,00000000,00000064,?,?,?,?,?,0053A8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00545DAB
    • SetWindowRgn.USER32(?,00000000,00000001), ref: 00571AA2
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$ClientRect$Screen$ParentZoomed
    • String ID:
    • API String ID: 2314217310-0
    • Opcode ID: 8721860e419d2ee09705edca8b23b7fcbad830311d500339fc1e04dc6c1721f0
    • Instruction ID: 94abe0c7f5e90a4c6ea01a5fb4ed284e7616eadd71788a2dbcf02a819bb974fa
    • Opcode Fuzzy Hash: 8721860e419d2ee09705edca8b23b7fcbad830311d500339fc1e04dc6c1721f0
    • Instruction Fuzzy Hash: C3B15E7190161A9FCF11DFA8D888AEEBFB5FF48700F144169FD09AB216DB309940DBA5
    APIs
    • GetCursorPos.USER32(?), ref: 00565303
    • ScreenToClient.USER32(?,?), ref: 00565310
    • PtInRect.USER32(?,?,?), ref: 0056533E
    • PtInRect.USER32(?,?,?), ref: 00565363
    • KillTimer.USER32(?,00000002), ref: 00565393
    • InvalidateRect.USER32(?,?,00000001), ref: 005653B1
    • InvalidateRect.USER32(?,?,00000001), ref: 005653BF
    • _clock.LIBCMT ref: 005653D4
    • KillTimer.USER32(?,00000001), ref: 005654D9
    • ValidateRect.USER32(?,00000000), ref: 005654F5
    • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00565533
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$InvalidateKillTimer$ClientCursorRedrawScreenValidateWindow_clock
    • String ID:
    • API String ID: 3482734790-0
    • Opcode ID: e2797263c6dcc93948c7b66e07222ed9499828b10ffb9681b030aba847046f6e
    • Instruction ID: d8f2e621afa6c8014ca2da6a717b03626477b95baffaf36b8356ec254aecaf38
    • Opcode Fuzzy Hash: e2797263c6dcc93948c7b66e07222ed9499828b10ffb9681b030aba847046f6e
    • Instruction Fuzzy Hash: 17716E31600B05DFCB21DF64C988AAABFF6FF99341F14492EE44AD7250EB70A980DB51
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 0053A787
    • FindResourceW.KERNEL32(?,?,00000005,00000024,005354E9), ref: 0053A7BD
    • LoadResource.KERNEL32(?,00000000), ref: 0053A7C5
      • Part of subcall function 005420A6: UnhookWindowsHookEx.USER32(?), ref: 005420D6
    • LockResource.KERNEL32(?,00000024,005354E9), ref: 0053A7D6
    • GetDesktopWindow.USER32 ref: 0053A809
    • IsWindowEnabled.USER32(?), ref: 0053A817
    • EnableWindow.USER32(?,00000000), ref: 0053A826
      • Part of subcall function 00545BA4: IsWindowEnabled.USER32(?), ref: 00545BAD
      • Part of subcall function 00545BBF: EnableWindow.USER32(?,00000000), ref: 00545BD0
    • EnableWindow.USER32(?,00000001), ref: 0053A90B
    • GetActiveWindow.USER32 ref: 0053A916
    • SetActiveWindow.USER32(?,?,00000024,005354E9), ref: 0053A924
    • FreeResource.KERNEL32(?,?,00000024,005354E9), ref: 0053A940
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
    • String ID:
    • API String ID: 964565984-0
    • Opcode ID: 9a2c68b0ccc01fcdb4441ad6c845ad826dee24b2199c340e1886a0827447026b
    • Instruction ID: ad6f5d9c29d8f3180981f83c388ae4697cb4654d48490e55f9c81dfe677791cd
    • Opcode Fuzzy Hash: 9a2c68b0ccc01fcdb4441ad6c845ad826dee24b2199c340e1886a0827447026b
    • Instruction Fuzzy Hash: 44516F30A007059FDB21AFA5C8896AEFFB2FF88702F14452DE142B62A1DB754D42CF56
    APIs
    • GetCapture.USER32 ref: 00592A5D
    • ReleaseCapture.USER32 ref: 00592A67
    • GetClientRect.USER32(?,?), ref: 00592A80
    • GetSystemMetrics.USER32(00000015), ref: 00592AA7
    • GetSystemMetrics.USER32(00000015), ref: 00592ACB
    • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00592B04
    • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00592B26
    • GetCapture.USER32 ref: 00592B4B
    • ReleaseCapture.USER32 ref: 00592B55
    • GetClientRect.USER32(?,?), ref: 00592B6E
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00592BBC
      • Part of subcall function 00591D81: __EH_prolog3_GS.LIBCMT ref: 00591D88
      • Part of subcall function 00591D81: IsRectEmpty.USER32(?), ref: 00591DA3
      • Part of subcall function 00591D81: InvertRect.USER32(?,?), ref: 00591DB9
      • Part of subcall function 00591D81: SetRectEmpty.USER32(?), ref: 00591DC7
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Capture$ClientEmptyMessageMetricsReleaseSendSystem$H_prolog3_InvertRedrawWindow
    • String ID:
    • API String ID: 174338775-0
    • Opcode ID: cee532a92c7c5b7b86dcdfce9b4f5ddaa50074c4672a3601155e63b5acc74c14
    • Instruction ID: 7f820694eabc860411434c6b054553edb4af81513f4b599b15f3d5f183b80b40
    • Opcode Fuzzy Hash: cee532a92c7c5b7b86dcdfce9b4f5ddaa50074c4672a3601155e63b5acc74c14
    • Instruction Fuzzy Hash: 80512C71A00709AFCB11DFA8CD849AEBBF6FF88301F15452DE45AA7251D770AA41CF91
    APIs
    • WSASetLastError.WS2_32(0000000D,?,?,00000004), ref: 00534128
    • EnterCriticalSection.KERNEL32(00000204,?,?,00000004), ref: 0053413D
    • WSASetLastError.WS2_32(00002746), ref: 0053414F
    • LeaveCriticalSection.KERNEL32(?), ref: 00534158
    • timeGetTime.WINMM ref: 0053417A
    • timeGetTime.WINMM ref: 005341A2
    • SetEvent.KERNEL32(?), ref: 005341D0
    • InterlockedExchange.KERNEL32(?,00000001), ref: 005341DC
    • WSASetLastError.WS2_32(00002746), ref: 005341F2
    • LeaveCriticalSection.KERNEL32(?), ref: 005341FB
    • LeaveCriticalSection.KERNEL32(?), ref: 0053420C
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CriticalSection$ErrorLastLeave$Timetime$EnterEventExchangeInterlocked
    • String ID:
    • API String ID: 1405026782-0
    • Opcode ID: dfac7da9be3c8bbff94dc3cb2915aaf07ec38404606d63439d5578182fc01e71
    • Instruction ID: 166978e71b43d6c4e76d23570a9f1b48c7ca5e09074488475fe6e85b05a45f13
    • Opcode Fuzzy Hash: dfac7da9be3c8bbff94dc3cb2915aaf07ec38404606d63439d5578182fc01e71
    • Instruction Fuzzy Hash: A941C0356007009FDB30DFA4D84DA6ABFF6BF28312F044658E586972A1D7B0B881CF51
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Object$Delete_memset$H_prolog3
    • String ID: dvf$dvf$dvf
    • API String ID: 1235337548-726822980
    • Opcode ID: 673824eb96f78a4c1d527a334500701c14b8be0415d491c22182cfdb6cf3f3dc
    • Instruction ID: 37a36ec83b332e2d06c5d6a00689663a4e298bf3e1eb968c4d8f43cd8ff25869
    • Opcode Fuzzy Hash: 673824eb96f78a4c1d527a334500701c14b8be0415d491c22182cfdb6cf3f3dc
    • Instruction Fuzzy Hash: 7B1214B0D1022ADFCF24DFA4C985AEDBBB5FF09300F10819AE559A7291D7309A95CF94
    APIs
      • Part of subcall function 0059DAE0: GdipGetImagePixelFormat.GDIPLUS(?,006AA600,00000000,00000000,?,005A0A41,00000000,00000000,006AA600), ref: 0059DAF0
    • _free.LIBCMT ref: 005A0B4A
    • _free.LIBCMT ref: 005A0B96
    • GdipBitmapLockBits.GDIPLUS(?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,006AA600), ref: 005A0C5F
    • _free.LIBCMT ref: 005A0C8F
      • Part of subcall function 0059DB02: GdipGetImagePaletteSize.GDIPLUS(?,00000000,00000000,00000000,?,005A0AFB,00000000,?,?,00000000,00000000,00000000,00000000,00000000), ref: 0059DB16
    • GdipBitmapUnlockBits.GDIPLUS(00000005,?,?,00000000,00000001,00000000,?,00000000,?,?,00000000,00000000,00000000,00000000,00000000,006AA600), ref: 005A0D0B
    • _free.LIBCMT ref: 005A0D86
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Gdip_free$BitmapBitsImage$FormatLockPalettePixelSizeUnlock
    • String ID: &
    • API String ID: 4092590016-3042966939
    • Opcode ID: 84ef29e47702c5a180ea31fc135dff1929e6cf8a2215fb7d101351ecf92ec68a
    • Instruction ID: c35f57f81f27e9d33866d744e470572b6858165c76711f26a46db5191b2547e1
    • Opcode Fuzzy Hash: 84ef29e47702c5a180ea31fc135dff1929e6cf8a2215fb7d101351ecf92ec68a
    • Instruction Fuzzy Hash: CFA17BB19002299BCF20DF14CD80B9DBBB5BF85314F1095E9E609A7291CB74AEC5CF68
    APIs
    • GetWindowRect.USER32(?,?), ref: 005B1587
    • MonitorFromPoint.USER32(?,?,00000002), ref: 005B15C0
    • GetMonitorInfoW.USER32(00000000), ref: 005B15C7
    • CopyRect.USER32(?,?), ref: 005B15DF
    • CopyRect.USER32(?,?), ref: 005B15E9
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005B1620
    • GetSystemMetrics.USER32(00000022), ref: 005B169E
    • GetSystemMetrics.USER32(00000023), ref: 005B16A5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: RectSystem$CopyInfoMetricsMonitor$Exception@8FromH_prolog3ParametersPointThrowWindow
    • String ID: (
    • API String ID: 348238172-3887548279
    • Opcode ID: 4602d436e84e426ffeccd44b190dd859bc18814fee7675a055e17e157bd07926
    • Instruction ID: ab28ae51ceca3b7ab81bcc02930d2b66825c0dfd030927e0d36144beb9f39c0d
    • Opcode Fuzzy Hash: 4602d436e84e426ffeccd44b190dd859bc18814fee7675a055e17e157bd07926
    • Instruction Fuzzy Hash: E6512AB1D006099FCB54DFA9C999AEEBBF9FF88300F14412AE505E7254DB70AA01CF65
    APIs
    • SetRectEmpty.USER32(?), ref: 00592F4A
    • LoadCursorW.USER32(?,00007904), ref: 00592F71
    • LoadCursorW.USER32(?,00007905), ref: 00592F93
    • SendMessageW.USER32(?,0000120A,00000000,00000006), ref: 00592FDA
    • SendMessageW.USER32(?,0000120A,00000001,00000006), ref: 00592FFE
    • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 00593038
    • SendMessageW.USER32(?,00000418,00000000,FFFFFFFF), ref: 00593052
    • GetParent.USER32(?), ref: 0059307C
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$CursorLoad$EmptyParentRect
    • String ID: d
    • API String ID: 2284761715-2564639436
    • Opcode ID: 7cc6ea933e41d9ca5934b0754cd04ccb93e51e716a984aedcb6ea8f107d33464
    • Instruction ID: 653c8eb9fc1ebb315642332676eccf2dafc5c57adb1736f419c95a808bf25a87
    • Opcode Fuzzy Hash: 7cc6ea933e41d9ca5934b0754cd04ccb93e51e716a984aedcb6ea8f107d33464
    • Instruction Fuzzy Hash: F3513971610609AFDB11EF69CD89EAEBBFAFF89300F100159F616972A1DB71AD018F50
    APIs
    • ScreenToClient.USER32(?,?), ref: 00567E20
    • GetParent.USER32(?), ref: 00567E37
    • GetClientRect.USER32(?,?), ref: 00567EC5
    • MapWindowPoints.USER32(?,?,?,00000002), ref: 00567ED8
    • PtInRect.USER32(?,?,?), ref: 00567EE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClientRect$ParentPointsScreenWindow
    • String ID: pe
    • API String ID: 1402249346-324909747
    • Opcode ID: 61e83fb3da91bc1340a1dc89b9ed4295140ea003b2df4156bd3f4a33d6c8ea63
    • Instruction ID: 9d1937983ab186d245581a8004fe8426bd5dccd2ab3e398b724270b5acb5dfc1
    • Opcode Fuzzy Hash: 61e83fb3da91bc1340a1dc89b9ed4295140ea003b2df4156bd3f4a33d6c8ea63
    • Instruction Fuzzy Hash: 8C311A7260420AAFCB01DFA4CC488AEBBBEFF8C354B240569F946D7621EB71DD059B51
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0056E385
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • swprintf.LIBCMT ref: 0056E3CF
    • _wcslen.LIBCMT ref: 0056E3D8
      • Part of subcall function 00536906: _wcsnlen.LIBCMT ref: 0053693A
      • Part of subcall function 00536906: _wmemcpy_s.LIBCPMT ref: 0053696E
    • _wcslen.LIBCMT ref: 0056E3F3
    • _wcslen.LIBCMT ref: 0056E42A
    • swprintf.LIBCMT ref: 0056E456
    • _wcslen.LIBCMT ref: 0056E45F
      • Part of subcall function 00536988: _wcslen.LIBCMT ref: 0053699A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _wcslen$swprintf$H_prolog3_LongWindow_wcsnlen_wmemcpy_s
    • String ID: - $:%d
    • API String ID: 472068148-2359489159
    • Opcode ID: aa4c933d8d9c00a1931906e47eead1ba1f527a4bd82c6511864de1273cd3e54b
    • Instruction ID: 80f5d60cbb66579206ecc64ad48798917a8f0a6caa97491c6f663c5fa3b9edba
    • Opcode Fuzzy Hash: aa4c933d8d9c00a1931906e47eead1ba1f527a4bd82c6511864de1273cd3e54b
    • Instruction Fuzzy Hash: B83132729005096BDB15EBE0CE87EEEBB6DBF50300F048429B502AB156DF74AE19CB94
    APIs
    • LoadLibraryW.KERNEL32(KERNEL32.dll,?), ref: 00535E4E
    • GetProcAddress.KERNEL32(00000000), ref: 00535E55
    • WriteProcessMemory.KERNEL32(?,00000000,?,?,00000000), ref: 00535E74
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressLibraryLoadMemoryProcProcessWrite
    • String ID: +aS$Ex$KERNEL32.dll$Virt$lloc$ualA
    • API String ID: 3389589582-3108020248
    • Opcode ID: e4324814c8ff9ddcc498d87a295bb2e08ad6980d580a5cfbc1ff86b76ff18722
    • Instruction ID: e5ac092974751fd4d5c6426af6dfaccb1192106802ea901b04d48950d1d06cb3
    • Opcode Fuzzy Hash: e4324814c8ff9ddcc498d87a295bb2e08ad6980d580a5cfbc1ff86b76ff18722
    • Instruction Fuzzy Hash: 1401CD70A00309BBDB11DFE5CD49BAE7BB9EF45701F105158A605AA291DBB4A6008BA9
    APIs
    • __EH_prolog3.LIBCMT ref: 005975A3
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • SendMessageW.USER32(?,000000B0,?,?), ref: 005975EE
    • MessageBeep.USER32(000000FF), ref: 00597665
      • Part of subcall function 0063A07E: __towupper_l.LIBCMT ref: 0063A088
    • SendMessageW.USER32(?,000000C2,00000001,00000000), ref: 005976DD
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00597713
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0059777E
    • MessageBeep.USER32(000000FF), ref: 00597829
    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00597922
      • Part of subcall function 00594225: __EH_prolog3_GS.LIBCMT ref: 0059422C
      • Part of subcall function 00594225: _wcslen.LIBCMT ref: 0059426B
      • Part of subcall function 00594225: _wmemcpy_s.LIBCMT ref: 00594291
      • Part of subcall function 00536906: _wcsnlen.LIBCMT ref: 0053693A
      • Part of subcall function 00536906: _wmemcpy_s.LIBCPMT ref: 0053696E
    • SendMessageW.USER32(?,000000B0,?,?), ref: 0059798B
    • MessageBeep.USER32(000000FF), ref: 005979A1
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$Send$Beep$_wmemcpy_s$H_prolog3H_prolog3_LongWindow__towupper_l_wcslen_wcsnlen
    • String ID:
    • API String ID: 1061238856-0
    • Opcode ID: 96cc0f8f81f930786431320d57f2d04c78b513762e1916d0ffa3c30dc4551e11
    • Instruction ID: b6e689b8fc488669b1739ab372d395f8d532157fad3846b21e7c33bf5c666023
    • Opcode Fuzzy Hash: 96cc0f8f81f930786431320d57f2d04c78b513762e1916d0ffa3c30dc4551e11
    • Instruction Fuzzy Hash: 1DD17A71A1451AAFDF15DF94C889EFEBBBAFF88700F10411AF552A7291DB30A941CB60
    APIs
    Similarity
    • API ID: Rect$CopyParentWindow
    • String ID:
    • API String ID: 642869531-0
    • Opcode ID: 5b908519b8524dca9817e3c55319ab97e8f0f0a4096e1baad97fc83f172b6261
    • Instruction ID: 98257667468967dd0cbd11ee021afb952428c46e50e1504c96a5d886307f098e
    • Opcode Fuzzy Hash: 5b908519b8524dca9817e3c55319ab97e8f0f0a4096e1baad97fc83f172b6261
    • Instruction Fuzzy Hash: B9B1ADB1A0021A9BCF21DFA8C984AEEBBF5FF48340F14456BE815E6354E7759A41CB60
    APIs
    Similarity
    • API ID: Window$ClientMessageScreenSend
    • String ID:
    • API String ID: 526472501-0
    • Opcode ID: 8e7f3f88e0d7bd5c1877ff16718413d2ebd0f30c84e63de2d3dda23b67adad80
    • Instruction ID: 2601a581b17cc631fd7fa61ba13f8e8f54e3a835dd59c6aa7806f87320b11238
    • Opcode Fuzzy Hash: 8e7f3f88e0d7bd5c1877ff16718413d2ebd0f30c84e63de2d3dda23b67adad80
    • Instruction Fuzzy Hash: 1D518F76A00201ABDF219FA4CC88A7EBFF6FB08781F248869E495F2161D735DE40DB11
    APIs
    • IsWindowVisible.USER32(00000000), ref: 005B16EE
    • IsWindowVisible.USER32(00000000), ref: 005B16FD
    • GetSystemMetrics.USER32(00000021), ref: 005B172F
    • GetSystemMetrics.USER32(00000021), ref: 005B1736
    • GetSystemMetrics.USER32(00000020), ref: 005B173C
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • IsWindowVisible.USER32(00000000), ref: 005B1764
    • IsWindowVisible.USER32(00000000), ref: 005B1773
    • IsZoomed.USER32(00000000), ref: 005B1799
    • GetSystemMetrics.USER32 ref: 005B17B5
    • GetSystemMetrics.USER32(00000004), ref: 005B17F8
    Similarity
    • API ID: MetricsSystem$VisibleWindow$Exception@8H_prolog3ThrowZoomed
    • String ID:
    • API String ID: 1383962431-0
    • Opcode ID: eb162e1867abf980a229fc39f6eb894b8b2ec5840dd883dd74aab779958cb0e9
    • Instruction ID: 3bc00865b93f152266e9fbb5efa77878d40745b700458b2f091cc690b27385cc
    • Opcode Fuzzy Hash: eb162e1867abf980a229fc39f6eb894b8b2ec5840dd883dd74aab779958cb0e9
    • Instruction Fuzzy Hash: E9418C35200B02DFDB61DBA5C898BE67BE5FF48355F448068E5998B1A1DB70FC40CB99
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00591D88
      • Part of subcall function 0053BA35: __EH_prolog3.LIBCMT ref: 0053BA3C
      • Part of subcall function 0053BA35: GetDC.USER32(00000000), ref: 0053BA68
    • IsRectEmpty.USER32(?), ref: 00591DA3
    • InvertRect.USER32(?,?), ref: 00591DB9
    • SetRectEmpty.USER32(?), ref: 00591DC7
    • GetClientRect.USER32(?,?), ref: 00591E0E
    • GetSystemMetrics.USER32(00000015), ref: 00591E35
    • GetSystemMetrics.USER32(00000015), ref: 00591E59
    • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 00591E92
    • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 00591EB4
    • InvertRect.USER32(?,?), ref: 00591EBC
    Similarity
    • API ID: Rect$EmptyInvertMessageMetricsSendSystem$ClientH_prolog3H_prolog3_
    • String ID:
    • API String ID: 3401445556-0
    • Opcode ID: 79a437b1ec54defce144bf1e5609b5875453c36b6a755975203350368d6cf81a
    • Instruction ID: e53115344874f5f07d845cd5521cfef44e52a039b6a9cce9d59bf52a63fe3d47
    • Opcode Fuzzy Hash: 79a437b1ec54defce144bf1e5609b5875453c36b6a755975203350368d6cf81a
    • Instruction Fuzzy Hash: 654115729006299FDF05DFA4C989AEE7FB9FF48301F050169E909AB251DB306E44CFA5
    APIs
      • Part of subcall function 0053301F: CreateWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 00533027
    • InterlockedIncrement.KERNEL32(006AF1DC), ref: 00532F38
    • InterlockedIncrement.KERNEL32(006AF1DC), ref: 00532F42
    • setsockopt.WS2_32(?,0000FFFF,00001001,?,00000004), ref: 00532F68
    • setsockopt.WS2_32(?,0000FFFF,00001002,00040000,00000004), ref: 00532F80
    • ResetEvent.KERNEL32(?), ref: 00532FB9
    • SetLastError.KERNEL32 ref: 00532FCD
    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,00000000), ref: 00532FFF
      • Part of subcall function 0053372B: GetCurrentThreadId.KERNEL32 ref: 00533731
      • Part of subcall function 0053372B: SetEvent.KERNEL32(?,00000000,00040000,?,?,?,?,0053300E), ref: 00533788
      • Part of subcall function 0053372B: SetLastError.KERNEL32(0000139F,?,?,?,?,0053300E,?,?,?,?,?,?,?,?,?,00000000), ref: 005337B1
    • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,00000000), ref: 0053300F
    Similarity
    • API ID: ErrorLast$EventIncrementInterlockedsetsockopt$CreateCurrentResetThreadTimerWaitable
    • String ID:
    • API String ID: 1321792636-0
    • Opcode ID: d6d61143e7e3ccef4a69984008db93e68a46736d4aa8c7243aad8c4ba10ebc89
    • Instruction ID: 877f2c8b6b3a9adf0285f3ddb74c9c98d6654334621693c74860c6953cfea90e
    • Opcode Fuzzy Hash: d6d61143e7e3ccef4a69984008db93e68a46736d4aa8c7243aad8c4ba10ebc89
    • Instruction Fuzzy Hash: A2317EB1500B00AFD760EFA5CC89A6BBFF9FF88305F114919E546C3650D7B5A9409F51
    APIs
    • GetCapture.USER32 ref: 0054720B
    • WindowFromPoint.USER32(?,?), ref: 0054721A
    • GetActiveWindow.USER32 ref: 0054723C
    • GetCurrentThreadId.KERNEL32 ref: 00547254
    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00547263
    • GetDesktopWindow.USER32 ref: 0054726F
    Similarity
    • API ID: Window$Thread$ActiveCaptureCurrentDesktopFromPointProcess
    • String ID:
    • API String ID: 1298419125-0
    • Opcode ID: 8940ae099c2c70fe8f5f5315ea1ee8678b438028e377f223eafab343d3bcd979
    • Instruction ID: 309e880e7590ff1683e795c45360dc371d9af311424b10b68a24185bba2f4bf6
    • Opcode Fuzzy Hash: 8940ae099c2c70fe8f5f5315ea1ee8678b438028e377f223eafab343d3bcd979
    • Instruction Fuzzy Hash: E4315E79908219EFCB11EFE4C9888EEBFB6FB4C309B100555F802A7210DB748E41DBA1
    APIs
    • GetCurrentThreadId.KERNEL32 ref: 00533731
    • SetLastError.KERNEL32(0000139F,?,?,?,?,0053300E,?,?,?,?,?,?,?,?,?,00000000), ref: 005337B1
      • Part of subcall function 00532718: InterlockedCompareExchange.KERNEL32(?,00000001,00000000), ref: 0053272E
      • Part of subcall function 00532718: SwitchToThread.KERNEL32(?,?,00000000,00533751,00040000,?,?,?,?,0053300E), ref: 00532740
    • SetEvent.KERNEL32(?,00000000,00040000,?,?,?,?,0053300E), ref: 00533788
    • CloseHandle.KERNEL32(?,00000000,00040000,?,?,?,?,0053300E), ref: 005337C1
    • send.WS2_32(?,00684488,00000010,00000000), ref: 005337E4
    • SetEvent.KERNEL32(00040000,00000000,00040000,?,?,?,?,0053300E), ref: 005337FE
    • InterlockedExchange.KERNEL32(?,00000000), ref: 00533805
    • WSACloseEvent.WS2_32(?), ref: 00533814
    • shutdown.WS2_32(?,00000001), ref: 00533828
    • closesocket.WS2_32(?), ref: 00533831
    Similarity
    • API ID: Event$CloseExchangeInterlockedThread$CompareCurrentErrorHandleLastSwitchclosesocketsendshutdown
    • String ID:
    • API String ID: 1297919148-0
    • Opcode ID: ffff58962bb0efc2ab750eafd19c9149b783f3a20d1ab46f8d6e530e3c526db7
    • Instruction ID: 1d828737102f44f5cb4162d63ae54ff54f3a88c0e660ba05209521c650bf869c
    • Opcode Fuzzy Hash: ffff58962bb0efc2ab750eafd19c9149b783f3a20d1ab46f8d6e530e3c526db7
    • Instruction Fuzzy Hash: 163133B0600A16BFCB15AFA8DD89A99BBBAFF04715F100615F501D7A60D771FA60CBD0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00538EB2
    • MapDialogRect.USER32(?,?), ref: 00538F50
    • SysAllocStringLen.OLEAUT32(?,?), ref: 00538F6F
    • CLSIDFromString.OLE32(?,?,00000000), ref: 0053906D
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • CLSIDFromProgID.OLE32(?,?,00000000), ref: 00539075
    • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,00000013,00000001,00000000,?,00000000,?,?,00000000,?,00000000), ref: 0053911D
    • SysFreeString.OLEAUT32(00000000), ref: 0053916F
    Strings
    Similarity
    • API ID: String$From$AllocDialogFreeH_prolog3_ProgRectWindow_malloc
    • String ID: `<u
    • API String ID: 2980224915-3367579956
    • Opcode ID: 3170248a1369edcc040283a72ff2ab86308e34831ec48997eecd59ffb23eba2e
    • Instruction ID: 1e57f71e58f6046981afdd22d29e26e4a5f718b98e5c181da0adb6c2ff578716
    • Opcode Fuzzy Hash: 3170248a1369edcc040283a72ff2ab86308e34831ec48997eecd59ffb23eba2e
    • Instruction Fuzzy Hash: 4FB1F3B5D00219DFDB14DFE8C988AEDBBB5FF48304F14412AE819AB251E774AA84CF51
    APIs
    • GetParent.USER32(?), ref: 0056843F
    • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0056847F
    • GetParent.USER32(?), ref: 00568513
    • PostMessageW.USER32(?,-00000111,?,00000000), ref: 005685B7
    • GetParent.USER32(?), ref: 0056861B
    • InvalidateRect.USER32(?,?,00000001,?), ref: 0056868D
    • UpdateWindow.USER32(?), ref: 00568699
    Strings
    Similarity
    • API ID: Parent$Message$InvalidatePostRectSendUpdateWindow
    • String ID: pe
    • API String ID: 896913059-324909747
    • Opcode ID: 402392e006237a950c04879adda0653e7b89b9ea5f7b38a86630854b26fd1bde
    • Instruction ID: d987f9942fc8e02c9abbb429193130bded45afa1c0419565eb5a3debea5de868
    • Opcode Fuzzy Hash: 402392e006237a950c04879adda0653e7b89b9ea5f7b38a86630854b26fd1bde
    • Instruction Fuzzy Hash: DF71A031600212AFCB25AF68CC59BBE7FB6BF84711F150629F906DB291DF719D408B91
    APIs
    • LockWindowUpdate.USER32(00000000,00000000,?,?,?,00604BED,00000000), ref: 0058792B
    • ValidateRect.USER32(?,00000000,?,?,00604BED,00000000), ref: 00587960
    • UpdateWindow.USER32(?), ref: 00587965
    • LockWindowUpdate.USER32(00000000,?,00604BED,00000000), ref: 00587978
    • ValidateRect.USER32(?,00000000,?,?,00604BED,00000000), ref: 0058799F
    • UpdateWindow.USER32(?), ref: 005879A4
    • LockWindowUpdate.USER32(00000000,?,00604BED,00000000), ref: 005879B7
    Strings
    Similarity
    • API ID: UpdateWindow$Lock$RectValidate
    • String ID: X'f
    • API String ID: 797752328-3824865298
    • Opcode ID: 4cc305068a9a3ce4739f5381236ef3fd09b0e9e6846a8275a5b10d43f703679e
    • Instruction ID: 9235f98c3b69a8bc8ef5029682b95309f354f5a5024de42e573e6d485933273d
    • Opcode Fuzzy Hash: 4cc305068a9a3ce4739f5381236ef3fd09b0e9e6846a8275a5b10d43f703679e
    • Instruction Fuzzy Hash: 98216D32608219EFCB25AF54C884B68BBB2FB48761F354629E9496B160D731EC50DB90
    APIs
    Strings
    Similarity
    • API ID: Window$ActiveFocus$MessageSend
    • String ID: u
    • API String ID: 1556911595-4067256894
    • Opcode ID: 0ddcd5d54e3ecc37399e59da9beec9a36f969b3d0d9aeb4159aea35f3bf02056
    • Instruction ID: 0528e94518553821da784992135bb9d686cf30b62239110df35ee0b32e88b7a1
    • Opcode Fuzzy Hash: 0ddcd5d54e3ecc37399e59da9beec9a36f969b3d0d9aeb4159aea35f3bf02056
    • Instruction Fuzzy Hash: 7B118E32900305BBDB249BB8CD8C9EE7EA6FF88319F054525F905A21B1EB34CF10DA90
    APIs
    • GetStockObject.GDI32(00000011), ref: 00555C23
    • GetStockObject.GDI32(0000000D), ref: 00555C2B
    • GetObjectW.GDI32(00000000,0000005C,?), ref: 00555C38
    • GetDC.USER32(00000000), ref: 00555C47
    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00555C5B
    • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00555C67
    • ReleaseDC.USER32(00000000,00000000), ref: 00555C73
    Strings
    Similarity
    • API ID: Object$Stock$CapsDeviceRelease
    • String ID: System
    • API String ID: 46613423-3470857405
    • Opcode ID: fa5fd9c9580090cf847608ba42ca5a6a14a7216a26cb206010a6ce73d2b98d22
    • Instruction ID: 2c59caceb00180743b78c97b93ab5bf4c0cbc2d1807cdf6752e563acac3b2b48
    • Opcode Fuzzy Hash: fa5fd9c9580090cf847608ba42ca5a6a14a7216a26cb206010a6ce73d2b98d22
    • Instruction Fuzzy Hash: B7118F71640718ABDB10EBE0DD59FAE7BB9FB55746F00011AFA05AB1D0EB709C04CBA1
    APIs
    • __EH_prolog3.LIBCMT ref: 00619EDD
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F8B
      • Part of subcall function 00569F51: InitializeCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F9D
      • Part of subcall function 00569F51: LeaveCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FAA
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FBA
    • GetProfileIntW.KERNEL32(windows,DragScrollInset,0000000B), ref: 00619F2D
    • GetProfileIntW.KERNEL32(windows,DragScrollDelay,00000032), ref: 00619F3C
    • GetProfileIntW.KERNEL32(windows,DragScrollInterval,00000032), ref: 00619F4B
    Strings
    Similarity
    • API ID: CriticalSection$Profile$Enter$H_prolog3InitializeLeave
    • String ID: DragScrollDelay$DragScrollInset$DragScrollInterval$windows
    • API String ID: 4229786687-1024936294
    • Opcode ID: a362d353ef248b08e3af6592e9345493c0290f3bb54c8a9c0ac8052801e5dc63
    • Instruction ID: 204dc70490db95cffb37b0b5e035a9faf8325b18ac577217e20ce7e066e12e59
    • Opcode Fuzzy Hash: a362d353ef248b08e3af6592e9345493c0290f3bb54c8a9c0ac8052801e5dc63
    • Instruction Fuzzy Hash: 990184B09807009ED761EF659D46705BEEAFF90700F05651EF209AB691CBF069408FA9
    APIs
    • __EH_prolog3.LIBCMT ref: 005979C5
    • SendMessageW.USER32(?,000000B0,?,?), ref: 005979E3
    • MessageBeep.USER32(000000FF), ref: 00597A82
    • MessageBeep.USER32(000000FF), ref: 00597DD3
    Similarity
    • API ID: Message$Beep$H_prolog3Send
    • String ID:
    • API String ID: 491126482-0
    • Opcode ID: d9d2cb706fcca0a8bd9b1ace59d5a0515ebd39eb3529f56ab3ab49118abafa70
    • Instruction ID: 7d34d590f63de9709d29fa8534f6a241b3492e861076eadb221f99a05f487cc2
    • Opcode Fuzzy Hash: d9d2cb706fcca0a8bd9b1ace59d5a0515ebd39eb3529f56ab3ab49118abafa70
    • Instruction Fuzzy Hash: ABD17B71A1461A9BCF15DF94C985EFFBBB9FF88700F10411AE512A7291EB34AE41CB60
    APIs
    • __EH_prolog3.LIBCMT ref: 00597DF7
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00597E15
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00597E23
    • MessageBeep.USER32(000000FF), ref: 00597E8F
    • SendMessageW.USER32(?,000000B0,?,?), ref: 00598025
    • MessageBeep.USER32(000000FF), ref: 005980C2
    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00598177
    • SendMessageW.USER32(?,000000B0,?,?), ref: 005981D3
    • MessageBeep.USER32(000000FF), ref: 005981E9
    Similarity
    • API ID: Message$Send$Beep$H_prolog3
    • String ID:
    • API String ID: 204075910-0
    • Opcode ID: 51044e9d0d4b8f05057973821232ed1ea43682309fdb652d41605a218f3695d6
    • Instruction ID: f58f0da0d739fbeb321a1a27cb026364fffa1440ef1248543ad82112ae3801c0
    • Opcode Fuzzy Hash: 51044e9d0d4b8f05057973821232ed1ea43682309fdb652d41605a218f3695d6
    • Instruction Fuzzy Hash: 85D19E7190051AABCF11DB94C884EFEFBBAFF88304F24415AF512B7291DB30A945CB60
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005725E6
    • GetWindowRect.USER32(?,?), ref: 00572635
    • OffsetRect.USER32(?,?,?), ref: 0057264B
      • Part of subcall function 0053BA35: __EH_prolog3.LIBCMT ref: 0053BA3C
      • Part of subcall function 0053BA35: GetDC.USER32(00000000), ref: 0053BA68
    • CreateCompatibleDC.GDI32(?), ref: 005726BC
    • SelectObject.GDI32(?,?), ref: 005726DC
    • SelectObject.GDI32(?,?), ref: 0057271E
    • CreateCompatibleDC.GDI32(?), ref: 00572837
    • SelectObject.GDI32(?,?), ref: 00572857
    • SelectObject.GDI32(?,00000000), ref: 00572887
    Similarity
    • API ID: ObjectSelect$CompatibleCreateRect$H_prolog3H_prolog3_OffsetWindow
    • String ID:
    • API String ID: 2818906880-0
    • Opcode ID: 39560218128c8e243501bbfb6ba9a25a206fcb5e362e76960801c1035c984095
    • Instruction ID: 1ba443fc7c8a9f253b216fcdafdab159c74a9cd814962af19ac0ae9b4384ed0b
    • Opcode Fuzzy Hash: 39560218128c8e243501bbfb6ba9a25a206fcb5e362e76960801c1035c984095
    • Instruction Fuzzy Hash: 51A11371D0021AAFCF15EFA4D989AEDBBB6BF48300F108159EA09B7251DB305A45DFA1
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00536C47
    • OleDuplicateData.OLE32(?,?,00000000), ref: 00536CC8
    • GlobalLock.KERNEL32(00000000), ref: 00536CF7
    • CopyMetaFileW.GDI32(?,00000000), ref: 00536D03
    • GlobalUnlock.KERNEL32(?), ref: 00536D13
    • GlobalFree.KERNEL32(?), ref: 00536D1C
    • GlobalUnlock.KERNEL32(?), ref: 00536D28
      • Part of subcall function 00536156: __EH_prolog3.LIBCMT ref: 0053615D
    • lstrlenW.KERNEL32(?,0000005C,00614C8C,?,?,?), ref: 00536D88
    • CopyFileW.KERNEL32(?,?,00000000,?,?,0000005C,00614C8C,?,?,?), ref: 00536E80
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Global$CopyFileUnlock$DataDuplicateFreeH_prolog3H_prolog3_LockMetalstrlen
    • String ID:
    • API String ID: 3994854817-0
    • Opcode ID: c6250f7995968d80ba82fa694f377f6734a8e5cdb0cedb2303198975f8e39c8c
    • Instruction ID: 878477a67b99e8617b977ccbfe9d2d41bd702e4bf47023fc71967df470625df2
    • Opcode Fuzzy Hash: c6250f7995968d80ba82fa694f377f6734a8e5cdb0cedb2303198975f8e39c8c
    • Instruction Fuzzy Hash: A0813AB590060ABFDB249FA4CD8892ABFBAFF48345B10C91DE456DB650D730EC51DB60
    APIs
    • SetRectEmpty.USER32(?), ref: 005920EC
    • InvalidateRect.USER32(?,?,00000001), ref: 0059214F
    • InvalidateRect.USER32(?,?,00000001), ref: 0059215A
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Invalidate$Empty
    • String ID:
    • API String ID: 1126320529-0
    • Opcode ID: 1d81ac1b60d7a25cbd5b7f6b8bda0036904f1129db2c05cff664f27842733ad6
    • Instruction ID: 38963536ac02aaea973e39f5aae58540b57260188ad373091e17edbad26207e4
    • Opcode Fuzzy Hash: 1d81ac1b60d7a25cbd5b7f6b8bda0036904f1129db2c05cff664f27842733ad6
    • Instruction Fuzzy Hash: 80612875A00209AFCF11CF64C884AEEBBF6FF49700F154169E905AB251D771AE51CFA1
    APIs
      • Part of subcall function 005D7477: GetParent.USER32(?), ref: 005D7483
      • Part of subcall function 005D7477: GetParent.USER32(00000000), ref: 005D7486
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • GetParent.USER32(?), ref: 00570B98
    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00570BAD
    • GetClientRect.USER32(?,?), ref: 00570C14
    • GetClientRect.USER32(?,?), ref: 00570C29
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B72A
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B737
    • GetWindowRect.USER32(?,?), ref: 00570C49
      • Part of subcall function 00545D83: SetWindowPos.USER32(?,00000000,00000064,?,?,?,?,?,0053A8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00545DAB
    • GetParent.USER32(?), ref: 00570C98
    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00570CAC
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00570D01
    • PostMessageW.USER32(?,00000000,00000000), ref: 00570D23
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClientMessageParent$RectSendWindow$Screen$LongPost
    • String ID:
    • API String ID: 3884207962-0
    • Opcode ID: a10c895825118b13300ce526af94b53b599aaf8a147da586b4daebba555b962c
    • Instruction ID: 27dd71666ba6834515c1975630d93ade681c300e442c84ea503dd02a62a1c0b2
    • Opcode Fuzzy Hash: a10c895825118b13300ce526af94b53b599aaf8a147da586b4daebba555b962c
    • Instruction Fuzzy Hash: FE612AB1900209AFCF11DFA9DD849EEBBF9FF88304F14516AE905AB261D7715901CF64
    APIs
      • Part of subcall function 00547A7F: GetFocus.USER32 ref: 00547A85
      • Part of subcall function 00547A7F: GetParent.USER32(00000000), ref: 00547AAD
      • Part of subcall function 00547A7F: GetWindowLongW.USER32(?,000000F0), ref: 00547AC8
      • Part of subcall function 00547A7F: GetParent.USER32(?), ref: 00547AD6
      • Part of subcall function 00547A7F: GetDesktopWindow.USER32 ref: 00547ADA
      • Part of subcall function 00547A7F: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00547AEE
    • GetMenu.USER32(?), ref: 0056C3ED
    • GetMenuItemCount.USER32(?), ref: 0056C41D
    • GetSubMenu.USER32(?,00000000), ref: 0056C42E
    • GetMenuItemCount.USER32(?), ref: 0056C450
    • GetMenuItemID.USER32(?,00000000), ref: 0056C471
    • GetSubMenu.USER32(?,00000000), ref: 0056C489
    • GetMenuItemID.USER32(?,00000000), ref: 0056C4A1
    • GetMenuItemCount.USER32(?), ref: 0056C4D8
    • GetMenuItemID.USER32(?,00000000), ref: 0056C4F3
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
    • String ID:
    • API String ID: 4186786570-0
    • Opcode ID: f9e32ac294c2a334bec9e5942872e425deebdda8f4b0026c0da72f8ffd3d6ec1
    • Instruction ID: 2781a93a06a9da2647864afa3e92909668935aa06e72a38396eecfa804b296b3
    • Opcode Fuzzy Hash: f9e32ac294c2a334bec9e5942872e425deebdda8f4b0026c0da72f8ffd3d6ec1
    • Instruction Fuzzy Hash: A5514D31A00206DBCF11DFA4C985ABEBFB5FF58302F208569E496A7161DB31ED41DB21
    APIs
    • EnableMenuItem.USER32(?,0000420F,00000001), ref: 0055B004
    • EnableMenuItem.USER32(?,0000420E,00000001), ref: 0055B020
    • CheckMenuItem.USER32(?,00004213,00000008), ref: 0055B055
    • EnableMenuItem.USER32(?,00004212,00000001), ref: 0055B075
    • EnableMenuItem.USER32(?,00004212,00000001), ref: 0055B099
    • EnableMenuItem.USER32(?,00004213,00000001), ref: 0055B0A5
    • EnableMenuItem.USER32(?,00004214,00000001), ref: 0055B0B1
    • EnableMenuItem.USER32(?,00004215,00000001), ref: 0055B0F9
    • CheckMenuItem.USER32(?,00004215,00000008), ref: 0055B10D
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ItemMenu$Enable$Check
    • String ID:
    • API String ID: 1852492618-0
    • Opcode ID: 2ba5de914059f5b9e1a2a5574b68bfc8f976b387cb34db0a6987783a3888a7bd
    • Instruction ID: a539a5d88354d4287c2742e99eaad348cb2530082927a75ec80b5b145e4cd358
    • Opcode Fuzzy Hash: 2ba5de914059f5b9e1a2a5574b68bfc8f976b387cb34db0a6987783a3888a7bd
    • Instruction Fuzzy Hash: 10416E70740601EBEB208F14CDAEB16BBA5BF14702F148166FE25AB1F1D7B1DC48DA91
    APIs
    • __EH_prolog3.LIBCMT ref: 0059090C
    • _memset.LIBCMT ref: 0059092C
    • SendMessageW.USER32 ref: 00590954
    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00590974
    • SHGetDesktopFolder.SHELL32(?), ref: 0059099C
    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005909C5
    • SendMessageW.USER32(?,00001115,00000000,?), ref: 005909FC
    • SendMessageW.USER32(0058FE88,0000000B,00000001,00000000), ref: 00590A06
    • RedrawWindow.USER32(0058FE88,00000000,00000000,00000105), ref: 00590A12
      • Part of subcall function 00544EE7: __EH_prolog3_catch_GS.LIBCMT ref: 00544EF1
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$DesktopFolderH_prolog3H_prolog3_catch_RedrawWindow_memset
    • String ID:
    • API String ID: 3540180273-0
    • Opcode ID: eceb162220f07b12185c0dc0df48ba217f3cbfabff6ccacefa5ad22c48f2248b
    • Instruction ID: dedef7fdc1f8a98b1bd335a92518121e3d5a6888493f995403b837f62c642c25
    • Opcode Fuzzy Hash: eceb162220f07b12185c0dc0df48ba217f3cbfabff6ccacefa5ad22c48f2248b
    • Instruction Fuzzy Hash: 9A4108B0900209AFDF10EFA0CC89DAEBFB9FF48344F104928F656AB2A1D7719D518B50
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00546904
    • EnterCriticalSection.KERNEL32(?,00000010,00546ACD,?,00000000,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546915
    • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546933
    • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546967
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 005469D3
    • _memset.LIBCMT ref: 005469F2
    • TlsSetValue.KERNEL32(?,00000000,?,00535501,434C7695), ref: 00546A03
    • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546A24
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
    • String ID:
    • API String ID: 1891723912-0
    • Opcode ID: b305ff009872c8b3e1400dad85c50122e88c6e506b67e72f20a8fb989d46db2c
    • Instruction ID: 412274ecacb4398999a3483fe67e1da55d91c8d1c7ab5df3b292a295896ff273
    • Opcode Fuzzy Hash: b305ff009872c8b3e1400dad85c50122e88c6e506b67e72f20a8fb989d46db2c
    • Instruction Fuzzy Hash: AF317071400B06EFCB24EF50D889EAABFB2FF45318B10C52DE556A7660CB71A950CB92
    APIs
    • SetLastError.KERNEL32(0000139F,?,?,?,?,00533E9E,00000000), ref: 00534076
    • TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,00533E9E,00000000), ref: 0053408F
    • TryEnterCriticalSection.KERNEL32(?,?,?,?,?,?,00533E9E,00000000), ref: 00534099
    • SetLastError.KERNEL32(0000139F,?,?,?,?,?,00533E9E,00000000), ref: 005340B0
    • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,00533E9E,00000000), ref: 005340B9
    • LeaveCriticalSection.KERNEL32(00000004,?,?,?,?,?,00533E9E,00000000), ref: 005340BE
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CriticalSection$EnterErrorLastLeave
    • String ID:
    • API String ID: 4082018349-0
    • Opcode ID: 3f1a39ddc1303c3bdbf80cf766675909914b76c5f3226e56e9930a25b2ee7ec7
    • Instruction ID: d1c1f7b4d5cf224e6cb960d361f68fc2e15934558704b1f3be98db23f176f364
    • Opcode Fuzzy Hash: 3f1a39ddc1303c3bdbf80cf766675909914b76c5f3226e56e9930a25b2ee7ec7
    • Instruction Fuzzy Hash: A001A175600709EBC724ABA5CC4D96BBFEDFF88355F054929E642D7020DA70F885CE61
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0059CA29
      • Part of subcall function 005438F9: GetWindowTextLengthW.USER32(?), ref: 0054390A
      • Part of subcall function 005438F9: GetWindowTextW.USER32(?,00000000,00000001), ref: 00543921
    • InflateRect.USER32(?,?,?), ref: 0059CB46
    • SetRectEmpty.USER32(?), ref: 0059CB52
    • InflateRect.USER32(?,00000000,00000000), ref: 0059CBE3
    • OffsetRect.USER32(?,00000001,00000001), ref: 0059CC70
    • IsRectEmpty.USER32(?), ref: 0059CCFD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$EmptyInflateTextWindow$H_prolog3_LengthOffset
    • String ID: mmm
    • API String ID: 2648887860-1545505134
    • Opcode ID: d633ad2213bbdb1cc8cb4b6830b41d4a88b30ea3bc6e391d7c4175b28a54cf4f
    • Instruction ID: 0284830dc6e2c92cac106f8184cc4c28428076bdd4285d54aa7d417a85f959d1
    • Opcode Fuzzy Hash: d633ad2213bbdb1cc8cb4b6830b41d4a88b30ea3bc6e391d7c4175b28a54cf4f
    • Instruction Fuzzy Hash: 71E16E71900649DFCF15DFA8C888AEEBFB5FF89301F184579E806AB255DB30A945CB60
    APIs
    • GetCursorPos.USER32(?), ref: 00565100
    • GetWindowRect.USER32(?,?), ref: 00565119
    • PtInRect.USER32(?,?,?), ref: 00565137
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 00565148
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005651A0
      • Part of subcall function 005438C1: GetParent.USER32(?), ref: 005438CB
    • GetFocus.USER32 ref: 0056527C
      • Part of subcall function 0058442A: __EH_prolog3_GS.LIBCMT ref: 00584434
      • Part of subcall function 0058442A: GetWindowRect.USER32(?,?), ref: 005844CD
      • Part of subcall function 0058442A: SetRect.USER32(00000019,00000000,00000000,?,?), ref: 005844EF
      • Part of subcall function 0058442A: CreateCompatibleDC.GDI32(?), ref: 005844FB
      • Part of subcall function 0058442A: CreateCompatibleBitmap.GDI32(?,00000019,?), ref: 00584525
      • Part of subcall function 0058442A: GetWindowRect.USER32(?,?), ref: 00584587
      • Part of subcall function 0058442A: GetClientRect.USER32(?,?), ref: 00584590
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Window$CompatibleCreateMessageSend$BitmapClientCursorFocusH_prolog3_Parent
    • String ID: X'f
    • API String ID: 2914356772-3824865298
    • Opcode ID: 1e4841a93310c702e42d75e91109c8f5488db1a5e723f85ef068c8bba6a5bd40
    • Instruction ID: 036751fff39965d0cb6ef33e70e8c01ed5f184a82803a840612d450fb09ca18a
    • Opcode Fuzzy Hash: 1e4841a93310c702e42d75e91109c8f5488db1a5e723f85ef068c8bba6a5bd40
    • Instruction Fuzzy Hash: D581B570640A019FCB26AF64C899ABDBFF6FFCA701F24056AE4458B252EB719C41CF51
    APIs
    • __EH_prolog3_catch_GS.LIBCMT ref: 0058B3D0
      • Part of subcall function 0053EC52: ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,0058B3E3,000000FF,00000050), ref: 0053EC75
    • lstrlenA.KERNEL32(00000000,000000FF,00000050,0054D484,00000000,00000001,?,?,000000FF,?,?,?,?,?,?,00000034), ref: 0058B401
      • Part of subcall function 005366C4: _memcpy_s.LIBCMT ref: 005366D5
    • _memset.LIBCMT ref: 0058B4B0
      • Part of subcall function 0058B13D: __EH_prolog3.LIBCMT ref: 0058B144
    • VariantClear.OLEAUT32(?), ref: 0058B59E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ActivateClearH_prolog3H_prolog3_catch_Variant_memcpy_s_memsetlstrlen
    • String ID: `<u
    • API String ID: 3853244332-3367579956
    • Opcode ID: 91a84369a29d0f9d5bd521d12ffb8ab683d62da4073b8a5013995f2559216397
    • Instruction ID: daff79ec292801bf19afe0c1912c60892073f3930abe7dfef259d79edf2771d5
    • Opcode Fuzzy Hash: 91a84369a29d0f9d5bd521d12ffb8ab683d62da4073b8a5013995f2559216397
    • Instruction Fuzzy Hash: 13918F71C0060ADBEF14EFA4C8856AEBFB5FF05310F144559E811BB2A2E7319E41DBA1
    APIs
    • _memset.LIBCMT ref: 0058B7C7
    • SysAllocString.OLEAUT32(-00000010), ref: 0058B82A
    • SysAllocString.OLEAUT32(00000010), ref: 0058B854
    • SysAllocString.OLEAUT32(00000000), ref: 0058B8A3
    • SysAllocString.OLEAUT32(00000000), ref: 0058B8D2
    • SysAllocString.OLEAUT32(00000000), ref: 0058B907
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AllocString$_memset
    • String ID: h/f
    • API String ID: 287750986-256425866
    • Opcode ID: 679f49d4edf7ff668df393e76fb919ea1f9f54f867c337d0f77dcf610d552b3a
    • Instruction ID: 28b32e6f6e2d45c44f2eb6c5a81024c3e671d76f926cea98422541698f017eda
    • Opcode Fuzzy Hash: 679f49d4edf7ff668df393e76fb919ea1f9f54f867c337d0f77dcf610d552b3a
    • Instruction Fuzzy Hash: B24170719007059FCB20EF64CC49BA9BBF9BF84314F108669E565A72A2DB34E984CF44
    APIs
      • Part of subcall function 0053AB60: GetParent.USER32(00000000), ref: 0053ABB4
      • Part of subcall function 0053AB60: GetLastActivePopup.USER32(00000000), ref: 0053ABC5
      • Part of subcall function 0053AB60: IsWindowEnabled.USER32(00000000), ref: 0053ABD9
      • Part of subcall function 0053AB60: EnableWindow.USER32(00000000,00000000), ref: 0053ABEC
    • EnableWindow.USER32(?,00000001), ref: 0053AC5F
    • GetWindowThreadProcessId.USER32(?,?), ref: 0053AC73
    • GetCurrentProcessId.KERNEL32(?,?), ref: 0053AC7D
    • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 0053AC95
    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,?), ref: 0053AD11
    • EnableWindow.USER32(00000000,00000001), ref: 0053AD58
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
    • String ID: 0
    • API String ID: 1877664794-4108050209
    • Opcode ID: 5f6157ffd7a1348b150b8f3688483d0e2665dbfd302d47b339cecfb1cc79ccf8
    • Instruction ID: 3442f2ca60212142f2144bc9f599f38469dd0d0adbf9c2876ee0bde65001d52e
    • Opcode Fuzzy Hash: 5f6157ffd7a1348b150b8f3688483d0e2665dbfd302d47b339cecfb1cc79ccf8
    • Instruction Fuzzy Hash: 0C41CF32A4031DAFDB20DF64DC89BAABBB9FF44311F141699F955D6290D770CE808B92
    APIs
    • __EH_prolog3.LIBCMT ref: 00595B39
      • Part of subcall function 005C4001: __EH_prolog3.LIBCMT ref: 005C4008
      • Part of subcall function 006108DB: SetRectEmpty.USER32(?), ref: 0061090B
    • SetRectEmpty.USER32(?), ref: 00595C81
    • SetRectEmpty.USER32(?), ref: 00595C90
    • SetRectEmpty.USER32(?), ref: 00595C99
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: EmptyRect$H_prolog3
    • String ID: False$Le$True
    • API String ID: 3752103406-1924975550
    • Opcode ID: 081696943b873e24dcc824ac22141092d55eb83fad3ff5203aa08d5a7997270e
    • Instruction ID: 7556f51d07e25c8f2055184cfe527fa380f10e500b29b920faef9c48b431f3ee
    • Opcode Fuzzy Hash: 081696943b873e24dcc824ac22141092d55eb83fad3ff5203aa08d5a7997270e
    • Instruction Fuzzy Hash: CA51BEB0801B418FC366DF7AC5997DAFBE8BFA4300F50495EE0AE96261DBB02644CF15
    APIs
    • __EH_prolog3.LIBCMT ref: 005904B1
    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?,00000078,00590797,?,00590815), ref: 005904D4
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • SHGetDesktopFolder.SHELL32(?,?,00590815), ref: 005904E9
    • GlobalAlloc.KERNEL32(00000040,0000000C,?,00590815), ref: 005904FE
    • SendMessageW.USER32(?,00001132,00000000,?), ref: 005905A7
    • SendMessageW.USER32(?,00001102,00000002,00000000), ref: 005905B4
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FolderH_prolog3MessageSend$AllocDesktopException@8GlobalLocationSpecialThrow
    • String ID: g
    • API String ID: 2027722222-30677878
    • Opcode ID: f5117d9f427bd64ab932a12643c8f2f085f1f656a2d9ef2fa16edf9d406b5d8e
    • Instruction ID: d5dc0d15149e80e310437905adc21deb5febf4f3d0e2988cbe25bcfedc6b0f3d
    • Opcode Fuzzy Hash: f5117d9f427bd64ab932a12643c8f2f085f1f656a2d9ef2fa16edf9d406b5d8e
    • Instruction Fuzzy Hash: F7314D71A002169FDF10DFA4CC89AAEBBFAFF49300F014569F505EB291DB749941CB61
    APIs
    • SendMessageW.USER32(?,0000110A,00000004,?), ref: 00590D37
    • _memset.LIBCMT ref: 00590D44
    • SendMessageW.USER32(?,00001102,00008001,?), ref: 00590DAD
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00590D76
    • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00590D81
    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00590D9B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$Exception@8H_prolog3Throw_memset
    • String ID: @
    • API String ID: 3199205413-2766056989
    • Opcode ID: e65485179eb06c181889a3df259d4e2b2a35178cab66043b177edd137ac9b994
    • Instruction ID: 80a133290a47294cc747d033b5b986e8ff21993da0b2dc8dc818b4dc023d227f
    • Opcode Fuzzy Hash: e65485179eb06c181889a3df259d4e2b2a35178cab66043b177edd137ac9b994
    • Instruction Fuzzy Hash: 07218E72640308BFEF219F95CC81FAA7BA9BF58751F145815FA44AA1E0E6B1EC408B60
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00591A25
      • Part of subcall function 0054D942: SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0054D94B
    • SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 00591A91
    • SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00591A9E
    • SendMessageW.USER32(FFFFFFFF,00000030,?,00000001), ref: 00591ABE
    • SendMessageW.USER32(FFFFFFFF,000000D4,00000000,00000000), ref: 00591AC8
    • ~_Task_impl.LIBCPMT ref: 00591AE8
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$H_prolog3_Task_impl
    • String ID: d
    • API String ID: 731318678-2564639436
    • Opcode ID: 941722925e6ec87f8444ee6be2e188f3256aebe8f306cff246b56412d5fea30d
    • Instruction ID: d9f7c925d4228dc5da34d42b08fd9ca32851f1655aa21c4db034704070a4d069
    • Opcode Fuzzy Hash: 941722925e6ec87f8444ee6be2e188f3256aebe8f306cff246b56412d5fea30d
    • Instruction Fuzzy Hash: 58216270900219AFEF21DFA1CD86FEDBEB9BF04304F500269A608A7191CB745E40CF94
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0055C878
    • SetCursor.USER32(00000040,0055D007,00000000,00000000,?), ref: 0055C912
      • Part of subcall function 0053BA35: __EH_prolog3.LIBCMT ref: 0053BA3C
      • Part of subcall function 0053BA35: GetDC.USER32(00000000), ref: 0053BA68
      • Part of subcall function 00556F56: __EH_prolog3_GS.LIBCMT ref: 00556F5D
      • Part of subcall function 00556F56: CreateRectRgnIndirect.GDI32(?), ref: 00556F9A
      • Part of subcall function 00556F56: CopyRect.USER32(?,?), ref: 00556FB0
      • Part of subcall function 00556F56: InflateRect.USER32(?,?,?), ref: 00556FC6
      • Part of subcall function 00556F56: IntersectRect.USER32(?,?,?), ref: 00556FD4
      • Part of subcall function 00556F56: CreateRectRgnIndirect.GDI32(?), ref: 00556FDE
      • Part of subcall function 00556F56: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00556FF3
      • Part of subcall function 00556F56: CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 0055705B
      • Part of subcall function 0053BA89: __EH_prolog3.LIBCMT ref: 0053BA90
      • Part of subcall function 0053BA89: ReleaseDC.USER32(?,00000000), ref: 0053BAAD
    • GetFocus.USER32 ref: 0055C9B1
    • SetTimer.USER32(?,00000014,000001F4,00000000), ref: 0055CA71
    • SendMessageW.USER32(?,00000362,0000E001,00000000), ref: 0055CB16
    • KillTimer.USER32(?,00000014), ref: 0055CC42
    • SetTimer.USER32(?,00000014,000001F4,00000000), ref: 0055CC5F
    • UpdateWindow.USER32(?), ref: 0055CC7E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Create$Timer$H_prolog3H_prolog3_Indirect$CopyCursorFocusInflateIntersectKillMessageReleaseSendUpdateWindow
    • String ID:
    • API String ID: 2399994607-0
    • Opcode ID: 36c1c1051a0b0878fd5c3376bb2096759336a6ea74e5f811258d42180848da23
    • Instruction ID: 9eb27eb5698d0d4e0ed848b6e4bc3ca9b3a3258a1d2ffd150898effece4c8681
    • Opcode Fuzzy Hash: 36c1c1051a0b0878fd5c3376bb2096759336a6ea74e5f811258d42180848da23
    • Instruction Fuzzy Hash: 6FC16D715003049FDF25DF64C8E9BA93FB1BB44326F24427AED199E295DB709D88CB60
    APIs
    • __EH_prolog3.LIBCMT ref: 005E0394
    • GetSystemMenu.USER32(?,00000000,00000038,005749C6,00000000,00000000,?), ref: 005E0442
    • IsMenu.USER32(?), ref: 005E0457
    • IsMenu.USER32(?), ref: 005E0468
    • GetWindowLongW.USER32(?,000000F0), ref: 005E0490
    • _memset.LIBCMT ref: 005E0572
    • GetMenuItemInfoW.USER32(00000000,0000F060,00000000,?), ref: 005E058D
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 005E05E2
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$Window$H_prolog3InfoItemLongRedrawSystem_memset
    • String ID:
    • API String ID: 428562733-0
    • Opcode ID: 20de61226fe037fc809ff2520241834604782dcba0e0979a8fa303d14e30df7d
    • Instruction ID: 1358e9348adfc5ec1a1e747cd0449e5e024b24e7c7f7bc16a9c4c86743f993a8
    • Opcode Fuzzy Hash: 20de61226fe037fc809ff2520241834604782dcba0e0979a8fa303d14e30df7d
    • Instruction Fuzzy Hash: 9E719E709007469BDB15DF65C948BAEBBF5FF44310F20561EE496972D1DBB09A81CF10
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$CaptureDestroyEmptyMessageParentPointsRectReleaseSendVisible
    • String ID:
    • API String ID: 3509494761-0
    • Opcode ID: 3599af2f517624876aeb0e0a00cebde7872be83cb65e4ace44fc159bdd45ca24
    • Instruction ID: 4026e86ee6de55380d6dd00cccdb7e4cac4eca06ff0c1b3e8f80a6ed8e516d2b
    • Opcode Fuzzy Hash: 3599af2f517624876aeb0e0a00cebde7872be83cb65e4ace44fc159bdd45ca24
    • Instruction Fuzzy Hash: F3514B31204209ABDF15DFA4CC99BAE3BB6BF4A301F0505B9FD069E192DB719D05CB61
    APIs
    • GetFocus.USER32 ref: 0058EF63
    • ScreenToClient.USER32(00000000,?), ref: 0058EFA8
    • SendMessageW.USER32(?,0000102C,00000000,00000003), ref: 0058EFE6
    • SetCapture.USER32(?), ref: 0058F00C
    • ReleaseCapture.USER32 ref: 0058F047
    • ScreenToClient.USER32(?,?), ref: 0058F066
    • GetSystemMetrics.USER32(00000044), ref: 0058F0A1
    • GetSystemMetrics.USER32(00000045), ref: 0058F0BD
      • Part of subcall function 0058E4D4: SendMessageW.USER32(0058EF4A,00001018,00000000,00000000), ref: 0058E4E0
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CaptureClientMessageMetricsScreenSendSystem$FocusRelease
    • String ID:
    • API String ID: 3871486171-0
    • Opcode ID: a3354da45223c7880570582cebbbcd6953eb02a2b6121b06ea76cb3a45706c9b
    • Instruction ID: fc3cd61a77ac4dac784ee555736e0ad406c6f6ca3d7fc202aa912e8a50e028d1
    • Opcode Fuzzy Hash: a3354da45223c7880570582cebbbcd6953eb02a2b6121b06ea76cb3a45706c9b
    • Instruction Fuzzy Hash: AA512E75A00605EFCB10EFB8C949AAABFF5FF58300F20452AF996D7251DB70A981CB50
    APIs
    • GetClientRect.USER32(?,?), ref: 005427B4
    • BeginDeferWindowPos.USER32(00000008), ref: 005427CC
    • GetTopWindow.USER32(?), ref: 005427E1
    • GetDlgCtrlID.USER32(00000000), ref: 005427F0
    • SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 00542822
    • GetWindow.USER32(00000000,00000002), ref: 0054282B
    • CopyRect.USER32(?,?), ref: 00542849
    • EndDeferWindowPos.USER32(00000000), ref: 005428C0
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
    • String ID:
    • API String ID: 1228040700-0
    • Opcode ID: 095e48f058085bbc1ce56e9c66c969eb3291f0ae877707bf4a617e4e331be2d2
    • Instruction ID: 31c192c642ff4a97ff9d71201a723a012f2df70bc0870549a5d22fcd84aa4c01
    • Opcode Fuzzy Hash: 095e48f058085bbc1ce56e9c66c969eb3291f0ae877707bf4a617e4e331be2d2
    • Instruction Fuzzy Hash: 2F510272900229DFCF11DFA8C8889EEBBB5FF88315F54826AF805A7250D7319941CFA5
    APIs
    • __EH_prolog3.LIBCMT ref: 00623A7B
    • EqualRect.USER32(?,?), ref: 00623A9A
    • EqualRect.USER32(?,?), ref: 00623AAB
    • CreateRectRgn.GDI32(00000000,00000000,?,?), ref: 00623AFB
    • CreateRectRgn.GDI32(?,00000000,?,?), ref: 00623B2E
    • CreateRectRgnIndirect.GDI32(?), ref: 00623B3A
    • SetWindowRgn.USER32(?,?,00000000), ref: 00623B61
    • RedrawWindow.USER32(?,00000000,00000000,00000105,006A8640,?,?,?,00000001,00000058), ref: 00623BD9
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Create$EqualWindow$H_prolog3IndirectRedraw
    • String ID:
    • API String ID: 1234839666-0
    • Opcode ID: 1144977876c92c33e56db42574a46bd3c496ffa569636f863f6fdb5526759074
    • Instruction ID: d3d0211682d67ecc6577d0be2587f34d923aad704af04c45cee3d058ed612ad2
    • Opcode Fuzzy Hash: 1144977876c92c33e56db42574a46bd3c496ffa569636f863f6fdb5526759074
    • Instruction Fuzzy Hash: 8D51387180061AAFCF01DFA4C989EEE7B6ABF45301F008219FD05AB255DB74AA05CFA0
    APIs
      • Part of subcall function 005A80F8: ReleaseCapture.USER32 ref: 005A8126
      • Part of subcall function 005A80F8: IsWindow.USER32(?), ref: 005A814A
      • Part of subcall function 005A80F8: DestroyWindow.USER32(?), ref: 005A815A
    • SetRectEmpty.USER32(?), ref: 00559B05
    • ReleaseCapture.USER32 ref: 00559B0B
    • SetCapture.USER32(?), ref: 00559B1A
    • GetCapture.USER32 ref: 00559B5C
    • ReleaseCapture.USER32 ref: 00559B6C
    • SetCapture.USER32(?), ref: 00559B7B
    • RedrawWindow.USER32(?,?,?,00000505), ref: 00559BE6
    • RedrawWindow.USER32(?,00000000,00000000,00000505), ref: 00559C25
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Capture$Window$Release$Redraw$DestroyEmptyRect
    • String ID:
    • API String ID: 2209428161-0
    • Opcode ID: 7a9aed4251e7090d1aceffdfecd2aae4380bc4e57dc30e697971a6512d3fa341
    • Instruction ID: 7a14ea831eb6e66f45878ade50aa6a40f26849957968dd74439de0efcc3b99f3
    • Opcode Fuzzy Hash: 7a9aed4251e7090d1aceffdfecd2aae4380bc4e57dc30e697971a6512d3fa341
    • Instruction Fuzzy Hash: 704180712047019FE724AB74D85DF9B7FA6FFC8326F10065DE85A872A1DB34E8048B11
    APIs
    • GetWindowRect.USER32(?,?), ref: 00596156
    • InvalidateRect.USER32(?,00000000,00000001), ref: 00596197
    • TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 005961E4
    • GetParent.USER32(?), ref: 005961F3
    • SendMessageW.USER32(?,00000111,?,?), ref: 00596229
    • InvalidateRect.USER32(?,00000000,00000001,00000000), ref: 00596247
    • UpdateWindow.USER32(?), ref: 00596250
    • ReleaseCapture.USER32 ref: 0059625F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$InvalidateWindow$CaptureMenuMessageParentPopupReleaseSendTrackUpdate
    • String ID:
    • API String ID: 2465089168-0
    • Opcode ID: 4daa5a685d15d16b83f7f676554fcb87858956f64c83f6b1bcdd2d5d325cd0d6
    • Instruction ID: 95b51909b28af12042f09ce14566beb2def570bdf4b09196181a61478518c4b4
    • Opcode Fuzzy Hash: 4daa5a685d15d16b83f7f676554fcb87858956f64c83f6b1bcdd2d5d325cd0d6
    • Instruction Fuzzy Hash: 0B41E775900B04EFCB219FA5CC849ABBFF6FF89702F10091AE59A92221D7756844DF51
    APIs
    • GetParent.USER32(?), ref: 0059C777
    • SendMessageW.USER32(?,00000111,?,?), ref: 0059C7A5
    • IsWindow.USER32(?), ref: 0059C7B4
    • RedrawWindow.USER32(?,00000000,00000000,00000105,?,?,?,?,?,005963C9,?,?,?), ref: 0059C7C4
    • IsWindow.USER32(?), ref: 0059C7D4
    • ReleaseCapture.USER32 ref: 0059C7E2
    • KillTimer.USER32(?,00000001,?,?,?,?,?,005963C9,?,?,?), ref: 0059C7FB
    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0059C81A
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$MessageSend$CaptureKillParentRedrawReleaseTimer
    • String ID:
    • API String ID: 3014619129-0
    • Opcode ID: 95b914d71dc2b2159cc028f3ebde4035e002ee737b0d1cccf2bc9a711dd5f499
    • Instruction ID: 1a9c3a24d39b15874cc0e45913daa04956c127b559e8009b236506c4fc44d5a2
    • Opcode Fuzzy Hash: 95b914d71dc2b2159cc028f3ebde4035e002ee737b0d1cccf2bc9a711dd5f499
    • Instruction Fuzzy Hash: 3B313E71910B00EFCB319BB58948BABFEF5FF84B41F140A2EE59A91151E7716840DF12
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _free$AtomDeleteGlobal$H_prolog3_catch_
    • String ID:
    • API String ID: 1844215989-0
    • Opcode ID: b50b9319121f5514bef784c3bc3eb7394f3c900a9108f20f6a8820baf29081f5
    • Instruction ID: e71614ac67c5688c6e30eb5ac9827e108107fa7bd702ea821dead0a43450899e
    • Opcode Fuzzy Hash: b50b9319121f5514bef784c3bc3eb7394f3c900a9108f20f6a8820baf29081f5
    • Instruction Fuzzy Hash: FB3143B05047459FDB25AF64C499A69BFE2FF08304F5488ADF1568B6A2CB71EC40CF54
    APIs
    • EnterCriticalSection.KERNEL32(?,?), ref: 00533636
    • LeaveCriticalSection.KERNEL32(?), ref: 0053364C
    • send.WS2_32(?,?,?,00000000), ref: 00533669
    • EnterCriticalSection.KERNEL32(?), ref: 0053367E
    • LeaveCriticalSection.KERNEL32(?), ref: 00533691
    • WSAGetLastError.WS2_32 ref: 005336AC
    • EnterCriticalSection.KERNEL32(?), ref: 005336C4
    • LeaveCriticalSection.KERNEL32 ref: 005336FC
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CriticalSection$EnterLeave$ErrorLastsend
    • String ID:
    • API String ID: 3480985631-0
    • Opcode ID: 8fa868b4835e26de25c6657786cf139ad6bb2185bcff7955799c32de813cd15c
    • Instruction ID: 23ee86b5d35a816cc8ab53683d0b531ea927a3a2cfc002666e92b7a32e9a6462
    • Opcode Fuzzy Hash: 8fa868b4835e26de25c6657786cf139ad6bb2185bcff7955799c32de813cd15c
    • Instruction Fuzzy Hash: FD310AB1504B059FD320DF79C889AABBBF8FB48311F404E2EE4AAC3650E731E6058B51
    APIs
    • GetAsyncKeyState.USER32(00000012), ref: 0057EA94
    • GetAsyncKeyState.USER32(00000012), ref: 0057EAAE
    • _memset.LIBCMT ref: 0057EACD
    • GetKeyboardState.USER32(?), ref: 0057EADC
    • GetKeyboardLayout.USER32(?), ref: 0057EAF3
    • MapVirtualKeyW.USER32(?,00000000), ref: 0057EB0F
    • ToUnicodeEx.USER32(?,00000000), ref: 0057EB17
    • CharUpperW.USER32(?), ref: 0057EB24
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: State$AsyncKeyboard$CharLayoutUnicodeUpperVirtual_memset
    • String ID:
    • API String ID: 3224171628-0
    • Opcode ID: 4b4f7647d5f03db062c9b5902d85ce3219ba250413e5f59e6c3905594f2c0643
    • Instruction ID: 3e336929d8f2f9b10da68e6fa6d4f0107be4fd790754f18096e36bdefbebf822
    • Opcode Fuzzy Hash: 4b4f7647d5f03db062c9b5902d85ce3219ba250413e5f59e6c3905594f2c0643
    • Instruction Fuzzy Hash: ED21C531900309ABDB10EBA0EC4AFED7B7DBB58701F044095F645D2081EFB099849FA1
    APIs
    • GetMenuItemCount.USER32(?), ref: 0053657A
    • GetMenuItemCount.USER32(?), ref: 00536582
    • GetSubMenu.USER32(?,-00000001), ref: 0053659F
    • GetMenuItemCount.USER32(00000000), ref: 005365AF
    • GetSubMenu.USER32(00000000,00000000), ref: 005365C0
    • RemoveMenu.USER32(00000000,00000000,00000400), ref: 005365DD
    • GetSubMenu.USER32(?,?), ref: 005365F7
    • RemoveMenu.USER32(?,?,00000400), ref: 00536615
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$CountItem$Remove
    • String ID:
    • API String ID: 3494307843-0
    • Opcode ID: ed5fef72c7c0f308f8c0ade4650a97fe0bc272875153538f3402d2c04c146a3b
    • Instruction ID: 14171478f9b278427578a78f80049bd1a29ef796735782e2b5575b93e3f36b70
    • Opcode Fuzzy Hash: ed5fef72c7c0f308f8c0ade4650a97fe0bc272875153538f3402d2c04c146a3b
    • Instruction Fuzzy Hash: E021293590020AFBCF11DFA4CD8599EBFB5FB48341F20886AE911A6111D771DB91EF90
    APIs
    • GlobalLock.KERNEL32(?), ref: 00537321
    • lstrcmpW.KERNEL32(00000000,?), ref: 0053732E
    • OpenPrinterW.WINSPOOL.DRV(?,?,00000000), ref: 00537340
    • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00537360
    • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00537368
    • GlobalLock.KERNEL32(00000000), ref: 00537372
    • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002), ref: 0053737F
    • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002), ref: 00537397
      • Part of subcall function 005477E9: GlobalFlags.KERNEL32(?), ref: 005477F8
      • Part of subcall function 005477E9: GlobalUnlock.KERNEL32(?), ref: 00547809
      • Part of subcall function 005477E9: GlobalFree.KERNEL32(?), ref: 00547813
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
    • String ID:
    • API String ID: 168474834-0
    • Opcode ID: d28aca5323f72bb04036188bb3759e1f2de99a265ed34efb572764ab8437441a
    • Instruction ID: 3614214ac8b78d5076bdb26099e2e7c43d30b2e04b2a007fad46aae7b639d237
    • Opcode Fuzzy Hash: d28aca5323f72bb04036188bb3759e1f2de99a265ed34efb572764ab8437441a
    • Instruction Fuzzy Hash: 7F114FB2500608BFDB32ABA5CC89DAF7FBEFB89B54B000519FA04D6121D635D950EB24
    APIs
    • GetSystemMetrics.USER32(00000031), ref: 0054A1CC
    • GetSystemMetrics.USER32(00000032), ref: 0054A1D6
    • SetRectEmpty.USER32(006A8AA4), ref: 0054A1E5
    • EnumDisplayMonitors.USER32(00000000,00000000,0054A131,006A8AA4,?,?,?,0053E2E4,?), ref: 0054A1F5
    • SystemParametersInfoW.USER32(00000030,00000000,006A8AA4,00000000), ref: 0054A210
    • SystemParametersInfoW.USER32(00001002,00000000,006A8AD0,00000000), ref: 0054A230
    • SystemParametersInfoW.USER32(00001012,00000000,006A8AD4,00000000), ref: 0054A248
    • SystemParametersInfoW.USER32 ref: 0054A268
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: System$InfoParameters$Metrics$DisplayEmptyEnumMonitorsRect
    • String ID:
    • API String ID: 2614369430-0
    • Opcode ID: c1ed1033482328827d696064231e0f746a5c6642d121197e4a58bd98af5e91fd
    • Instruction ID: 1023761bd84d6f7ecb5fc8d8a093281780b1cdfc2290c220a463ef5fbca1bffc
    • Opcode Fuzzy Hash: c1ed1033482328827d696064231e0f746a5c6642d121197e4a58bd98af5e91fd
    • Instruction Fuzzy Hash: F3111CB5541740AFE3318F668C49EE7BAFCFFC9B01F00091EE59A86140D7B16941DB61
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Global$Size$LockUnlock$Alloc
    • String ID:
    • API String ID: 2344174106-0
    • Opcode ID: 163343738f141ba9e090d5db534fd8d07a2af5a85ccda3e79aecebda7eea96e1
    • Instruction ID: b55f67d61fa0bb6477814d776adc05d6aa25304a0cacbe0606b3fbfa8073e296
    • Opcode Fuzzy Hash: 163343738f141ba9e090d5db534fd8d07a2af5a85ccda3e79aecebda7eea96e1
    • Instruction Fuzzy Hash: B9017C71900229BFEF11AFA58C88C5EBF6DFF442A4B10842AFD0593211EA719D10DAA0
    APIs
    • __EH_prolog3.LIBCMT ref: 005DB3F2
    • GetWindow.USER32(?,00000005), ref: 005DB456
      • Part of subcall function 005DAADC: __EH_prolog3.LIBCMT ref: 005DAAE3
      • Part of subcall function 005DAADC: GetWindow.USER32(?,00000005), ref: 005DAB03
      • Part of subcall function 005DAADC: GetWindow.USER32(?,00000002), ref: 005DAB39
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$H_prolog3
    • String ID:
    • API String ID: 1351209170-0
    • Opcode ID: a01ac780a0c6bf68e94055397fef8da802f7147ef60e475f402cc9ff484f502b
    • Instruction ID: 09ea02a0d58188833f8b7cd3d028017671650501dc085555200f9c1a6ec7389a
    • Opcode Fuzzy Hash: a01ac780a0c6bf68e94055397fef8da802f7147ef60e475f402cc9ff484f502b
    • Instruction Fuzzy Hash: 28D13D74A00206DFEF24DFA8C899AADBBB6FF48300F15056AF516A7392DB349D41CB51
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005C2570
    • GetMenuItemCount.USER32(0000000D), ref: 005C25B9
    • GetMenuItemID.USER32(0000000D,?), ref: 005C25DC
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
      • Part of subcall function 005A60F6: __EH_prolog3.LIBCMT ref: 005A60FD
      • Part of subcall function 00536156: __EH_prolog3.LIBCMT ref: 0053615D
      • Part of subcall function 005476D2: __EH_prolog3.LIBCMT ref: 005476D9
    • lstrlenW.KERNEL32(00000000,?), ref: 005C26FE
    • CharUpperBuffW.USER32(00000002,00000001), ref: 005C2713
    • lstrlenW.KERNEL32(00000000), ref: 005C271B
    • GetSubMenu.USER32(00000000,?), ref: 005C284D
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3$Menu$Itemlstrlen$BuffCharCountException@8H_prolog3_ThrowUpper
    • String ID:
    • API String ID: 4251509382-0
    • Opcode ID: f527ce60e22c196b5dff6c573af198058f963d47ec3a12d407c81169e8b60d0c
    • Instruction ID: 6ea75154d12989ef2c88d2ff27b08bc0a7d73a9a5b657e93868627c03614b3c1
    • Opcode Fuzzy Hash: f527ce60e22c196b5dff6c573af198058f963d47ec3a12d407c81169e8b60d0c
    • Instruction Fuzzy Hash: 19D1773090022AAFDF25EBA4CC99BEDBB74BF49320F1442DDE519A6291DB305E85CF51
    APIs
    • __EH_prolog3.LIBCMT ref: 00553C3A
    • VariantClear.OLEAUT32(?), ref: 00553CFE
    • CoTaskMemFree.OLE32(?,00000014,005546A1,0000000C,0055485F), ref: 00553DA2
    • CoTaskMemFree.OLE32(?,00000014,005546A1,0000000C,0055485F), ref: 00553DB0
    • __EH_prolog3.LIBCMT ref: 00553E3D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FreeH_prolog3Task$ClearVariant
    • String ID: (
    • API String ID: 3826790346-3887548279
    • Opcode ID: 6e72090f79213421832c97b21c643f3ce6f4913e711cfd081007b2656ce65e65
    • Instruction ID: a08a50f5511d1ee157409775ec58da381023ebf35381b7024dd734dedb470082
    • Opcode Fuzzy Hash: 6e72090f79213421832c97b21c643f3ce6f4913e711cfd081007b2656ce65e65
    • Instruction Fuzzy Hash: DAC18F31600706DFCB24DFA4C8E596ABBF6BF84341B14492EF95A9B651CB30EE49CB50
    APIs
      • Part of subcall function 00545A40: GetWindowLongW.USER32(?,000000EC), ref: 00545A4B
    • GetClientRect.USER32(?,?), ref: 005657B8
    • GetAsyncKeyState.USER32(00000011), ref: 0056585E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AsyncClientLongRectStateWindow
    • String ID: '$(e
    • API String ID: 304971295-3596048104
    • Opcode ID: 5a51a085f9ed0ccdea9cb5e2e19a205edad89a8f9b6934653fcb4308dabbf3a5
    • Instruction ID: ca08ebf6cb7dec4718884a6c1ccd2cc02be1e3113b88f93bb2a0b29283a6e815
    • Opcode Fuzzy Hash: 5a51a085f9ed0ccdea9cb5e2e19a205edad89a8f9b6934653fcb4308dabbf3a5
    • Instruction Fuzzy Hash: 42B17F30740A06CBDB299FA4C499BBD7BF2BF88341F14466DE546DB291EB709D81CB81
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Empty$StateWindow
    • String ID: X'f$pxf
    • API String ID: 2684165152-3105597543
    • Opcode ID: a6cb27bc0ec66605d306bfc9179f8cd28bdfa74e96ff7d031215bfaf1b7cdbbf
    • Instruction ID: ad15dffa93b6ff5bfad4bd665a777b2270bacb791e8648bba623b0b1b206042b
    • Opcode Fuzzy Hash: a6cb27bc0ec66605d306bfc9179f8cd28bdfa74e96ff7d031215bfaf1b7cdbbf
    • Instruction Fuzzy Hash: AB916D31A002069FDF15EFA4D889BEEBFB6FF89310F144169F905AB255DB709940CBA1
    APIs
    • __EH_prolog3.LIBCMT ref: 005CED25
    • CreateCompatibleDC.GDI32(00000002), ref: 005CED82
      • Part of subcall function 0059E8CB: FillRect.USER32(?,00000020), ref: 0059E8DF
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CompatibleCreateFillH_prolog3Rect
    • String ID:
    • API String ID: 2215992850-0
    • Opcode ID: 35ba1c7c1f0b3c54a74134a38564e1b630e88c18bb78967ca914d8bc853a7d97
    • Instruction ID: 479b9e0ee6be522a91e1920371a1039eecbd8feec9e68a559b1ee91db2b0ebd7
    • Opcode Fuzzy Hash: 35ba1c7c1f0b3c54a74134a38564e1b630e88c18bb78967ca914d8bc853a7d97
    • Instruction Fuzzy Hash: 08916871A0021A9FDB14DFA8CC8AAAEBFB5FF44301F14462DF951E6291DB34D905DB60
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00575B80
      • Part of subcall function 005B3552: __EH_prolog3.LIBCMT ref: 005B3559
    • GetMenuItemCount.USER32(?), ref: 00575BEA
    • GetMenuItemID.USER32(?,?), ref: 00575C0D
    • GetMenuItemCount.USER32(?), ref: 00575C50
    • GetMenuItemID.USER32(?,?), ref: 00575C84
    • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 00575CF6
    • GetMenuState.USER32(?,?,00000400), ref: 00575D4E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Menu$Item$Count$H_prolog3H_prolog3_MessageSendState
    • String ID:
    • API String ID: 999183886-0
    • Opcode ID: cef981fd890c0faf0823b1f6c888d9b9268ded27a91b3efacd7522c1617c056a
    • Instruction ID: b72322180b17ded65badb0af485fa40b364a0f8eec99dd06c28695ca8a85678d
    • Opcode Fuzzy Hash: cef981fd890c0faf0823b1f6c888d9b9268ded27a91b3efacd7522c1617c056a
    • Instruction Fuzzy Hash: 67717C3180066A9BCF24DF64CC89AEDBBB5BB45314F1442E9E929A3191DB705F80DF40
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 00614C1F
      • Part of subcall function 00614B90: OleGetClipboard.OLE32(?), ref: 00614BA8
    • ReleaseStgMedium.OLE32(?), ref: 00614C94
    • ReleaseStgMedium.OLE32(?), ref: 00614CD9
    • CoTaskMemFree.OLE32(?), ref: 00614D81
    • ReleaseStgMedium.OLE32(?), ref: 00614CF9
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MediumRelease$ClipboardFreeH_prolog3_catchTask_malloc
    • String ID: '
    • API String ID: 3930503942-1997036262
    • Opcode ID: 1a3e639208fa47fedee280d966f18d8bb550947d43c1bf3e4ab88bee62f12f4f
    • Instruction ID: baf79ad7450c8f6a169ef36a050cd2aacf89ca99339bca4628b7c94bc6a76a73
    • Opcode Fuzzy Hash: 1a3e639208fa47fedee280d966f18d8bb550947d43c1bf3e4ab88bee62f12f4f
    • Instruction Fuzzy Hash: F4517F71901209EECF11DFA4D984AED7BB6BF48300F288429F505AB251DF719E84DBA1
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005A35D1
      • Part of subcall function 0053BAC4: __EH_prolog3.LIBCMT ref: 0053BACB
      • Part of subcall function 0053BAC4: GetWindowDC.USER32(00000000,00000004,0054B273,00000000,?,?,00667718), ref: 0053BAF7
    • CreateCompatibleDC.GDI32(00000000), ref: 005A3606
    • CreateDIBSection.GDI32(?,?,00000000,?,00000000,00000000), ref: 005A368A
    • CreateCompatibleBitmap.GDI32(?,?,?), ref: 005A36D6
      • Part of subcall function 0053BD26: SelectObject.GDI32(?,?), ref: 0053BD31
    • FillRect.USER32(?,?,00000000), ref: 005A3711
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Create$Compatible$BitmapFillH_prolog3H_prolog3_ObjectRectSectionSelectWindow
    • String ID: (
    • API String ID: 2680359821-3887548279
    • Opcode ID: 63b656d8d11fed434b2ba85c1d8bcef9f399cf33f2f60c529ecc1fbb012b8701
    • Instruction ID: 6b574f5ebaca765d943abe5e2c9206ee0a5bc4ded9b67a60a9e0f88b0cd25751
    • Opcode Fuzzy Hash: 63b656d8d11fed434b2ba85c1d8bcef9f399cf33f2f60c529ecc1fbb012b8701
    • Instruction Fuzzy Hash: 2F5100B1C00259AFDF10EFE5C9859AEBFB9FF49314F20812AE505AB261DB345A49CF50
    APIs
    • MonitorFromPoint.USER32(?,?,00000002), ref: 005B0D81
    • GetMonitorInfoW.USER32(00000000), ref: 005B0D88
    • CopyRect.USER32(?,?), ref: 005B0D9A
    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005B0DAA
    • IntersectRect.USER32(?,?,?), ref: 005B0DDD
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: InfoMonitorRect$CopyFromIntersectParametersPointSystem
    • String ID: (
    • API String ID: 2931574886-3887548279
    • Opcode ID: f910bc086339626c07edee8b35488b6eef11e7c11a7d98733bb9b057b14ed8fe
    • Instruction ID: 3f995401aaf199a524d4fc95a33d84dc96e54e5f0e642b399b49eaa4cbeb5c18
    • Opcode Fuzzy Hash: f910bc086339626c07edee8b35488b6eef11e7c11a7d98733bb9b057b14ed8fe
    • Instruction Fuzzy Hash: 5751D4B19002099FCB24CFA9D989AEEFBF9FF98300F14551AE516A7290D770A905CF61
    APIs
    • IsWindow.USER32(00000000), ref: 005886BE
    • ShowWindow.USER32(00000000,00000004), ref: 005886F0
    • IsWindow.USER32(?), ref: 00588735
    • IsWindowVisible.USER32(?), ref: 00588740
    • ShowWindow.USER32(?,00000000), ref: 0058877B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Show$Visible
    • String ID: X'f
    • API String ID: 2757229004-3824865298
    • Opcode ID: a672a669fb704fece86ce864c31b9efa861b6be963130833e54698314608fd1d
    • Instruction ID: 702fc72e7d9bc5dfbd2aea5f27ebcad927ac245c97e3ca050451124a9f8b020b
    • Opcode Fuzzy Hash: a672a669fb704fece86ce864c31b9efa861b6be963130833e54698314608fd1d
    • Instruction Fuzzy Hash: 7D41A135200305ABDB20BF65C889BBA3FB9FF85751F644129ED06EB141EE31E8408BA0
    APIs
      • Part of subcall function 005A5045: __EH_prolog3_catch.LIBCMT ref: 005A504C
    • UpdateWindow.USER32(?), ref: 00559EAC
    • EqualRect.USER32(?,?), ref: 00559EE2
    • InflateRect.USER32(?,00000002,00000002), ref: 00559EFA
    • InvalidateRect.USER32(?,?,00000001), ref: 00559F09
    • InflateRect.USER32(?,00000002,00000002), ref: 00559F1E
    • InvalidateRect.USER32(?,?,00000001), ref: 00559F30
    • UpdateWindow.USER32(?), ref: 00559F39
      • Part of subcall function 005599E6: InvalidateRect.USER32(?,?,00000001), ref: 00559A5B
      • Part of subcall function 005599E6: InflateRect.USER32(?,?,?), ref: 00559AA1
      • Part of subcall function 005599E6: RedrawWindow.USER32(?,?,00000000,00000401,?,?), ref: 00559AB4
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$InflateInvalidateWindow$Update$EqualH_prolog3_catchRedraw
    • String ID:
    • API String ID: 1041772997-0
    • Opcode ID: 8bb9df01605a5009c3042fb96371c333b94e8e64387be7d6bf578956bbc27dd4
    • Instruction ID: 769884887288a47daba8c92e236f83d6f2703008a01c0372265c741d45aaab31
    • Opcode Fuzzy Hash: 8bb9df01605a5009c3042fb96371c333b94e8e64387be7d6bf578956bbc27dd4
    • Instruction Fuzzy Hash: B8419D75600205DFCB11CF64C898BAA7BB9FF48312F144279ED0ADB296CB349945CB61
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 0057F8D1
    • CloseHandle.KERNEL32(005D1150,00000080,005D1150,?,00000000,?,00000000), ref: 0057F90A
    • GetTempPathW.KERNEL32(00000104,00000000,00000104,00000000,00000080,005D1150,?,00000000,?,00000000), ref: 0057F931
    • GetTempFileNameW.KERNEL32(00000000,AFX,00000000,00000000,00000104,00000000,?,00000000), ref: 0057F968
    • CreateFileW.KERNEL32(?,C0000000,00000000,00000000,00000002,04000100,00000000,?,00000000), ref: 0057F98A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FileTemp$CloseCreateH_prolog3_catchHandleNamePath
    • String ID: AFX
    • API String ID: 1737446630-1300893600
    • Opcode ID: 9952a99435dbd4965551d5ec7598eca155306ee0fb76439a65144f4fe70a5d88
    • Instruction ID: 184531de49643fe7c87b3824a4947f52740c32c92bf16d3f26e51b2876992300
    • Opcode Fuzzy Hash: 9952a99435dbd4965551d5ec7598eca155306ee0fb76439a65144f4fe70a5d88
    • Instruction Fuzzy Hash: A5415E7180014A9BCB15EFA4CD59EEEBFB8BF85314F108259B516B72E2DB306A05CB61
    APIs
    • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 0059C86A
    • GetParent.USER32(?), ref: 0059C89A
    • SendMessageW.USER32(?,00000111,?), ref: 0059C8BF
    • GetParent.USER32(?), ref: 0059C8E2
    • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 0059C94A
    • GetParent.USER32(?), ref: 0059C953
    • GetWindowLongW.USER32(?,000000F4), ref: 0059C96D
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Parent$MessageSendWindow$LongRedraw
    • String ID:
    • API String ID: 4271267155-0
    • Opcode ID: 4eaa3e90d3871aa8b4f9ade8ea4f8e1c13f3d014d17db77f5ad8ec7bab1b8401
    • Instruction ID: 34cd13fcdcf68a003983159ef69d85fc41932592a577d999b41d1bdcc0bdae6f
    • Opcode Fuzzy Hash: 4eaa3e90d3871aa8b4f9ade8ea4f8e1c13f3d014d17db77f5ad8ec7bab1b8401
    • Instruction Fuzzy Hash: FF41D331600700EBEF245B61CD89F7A7EA9FF88341F144529F5869A1A1D770ED80CB65
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005A9107
      • Part of subcall function 0054AD30: __EH_prolog3.LIBCMT ref: 0054AD37
      • Part of subcall function 0054AD30: LoadCursorW.USER32(00000000,00007F00), ref: 0054AD63
      • Part of subcall function 0054AD30: GetClassInfoW.USER32(?,00000000,?), ref: 0054ADA7
    • CopyRect.USER32(?,?), ref: 005A91BB
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B72A
      • Part of subcall function 0053B719: ClientToScreen.USER32(?,?), ref: 0053B737
    • IsRectEmpty.USER32(?), ref: 005A91D4
    • IsRectEmpty.USER32(?), ref: 005A91EC
    • IsRectEmpty.USER32(?), ref: 005A9201
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Empty$ClientScreen$ClassCopyCursorH_prolog3H_prolog3_InfoLoad
    • String ID: Afx:ControlBar
    • API String ID: 2202805320-4244778371
    • Opcode ID: c6cfb9f8f71e7195b00078382f7e5becb79ec39899a7e42b855876d98ed68e65
    • Instruction ID: 9886fd854a937cdc4f1f36bbd3b41e500cb57dde5b57bba98db6a6bbf4b6d858
    • Opcode Fuzzy Hash: c6cfb9f8f71e7195b00078382f7e5becb79ec39899a7e42b855876d98ed68e65
    • Instruction Fuzzy Hash: 064117759002199BDF01DFA4CC88AEE7BB6BF4A311F040569FD05BB252DB71AD05CB60
    APIs
    • GetParent.USER32(?), ref: 00541ADE
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00541B02
    • UpdateWindow.USER32(?), ref: 00541B1D
    • SendMessageW.USER32(?,00000121,00000000,?), ref: 00541B3E
    • SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 00541B56
    • UpdateWindow.USER32(?), ref: 00541B99
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 00541BCA
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Message$Window$PeekSendUpdate$LongParent
    • String ID:
    • API String ID: 2853195852-0
    • Opcode ID: f660f7af0f292ea135ec80a6ec84438ea8e3c4e2c3617a4dc00a8345da05dafb
    • Instruction ID: 5f0c398c6d806cfe82f39861526cbd3bc6296e8459a814951c859ae5f6818ac5
    • Opcode Fuzzy Hash: f660f7af0f292ea135ec80a6ec84438ea8e3c4e2c3617a4dc00a8345da05dafb
    • Instruction Fuzzy Hash: AE417630A00B49ABCF219FA6CD48EEEBFB5FF84749F10455DE441A2151E7718A80DB59
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FillParentRect
    • String ID: <g$(e$`Ag
    • API String ID: 1540079046-2367815612
    • Opcode ID: 79b16e90c5c21d2b30e3746ae44b3bf219e626357eec4321ad7c8bb46bfb673b
    • Instruction ID: aa90b0b0f6d216ccb29abfb3cc1063d92042f84d512d3930110002c2908ace3f
    • Opcode Fuzzy Hash: 79b16e90c5c21d2b30e3746ae44b3bf219e626357eec4321ad7c8bb46bfb673b
    • Instruction Fuzzy Hash: 26316D71500205EBCF04EFA9D889EEB3BAAFF46314F104669F9099B151DB70DD00EB61
    APIs
      • Part of subcall function 005720BE: _malloc.LIBCMT ref: 005720D1
    • _free.LIBCMT ref: 0057217A
    • _memset.LIBCMT ref: 00572193
    • _memset.LIBCMT ref: 005721CD
    • _memcpy_s.LIBCMT ref: 005721E7
      • Part of subcall function 005357FA: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 005357FA: __EH_prolog3.LIBCMT ref: 00536474
    • CreateDIBSection.GDI32(00000000,00000000,00000000,00000008,00000000,00000000), ref: 00572200
    • _free.LIBCMT ref: 00572212
    • _free.LIBCMT ref: 00572245
      • Part of subcall function 00634D52: RtlFreeHeap.NTDLL(00000000,00000000,?,0063D74D,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1), ref: 00634D68
      • Part of subcall function 00634D52: GetLastError.KERNEL32(00000000,?,0063D74D,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1,?), ref: 00634D7A
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _free$_memset$CreateErrorException@8FreeH_prolog3HeapLastSectionThrow_malloc_memcpy_s
    • String ID:
    • API String ID: 3135816610-0
    • Opcode ID: 6e70f0b26222ee07145025a9fe526ac2ba2f88d1c2505a003969390d65bbfe86
    • Instruction ID: e2d05028069fffa5f9575ea1f5a5f928dfd5d84f48515335ea38a467f78a12e5
    • Opcode Fuzzy Hash: 6e70f0b26222ee07145025a9fe526ac2ba2f88d1c2505a003969390d65bbfe86
    • Instruction Fuzzy Hash: EF31E276900615ABDB20DF64DC41B6B7BA8FF01324F108929F959E7241DB70EE0097A0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0062506B
    • RedrawWindow.USER32(?,00000000,00000000,00000105,0000005C,0062532F,?,00625468,?,?,?,005E2E62,00000004,?,00000001,?), ref: 00625090
    • GetClientRect.USER32(?,?), ref: 006250AE
    • CreateCompatibleDC.GDI32(hTb), ref: 00625116
    • UpdateLayeredWindow.USER32(?,00000000,00000000,?,?,?,00000000,?,00000002), ref: 00625176
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$ClientCompatibleCreateH_prolog3_LayeredRectRedrawUpdate
    • String ID: hTb
    • API String ID: 2227077885-3303988142
    • Opcode ID: e12be7975cbba4b3a9223c915acfbc9ccb89d247a042390844e71afd314a5efc
    • Instruction ID: bd27c2a0412ec39d77305fba5a39aa9b143feb53ce574041b5cacae612b2ac09
    • Opcode Fuzzy Hash: e12be7975cbba4b3a9223c915acfbc9ccb89d247a042390844e71afd314a5efc
    • Instruction Fuzzy Hash: D041F071C01628ABCF11EFE4D989AEEBFBABF08700F10414AF905A6251DB705A05CFA1
    APIs
    • _memset.LIBCMT ref: 005421D8
    • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 00542201
    • GetWindowLongW.USER32(?,000000FC), ref: 00542213
    • GetWindowLongW.USER32(?,000000FC), ref: 00542224
    • SetWindowLongW.USER32(?,000000FC,?), ref: 00542240
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: LongWindow$MessageSend_memset
    • String ID: ,
    • API String ID: 2997958587-3772416878
    • Opcode ID: 1264b116bb307efa4ed1e50d02382afe9815e4a9897979acda03ddbfbab27008
    • Instruction ID: 350a16a5076a075f87a0a661d666afa1be47023098e1b9ba7961b5c8b17618ed
    • Opcode Fuzzy Hash: 1264b116bb307efa4ed1e50d02382afe9815e4a9897979acda03ddbfbab27008
    • Instruction Fuzzy Hash: CF41AF74600315ABDB20EFB4C888AAEBBF5BF88314F54162DF58297691DB70ED00CB90
    APIs
    • IsWindowVisible.USER32(?), ref: 005B1920
      • Part of subcall function 005E0E67: RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 005E0EDE
    • IsWindowVisible.USER32(?), ref: 005B194A
    • IsWindowVisible.USER32(?), ref: 005B198E
    • RedrawWindow.USER32(?,00000000,00000000,00000585), ref: 005B19B0
    • RedrawWindow.USER32(?,00000000,00000000,00000501), ref: 005B19C2
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 005B19E4
    • RedrawWindow.USER32(?,?,00000000,00000541), ref: 005B1A15
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Redraw$Visible
    • String ID:
    • API String ID: 1637130220-0
    • Opcode ID: 008c041e9411e444e9ba7473b94c506d297d2534bea35e71d0bc644adec0376e
    • Instruction ID: b5804f9f3fd3eb917ee99ff096aae1e639b9e2178dd68fe4edca42f74138b475
    • Opcode Fuzzy Hash: 008c041e9411e444e9ba7473b94c506d297d2534bea35e71d0bc644adec0376e
    • Instruction Fuzzy Hash: 80418B71600A4ADFCB209FA4CDA1EAABFB6BF48344F500479E58696161D730AC40CB94
    APIs
      • Part of subcall function 0054664C: __EH_prolog3_catch.LIBCMT ref: 00546653
    • GetUserDefaultUILanguage.KERNEL32(00000000,00000005,00630DC7,00000000,?,?,0061B1B0,00000000,?,0061B54B,00000000,0000001C,0061B2DE,00000000,0061B54B), ref: 00630E2E
    • FindResourceExW.KERNEL32(00000000,00000005,?,0000FC11,?,?,0061B1B0,00000000,?,0061B54B,00000000,0000001C,0061B2DE,00000000,0061B54B), ref: 00630E6C
    • FindResourceW.KERNEL32(00000000,?,00000005,?,?,0061B1B0,00000000,?,0061B54B,00000000,0000001C,0061B2DE,00000000,0061B54B), ref: 00630E85
    • LoadResource.KERNEL32(00000000,00000000,?,?,0061B1B0,00000000,?,0061B54B,00000000,0000001C,0061B2DE,00000000,0061B54B), ref: 00630E93
    • GlobalAlloc.KERNEL32(00000040,00000000,00000005,00630DC7,00000000,?,?,0061B1B0,00000000,?,0061B54B,00000000,0000001C,0061B2DE,00000000,0061B54B), ref: 00630EC3
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Resource$Find$AllocDefaultException@8GlobalH_prolog3H_prolog3_catchLanguageLoadThrowUser
    • String ID: MS UI Gothic
    • API String ID: 2010067809-1905310704
    • Opcode ID: ed8a4fa937ecb8739fb8b8d707b9480172bf509431be9e1f4696955b1b3c5d2f
    • Instruction ID: dc90259a60e001388f6b1eb8f48de938ab998df4d69ac3dc64131f783c645c38
    • Opcode Fuzzy Hash: ed8a4fa937ecb8739fb8b8d707b9480172bf509431be9e1f4696955b1b3c5d2f
    • Instruction Fuzzy Hash: A131C575A00216AFEB10AF65CC5ADAA7BAAFF84710F048428FD05DB391EF30DD44DA90
    APIs
    • CallNextHookEx.USER32(00000000,?,?), ref: 0055D41D
    • WindowFromPoint.USER32(?,?), ref: 0055D448
    • ScreenToClient.USER32(?,00000000), ref: 0055D479
    • GetParent.USER32(?), ref: 0055D4E7
    • UpdateWindow.USER32(?), ref: 0055D53F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$CallClientFromHookNextParentPointScreenUpdate
    • String ID: pe
    • API String ID: 160110263-324909747
    • Opcode ID: 20a60fbe3b2489bab8af3894e9027ab58654c620e6bf387d9367af37d02f6b9c
    • Instruction ID: a39c1cf920ef95de8dd827ac6d9c23359dec6589f4132c1df10cf35f4a4ab8e5
    • Opcode Fuzzy Hash: 20a60fbe3b2489bab8af3894e9027ab58654c620e6bf387d9367af37d02f6b9c
    • Instruction Fuzzy Hash: 20318376500201EFCB14AFA4DC18EA97FB6FB89355F14916EF91587261DF31A904CF21
    APIs
    • GetParent.USER32(?), ref: 0059C482
    • SendMessageW.USER32(?,000000F1,00000001,00000000), ref: 0059C515
    • GetParent.USER32(?), ref: 0059C521
    • GetWindowLongW.USER32(?,000000F4), ref: 0059C53B
    • SendMessageW.USER32(?,00000111,?), ref: 0059C54B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageParentSend$LongWindow
    • String ID: kf
    • API String ID: 2933145521-3337216669
    • Opcode ID: fbf5a9085f7fe9457cf629c751b4ed57d76b05e8b0a92e65c0a8903816f6badb
    • Instruction ID: 69233650d21b59ba9f30d0da2190960629e07387073bd67bd62ca295157acac3
    • Opcode Fuzzy Hash: fbf5a9085f7fe9457cf629c751b4ed57d76b05e8b0a92e65c0a8903816f6badb
    • Instruction Fuzzy Hash: 4B21F632600715BFDF20AB74CC85BAEBEA5FF44354F154529F94A93151DA70EC40CBA0
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClientCursorMessageScreenSend_free_memset
    • String ID: ,
    • API String ID: 628317799-3772416878
    • Opcode ID: b1b8bda59ab313a6aa41674a5154bf51a64ffc7560a9434a30e72f0e05fa748a
    • Instruction ID: 82fbf17bf235c497763e7c395f6daffd7eba6f104c80c7b0c898abad3fe56537
    • Opcode Fuzzy Hash: b1b8bda59ab313a6aa41674a5154bf51a64ffc7560a9434a30e72f0e05fa748a
    • Instruction Fuzzy Hash: 94316C35A00609AFCF18EBA4EC49A6EBBFAFB48311F140629F415D32A1DB70A944CF54
    APIs
      • Part of subcall function 00572018: IsIconic.USER32(?), ref: 00572038
    • GetWindowRect.USER32(?,?), ref: 005729E4
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6E9
      • Part of subcall function 0053B6D8: ScreenToClient.USER32(?,?), ref: 0053B6F6
      • Part of subcall function 005725DC: __EH_prolog3_GS.LIBCMT ref: 005725E6
      • Part of subcall function 005725DC: GetWindowRect.USER32(?,?), ref: 00572635
      • Part of subcall function 005725DC: OffsetRect.USER32(?,?,?), ref: 0057264B
      • Part of subcall function 005725DC: CreateCompatibleDC.GDI32(?), ref: 005726BC
      • Part of subcall function 005725DC: SelectObject.GDI32(?,?), ref: 005726DC
    • GetModuleHandleW.KERNEL32(DWMAPI), ref: 00572A1C
    • GetProcAddress.KERNEL32(00000000,DwmSetIconicLivePreviewBitmap), ref: 00572A2C
    • DeleteObject.GDI32(00000000), ref: 00572A43
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$ClientObjectScreenWindow$AddressCompatibleCreateDeleteH_prolog3_HandleIconicModuleOffsetProcSelect
    • String ID: DWMAPI$DwmSetIconicLivePreviewBitmap
    • API String ID: 3205686482-239049650
    • Opcode ID: 7fd460ca06b8bee6519b2add1233a4f918b470c300f939cc25b9aa49d3a7dd4a
    • Instruction ID: 35d6808c18eb141062f3f04ebc7c11f082ee25f9d0c08514b545a1103fb12915
    • Opcode Fuzzy Hash: 7fd460ca06b8bee6519b2add1233a4f918b470c300f939cc25b9aa49d3a7dd4a
    • Instruction Fuzzy Hash: 2E314171A002069F8B14DFA9DD898BEFBF9FF88300B10452DE116E3261DA709D01CB50
    APIs
    • SetFocus.USER32(00000000,00000000), ref: 0056D1E2
    • GetParent.USER32(?), ref: 0056D1F0
    • GetWindowThreadProcessId.USER32(?,?), ref: 0056D20B
    • GetCurrentProcessId.KERNEL32 ref: 0056D211
    • GetActiveWindow.USER32 ref: 0056D264
    • SendMessageW.USER32(?,00000006,00000001,00000000), ref: 0056D278
    • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 0056D28C
      • Part of subcall function 00545BBF: EnableWindow.USER32(?,00000000), ref: 00545BD0
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
    • String ID:
    • API String ID: 2169720751-0
    • Opcode ID: 27bc029ebcecdc1aca4e282e1774a8176c54972129d32ae39c9fdd7fc2743127
    • Instruction ID: 332db1c0a9a54f5e4d905a387acfab4381d565351cdbee88f711f2225c1e35e2
    • Opcode Fuzzy Hash: 27bc029ebcecdc1aca4e282e1774a8176c54972129d32ae39c9fdd7fc2743127
    • Instruction Fuzzy Hash: D3219F75600704ABCB219F65DC89F5A7FB5FF84754F144A18F58A871A0CBB1E8808B60
    APIs
    • IsWindow.USER32(?), ref: 005B1352
    • SendMessageW.USER32(?,0000020A,?,?), ref: 005B1384
    • GetFocus.USER32 ref: 005B1398
    • IsChild.USER32(?,?), ref: 005B13BA
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005B13EB
    • IsWindowVisible.USER32(?), ref: 005B1400
    • SendMessageW.USER32(?,0000020A,?,?), ref: 005B141E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$Window$ChildFocusVisible
    • String ID:
    • API String ID: 1252167185-0
    • Opcode ID: 743575a15b3e474bd38d6a9d95ff7d98f4a7c8f9f315ee42c953005efc6355d1
    • Instruction ID: 2d2bdebf43fcc904622b4904480e5ed2d07b797aa3a6bbba0d7f69739e214814
    • Opcode Fuzzy Hash: 743575a15b3e474bd38d6a9d95ff7d98f4a7c8f9f315ee42c953005efc6355d1
    • Instruction Fuzzy Hash: 7021BB32610A01ABDB609FA0CC55FA53FE6BB09341F544924A849DB571E770FC00DF68
    APIs
    • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 005398BE
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 005398E9
    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 00539914
    • RegCloseKey.ADVAPI32(?), ref: 00539928
    • RegCloseKey.ADVAPI32(?), ref: 00539932
      • Part of subcall function 005397A8: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 005397BA
      • Part of subcall function 005397A8: GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 005397CA
    Similarity
    • API ID: CloseCreate$AddressHandleModuleOpenProc
    • String ID: software
    • API String ID: 550756860-2010147023
    • Opcode ID: 6f502592f5e16ce08df61080ce26d6e01d5929811f2fb290c042327e8c1754b3
    • Instruction ID: 7ae0f0d008d447cc5f10ec32490074bf2ea7029326d40478d78cb8de46ce5a91
    • Opcode Fuzzy Hash: 6f502592f5e16ce08df61080ce26d6e01d5929811f2fb290c042327e8c1754b3
    • Instruction Fuzzy Hash: 002115B2900118FA8B219F86CC88DAFBFBAFFC6710F24015AF505A2150D6B15E40DBA1
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005C3C1C
      • Part of subcall function 005C3B63: __EH_prolog3.LIBCMT ref: 005C3B6A
      • Part of subcall function 005C3B63: GetProfileIntW.KERNEL32(windows,DragMinDist,00000002), ref: 005C3BC2
      • Part of subcall function 005C3B63: GetProfileIntW.KERNEL32(windows,DragDelay,000000C8), ref: 005C3BD4
    • CopyRect.USER32(?,?), ref: 005C3C4A
    • GetCursorPos.USER32(?), ref: 005C3C5C
    • SetRect.USER32(?,?,?,?,?), ref: 005C3C72
    • IsRectEmpty.USER32(?), ref: 005C3C8D
    • InflateRect.USER32(?,00000002,00000002), ref: 005C3C9F
    • DoDragDrop.OLE32(00000000,00000000,?,00000000), ref: 005C3CF6
    Similarity
    • API ID: Rect$Profile$CopyCursorDragDropEmptyH_prolog3H_prolog3_Inflate
    • String ID:
    • API String ID: 1837043813-0
    • Opcode ID: 12e832eb9f5dd0d0eaa612078db10afed277d14c354189b6a10cddbb691fe043
    • Instruction ID: ef1f7fdb9331f80de086eb3dda91608b4665630d9fc16f6373c36dce29fa18c4
    • Opcode Fuzzy Hash: 12e832eb9f5dd0d0eaa612078db10afed277d14c354189b6a10cddbb691fe043
    • Instruction Fuzzy Hash: 0D210A719102599FDB01EFE0C988AAEBBBABF48701F10851DE502AB254EB74AE05DF51
    APIs
    • FillRect.USER32(?,?), ref: 00579AC3
    • InflateRect.USER32(?,000000FF,000000FF), ref: 00579AD1
    • PatBlt.GDI32(?,?,?,00000001,?,005A0049), ref: 00579AFD
    • PatBlt.GDI32(?,?,?,?,00000001,005A0049), ref: 00579B12
    • PatBlt.GDI32(?,00000000,?,00000001,?,005A0049), ref: 00579B27
    • PatBlt.GDI32(?,?,?,00000000,00000001,005A0049), ref: 00579B3D
    • FillRect.USER32(?,?), ref: 00579B52
    Similarity
    • API ID: Rect$Fill$Inflate
    • String ID:
    • API String ID: 2224923502-0
    • Opcode ID: c0d841d0e0ad072f2025a1c072e4fd279ed65249bafb4b199f026f3d4d1a97fd
    • Instruction ID: d0a70aaf1fbe121563deb0ac74eaf6bc77abdd17d70ff5e2e14389a0ac55b0aa
    • Opcode Fuzzy Hash: c0d841d0e0ad072f2025a1c072e4fd279ed65249bafb4b199f026f3d4d1a97fd
    • Instruction Fuzzy Hash: 5221B576100149FFDF01DF58DD89DAA7FAAFB49320F048115BE189A2A4C771E960DF61
    APIs
    • SendMessageW.USER32(00000000,00000407,00000000,?), ref: 00564130
    • IsRectEmpty.USER32(?), ref: 0056414F
    • IsRectEmpty.USER32(?), ref: 0056415C
    • GetCursorPos.USER32(00000000), ref: 0056416E
    • ScreenToClient.USER32(?,00000000), ref: 0056417B
    • PtInRect.USER32(?,00000000,00000000), ref: 0056418E
    • PtInRect.USER32(?,00000000,00000000), ref: 005641A1
    Similarity
    • API ID: Rect$Empty$ClientCursorMessageScreenSend
    • String ID:
    • API String ID: 703117857-0
    • Opcode ID: 89c64cd1bb8ba939c32188e65eecca744433ec26394fa4f7752199339b9defd6
    • Instruction ID: ab9c8f58da0d3845b63a3624108327769ff0e9bd9648cea08b33e4eecc0d9db7
    • Opcode Fuzzy Hash: 89c64cd1bb8ba939c32188e65eecca744433ec26394fa4f7752199339b9defd6
    • Instruction Fuzzy Hash: 7021687690020ABBDF219BA0CC08EEA7FFAFF58395F000564E555A3161DB31EA81DF60
    APIs
    • RealChildWindowFromPoint.USER32(?,?,?), ref: 005479E2
    • ClientToScreen.USER32(?,?), ref: 00547A01
    • GetWindow.USER32(?,00000005), ref: 00547A64
    Similarity
    • API ID: Window$ChildClientFromPointRealScreen
    • String ID:
    • API String ID: 2518355518-0
    • Opcode ID: b77b48addf81973e536048be7d6ba8a4296fbca63b6b1675448728e49deab92c
    • Instruction ID: a4cd5a53bd70d28249b27ceda3aeefa934c3c33f161fdaaee9676c9b0371e681
    • Opcode Fuzzy Hash: b77b48addf81973e536048be7d6ba8a4296fbca63b6b1675448728e49deab92c
    • Instruction Fuzzy Hash: 94214F7290121AAFDB10DFA5DC48BFEBBB9FF09316F140219E501E3290D7789A01CB95
    APIs
    • GetCapture.USER32 ref: 005470BB
    • SendMessageW.USER32(?,00000365,00000000,00000000), ref: 005470D6
    • GetFocus.USER32 ref: 005470EB
    • SendMessageW.USER32(?,00000365,00000000,00000000), ref: 005470F9
    • GetLastActivePopup.USER32(?), ref: 00547122
    • SendMessageW.USER32(?,00000365,00000000,00000000), ref: 0054712F
      • Part of subcall function 00543B71: GetWindowLongW.USER32(?,000000F0), ref: 00543B97
      • Part of subcall function 00543B71: GetParent.USER32(?), ref: 00543BA5
    • SendMessageW.USER32(?,00000111,0000E147,00000000), ref: 00547155
    Similarity
    • API ID: MessageSend$ActiveCaptureFocusLastLongParentPopupWindow
    • String ID:
    • API String ID: 3338174999-0
    • Opcode ID: 808909fb774b61146454699596f88b71958aa0a0ecc8731cc3db9daf2e66b87b
    • Instruction ID: 598ca75cb3e57031da8946e72f444af9529cf24a04327812e1eae3a26d3e52de
    • Opcode Fuzzy Hash: 808909fb774b61146454699596f88b71958aa0a0ecc8731cc3db9daf2e66b87b
    • Instruction Fuzzy Hash: 5011ECB590511DFFDF15ABA1CD8ADAEBE7DFB48788F105475F601A2230D7718E009A60
    APIs
    • _memset.LIBCMT ref: 00630D58
    • _wcslen.LIBCMT ref: 00630D5E
    • GetDC.USER32(00000000), ref: 00630D8D
    • EnumFontFamiliesExW.GDI32(00000000,?,00630CF4,?,00000000,?,?,?,?,?,?,000003EE,?), ref: 00630DA8
    • ReleaseDC.USER32(00000000,00000000), ref: 00630DB0
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: EnumException@8FamiliesFontH_prolog3ReleaseThrow_memset_wcslen
    • String ID: MS UI Gothic
    • API String ID: 2708522728-1905310704
    • Opcode ID: 342fb69502e7767b777d34b0dac8fb9da79305e22427843dbac0126c06f9dd05
    • Instruction ID: c69e808beea1e879370ffcd72e024333f1dcfec468deb6231b8265d48ee0bd8d
    • Opcode Fuzzy Hash: 342fb69502e7767b777d34b0dac8fb9da79305e22427843dbac0126c06f9dd05
    • Instruction Fuzzy Hash: EB015271900318ABDB10EBE49D49DAF7BFEEF85700F100019F905D7241DA74AA0586E5
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00537198
    • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryInProgress), ref: 005371B5
    • GetProcAddress.KERNEL32(00000000,ApplicationRecoveryFinished), ref: 005371BF
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
    • String ID: ApplicationRecoveryFinished$ApplicationRecoveryInProgress$KERNEL32.DLL
    • API String ID: 417325364-4287352451
    • Opcode ID: 717c35eab035df384d216fca96d9468c84c6c1d009156007646b8caef0e09df9
    • Instruction ID: b9b06bc2d3af75a81368b31bcee8e683d5f54a0f1d44a952c222164ce8b3efc1
    • Opcode Fuzzy Hash: 717c35eab035df384d216fca96d9468c84c6c1d009156007646b8caef0e09df9
    • Instruction Fuzzy Hash: 46017576A0031AAFD72097F58C49A6F7BA9EF89761F151169E901D3240DB74DD01C6B0
    APIs
    • GetModuleHandleW.KERNEL32(KERNEL32.DLL), ref: 00537127
    • GetProcAddress.KERNEL32(00000000,RegisterApplicationRestart), ref: 00537144
    • GetProcAddress.KERNEL32(00000000,RegisterApplicationRecoveryCallback), ref: 0053714E
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Strings
    • KERNEL32.DLL, xrefs: 00537122
    • RegisterApplicationRecoveryCallback, xrefs: 00537146
    • RegisterApplicationRestart, xrefs: 0053713E
    Similarity
    • API ID: AddressProc$Exception@8H_prolog3HandleModuleThrow
    • String ID: KERNEL32.DLL$RegisterApplicationRecoveryCallback$RegisterApplicationRestart
    • API String ID: 417325364-723216104
    • Opcode ID: 939191e3e836bb9e02a0350c5ddaec991bcfe0d16ce0561b59a60ba41ebaa147
    • Instruction ID: c7620e543cd0e1922cf9e77ab659d5581d3f0d0428175ebc210c237935ae0de2
    • Opcode Fuzzy Hash: 939191e3e836bb9e02a0350c5ddaec991bcfe0d16ce0561b59a60ba41ebaa147
    • Instruction Fuzzy Hash: ADF0443390436EBB4F225EE59C44C5B3F6AEF98791F010121FD14D2120DB71CD11DAA1
    APIs
    • EnterCriticalSection.KERNEL32(?,?,00000000,00533842,00040000,?,?,?,?,0053300E), ref: 0053385C
    • ResetEvent.KERNEL32(?,?,00000000,00533842,00040000,?,?,?,?,0053300E), ref: 0053386E
    • ResetEvent.KERNEL32(?,?,00000000,00533842,00040000,?,?,?,?,0053300E), ref: 00533876
    • ResetEvent.KERNEL32(?,?,00000000,00533842,00040000,?,?,?,?,0053300E), ref: 0053387E
    • HeapFree.KERNEL32(?,00000000,00000000), ref: 00533892
    • SetEvent.KERNEL32(?,?), ref: 005338CE
    • LeaveCriticalSection.KERNEL32(?), ref: 005338D5
    Similarity
    • API ID: Event$Reset$CriticalSection$EnterFreeHeapLeave
    • String ID:
    • API String ID: 1940115254-0
    • Opcode ID: 881782a3e9c7caa9f0ce18ee729e6929e359fe82c1b02bb059f5d4c2d5bb587e
    • Instruction ID: 46db31530b5cf08842e50fea29f145efd3909de1ebe6bfe14aba3163bd40b940
    • Opcode Fuzzy Hash: 881782a3e9c7caa9f0ce18ee729e6929e359fe82c1b02bb059f5d4c2d5bb587e
    • Instruction Fuzzy Hash: 2401D371000B059FD722EBB0DC49B9ABBE9FF88302F001829E19A82021DB31A545DB11
    APIs
    • GetSysColor.USER32(0000000F), ref: 00546DA1
    • GetSysColor.USER32(00000010), ref: 00546DA8
    • GetSysColor.USER32(00000014), ref: 00546DAF
    • GetSysColor.USER32(00000012), ref: 00546DB6
    • GetSysColor.USER32(00000006), ref: 00546DBD
    • GetSysColorBrush.USER32(0000000F), ref: 00546DCA
    • GetSysColorBrush.USER32(00000006), ref: 00546DD1
    Similarity
    • API ID: Color$Brush
    • String ID:
    • API String ID: 2798902688-0
    • Opcode ID: 61cc07317a19eb72500b45818e72e7d6f3339f981f449b7ff460cadee4d185b6
    • Instruction ID: 4e720653a856032382ba3636f52c81389549131b73034358e739f968cd653d2b
    • Opcode Fuzzy Hash: 61cc07317a19eb72500b45818e72e7d6f3339f981f449b7ff460cadee4d185b6
    • Instruction Fuzzy Hash: 83F012719417445BD730BFB25D09B47BAE1FFC4710F02192ED2458B990D6B5E441DF40
    APIs
    • GetParent.USER32(?), ref: 0055BBA5
    • GetClientRect.USER32(?,?), ref: 0055BBB8
    • GetWindowRect.USER32(?,?), ref: 0055BC06
    • GetParent.USER32(?), ref: 0055BC0F
    • GetParent.USER32(?), ref: 0055BE2C
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0055BE50
    Similarity
    • API ID: Parent$RectWindow$ClientRedraw
    • String ID:
    • API String ID: 443302174-0
    • Opcode ID: a2ed0bce04d51c0b37fe8dbfb334e60e881a1d1d7398a20ca2d2a5d3b21aa79b
    • Instruction ID: 17e6a71fa0b776257956ed484d041961c10bda3fc3b570a01c3cd186e96ce5ce
    • Opcode Fuzzy Hash: a2ed0bce04d51c0b37fe8dbfb334e60e881a1d1d7398a20ca2d2a5d3b21aa79b
    • Instruction Fuzzy Hash: A6B17B31A00219EFDF10DFA8C898AEEBFB5FF48711F14416AE806AB254CB709944CF61
    APIs
    • GetWindowRect.USER32(?,?), ref: 005860CE
      • Part of subcall function 00545A40: GetWindowLongW.USER32(?,000000EC), ref: 00545A4B
    • GetWindowRect.USER32(?,?), ref: 005861C9
    • GetParent.USER32(?), ref: 005861D6
    • GetParent.USER32(?), ref: 005861F0
    • OffsetRect.USER32(?,?,?), ref: 005862BD
    • OffsetRect.USER32(?,?,?), ref: 005862C9
    Similarity
    • API ID: Rect$Window$OffsetParent$Long
    • String ID:
    • API String ID: 2171155602-0
    • Opcode ID: be7076b6f8adeb387dd50271e1f8c45d189987d1f6beb169c91b175e9340bcbe
    • Instruction ID: 2ff854e845a0587aa723ac3645f6a72ba55709f0221f325e3b2389d25a345b88
    • Opcode Fuzzy Hash: be7076b6f8adeb387dd50271e1f8c45d189987d1f6beb169c91b175e9340bcbe
    • Instruction Fuzzy Hash: 3691BF75D00209EFCF15DFA8C988AEEBBB5FF88301F14456AE906B7251DB746A41CB60
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0058E5BD
    • GetClientRect.USER32(?,?), ref: 0058E603
      • Part of subcall function 0053BA35: __EH_prolog3.LIBCMT ref: 0053BA3C
      • Part of subcall function 0053BA35: GetDC.USER32(00000000), ref: 0053BA68
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,00000000), ref: 0053BDA8
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,?), ref: 0053BDBE
    • SendMessageW.USER32(?,00000030,?,00000000), ref: 0058E654
    • GetTextMetricsW.GDI32(?,?), ref: 0058E661
    • GetParent.USER32(?), ref: 0058E746
    • SendMessageW.USER32(?,00000030,?,00000000), ref: 0058E771
    Similarity
    • API ID: MessageObjectSelectSend$ClientH_prolog3H_prolog3_MetricsParentRectText
    • String ID:
    • API String ID: 1207058154-0
    • Opcode ID: 92f74a0793fe18dde07650da6d6f798cb5354055181fc4b4a21e048fb2f69df0
    • Instruction ID: 06b9c2b19dade78f0273d555db5e91286d862522b25560ff09a5cf2150ce7586
    • Opcode Fuzzy Hash: 92f74a0793fe18dde07650da6d6f798cb5354055181fc4b4a21e048fb2f69df0
    • Instruction Fuzzy Hash: 0D516072A006169BDF15EFA8CC85AEE7BB6FF88700F154129ED19EB255DB309D01CB50
    APIs
    • GetParent.USER32(00000000), ref: 0055D67C
    • SendMessageW.USER32(00000000,0000040C,00000000,00000000), ref: 0055D6BB
    • SendMessageW.USER32(00000000,0000041C,00000000,?), ref: 0055D6EA
    • SetRectEmpty.USER32(?), ref: 0055D744
    • SendMessageW.USER32(00000000,0000040B,00000000,?), ref: 0055D7AA
    • RedrawWindow.USER32(00000000,00000000,00000000,00000505), ref: 0055D7D0
    Similarity
    • API ID: MessageSend$EmptyParentRectRedrawWindow
    • String ID:
    • API String ID: 3879113052-0
    • Opcode ID: b934d313174a1738c33466f7948ecbf9d326e7803a6460af0624e7b904ab9fd1
    • Instruction ID: 85b4173ab8859043d5fdf7b6c8d9b9fdc3744daaee105ce048286ea277123a26
    • Opcode Fuzzy Hash: b934d313174a1738c33466f7948ecbf9d326e7803a6460af0624e7b904ab9fd1
    • Instruction Fuzzy Hash: 67517D72A006099FDB20DFB8C894BADBBF5FF48305F20016AE94AE7251EB709945CF55
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 0053A5C3
    • GlobalLock.KERNEL32(?), ref: 0053A6A9
    • CreateDialogIndirectParamW.USER32(?,?,?,00539F19,00000000), ref: 0053A6D8
    • DestroyWindow.USER32(00000000,?,00000064,00000000), ref: 0053A752
    • GlobalUnlock.KERNEL32(?), ref: 0053A762
    • GlobalFree.KERNEL32(?), ref: 0053A76B
    Similarity
    • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
    • String ID:
    • API String ID: 3003189058-0
    • Opcode ID: 808b3fd248c574039474e603c052c07d62faf682c90b4eaa9b8a0eaf26d0d996
    • Instruction ID: 8479de7db6aa78e0bf124e6827b5ed36715a7458976fe1c85244fc2b616475a0
    • Opcode Fuzzy Hash: 808b3fd248c574039474e603c052c07d62faf682c90b4eaa9b8a0eaf26d0d996
    • Instruction Fuzzy Hash: 94517C3190024A9FCF14EFA4C89A9EEBFB1BF54315F54052DF542A72A2DB309A41CB52
    APIs
    • GetClientRect.USER32(?,?), ref: 00592585
    • SendMessageW.USER32(?,0000120C,00000000,00000001), ref: 005925C7
    • SendMessageW.USER32(?,0000120C,00000001,00000001), ref: 005925E9
    • SendMessageW.USER32(?,00000201,00000000,00000000), ref: 00592663
    • SendMessageW.USER32(?,00000202,00000000,00000000), ref: 0059267B
    • PtInRect.USER32(?,?,?), ref: 00592697
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend$Rect$Client
    • String ID:
    • API String ID: 4194289498-0
    • Opcode ID: 7eacb03bd39e6766a04ffd93b1324d08b39d75ecc5760bada2c0174fe5c00897
    • Instruction ID: 6a537a78cb02b075d148b6fe4d9192aaa1f2c18235b56d1394ff28e36eee13c7
    • Opcode Fuzzy Hash: 7eacb03bd39e6766a04ffd93b1324d08b39d75ecc5760bada2c0174fe5c00897
    • Instruction Fuzzy Hash: BD510A71500219AFCF11DF64C988AAE7BF9FF49710F1501A9E9099B265CB71A941CFA0
    APIs
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059B54C
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059B57D
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059B5AC
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0059B5CE
      • Part of subcall function 0055731F: __EH_prolog3.LIBCMT ref: 00557326
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0059B5DB
    • InflateRect.USER32(?,000000FE,000000FE), ref: 0059B60E
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: InflateRect$H_prolog3
    • String ID:
    • API String ID: 3346915232-0
    • Opcode ID: 7641b3df6afe33cd7ab41b1fffef5ace3a908994ec537a4cb1947aba024652f6
    • Instruction ID: 4ffa2adf032b9672a08a91b0819b1e71396c92a4fce389dd25f79ba454772f70
    • Opcode Fuzzy Hash: 7641b3df6afe33cd7ab41b1fffef5ace3a908994ec537a4cb1947aba024652f6
    • Instruction Fuzzy Hash: 1A418031404205EFEF129F58ED40AAA7F66BB86331F25432AFC242B2E5DB319944DF52
    APIs
      • Part of subcall function 0053EC52: ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,0058B3E3,000000FF,00000050), ref: 0053EC75
    • VariantClear.OLEAUT32(?), ref: 005512F3
    • _memset.LIBCMT ref: 00551328
    • _memset.LIBCMT ref: 00551334
    • SysFreeString.OLEAUT32(?), ref: 00551373
    • SysFreeString.OLEAUT32(?), ref: 0055137D
    • SysFreeString.OLEAUT32(?), ref: 00551387
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FreeString$_memset$ActivateClearException@8H_prolog3ThrowVariant
    • String ID:
    • API String ID: 3894960473-0
    • Opcode ID: 035bef236a683f6bc49fc8175d2d5f38522ef3478df07b1a16e313e544ca1479
    • Instruction ID: b91a0fb32fd9452b73441321b1889cd73e85002424601b982930c35ad98d2b91
    • Opcode Fuzzy Hash: 035bef236a683f6bc49fc8175d2d5f38522ef3478df07b1a16e313e544ca1479
    • Instruction Fuzzy Hash: 42416975D00608EFDB11DFE5C898AADFFB9FF84305F248A1AE405A7250E770A949CB54
    APIs
    • GetWindowRect.USER32(?,?), ref: 00561E4F
    • OffsetRect.USER32(?,?,?), ref: 00561E6D
    • SendMessageW.USER32(00000000,0000000B,00000000,00000000), ref: 00561E7A
    • IsWindowVisible.USER32(?), ref: 00561E83
    • SendMessageW.USER32(00000014,0000000B,00000001,00000000), ref: 00561EF6
    • RedrawWindow.USER32(00000105,00000000,00000000,00000105), ref: 00561F06
      • Part of subcall function 00545D83: SetWindowPos.USER32(?,00000000,00000064,?,?,?,?,?,0053A8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00545DAB
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$MessageRectSend$OffsetRedrawVisible
    • String ID:
    • API String ID: 2707749077-0
    • Opcode ID: bafc4626c7c2ef8dba8540a2634cb0376c5b9834e8ce0e6eb1751a734cca8072
    • Instruction ID: 867a3499d2a53813639ca7958ccdfdd93c07ee40054e7259ec8cb22570306406
    • Opcode Fuzzy Hash: bafc4626c7c2ef8dba8540a2634cb0376c5b9834e8ce0e6eb1751a734cca8072
    • Instruction Fuzzy Hash: 48310C71A00609BFDB11DFA4CD89EBFBBF9FF48340F100619B556A2251DA71AD009B61
    APIs
    • SendMessageW.USER32(?,0000120B,00000000,00000001), ref: 00593583
    • GetClientRect.USER32(?,?), ref: 0059359C
    • GetSystemMetrics.USER32(00000015), ref: 005935C7
    • GetSystemMetrics.USER32(00000015), ref: 005935EF
    • InvalidateRect.USER32(?,?,00000001), ref: 0059360F
    • UpdateWindow.USER32(?), ref: 00593618
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MetricsRectSystem$ClientException@8H_prolog3InvalidateMessageSendThrowUpdateWindow
    • String ID:
    • API String ID: 1842141341-0
    • Opcode ID: 5e7c79ca4783cb144d51e70120c57e4b7c3d85d7c7ce9aa0604b40ba321d36f9
    • Instruction ID: d97a812a96e5f9d4a2f949cabf2c972a2bb7ffbf423a7a9e66c2b6669a2c4569
    • Opcode Fuzzy Hash: 5e7c79ca4783cb144d51e70120c57e4b7c3d85d7c7ce9aa0604b40ba321d36f9
    • Instruction Fuzzy Hash: CC312972A00609EFCF11DFB9CD459AEBFF5FF88310F12411AE155A7260DA70AA05CB91
    APIs
    • GetParent.USER32(?), ref: 00554A19
    • GetWindow.USER32(?,00000002), ref: 00554A3F
    • GetWindow.USER32(?,00000002), ref: 00554A51
    • GetWindowLongW.USER32(?,000000EC), ref: 00554A61
    • IsWindowVisible.USER32(?), ref: 00554A79
    • GetTopWindow.USER32(?), ref: 00554AA5
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$LongParentVisible
    • String ID:
    • API String ID: 506644340-0
    • Opcode ID: 183cf69a266932c9ce14494fee0d91b75be2fdba4c3a5aadbeab170a5fd3ee3b
    • Instruction ID: 72188e78dbcf2ab80870c8b279fa190c67405acf60e678cc9ef76d04ceff9157
    • Opcode Fuzzy Hash: 183cf69a266932c9ce14494fee0d91b75be2fdba4c3a5aadbeab170a5fd3ee3b
    • Instruction Fuzzy Hash: C921E232580611BBCB616BA4CC19EAF3F6AFF8475AF094612FC41A7150D730EC848FA8
    APIs
    • PtInRect.USER32(?,?,?), ref: 00563121
    • ReleaseCapture.USER32 ref: 0056312F
    • PtInRect.USER32(?,?,?), ref: 00563181
    • InvalidateRect.USER32(?,?,00000001), ref: 005631CF
    • SetTimer.USER32(?,00000002,00000050,00000000), ref: 005631F1
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$CaptureInvalidateReleaseTimer
    • String ID:
    • API String ID: 2903485716-0
    • Opcode ID: 8c4a07ececc31a736d659b11d732f6591f52ac130c33cb578fa0aaba9dd8807a
    • Instruction ID: 350a1c7f3389ec6dd0efd8b9d579d72dd69ce090863bda2baa328f8193a2ae50
    • Opcode Fuzzy Hash: 8c4a07ececc31a736d659b11d732f6591f52ac130c33cb578fa0aaba9dd8807a
    • Instruction Fuzzy Hash: 6E213C35200746EBDB219F64CC44FAA7BE5FB49391F14092AE566825A0DB31AA41EB90
    APIs
    • __EH_prolog3.LIBCMT ref: 00598A51
      • Part of subcall function 00545BA4: IsWindowEnabled.USER32(?), ref: 00545BAD
    • InvalidateRect.USER32(?,00000000,00000001,0000000C,00598B66), ref: 00598A7D
    • UpdateWindow.USER32(?), ref: 00598A86
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$EnabledH_prolog3InvalidateRectUpdate
    • String ID:
    • API String ID: 262192325-0
    • Opcode ID: 80ac807db914f7d79c9550b23ea1a60e57e3a076a31ed26dcf598529236bc5de
    • Instruction ID: 88cc9fc15bbbb6b7ed034ac2380b50756fbc526dd9e18fb67b3c74a1d627972e
    • Opcode Fuzzy Hash: 80ac807db914f7d79c9550b23ea1a60e57e3a076a31ed26dcf598529236bc5de
    • Instruction Fuzzy Hash: 9C215A71800B05ABCB21EBB8CD49AAFBFF9FF89311F104629F15696191DB356A009F12
    APIs
    • GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,005A0F5B,00000000,00000000,?,?,005A2D96,?,?,?,00000084), ref: 005A0E22
    • GlobalLock.KERNEL32(00000000), ref: 005A0E3A
    • _memmove.LIBCMT ref: 005A0E47
    • CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 005A0E56
    • EnterCriticalSection.KERNEL32(006AA600,00000000), ref: 005A0E6F
    • LeaveCriticalSection.KERNEL32(006AA600,00000000), ref: 005A0ED6
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Global$CriticalSection$AllocCreateEnterLeaveLockStream_memmove
    • String ID:
    • API String ID: 861836607-0
    • Opcode ID: 554dffab50365ddcd2140c3c8e2626b61ab64da043868234a50b28b12665339a
    • Instruction ID: 181f5628cdc2b89f5ee2b06c17a4b3dbfbdad5a3b852c0d9ac760dadba0fcec3
    • Opcode Fuzzy Hash: 554dffab50365ddcd2140c3c8e2626b61ab64da043868234a50b28b12665339a
    • Instruction Fuzzy Hash: 9C219F31A10215AFDF10ABF0EC0DA5E7FAEBB46351F006829F901D6291EB74DD00DA62
    APIs
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0053AB93
    • GetParent.USER32(00000000), ref: 0053ABA1
    • GetParent.USER32(00000000), ref: 0053ABB4
    • GetLastActivePopup.USER32(00000000), ref: 0053ABC5
    • IsWindowEnabled.USER32(00000000), ref: 0053ABD9
    • EnableWindow.USER32(00000000,00000000), ref: 0053ABEC
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
    • String ID:
    • API String ID: 670545878-0
    • Opcode ID: e69fac41296d1953ce30f929a03a0594d0fcf1ee791d5d1f0d4d2418c9e6d671
    • Instruction ID: 3c7904bc0ed4bd05c7e6dc6bd9f428a21345c9f691778e6f4b6126d0a6e2d9eb
    • Opcode Fuzzy Hash: e69fac41296d1953ce30f929a03a0594d0fcf1ee791d5d1f0d4d2418c9e6d671
    • Instruction Fuzzy Hash: AF11CA365013225BD7325AA99C64F2EFFAF7F55B61F190215ED81E7200D724CC4142E3
    APIs
    • GetDesktopWindow.USER32 ref: 0056B294
    • GetWindow.USER32(00000000), ref: 0056B29B
    • GetWindowLongW.USER32(00000000,000000F0), ref: 0056B2D7
    • ShowWindow.USER32(00000000,00000000), ref: 0056B2F2
    • ShowWindow.USER32(00000000,00000004), ref: 0056B316
    • GetWindow.USER32(00000000,00000002), ref: 0056B31F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Show$DesktopLong
    • String ID:
    • API String ID: 3178490500-0
    • Opcode ID: d8d8329397e5e125869d93f8c872734313a77b0f1c53bb4f9d547f6124533caa
    • Instruction ID: ace660f0d55ec04976286fc18bbd453aacbcaf384f1d8406b9e3dd215845e567
    • Opcode Fuzzy Hash: d8d8329397e5e125869d93f8c872734313a77b0f1c53bb4f9d547f6124533caa
    • Instruction Fuzzy Hash: 0C11BC31700344ABE72197658D89F2F7EBABB95765FA40628F901DB292CB38CC809610
    APIs
    • RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00539AB8
    • RegDeleteValueW.ADVAPI32(00000000,?), ref: 00539AD7
    • RegCloseKey.ADVAPI32(00000000), ref: 00539B04
      • Part of subcall function 00539883: RegCloseKey.ADVAPI32(?), ref: 00539928
      • Part of subcall function 00539883: RegCloseKey.ADVAPI32(?), ref: 00539932
    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00539B1F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Close$Delete$PrivateProfileStringValueWrite
    • String ID:
    • API String ID: 1330817964-0
    • Opcode ID: f86751065a2654f19b8fd0cbb886f71def21dfde11a512a5c0a5f370e29f47e7
    • Instruction ID: 58423f908a4ae0fedce6d94f365e8c97a0b1d34b2e2e9e4ab28f1e5eff931971
    • Opcode Fuzzy Hash: f86751065a2654f19b8fd0cbb886f71def21dfde11a512a5c0a5f370e29f47e7
    • Instruction Fuzzy Hash: A8119EB2414215FFCF216FA0EC88CAE7F6AFF48355F044529FA0685020D7B28D51EBA1
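The block above (RegDeleteKeyW, RegDeleteValueW, RegCloseKey, WritePrivateProfileStringW) is the kind of list an analyst wants to pull out of a report like this quickly: registry and INI writes are where persistence and configuration usually live, while the many USER32 rectangle/window blocks and the AfxFrameOrView100su / AfxMDIFrame100su strings further down point to statically linked MFC framework code that is noise for triage. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it parses lines in the report's "APIs" list format (including the indented "Part of subcall function" entries, and entries with no argument list such as "_memmove.LIBCMT ref: ...") and buckets the API names. The sample input is constructed from lines shown on this page, and the category table is this example's own assumption. Note that a static API list says nothing about whether the code path ever runs; the report's own signatures flag a large amount of non-executed APIs for this sample.

```python
"""Parse the per-function "APIs" lists of a Joe Sandbox disassembly report
and group the imported APIs by what they touch.

Added example, not part of the report.  The CATEGORIES table is this
example's own assumption, not a Joe Sandbox classification."""
import re
from collections import defaultdict

# Constructed sample in the report's list format (lines copied from the
# API blocks shown on this page, trimmed to a handful).
SAMPLE_REPORT = """\
APIs
• RegDeleteKeyW.ADVAPI32(00000000,?), ref: 00539AB8
• RegDeleteValueW.ADVAPI32(00000000,?), ref: 00539AD7
• RegCloseKey.ADVAPI32(00000000), ref: 00539B04
  • Part of subcall function 00539883: RegCloseKey.ADVAPI32(?), ref: 00539928
• WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00539B1F
• GlobalAlloc.KERNEL32(00000002,?,?,?,?,?,005A0F5B,00000000,00000000,?,?,005A2D96,?,?,?,00000084), ref: 005A0E22
• _memmove.LIBCMT ref: 005A0E47
• CreateStreamOnHGlobal.OLE32(00000000,00000000,00000000,?), ref: 005A0E56
• ReleaseCapture.USER32 ref: 0056312F
Memory Dump Source
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix,
# Name.MODULE, optional "(args)", then "ref: <address>".
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Assumed triage buckets; anything unlisted lands in "other".
CATEGORIES = {
    "registry": {"RegOpenKeyExW", "RegCreateKeyExW", "RegSetValueExW",
                 "RegQueryValueExW", "RegDeleteKeyW", "RegDeleteValueW",
                 "RegCloseKey"},
    "ini_config": {"WritePrivateProfileStringW", "GetPrivateProfileStringW"},
    "memory": {"GlobalAlloc", "GlobalLock", "GlobalUnlock", "GlobalFree",
               "VirtualAlloc", "VirtualProtect"},
    "ole": {"CreateStreamOnHGlobal", "VariantClear", "SysFreeString"},
}


def parse_api_lines(text):
    """Return one dict per API line: api, module, args, ref, subcall (or None)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # headers such as "APIs" / "Memory Dump Source"
        raw_args = m.group("args")
        calls.append({
            "api": m.group("api"),
            "module": m.group("mod"),
            # "?" marks an argument the static pass could not resolve.
            "args": raw_args.split(",") if raw_args else [],
            "ref": m.group("ref").upper(),
            "subcall": m.group("sub").upper() if m.group("sub") else None,
        })
    return calls


def summarize_by_category(calls):
    """Map category -> sorted, de-duplicated API names seen in the calls."""
    buckets = defaultdict(set)
    for c in calls:
        for cat, names in CATEGORIES.items():
            if c["api"] in names:
                buckets[cat].add(c["api"])
                break
        else:
            buckets["other"].add(c["api"])
    return {cat: sorted(names) for cat, names in buckets.items()}


def direct_calls(calls):
    """Only the calls the function makes itself, not those of its subcalls."""
    return [c for c in calls if c["subcall"] is None]


if __name__ == "__main__":
    parsed = parse_api_lines(SAMPLE_REPORT)
    for cat, names in sorted(summarize_by_category(parsed).items()):
        print(f"{cat:<11} {', '.join(names)}")
    print(f"{len(direct_calls(parsed))} direct calls of {len(parsed)} total")
```

Run against a whole saved report, the per-category output makes it obvious which of the hundreds of blocks are worth opening in the disassembler; keeping the subcall entries separate matters because they are attributed to the callee's address (the "Part of subcall function" value), not to the function whose block you are reading.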
    APIs
    • GetParent.USER32(?), ref: 0059C06D
      • Part of subcall function 00545AF9: GetDlgCtrlID.USER32(?), ref: 00545B02
    • SendMessageW.USER32(?,00000111,?,?), ref: 0059C096
    • SetCapture.USER32(?,?,?,?,0059634D,?,?,?), ref: 0059C0BF
    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,0059634D,?,?,?), ref: 0059C0D7
    • UpdateWindow.USER32(?), ref: 0059C0E0
    • SetTimer.USER32(?,00000001,?,00000000), ref: 0059C0F7
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CaptureCtrlInvalidateMessageParentRectSendTimerUpdateWindow
    • String ID:
    • API String ID: 171814724-0
    • Opcode ID: 5609fb5d9eed13e77549b8e9ebe76fa682645ef12e1e5bbd91d988d729dd3415
    • Instruction ID: f56a2cab2fddb59e8870699b9ed7bdc8493d9ae4131d1df3eafb4b43b18b4465
    • Opcode Fuzzy Hash: 5609fb5d9eed13e77549b8e9ebe76fa682645ef12e1e5bbd91d988d729dd3415
    • Instruction Fuzzy Hash: 6B114C36200B00EFD7219BB5CC48F6BBEFAFFC8702F100519F59A92120DB71A8419B25
    APIs
    • ClientToScreen.USER32(?,?), ref: 00547941
    • GetDlgCtrlID.USER32(00000000), ref: 00547952
    • GetWindowLongW.USER32(00000000,000000F0), ref: 00547962
    • GetWindowRect.USER32(00000000,00000000), ref: 00547984
    • PtInRect.USER32(00000000,00000000,00000000), ref: 00547994
    • GetWindow.USER32(?,00000005), ref: 005479A1
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Rect$ClientCtrlLongScreen
    • String ID:
    • API String ID: 1315500227-0
    • Opcode ID: 3b41020d076330281a0abb8a050b0f9554f4cd9cb6589527f42e05542e2737b3
    • Instruction ID: a1701b8fd71eec3a5fcb43c93dee9eb74c4c6f2554796fad4c8b20f1945d4aeb
    • Opcode Fuzzy Hash: 3b41020d076330281a0abb8a050b0f9554f4cd9cb6589527f42e05542e2737b3
    • Instruction Fuzzy Hash: 6511A07690161DAFDB01DFA4DC08BEE7BB9FF09326F204215F901A2190CB74DA01CB96
    APIs
    • GetFocus.USER32 ref: 00547A85
    • GetParent.USER32(00000000), ref: 00547AAD
      • Part of subcall function 00547872: GetWindowLongW.USER32(?,000000F0), ref: 00547893
      • Part of subcall function 00547872: GetClassNameW.USER32(?,?,0000000A), ref: 005478A8
      • Part of subcall function 00547872: CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,00540D31,?,?), ref: 005478C2
    • GetWindowLongW.USER32(?,000000F0), ref: 00547AC8
    • GetParent.USER32(?), ref: 00547AD6
    • GetDesktopWindow.USER32 ref: 00547ADA
    • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00547AEE
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$LongParent$ClassCompareDesktopFocusMessageNameSendString
    • String ID:
    • API String ID: 1233893325-0
    • Opcode ID: 847e3550ee59935b6d7804c833dde0bb1eaa83b170706aee5b2ea99687039823
    • Instruction ID: 052c36ec57c0480947189d72b333372bd43cf7cd4b524d69c47cb416e5ceba97
    • Opcode Fuzzy Hash: 847e3550ee59935b6d7804c833dde0bb1eaa83b170706aee5b2ea99687039823
    • Instruction Fuzzy Hash: 1D01D63224430A37D7219A765C88FAF2DAEBBCCB59F190125F611A2180DF64DD0181A1
    APIs
    • __getptd.LIBCMT ref: 006407C0
      • Part of subcall function 0063D75C: __getptd_noexit.LIBCMT ref: 0063D75F
      • Part of subcall function 0063D75C: __amsg_exit.LIBCMT ref: 0063D76C
    • __amsg_exit.LIBCMT ref: 006407E0
    • __lock.LIBCMT ref: 006407F0
    • InterlockedDecrement.KERNEL32(?), ref: 0064080D
    • _free.LIBCMT ref: 00640820
    • InterlockedIncrement.KERNEL32(02DF1660), ref: 00640838
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock_free
    • String ID:
    • API String ID: 3470314060-0
    • Opcode ID: 7c654cd3982968b7585f476460077a7dd7e28b7c76092d3fa65b7a41c5806b09
    • Instruction ID: a99933e5c19392b522efbe44719d934fdb958e0693b98e94db1bfcb08d067a8f
    • Opcode Fuzzy Hash: 7c654cd3982968b7585f476460077a7dd7e28b7c76092d3fa65b7a41c5806b09
    • Instruction Fuzzy Hash: 7201AD31D02B21ABEB60AF6498057DD77A2BF04720F445019F904A72A1CB34B981CFD6
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _memset
    • String ID: @$@$AfxFrameOrView100su$AfxMDIFrame100su
    • API String ID: 2102423945-2639805938
    • Opcode ID: 7070b7206e16ee7048c9458ecde77434971f73ad55d0d9e305f10dc5e4d496eb
    • Instruction ID: 5f03a38f8f471a90f698b91bd31b0ece6508fca9285766dcf6ba2bb85f6067c4
    • Opcode Fuzzy Hash: 7070b7206e16ee7048c9458ecde77434971f73ad55d0d9e305f10dc5e4d496eb
    • Instruction Fuzzy Hash: 2F911D72C00619ABDB51DFA4C589BDEBFF8BB44348F618065FE08E7182E7748A44CB91
    APIs
    Strings
    Similarity
    • API ID: Object$Delete
    • String ID:
    • API String ID: 774837909-3916222277
    • Opcode ID: 7ec79627a0a4799cb7af3957d0147941eb162532c42a6bf152ab6169d74fabcb
    • Instruction ID: 5f47fc6e7232a4409858c39e72febf1d0b1a0c2adbd30ee7e3407fa235c64581
    • Opcode Fuzzy Hash: 7ec79627a0a4799cb7af3957d0147941eb162532c42a6bf152ab6169d74fabcb
    • Instruction Fuzzy Hash: 55514D7090070ADBFF21DF64EA846AEBFB5FB84711F24456AE855A3240DB309E85DF50
    APIs
    Strings
    Similarity
    • API ID: GlobalLock_wcslenlstrlen
    • String ID: System
    • API String ID: 2647411976-3470857405
    • Opcode ID: 412b49bbf8885799d80e3db9956b3bcd394f0afd2b8fe81dd55b5cdc0720c7cd
    • Instruction ID: d919c12ea6b89a35f13f7a7e23aec422defc28cade1c7261bbadd6999ab3d1ac
    • Opcode Fuzzy Hash: 412b49bbf8885799d80e3db9956b3bcd394f0afd2b8fe81dd55b5cdc0720c7cd
    • Instruction Fuzzy Hash: 6841D271900616EFCF14DFA0C8699AEBBB5FF04325F10856AE816A7241E7749E88CB90
    APIs
    • GetMenuCheckMarkDimensions.USER32 ref: 0053D0AC
    • _memset.LIBCMT ref: 0053D124
    • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 0053D186
    • LoadBitmapW.USER32(00000000,00007FE3), ref: 0053D19E
    Strings
    Similarity
    • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
    • String ID:
    • API String ID: 4271682439-3916222277
    • Opcode ID: 35377fc4dbbf8479ef10984253d0dcdfac94f090f78e9345cbf1a6588882fca1
    • Instruction ID: 218634c2fdbab632515dfcefdf8798d8f746672e060728a9105b690e1ad81812
    • Opcode Fuzzy Hash: 35377fc4dbbf8479ef10984253d0dcdfac94f090f78e9345cbf1a6588882fca1
    • Instruction Fuzzy Hash: A9312771E002149FEB20DF68EC85BA97BB5FB45704F4540AAE548D7282DE74DD45CB60
    APIs
    Strings
    Similarity
    • API ID: ArrayDestroyFreeSafeTask
    • String ID: `<u
    • API String ID: 3253174383-3367579956
    • Opcode ID: 1eaef00f5d7b1b794ce77dec4abdbdbfa09603e8eade9734e6bcdd21af4b8b23
    • Instruction ID: f1765066fe55060177a7db8676379193f3a826fe6140046a07aff87ad224ef9b
    • Opcode Fuzzy Hash: 1eaef00f5d7b1b794ce77dec4abdbdbfa09603e8eade9734e6bcdd21af4b8b23
    • Instruction Fuzzy Hash: A9215171101205EFCB25CF58C89C965BFAAFB86712B288915FD49D71E0C732DC44CB20
    APIs
    Strings
    Similarity
    • API ID: H_prolog3Window
    • String ID: $Lf$$Lf$Fg
    • API String ID: 616115145-899622730
    • Opcode ID: f06d9ff6b8bf65d820925e71f91305a4e068fb0d294032be885158fad5f30d6d
    • Instruction ID: 02458569a02d4824e099d2959ac9d29251ca14aa911a546ddb3c8cd73081d54f
    • Opcode Fuzzy Hash: f06d9ff6b8bf65d820925e71f91305a4e068fb0d294032be885158fad5f30d6d
    • Instruction Fuzzy Hash: F221B774700612AFCF05FFA4884AAFEBBAABF89711F000119F502A73D2DF745A418B95
    Strings
    Similarity
    • API ID:
    • String ID: Edit
    • API String ID: 0-554135844
    • Opcode ID: 2aca50d350b13d062203b680fda75233fea6f33c2a1db81d9f24459bd665ba12
    • Instruction ID: 9e731f425420bc133184dbfd711457ee4386441cb1108ad1f611618133b39fed
    • Opcode Fuzzy Hash: 2aca50d350b13d062203b680fda75233fea6f33c2a1db81d9f24459bd665ba12
    • Instruction Fuzzy Hash: 6211A5302002057BDB221A35CC0DB66BFA9BF447A1F145535F586D20F1EF72DC51C662
    APIs
    • GetModuleHandleW.KERNEL32(COMCTL32.DLL), ref: 0056F7A9
    • GetProcAddress.KERNEL32(00000000,TaskDialogIndirect), ref: 0056F7B9
    • _memset.LIBCMT ref: 0056F7D2
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Strings
    Similarity
    • API ID: AddressException@8H_prolog3HandleModuleProcThrow_memset
    • String ID: COMCTL32.DLL$TaskDialogIndirect
    • API String ID: 2638756577-244319309
    • Opcode ID: 0729376715d7e6426c17634a328e3750187078f1fe01e19a1a7c17dcb518b326
    • Instruction ID: 9f272cacb4aec68ecb0a3a78768a6c85c40b37e892a4ed91ae3b8df8f7846ad5
    • Opcode Fuzzy Hash: 0729376715d7e6426c17634a328e3750187078f1fe01e19a1a7c17dcb518b326
    • Instruction Fuzzy Hash: 61115171900319ABDB10DBA4DD49BCE7BFDBB44715F104129B50AD7180DB74EA04CBA1
    APIs
    • GetModuleHandleW.KERNEL32(DWMAPI), ref: 0057290E
    • GetProcAddress.KERNEL32(00000000,DwmSetIconicThumbnail), ref: 0057291E
    • DeleteObject.GDI32(00000000), ref: 00572958
    Strings
    Similarity
    • API ID: AddressDeleteHandleModuleObjectProc
    • String ID: DWMAPI$DwmSetIconicThumbnail
    • API String ID: 3128169092-3761315311
    • Opcode ID: 1f5e825560f56d79d0865ad083b4354599325ae188d64963fb585a21ed381a45
    • Instruction ID: eeaf495fef0ec36c8bb75faf2751de28ac144351ef059b5a9cdfb467fd285400
    • Opcode Fuzzy Hash: 1f5e825560f56d79d0865ad083b4354599325ae188d64963fb585a21ed381a45
    • Instruction Fuzzy Hash: ED019671300705BBDB10AFA59C48EAE7BEDFF88315F048125FA0597251DB74D941D760
    APIs
    Strings
    Similarity
    • API ID: Window$Destroy
    • String ID: pxf
    • API String ID: 3707531092-3901195985
    • Opcode ID: 654c818933968e91a8d67f9773ba1dd98381efad163b8f58dad10478a0f3252e
    • Instruction ID: 23a27e1914cbd593681f17c64e498cba67bc9088deca8c76f88979d74a0e7e84
    • Opcode Fuzzy Hash: 654c818933968e91a8d67f9773ba1dd98381efad163b8f58dad10478a0f3252e
    • Instruction Fuzzy Hash: 44018035201600EFE721AB24DC4DBA6BFBAFF80365F541229F85893190DB75EC54DB60
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0056A093
    • GetProcAddress.KERNEL32(00000000,CreateFileTransactedW), ref: 0056A0A3
    • CreateFileW.KERNEL32(?,?,?,?,?,?,00000000), ref: 0056A0E2
    Strings
    Similarity
    • API ID: AddressCreateFileHandleModuleProc
    • String ID: CreateFileTransactedW$kernel32.dll
    • API String ID: 2580138172-2053874626
    • Opcode ID: e6e5bd3a3315c13a9343ba09bb166b06c573308755cfe701ebd373b8a55cabdf
    • Instruction ID: a482a5bd5ce849e1495c8b41758749aa4387335ae92362a4ae277979a14d01fa
    • Opcode Fuzzy Hash: e6e5bd3a3315c13a9343ba09bb166b06c573308755cfe701ebd373b8a55cabdf
    • Instruction Fuzzy Hash: 7501DA3200020ABBCF225F95DC08C9A7F77FF99762B248615FA6662021C7328861FF52
    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00547C22
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00547C32
      • Part of subcall function 0053D8CA: GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0053D8DE
      • Part of subcall function 0053D8CA: GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0053D8EE
    Strings
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyExW
    • API String ID: 1646373207-2191092095
    • Opcode ID: 24a4823b4b1578ed62aa80ff8d76c6ae99b0ee439224f227da8712ac076a5db1
    • Instruction ID: 1e5fa40ba8be5ea4854f994b45157d14a2fd25268b1981f07d2714c8361f0dc4
    • Opcode Fuzzy Hash: 24a4823b4b1578ed62aa80ff8d76c6ae99b0ee439224f227da8712ac076a5db1
    • Instruction Fuzzy Hash: 9FF08C35208308EFDF219FA0ED88FD57FEAFB0A74AF141419F549921A0CB76A950AB54
    APIs
    • __EH_prolog3.LIBCMT ref: 005DAAE3
    • GetWindow.USER32(?,00000005), ref: 005DAB03
    • GetWindow.USER32(?,00000002), ref: 005DAB39
    • IsWindowVisible.USER32(?), ref: 005DAC1D
    • GetWindow.USER32(?,00000002), ref: 005DAEAD
    Similarity
    • API ID: Window$H_prolog3Visible
    • String ID:
    • API String ID: 3969123015-0
    • Opcode ID: 4fc7e5f3ed64f58196bbc9373e67ecd08196f67cbc711f5d1b342efc539a8d73
    • Instruction ID: 9bfa01d39b8ad3920972c19ce80eac796d27539d48bb58bfb34f092815026446
    • Opcode Fuzzy Hash: 4fc7e5f3ed64f58196bbc9373e67ecd08196f67cbc711f5d1b342efc539a8d73
    • Instruction Fuzzy Hash: C2D16271A002069FCF25DF68C899AFE7BB6BF88310F14456AF816AB391DB349D41CB51
    APIs
    • GetWindowRect.USER32(?,?), ref: 005B4771
    • GetWindowRect.USER32(?,?), ref: 005B4849
    • InflateRect.USER32(?,00000000,?), ref: 005B486F
    • GetWindowRect.USER32(?,?), ref: 005B4924
    • GetWindowRect.USER32(?,?), ref: 005B4A2F
    Similarity
    • API ID: Rect$Window$Inflate
    • String ID:
    • API String ID: 1123775244-0
    • Opcode ID: ba772dbd4a70702fd171f2fdf9947ea4493e0351fbbb6da57821bde7c40d5428
    • Instruction ID: 694473a84842bf4303253477b32afdcaef952447b99a57308ec7b375cea0f477
    • Opcode Fuzzy Hash: ba772dbd4a70702fd171f2fdf9947ea4493e0351fbbb6da57821bde7c40d5428
    • Instruction Fuzzy Hash: 95E11571E0021AAFCB24DFA8C985AEEBBF5FF48310F144569E515A7242DB70AD40CF94
    APIs
    Similarity
    • API ID: Rect$Empty$Client
    • String ID:
    • API String ID: 1457177775-0
    • Opcode ID: 8ebf8325cbc4903eab900c0945ee3d96d669d5d84b508d25a7de0f607b5c829f
    • Instruction ID: 122d8feb2befe1a82424886d934c1c8234fed87f46156029ba3eac4b7277aebb
    • Opcode Fuzzy Hash: 8ebf8325cbc4903eab900c0945ee3d96d669d5d84b508d25a7de0f607b5c829f
    • Instruction Fuzzy Hash: 9FD13A30D0061ACFCF15CFA8C5949AEBBB2BF49311F24466AEC15AB240E775AD45CF91
    APIs
    • IsWindow.USER32(?), ref: 00583122
    • GetParent.USER32(?), ref: 00583141
    • GetParent.USER32(?), ref: 00583150
      • Part of subcall function 005707FA: SetParent.USER32(?,?), ref: 0057080D
    • GetWindowRect.USER32(?,?), ref: 005831E7
    • GetClientRect.USER32(?,?), ref: 00583260
    Similarity
    • API ID: Parent$RectWindow$Client
    • String ID:
    • API String ID: 3043635113-0
    • Opcode ID: d7c16c2ec9d5780ba580f33abeb298228e7dc8fb80ca26a28a15d3aca9876519
    • Instruction ID: a56e6535f756ff48f0ca7c3af4f5807d9333122ae67fa28c1f5294f9a0d412ef
    • Opcode Fuzzy Hash: d7c16c2ec9d5780ba580f33abeb298228e7dc8fb80ca26a28a15d3aca9876519
    • Instruction Fuzzy Hash: 39711D74700615AFCB14AFA5CC9CEAEBBFABF89700F0405B9F506EB252CA719905CB51
    APIs
    • GetClientRect.USER32(?,?), ref: 0056476E
    • InflateRect.USER32(?,00000000,00000000), ref: 0056479A
    • GetSystemMetrics.USER32(00000002), ref: 00564817
    • _memset.LIBCMT ref: 0056483D
      • Part of subcall function 00545D83: SetWindowPos.USER32(?,00000000,00000064,?,?,?,?,?,0053A8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00545DAB
      • Part of subcall function 0053FFBD: GetScrollInfo.USER32(?,?,?), ref: 0053FFF1
      • Part of subcall function 0053FF7D: SetScrollInfo.USER32(?,?,?,?), ref: 0053FFAE
    • EnableScrollBar.USER32(?,00000002,00000000), ref: 00564920
    Similarity
    • API ID: Scroll$InfoRect$ClientEnableInflateMetricsSystemWindow_memset
    • String ID:
    • API String ID: 4263531605-0
    • Opcode ID: ff8d9fade0a12d27429deace34ce6c3d0830a7948694eb868d10bc82c491dbd5
    • Instruction ID: 1e16f069de6174bc543f2e918ceadd99254dda61a140349c6998e7762ea4b03a
    • Opcode Fuzzy Hash: ff8d9fade0a12d27429deace34ce6c3d0830a7948694eb868d10bc82c491dbd5
    • Instruction Fuzzy Hash: 78612971A00219EFDF10DFA8C984AEEBBB5FF48704F14456AE909EB245D7B1AD018F61
    APIs
    • GetWindowRect.USER32(?,?), ref: 005B45B6
    • EqualRect.USER32(?,?), ref: 005B45E1
    • BeginDeferWindowPos.USER32(?), ref: 005B45EE
    • EndDeferWindowPos.USER32(?), ref: 005B4613
      • Part of subcall function 005A7E09: GetWindowRect.USER32(?,?), ref: 005A7E1F
      • Part of subcall function 005A7E09: GetParent.USER32(?), ref: 005A7E61
      • Part of subcall function 005A7E09: GetParent.USER32(?), ref: 005A7E71
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • GetWindowRect.USER32(?,?), ref: 005B46C8
    Similarity
    • API ID: Window$Rect$DeferParent$BeginEqualException@8H_prolog3Throw
    • String ID:
    • API String ID: 601628497-0
    • Opcode ID: 9b2d3660bf80755b21e1de36304bbafdf583d9e9927d938d236ae26f4006f944
    • Instruction ID: 0fec55ff65a8480021c20999e0ca7f259e2cafd176b39313ca7bd45112621d07
    • Opcode Fuzzy Hash: 9b2d3660bf80755b21e1de36304bbafdf583d9e9927d938d236ae26f4006f944
    • Instruction Fuzzy Hash: 7A51E971D002199FCB20DFA9C9849EEBFF9BF89310B24456AE515A7212DB70AD44CF61
    APIs
    • SHGetPathFromIDListW.SHELL32(?,?), ref: 0058D0F7
    • SHGetPathFromIDListW.SHELL32(?,?), ref: 0058D127
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 0058D1DA
    • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000408), ref: 0058D1FB
    • lstrcmpiW.KERNEL32(?,?), ref: 0058D20F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Similarity
    • API ID: FileFromInfoListPath$Exception@8H_prolog3Throwlstrcmpi
    • String ID:
    • API String ID: 4171047833-0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 00624BDF
    • CreateCompatibleDC.GDI32(00000002), ref: 00624C2D
    • GetBoundsRect.GDI32(?,?,00000000,00000000), ref: 00624C55
    • CreateSolidBrush.GDI32 ref: 00624C6F
    • FillRect.USER32(00000001,?,?), ref: 00624C88
      • Part of subcall function 00623F92: FrameRgn.GDI32(00000002,?,00000002,00000001,00000001), ref: 00623FBA
    Similarity
    • API ID: CreateRect$BoundsBrushCompatibleFillFrameH_prolog3_Solid
    • String ID:
    • API String ID: 2864772683-0
    APIs
    • __EH_prolog3.LIBCMT ref: 005B1B68
    • RedrawWindow.USER32(?,?,?,00000541), ref: 005B1D2E
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • GetSystemMenu.USER32(?,00000000), ref: 005B1BA2
    • IsMenu.USER32(?), ref: 005B1BC1
    • IsMenu.USER32(?), ref: 005B1BCF
    Similarity
    • API ID: Menu$Window$H_prolog3LongRedrawSystem
    • String ID:
    • API String ID: 1445310841-0
    APIs
    • GetParent.USER32(?), ref: 0057AEDD
    • GetWindowRect.USER32(?,?), ref: 0057AEFF
    • GetClientRect.USER32(?,?), ref: 0057AF8F
    • MapWindowPoints.USER32(?,?,?,00000002), ref: 0057AFA2
    • FillRect.USER32(?,?), ref: 0057AFE2
    Similarity
    • API ID: Rect$Window$ClientFillParentPoints
    • String ID:
    • API String ID: 1064458942-0
    APIs
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • GetWindowRect.USER32(?,00561D5E), ref: 005C9740
    • GetSystemMetrics.USER32(00000021), ref: 005C974E
    • GetSystemMetrics.USER32(00000020), ref: 005C9754
    • GetKeyState.USER32(00000002), ref: 005C9774
    • InflateRect.USER32(00561D5E,00000000,00000000), ref: 005C97AA
    Similarity
    • API ID: MetricsRectSystemWindow$InflateLongState
    • String ID:
    • API String ID: 2406722796-0
    APIs
    Similarity
    • API ID: Parent$FocusMessageSendUpdateWindow
    • String ID:
    • API String ID: 2438739141-0
    APIs
    Similarity
    • API ID: ClientCursorScreen$Rect
    • String ID:
    • API String ID: 1082406499-0
    APIs
    • GetWindowRect.USER32(?,?), ref: 00563251
      • Part of subcall function 00545A40: GetWindowLongW.USER32(?,000000EC), ref: 00545A4B
    • OffsetRect.USER32(?,?,00000000), ref: 005632AC
    • UnionRect.USER32(?,?,?), ref: 005632CA
    • EqualRect.USER32(?,?), ref: 005632D8
    • UpdateWindow.USER32(?), ref: 00563314
    Similarity
    • API ID: Rect$Window$EqualLongOffsetUnionUpdate
    • String ID:
    • API String ID: 4261707372-0
    APIs
      • Part of subcall function 005D7477: GetParent.USER32(?), ref: 005D7483
      • Part of subcall function 005D7477: GetParent.USER32(00000000), ref: 005D7486
    • GetWindowLongW.USER32(?,000000EC), ref: 005D7D3B
    • RedrawWindow.USER32(?,00000000,00000000,00000081,?,?,?,?,?,005D80E7,00000000), ref: 005D7D8C
    • SetWindowLongW.USER32(?,000000EC,?), ref: 005D7D9B
    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000137,?,?,?,?,?,005D80E7,00000000), ref: 005D7DB1
    • GetClientRect.USER32(?,?), ref: 005D7DC5
    Similarity
    • API ID: Window$LongParent$ClientRectRedraw
    • String ID:
    • API String ID: 556606033-0
    APIs
    • GetCursorPos.USER32(?), ref: 0056898E
    • GetClientRect.USER32(?,?), ref: 005689CF
    • PtInRect.USER32(?,?,?), ref: 005689E7
    • MapWindowPoints.USER32(?,?,?,00000001), ref: 00568A11
    • SendMessageW.USER32(?,00000200,?,?), ref: 00568A30
    Similarity
    • API ID: Rect$ClientCursorMessagePointsSendWindow
    • String ID:
    • API String ID: 1257894355-0
    APIs
    • __EH_prolog3.LIBCMT ref: 0054B5D9
    • CreateRectRgnIndirect.GDI32(?), ref: 0054B5FB
      • Part of subcall function 0053B64D: SelectClipRgn.GDI32(?,00000000), ref: 0053B673
      • Part of subcall function 0053B64D: SelectClipRgn.GDI32(?,?), ref: 0053B689
    • GetParent.USER32(?), ref: 0054B61B
    • MapWindowPoints.USER32(?,00000000,?,00000001), ref: 0054B673
    • SendMessageW.USER32(?,00000014,?,00000000), ref: 0054B6A0
    Similarity
    • API ID: ClipSelect$CreateH_prolog3IndirectMessageParentPointsRectSendWindow
    • String ID:
    • API String ID: 3362736716-0
    APIs
    • SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 005839D9
    • SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 005839F5
    • SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00583A38
      • Part of subcall function 005C4444: SendMessageW.USER32(?,00000433,00000000,?), ref: 005C4477
    • SendMessageW.USER32(?,0000040D,00000000,00000000), ref: 00583A23
    • SetRectEmpty.USER32(?), ref: 00583A58
    Similarity
    • API ID: MessageSend$EmptyRect
    • String ID:
    • API String ID: 4004678023-0
    APIs
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
      • Part of subcall function 005D7477: GetParent.USER32(?), ref: 005D7483
      • Part of subcall function 005D7477: GetParent.USER32(00000000), ref: 005D7486
    • SendMessageW.USER32(?,00000234,00000000,00000000), ref: 005D7F4A
    • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 005D7F71
    • SendMessageW.USER32(?,00000229,00000000,00000000), ref: 005D7F8E
    • SendMessageW.USER32(?,00000222,?,00000000), ref: 005D7FA5
    • SendMessageW.USER32(?,00000222,00000000,?), ref: 005D7FCA
    Similarity
    • API ID: MessageSend$Parent$LongWindow
    • String ID:
    • API String ID: 4191550487-0
    APIs
    • IsWindowVisible.USER32(?), ref: 005DCFE4
    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005DD017
    • GetWindowRect.USER32(?,?), ref: 005DD026
    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005DD07C
    • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 005DD08E
    Similarity
    • API ID: Window$MessageSend$RectRedrawVisible
    • String ID:
    • API String ID: 1695962874-0
    APIs
    Similarity
    • API ID: Rect$Window
    • String ID:
    • API String ID: 924285169-0
    APIs
    • IsWindowVisible.USER32(?), ref: 00541750
    • GetWindowRect.USER32(00000000,?), ref: 0054177D
    • SetWindowPos.USER32(00000000,00000000,?,?,00000000,00000000,00000015), ref: 005417A2
    • GetWindow.USER32(?,00000005), ref: 005417AB
    • ScrollWindow.USER32(?,?,?,?,?), ref: 005417C6
    Similarity
    • API ID: Window$RectScrollVisible
    • String ID:
    • API String ID: 2639402888-0
    APIs
    • __EH_prolog3.LIBCMT ref: 00543193
    • GetTopWindow.USER32(00000000), ref: 005431B8
    • GetDlgCtrlID.USER32(00000000), ref: 005431CA
    • SendMessageW.USER32(?,00000087,00000000,00000000), ref: 00543226
    • GetWindow.USER32(00000000,00000002), ref: 00543266
    Similarity
    • API ID: Window$CtrlH_prolog3MessageSend
    • String ID:
    • API String ID: 849854284-0
    APIs
    • __EH_prolog3.LIBCMT ref: 005DD459
    • SendMessageW.USER32(?,0000007F,00000000,00000000), ref: 005DD480
    • SendMessageW.USER32(?,0000007F,00000001,00000000), ref: 005DD494
    • GetClassLongW.USER32(?,000000DE), ref: 005DD50C
    • GetClassLongW.USER32(?,000000F2), ref: 005DD51A
    Similarity
    • API ID: ClassLongMessageSend$H_prolog3
    • String ID:
    • API String ID: 350087385-0
    APIs
      • Part of subcall function 00560904: __EH_prolog3_GS.LIBCMT ref: 0056090B
      • Part of subcall function 00560904: GetWindowRect.USER32(?,?), ref: 0056094C
      • Part of subcall function 00560904: CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00560976
      • Part of subcall function 00560904: SetWindowRgn.USER32(?,?,00000000), ref: 0056098C
    • GetSystemMenu.USER32(?,00000000), ref: 00560F13
    • DeleteMenu.USER32(?,0000F120,00000000,00000000), ref: 00560F34
    • DeleteMenu.USER32(?,0000F020,00000000), ref: 00560F40
    • DeleteMenu.USER32(?,0000F030,00000000), ref: 00560F4C
    • EnableMenuItem.USER32(?,0000F060,00000001), ref: 00560F66
      • Part of subcall function 00559AD2: SetRectEmpty.USER32(?), ref: 00559B05
      • Part of subcall function 00559AD2: ReleaseCapture.USER32 ref: 00559B0B
      • Part of subcall function 00559AD2: SetCapture.USER32(?), ref: 00559B1A
      • Part of subcall function 00559AD2: GetCapture.USER32 ref: 00559B5C
      • Part of subcall function 00559AD2: ReleaseCapture.USER32 ref: 00559B6C
      • Part of subcall function 00559AD2: SetCapture.USER32(?), ref: 00559B7B
      • Part of subcall function 00559AD2: RedrawWindow.USER32(?,?,?,00000505), ref: 00559BE6
    Similarity
    • API ID: CaptureMenu$DeleteRectWindow$Release$CreateEmptyEnableH_prolog3_ItemRedrawRoundSystem
    • String ID:
    • API String ID: 2818640433-0
    APIs
    • SelectObject.GDI32(?,00000000), ref: 0059E818
      • Part of subcall function 005477C2: DeleteObject.GDI32(00000000), ref: 005477DB
    • SelectObject.GDI32(?,00000000), ref: 0059E82E
    • DeleteObject.GDI32(00000000), ref: 0059E899
    • DeleteDC.GDI32(00000000), ref: 0059E8A8
    • LeaveCriticalSection.KERNEL32(006AA600), ref: 0059E8C1
    Similarity
    • API ID: Object$Delete$Select$CriticalLeaveSection
    • String ID:
    • API String ID: 3849354926-0
    APIs
      • Part of subcall function 0053BA35: __EH_prolog3.LIBCMT ref: 0053BA3C
      • Part of subcall function 0053BA35: GetDC.USER32(00000000), ref: 0053BA68
    • IsRectEmpty.USER32(?), ref: 00591EFF
    • InvertRect.USER32(?,?), ref: 00591F0D
    • SetRectEmpty.USER32(?), ref: 00591F1D
    • GetClientRect.USER32(?,?), ref: 00591F3A
    • InvertRect.USER32(?,?), ref: 00591F87
    Similarity
    • API ID: Rect$EmptyInvert$ClientH_prolog3
    • String ID:
    • API String ID: 1656078942-0
    APIs
    • __EH_prolog3.LIBCMT ref: 0056659A
    • DestroyMenu.USER32(?,00000004,00566A18), ref: 005665D6
    • IsWindow.USER32(?), ref: 005665E7
    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 005665FB
    • ~_Task_impl.LIBCPMT ref: 00566674
      • Part of subcall function 005CC1EF: GetParent.USER32(?), ref: 005CC255
    Similarity
    • API ID: DestroyH_prolog3MenuMessageParentSendTask_implWindow
    • String ID:
    • API String ID: 1857064102-0
    APIs
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 0056B9C9
    • SendMessageW.USER32(?,00000086,00000000,00000000), ref: 0056B9E0
    • GetDesktopWindow.USER32 ref: 0056B9E4
    • SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 0056BA05
    • GetWindow.USER32(00000000), ref: 0056BA0A
    Similarity
    • API ID: MessageSendWindow$DesktopLong
    • String ID:
    • API String ID: 2272707703-0
    APIs
    • _memset.LIBCMT ref: 005B078F
    • SHAppBarMessage.SHELL32(00000007,?), ref: 005B07AD
    • SHAppBarMessage.SHELL32(00000007,?), ref: 005B07C7
    • SHAppBarMessage.SHELL32(00000007,?), ref: 005B07DD
    • SHAppBarMessage.SHELL32(00000007,?), ref: 005B07F6
    Similarity
    • API ID: Message$_memset
    • String ID:
    • API String ID: 2485647581-0
    APIs
    • EnableMenuItem.USER32(?,00004212,00000001), ref: 005688C9
    • EnableMenuItem.USER32(?,00004213,00000000), ref: 005688D5
    • EnableMenuItem.USER32(?,00004214,00000000), ref: 00568901
    • CheckMenuItem.USER32(?,00004213,00000008), ref: 0056892A
    • CheckMenuItem.USER32(?,00004214,00000000), ref: 00568936
    Similarity
    • API ID: ItemMenu$Enable$Check
    • String ID:
    • API String ID: 1852492618-0
    APIs
    • _malloc.LIBCMT ref: 00636AE9
      • Part of subcall function 00634CBE: __FF_MSGBANNER.LIBCMT ref: 00634CD7
      • Part of subcall function 00634CBE: __NMSG_WRITE.LIBCMT ref: 00634CDE
      • Part of subcall function 00634CBE: RtlAllocateHeap.NTDLL(00000000,00000001,00000001,00000000,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1), ref: 00634D03
    • _free.LIBCMT ref: 00636AFC
    Similarity
    • API ID: AllocateHeap_free_malloc
    • String ID:
    • API String ID: 1020059152-0
    APIs
    • lstrlenW.KERNEL32(?), ref: 00591CBC
    • SendMessageW.USER32(?,0000120C,00000000,00000002), ref: 00591CE0
    • lstrlenW.KERNEL32(00000000), ref: 00591CE9
    • SendMessageW.USER32(?,0000120C,00000001,00000002), ref: 00591D07
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 00591D20
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: MessageSendlstrlen$Exception@8H_prolog3RedrawThrowWindow
    • String ID:
    • API String ID: 524015339-0
    APIs
    • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 0056C1E6
    • GlobalAddAtomW.KERNEL32(?), ref: 0056C1F5
    • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 0056C20B
    • GlobalAddAtomW.KERNEL32(?), ref: 0056C214
    • SendMessageW.USER32(?,000003E4,?,?), ref: 0056C23E
    Similarity
    • API ID: AtomGlobal$Name$MessageSend
    • String ID:
    • API String ID: 1515195355-0
    APIs
    Similarity
    • API ID: ParentRect$ClientFillPointsWindow
    • String ID:
    • API String ID: 3058756167-0
    APIs
    • __EH_prolog3.LIBCMT ref: 0053423A
    • EnterCriticalSection.KERNEL32(00000204,00000004,00533573,?,00000000,?,?,?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 00534256
    • WSASetLastError.WS2_32(000005B6,?,?,00000000,?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 0053426A
    • LeaveCriticalSection.KERNEL32(00000204,?,?,00000000,?,?,005332D1,?,?,00000000,000000FF,00000000), ref: 00534271
    Similarity
    • API ID: CriticalSection$EnterErrorH_prolog3LastLeave
    • String ID:
    • API String ID: 3795183752-0
    APIs
    • GetObjectW.GDI32(?,0000005C,?), ref: 0058E844
    • CreateFontIndirectW.GDI32(?), ref: 0058E859
    • IsWindow.USER32(?), ref: 0058E877
    • InvalidateRect.USER32(?,00000000,00000001), ref: 0058E895
    • UpdateWindow.USER32(?), ref: 0058E89E
    Similarity
    • API ID: Window$CreateFontIndirectInvalidateObjectRectUpdate
    • String ID:
    • API String ID: 1602852816-0
    APIs
    • GetMapMode.GDI32(?,00000000,?,?,?,?,0054F9E5,?,00000000), ref: 00556CAA
    • GetDeviceCaps.GDI32(?,00000058), ref: 00556CE4
    • GetDeviceCaps.GDI32(?,0000005A), ref: 00556CED
      • Part of subcall function 0053B810: MulDiv.KERNEL32(?,00000000,00000000), ref: 0053B852
      • Part of subcall function 0053B810: MulDiv.KERNEL32(?,00000000,00000000), ref: 0053B86F
    • MulDiv.KERNEL32(?,000009EC,00000060), ref: 00556D11
    • MulDiv.KERNEL32(?,000009EC,?), ref: 00556D1C
    Similarity
    • API ID: CapsDevice$Mode
    • String ID:
    • API String ID: 696222070-0
    APIs
    • GetMapMode.GDI32(?,00000000,?,?,?,?,0054F97A,?,00000000), ref: 00556D3A
    • GetDeviceCaps.GDI32(?,00000058), ref: 00556D74
    • GetDeviceCaps.GDI32(?,0000005A), ref: 00556D7D
      • Part of subcall function 0053B7A5: MulDiv.KERNEL32(?,00000000,00000000), ref: 0053B7E7
      • Part of subcall function 0053B7A5: MulDiv.KERNEL32(?,00000000,00000000), ref: 0053B804
    • MulDiv.KERNEL32(?,00000060,000009EC), ref: 00556DA1
    • MulDiv.KERNEL32(?,?,000009EC), ref: 00556DAC
    Similarity
    • API ID: CapsDevice$Mode
    • String ID:
    • API String ID: 696222070-0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 0056090B
    • GetWindowRect.USER32(?,?), ref: 0056094C
    • CreateRoundRectRgn.GDI32(00000000,00000000,?,?,00000004,00000004), ref: 00560976
    • SetWindowRgn.USER32(?,?,00000000), ref: 0056098C
      • Part of subcall function 00534EC8: __EH_prolog3_catch.LIBCMT ref: 00534EE7
    • SetWindowRgn.USER32(?,00000000,00000000), ref: 005609A8
    Similarity
    • API ID: Window$Rect$CreateH_prolog3_H_prolog3_catchRound
    • String ID:
    • API String ID: 3306422325-0
    APIs
    • SetCapture.USER32(?), ref: 0058079A
    • GetCursorPos.USER32(?), ref: 005807D9
    • LoadCursorW.USER32(00000000,00007F86), ref: 00580803
    • SetCursor.USER32(00000000), ref: 0058080A
    • GetCursorPos.USER32(?), ref: 00580817
    Similarity
    • API ID: Cursor$CaptureLoad
    • String ID:
    • API String ID: 1460996051-0
    APIs
    • IsWindow.USER32(?), ref: 00598F2A
    • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00598F56
    • SendMessageW.USER32(?,00000150,?,00000000), ref: 00598F69
    • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00598F83
    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00598F96
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: MessageSend$Exception@8H_prolog3ThrowWindow
    • String ID:
    • API String ID: 1622667542-0
    APIs
    • lstrlenW.KERNEL32(?,?,?), ref: 00547755
    • _memset.LIBCMT ref: 00547773
    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0054778D
    • lstrcmpW.KERNEL32(?,?,?,?), ref: 0054779F
    • SetWindowTextW.USER32(00000000,?), ref: 005477AB
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: TextWindow$Exception@8H_prolog3Throw_memsetlstrcmplstrlen
    • String ID:
    • API String ID: 4273134663-0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005933CD
    • IsWindow.USER32(?), ref: 005933F4
    • InflateRect.USER32(?,00000000,000000FF), ref: 00593410
    • InvalidateRect.USER32(?,?,00000001), ref: 00593425
    • UpdateWindow.USER32(?), ref: 00593434
    Similarity
    • API ID: RectWindow$H_prolog3_InflateInvalidateUpdate
    • String ID:
    • API String ID: 2146894351-0
    APIs
    Similarity
    • API ID: ClientCursorRect$Screen
    • String ID:
    • API String ID: 1023402310-0
    APIs
    • FindResourceW.KERNEL32(?,?,75296BA0,00000000,00667718,?,005A2D96,?,?,?,00000084,005A316A,0000000A,0000000A,0000000A,00000000), ref: 005A0F08
    • LoadResource.KERNEL32(?,00000000,?,005A2D96,?,?,?,00000084,005A316A,0000000A,0000000A,0000000A,00000000,00000014,0059B725,00000004), ref: 005A0F1E
    • LockResource.KERNEL32(00000000,?,?,005A2D96,?,?,?,00000084,005A316A,0000000A,0000000A,0000000A,00000000,00000014,0059B725,00000004), ref: 005A0F2D
    • FreeResource.KERNEL32(?,00000000,00000000,?,?,005A2D96,?,?,?,00000084,005A316A,0000000A,0000000A,0000000A,00000000,00000014), ref: 005A0F3E
    • SizeofResource.KERNEL32(?,00000000,?,?,005A2D96,?,?,?,00000084,005A316A,0000000A,0000000A,0000000A,00000000,00000014,0059B725), ref: 005A0F4B
    Similarity
    • API ID: Resource$FindFreeLoadLockSizeof
    • String ID:
    • API String ID: 4159136517-0
    APIs
    • MsgWaitForMultipleObjects.USER32(00000001,?,00000000,000000FF,000004FF), ref: 0053277C
    • TranslateMessage.USER32(?), ref: 005327A2
    • DispatchMessageW.USER32(?), ref: 005327AC
    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005327BB
    • SetLastError.KERNEL32(000005B4), ref: 005327C8
    Similarity
    • API ID: Message$DispatchErrorLastMultipleObjectsPeekTranslateWait
    • String ID:
    • API String ID: 2669921780-0
    APIs
    • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 0056B7EE
    • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 0056B806
    • GetCapture.USER32 ref: 0056B808
    • ReleaseCapture.USER32 ref: 0056B813
    • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 0056B841
    Similarity
    • API ID: Message$CapturePost$PeekRelease
    • String ID:
    • API String ID: 1125932295-0
    APIs
    • ScreenToClient.USER32(?,?), ref: 00547032
    • SendMessageW.USER32(?,00000366,00000000,?), ref: 0054704E
    • ClientToScreen.USER32(?,?), ref: 0054705B
    • GetWindowLongW.USER32(?,000000F0), ref: 00547064
    • GetParent.USER32(?), ref: 00547072
    Similarity
    • API ID: ClientScreen$LongMessageParentSendWindow
    • String ID:
    • API String ID: 4240056119-0
    APIs
    • PtInRect.USER32(?,?,?), ref: 005996EB
    • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 00599703
    • PtInRect.USER32(?,?,?), ref: 0059971D
    • ReleaseCapture.USER32 ref: 0059972A
    • RedrawWindow.USER32(?,00000000,00000000,00000401), ref: 0059973A
    Similarity
    • API ID: RectRedrawWindow$CaptureRelease
    • String ID:
    • API String ID: 1080614547-0
    APIs
    • GetCursorPos.USER32(00000000), ref: 005646B5
    • ScreenToClient.USER32(?,00000000), ref: 005646C2
    • PtInRect.USER32(?,00000000,00000000), ref: 005646D5
    • LoadCursorW.USER32(00000000,00007F86), ref: 005646F4
    • SetCursor.USER32(00000000), ref: 00564700
    Similarity
    • API ID: Cursor$ClientLoadRectScreen
    • String ID:
    • API String ID: 2747913190-0
    APIs
    • GetKeyboardState.USER32(?), ref: 0057E9F5
    • _memset.LIBCMT ref: 0057EA0F
    • GetKeyboardLayout.USER32(?), ref: 0057EA1F
    • MapVirtualKeyW.USER32(?,00000000), ref: 0057EA3D
    • ToUnicodeEx.USER32(?,00000000), ref: 0057EA47
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: Keyboard$Exception@8H_prolog3LayoutStateThrowUnicodeVirtual_memset
    • String ID:
    • API String ID: 4204171240-0
    APIs
    • EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 0053449A
    • EnterCriticalSection.KERNEL32(?,?,?,00000000), ref: 005344A0
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 005344AF
    • LeaveCriticalSection.KERNEL32(?,?,?,00000000), ref: 005344B2
    Similarity
    • API ID: CriticalSection$EnterLeave
    • String ID:
    • API String ID: 3168844106-0
    APIs
    • __getptd.LIBCMT ref: 00640F41
      • Part of subcall function 0063D75C: __getptd_noexit.LIBCMT ref: 0063D75F
      • Part of subcall function 0063D75C: __amsg_exit.LIBCMT ref: 0063D76C
    • __getptd.LIBCMT ref: 00640F58
    • __amsg_exit.LIBCMT ref: 00640F66
    • __lock.LIBCMT ref: 00640F76
    • __updatetlocinfoEx_nolock.LIBCMT ref: 00640F8A
    Similarity
    • API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
    • String ID:
    • API String ID: 938513278-0
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005FF0C1
    • IsRectEmpty.USER32(?), ref: 005FF4E0
    • OffsetRect.USER32(?,00000000,00000001), ref: 005FF51C
    Strings
    Similarity
    • API ID: Rect$EmptyH_prolog3_Offset
    • String ID: !
    • API String ID: 307044148-2657877971
    APIs
    • OffsetRect.USER32(-00000018,00000000,00000000), ref: 005F84A8
    • __EH_prolog3.LIBCMT ref: 005F84CB
    • GetSystemMetrics.USER32(00000002), ref: 005F8538
      • Part of subcall function 0055731F: __EH_prolog3.LIBCMT ref: 00557326
    Strings
    Similarity
    • API ID: H_prolog3$MetricsOffsetRectSystem
    • String ID: tg
    • API String ID: 1613555380-148077919
    APIs
    • GetWindowRect.USER32(?,?), ref: 00586B07
    • GetWindowRect.USER32(?,?), ref: 00586BA4
    • IsRectEmpty.USER32(?), ref: 00586BAE
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Strings
    Similarity
    • API ID: Rect$Window$EmptyException@8H_prolog3Throw
    • String ID: \g
    • API String ID: 2711673171-568947263
    Similarity
    • API ID: CreateFocusH_prolog3MenuPopup
    • String ID: (e
    • API String ID: 1810032065-457064121
    • Opcode ID: 6f17580085dcfb46114733286643e720a372baaeee220c2c1dd8a53f58cd6f7d
    • Instruction ID: 135a8182288f9bff704106b21a405b504472c3a4f2bf4a2ff96375d34a2a083b
    • Opcode Fuzzy Hash: 6f17580085dcfb46114733286643e720a372baaeee220c2c1dd8a53f58cd6f7d
    • Instruction Fuzzy Hash: 22417F71B006169FCF20AFA4C999AFD7BE6BB84301F14053DE546A7291DB70BE40CB91
    APIs
    • ReleaseCapture.USER32 ref: 00582C1D
      • Part of subcall function 00604B09: SetRectEmpty.USER32(?), ref: 00604B5F
      • Part of subcall function 00604B09: IsRectEmpty.USER32(?), ref: 00604B69
      • Part of subcall function 00604B09: SetRectEmpty.USER32(?), ref: 00604BC0
      • Part of subcall function 00604B09: SetRectEmpty.USER32(?), ref: 00604BC6
    • IsWindowVisible.USER32(?), ref: 00582B3A
    • GetParent.USER32(?), ref: 00582B6D
    Similarity
    • API ID: EmptyRect$CaptureParentReleaseVisibleWindow
    • String ID: pxf
    • API String ID: 1768054721-3901195985
    • Opcode ID: fe27d6708aa1957225f16708e0cd08d56276e3c380b7b36f55131e915ac264e6
    • Instruction ID: 2d49ca9b71ba4566366af5173f54e9b8941d49a4cac14362360d7e35e6ac8dfb
    • Opcode Fuzzy Hash: fe27d6708aa1957225f16708e0cd08d56276e3c380b7b36f55131e915ac264e6
    • Instruction Fuzzy Hash: A5317231300601AFD725BB29C84EFBD7FA6BF84701F14046DF58A972A2DB609C81CB51
    APIs
    • __EH_prolog3_catch.LIBCMT ref: 005DB0B0
      • Part of subcall function 005C657B: __EH_prolog3.LIBCMT ref: 005C6582
      • Part of subcall function 0054C8C7: __EH_prolog3.LIBCMT ref: 0054C8CE
      • Part of subcall function 0054C885: __EH_prolog3.LIBCMT ref: 0054C88C
      • Part of subcall function 005C629E: __EH_prolog3.LIBCMT ref: 005C62A5
    • _free.LIBCMT ref: 005DB1A8
    Similarity
    • API ID: H_prolog3$H_prolog3_catch_free
    • String ID: %sMDIClientArea-%d$MDITabsState
    • API String ID: 276651542-353449602
    • Opcode ID: 3ad3ed4a150264a0e648addfdac52dd203fdab7b893610375b639292ff8d8b5f
    • Instruction ID: 346eb67b1e5d736c1e198ff87fa6eef945a6a31a9e14ae645084350963a88046
    • Opcode Fuzzy Hash: 3ad3ed4a150264a0e648addfdac52dd203fdab7b893610375b639292ff8d8b5f
    • Instruction Fuzzy Hash: 2441797490024AAFDF05EFE4C899AEDBFB5BF99304F14405EF5056B282DB705A48CB61
    Similarity
    • API ID:
    • String ID: @Kg$TKg$g}X
    • API String ID: 0-2589291378
    • Opcode ID: a01a8227ad01bf0ca6c1033087f1de524bc9fdc111435600120caf237c5bf24e
    • Instruction ID: 232b4b6e004748cdcaf2ddfa870b6569b5602ffe92cba97101e9dc5228399fff
    • Opcode Fuzzy Hash: a01a8227ad01bf0ca6c1033087f1de524bc9fdc111435600120caf237c5bf24e
    • Instruction Fuzzy Hash: DA312F71A00119AFDB14EFA4C8C59BFBBBAFF48304B10442DF506A7281DB709950CB61
    APIs
    • __snwprintf_s.LIBCMT ref: 00545302
    • __snwprintf_s.LIBCMT ref: 00545334
      • Part of subcall function 0063521D: __getptd_noexit.LIBCMT ref: 0063521D
    Similarity
    • API ID: __snwprintf_s$__getptd_noexit
    • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
    • API String ID: 101746997-2801496823
    • Opcode ID: 9ccb8a937f88a133a8b4952caa81558322e62288158e45f28dc3886f2136759c
    • Instruction ID: f3504271d1b05147515c75594326bfa30e11039dd75e1f734e1fe2cb328f369a
    • Opcode Fuzzy Hash: 9ccb8a937f88a133a8b4952caa81558322e62288158e45f28dc3886f2136759c
    • Instruction Fuzzy Hash: C13156B1900609EFCF01EFA9C8429DFBBB5FF48750F11441AF915AB262E7718A108FA5
    Similarity
    • API ID: _malloc$_free
    • String ID: ,nj
    • API String ID: 2384786199-2551163129
    • Opcode ID: 6280add3b41e168b7b83aad1ff3152212f57ccaecd14f9550dafe305ed889ece
    • Instruction ID: ab3728dee295152b785f964b0a739fc2ea09e5f95d9aefeb4b46cd6b5c8458a4
    • Opcode Fuzzy Hash: 6280add3b41e168b7b83aad1ff3152212f57ccaecd14f9550dafe305ed889ece
    • Instruction Fuzzy Hash: C32191315006519FCB25AF24C8A5A5EBFE1FF80732B90852AEC55DB296DB30EC45CA85
    APIs
    • RedrawWindow.USER32(?,00000000,00000000,00000585,?,74DEF550,?,00000000,?,?,0057B234,00000002,00000000,00000001,?,0054A8EB), ref: 00579515
    • RedrawWindow.USER32(?,00000000,00000000,00000585,?,74DEF550,?,00000000,?,?,0057B234,00000002,00000000,00000001,?,0054A8EB), ref: 0057953F
    • RedrawWindow.USER32(?,00000000,00000000,00000185,?,74DEF550,?,00000000,?,?,0057B234,00000002,00000000,00000001,?,0054A8EB), ref: 0057957E
    Similarity
    • API ID: RedrawWindow
    • String ID: pxf
    • API String ID: 2219533335-3901195985
    • Opcode ID: b5498fe18dd92e7b35eb15b413f9f1dcc77f435db3050e5ae9cc377396c179ff
    • Instruction ID: 5c262323514cd05260230206f38b99ac7b508ce187a5a6a451c0aec202321689
    • Opcode Fuzzy Hash: b5498fe18dd92e7b35eb15b413f9f1dcc77f435db3050e5ae9cc377396c179ff
    • Instruction Fuzzy Hash: 2211DA3274072277DB226724DC45F5A7BA5BFC4B50F254114FD48776A0EB61FD00ABA0
    APIs
    • __EH_prolog3.LIBCMT ref: 005A67F4
      • Part of subcall function 005B0493: __EH_prolog3.LIBCMT ref: 005B049A
      • Part of subcall function 005B0493: SetRectEmpty.USER32(?), ref: 005B0530
      • Part of subcall function 00604648: SetRectEmpty.USER32(?), ref: 0060467A
      • Part of subcall function 00604648: SetRectEmpty.USER32(?), ref: 00604681
    • SetRectEmpty.USER32(?), ref: 005A68DA
    • SetRectEmpty.USER32(?), ref: 005A6903
    Similarity
    • API ID: EmptyRect$H_prolog3
    • String ID: X'f
    • API String ID: 3752103406-3824865298
    • Opcode ID: 835c1e9b77fa2a4d5081a04ea31319ddca6ee854fdd0710d48f9a665e992ffe0
    • Instruction ID: 284e9ff86dd25f757f7f2c76e0aec91073dcc2826bac44f1340c61b326d60972
    • Opcode Fuzzy Hash: 835c1e9b77fa2a4d5081a04ea31319ddca6ee854fdd0710d48f9a665e992ffe0
    • Instruction Fuzzy Hash: 8F4146B0845B40CFC365DF7A89896C6FBE1BB5A301F908A2ED1AE8B341DB742144CF95
    APIs
    • _memset.LIBCMT ref: 0054A2A2
    • GetSysColor.USER32(00000014), ref: 0054A2EC
    • CreateDIBitmap.GDI32(?,00000028,00000004,?,00000028,00000000), ref: 0054A33F
    Similarity
    • API ID: BitmapColorCreate_memset
    • String ID: (
    • API String ID: 3930187609-3887548279
    • Opcode ID: fab47b2cda57e41e51ab0b1befa3b0fda55a5c019db8a8fcff8631d9aacf6501
    • Instruction ID: 0ffd40885716296b7182377c637f4de791a7a76eb757f77a2d80530543e4857f
    • Opcode Fuzzy Hash: fab47b2cda57e41e51ab0b1befa3b0fda55a5c019db8a8fcff8631d9aacf6501
    • Instruction Fuzzy Hash: FC21F531A11258DFEB04DBB8CC05BEDBBF8AF95701F00846EE546E7281DE755908CBA5
    APIs
    • GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,005D8F36), ref: 00570E1E
    • GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00570E2E
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: DWMAPI$DwmInvalidateIconicBitmaps
    • API String ID: 1646373207-1098356003
    • Opcode ID: 32e6ebae5988c48bf6fcb56f6904cdc8670bae207b340bf88ffa247cac686016
    • Instruction ID: 8873e21a831ce800d2336d4862792e4940046187391bde3618d233ef9733452c
    • Opcode Fuzzy Hash: 32e6ebae5988c48bf6fcb56f6904cdc8670bae207b340bf88ffa247cac686016
    • Instruction Fuzzy Hash: A6118471A00305DBCB50DFB59D896AB7BEEBF49340B145978BD0AEB181DE70DD008B61
    APIs
    • IsWindowVisible.USER32(?), ref: 00587830
    • GetWindowRect.USER32(?,?), ref: 00587867
    • PtInRect.USER32(?,?,?), ref: 00587877
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: RectWindow$Exception@8H_prolog3ThrowVisible
    • String ID: X'f
    • API String ID: 672089062-3824865298
    • Opcode ID: 29b08227038a2a6108276c86074be34bef09babd2f5763a1b0de4fa17cb78a6f
    • Instruction ID: 928b5d092c69a69e6e5fffd294a24271f7d0f4f721c3e3081ba954be7e99c9db
    • Opcode Fuzzy Hash: 29b08227038a2a6108276c86074be34bef09babd2f5763a1b0de4fa17cb78a6f
    • Instruction Fuzzy Hash: D6113D32A0420AAB8F10BFA89C899AEBBB5FB49314B24406EE905A3111DB70DD01DF61
    APIs
    • __EH_prolog3.LIBCMT ref: 0054AD37
    • LoadCursorW.USER32(00000000,00007F00), ref: 0054AD63
    • GetClassInfoW.USER32(?,00000000,?), ref: 0054ADA7
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: H_prolog3$ClassCursorException@8InfoLoadThrow
    • String ID: %s:%x:%x:%x:%x
    • API String ID: 3308755097-1000192757
    • Opcode ID: fc50412d07a70039699fd32be5ced02da06db8dabd77c4a4b1ad93b3aa3a9f65
    • Instruction ID: cb1d77c44017446e16afddf34d4e9ffbefa8f0bbd1cdeff9e32990cf2dacd870
    • Opcode Fuzzy Hash: fc50412d07a70039699fd32be5ced02da06db8dabd77c4a4b1ad93b3aa3a9f65
    • Instruction Fuzzy Hash: 08214AB4D0020AAFDB50EFA4D885ADEBFB5BF48304F10842DF514A7251DB749A41CFA5
    APIs
    • __EH_prolog3.LIBCMT ref: 005E3ABF
      • Part of subcall function 005A67ED: __EH_prolog3.LIBCMT ref: 005A67F4
      • Part of subcall function 005A67ED: SetRectEmpty.USER32(?), ref: 005A68DA
      • Part of subcall function 005A67ED: SetRectEmpty.USER32(?), ref: 005A6903
    • SetRectEmpty.USER32(?), ref: 005E3BC6
    • SetRectEmpty.USER32(?), ref: 005E3BCF
    Similarity
    • API ID: EmptyRect$H_prolog3
    • String ID: Fg
    • API String ID: 3752103406-2445576420
    • Opcode ID: e8a9db7906b14327c401e527b4c83a648c248d96fa82ee22077ef673921d231f
    • Instruction ID: 352190ddbb005f09a9245af009cbd88b4203060f19cec39d3243c5406ce1b616
    • Opcode Fuzzy Hash: e8a9db7906b14327c401e527b4c83a648c248d96fa82ee22077ef673921d231f
    • Instruction Fuzzy Hash: E9312CB0842B468BC365DF6AC1C869AFBF9BF09300F90892ED1AE87211C7747244CF45
    APIs
    • FillRect.USER32(?,?), ref: 0057A3C9
    • InflateRect.USER32(?,000000FF,000000FF), ref: 0057A400
    • DrawEdge.USER32(?,?,00000000,0000000F), ref: 0057A420
    Similarity
    • API ID: Rect$DrawEdgeFillInflate
    • String ID: iii
    • API String ID: 785442924-940974255
    • Opcode ID: d6f345ccad18b3367fc578e79f4c22a20364350a4101ff4efe95b09e13a15955
    • Instruction ID: 5a41c9061d88d83f50276342cab6e0d82b8a8b08df29ea9b5a1efdc9834b0fff
    • Opcode Fuzzy Hash: d6f345ccad18b3367fc578e79f4c22a20364350a4101ff4efe95b09e13a15955
    • Instruction Fuzzy Hash: 9C110A75500209AFCF00DFA8DD849AF7BBAFB49321B104226B915E7191DB70AA05CB61
    Similarity
    • API ID: RectWindow$Visible
    • String ID: pxf
    • API String ID: 3871264063-3901195985
    • Opcode ID: a7c45b7cb071f27802d7e8769b211eb5c8bf9d5f95b753c9dd707d851d783bda
    • Instruction ID: 50f155574866bdda3d112ef0d28ea7ab5a72351f0be823fbabb05b400c08bbb3
    • Opcode Fuzzy Hash: a7c45b7cb071f27802d7e8769b211eb5c8bf9d5f95b753c9dd707d851d783bda
    • Instruction Fuzzy Hash: E4018031A00209AFDB11EFA9DC089AEBFFAFF88700B10452AE845E2110DF71DE05DB61
    APIs
    • GetWindowRect.USER32(?,?), ref: 0058067A
    • GetCursorPos.USER32(00000000), ref: 005806BA
    • ScreenToClient.USER32(?,00000000), ref: 005806C7
    Similarity
    • API ID: ClientCursorRectScreenWindow
    • String ID: pxf
    • API String ID: 3342839850-3901195985
    • Opcode ID: 9e08f0fbef5b527413e321e99cae71bdc8e5a35ef0090d0d5a3aa0e976790b30
    • Instruction ID: f0d0300936339074bc8853cc580d8300ae0a6266b15ecd0f9e8b707af2ccd863
    • Opcode Fuzzy Hash: 9e08f0fbef5b527413e321e99cae71bdc8e5a35ef0090d0d5a3aa0e976790b30
    • Instruction Fuzzy Hash: BD015276500605AFDB00DF95CC88BEABBB9FF85325F100165EC04A7115DB716905CB60
    APIs
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F8B
      • Part of subcall function 00569F51: InitializeCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569F9D
      • Part of subcall function 00569F51: LeaveCriticalSection.KERNEL32(006A97D0,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FAA
      • Part of subcall function 00569F51: EnterCriticalSection.KERNEL32(-006A9638,?,?,?,?,00546667,00000010,00000008,0053EC36,0053EBCD,0053646D,0053CEB8,?,005410DB,?,0053A01D), ref: 00569FBA
      • Part of subcall function 0054664C: __EH_prolog3_catch.LIBCMT ref: 00546653
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • GetProcAddress.KERNEL32(00000000,HtmlHelpW), ref: 00543A1F
    • FreeLibrary.KERNEL32(?), ref: 00543A2F
    Similarity
    • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3H_prolog3_catchInitializeLeaveLibraryProcThrow
    • String ID: HtmlHelpW$hhctrl.ocx
    • API String ID: 2853499158-3773518134
    • Opcode ID: 3e9cdb13206ce54ac21f4de76e1241ababfbd3439834f3c34467affa637beed1
    • Instruction ID: 68911991091762bb732d3c81d2ab3c365fb600f0d568bff24235b014c4a163f7
    • Opcode Fuzzy Hash: 3e9cdb13206ce54ac21f4de76e1241ababfbd3439834f3c34467affa637beed1
    • Instruction Fuzzy Hash: 04014431180707ABCF21AFA2DC0AB9A3FD6BF00329F00C818F58A92060CFB0D810AA51
    APIs
    • GetWindowLongW.USER32(?,000000F0), ref: 00547893
    • GetClassNameW.USER32(?,?,0000000A), ref: 005478A8
    • CompareStringW.KERNEL32(00000409,00000001,?,000000FF,combobox,000000FF,?,00540D31,?,?), ref: 005478C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClassCompareLongNameStringWindow
    • String ID: combobox
    • API String ID: 1414938635-2240613097
    • Opcode ID: a1855d57be6ed38bc202b32e2a5f83869f55fabbd41c147490c978aadaeb3d9c
    • Instruction ID: cb2dc52aa79116f79c4d9fab75931556f079d4d76019218c3383b34d3cd1c896
    • Opcode Fuzzy Hash: a1855d57be6ed38bc202b32e2a5f83869f55fabbd41c147490c978aadaeb3d9c
    • Instruction Fuzzy Hash: 58F0C8316542187FCB00EBA89C06EEE7BA9EF0A721F500715F522E71C0DB60A905C795
    APIs
    • KillTimer.USER32(?,00000002), ref: 005DFEED
    • GetFocus.USER32 ref: 005DFEF9
    • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 005DFF2A
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FocusKillRedrawTimerWindow
    • String ID: y
    • API String ID: 1950525498-4225443349
    • Opcode ID: b17f3921d364eca8ede5fba439a42f62a726551f05bc0b19e9400e854f18fca1
    • Instruction ID: 0ee08d7387c2cf13dc6987601c6c4e3a5b20f1f2b6d2816fea06fb692d648a63
    • Opcode Fuzzy Hash: b17f3921d364eca8ede5fba439a42f62a726551f05bc0b19e9400e854f18fca1
    • Instruction Fuzzy Hash: C6F0C231550305EBDB309BA8EC09F693F69FB4672AF10883BF557852A2D7709980CF91
    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00539813
    • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00539823
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegCreateKeyTransactedW
    • API String ID: 1646373207-2994018265
    • Opcode ID: 8a07110aa8a93ad6bf598fe2cfcaab0f52e5bbefc82ae27cbbadce063a42e87a
    • Instruction ID: 584302a2570c417cf306dffa0e74aaf7e1bac11bb6a152146979cfc5dc806d5a
    • Opcode Fuzzy Hash: 8a07110aa8a93ad6bf598fe2cfcaab0f52e5bbefc82ae27cbbadce063a42e87a
    • Instruction Fuzzy Hash: 71F03C32104209FBCF114FD09D04BD67FAAFF49756F054529FA4491460C7B6C460EB54
    APIs
    • GetModuleHandleW.KERNEL32(?), ref: 00546B69
    • GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 00546B79
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: AfxmReleaseManagedReferences$mfcm100u.dll
    • API String ID: 1646373207-3074801404
    • Opcode ID: e166ea7c2476ccce26feb526ae9eeb7b74cede7e597d73e22d3bc06422a577cf
    • Instruction ID: 019a8bde661c5d612b469e332466d88150a50c60ecec8c2bfcc0e76b89627286
    • Opcode Fuzzy Hash: e166ea7c2476ccce26feb526ae9eeb7b74cede7e597d73e22d3bc06422a577cf
    • Instruction Fuzzy Hash: AAF05472600308ABCB10DFA6AD45EAF7BEDFB89765F101029F905E7141CE74D905C6A0
    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0053D8DE
    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0053D8EE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegDeleteKeyTransactedW
    • API String ID: 1646373207-2168864297
    • Opcode ID: 8d83d546018f29946c0127a24cbd6411296dafdad7c1dc79f0e42c04dde7ebd5
    • Instruction ID: 945ff9abe7b9f0996989324a3d8ab0e68d1570737d8b43c928ae144629f739f2
    • Opcode Fuzzy Hash: 8d83d546018f29946c0127a24cbd6411296dafdad7c1dc79f0e42c04dde7ebd5
    • Instruction Fuzzy Hash: FDF08C33200204BB8B215A9ABC08D67BFBBFBC2B63B25462AF545C1020D6728955DB70
    APIs
    • GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 005397BA
    • GetProcAddress.KERNEL32(00000000,RegOpenKeyTransactedW), ref: 005397CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: Advapi32.dll$RegOpenKeyTransactedW
    • API String ID: 1646373207-3913318428
    • Opcode ID: a05c338c5945691bf23260619cb214d4b4c313ac23fe17dd39986ac606fa8301
    • Instruction ID: 3ca0338a8bb3dc040e540312cf3758e06aa09cd2b23f4ac4d85772abbf62ec95
    • Opcode Fuzzy Hash: a05c338c5945691bf23260619cb214d4b4c313ac23fe17dd39986ac606fa8301
    • Instruction Fuzzy Hash: D5F05E3226021AABCF215FD59C48BA63FAAFF05752F044425B942A10E1DBB1C861DBA1
    APIs
    • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0056FB03
    • GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 0056FB13
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleModuleProc
    • String ID: GetFileAttributesTransactedW$kernel32.dll
    • API String ID: 1646373207-1378992308
    • Opcode ID: 132fbeb94d35c8375cf5a76e9697985afe6bae415d765ad2d63fd5ee123c30fc
    • Instruction ID: d7faebaf5c8337985a781b654f7d679dcf1c38a9ffa57abd8c83250bff241fc4
    • Opcode Fuzzy Hash: 132fbeb94d35c8375cf5a76e9697985afe6bae415d765ad2d63fd5ee123c30fc
    • Instruction Fuzzy Hash: 72F08C32640315FBCF215FE4EC28FAA7F9ABB04752F148439A805C2070DB71C850DB51
    APIs
    • __EH_prolog3.LIBCMT ref: 0056EEFD
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • _memset.LIBCMT ref: 0056EF91
    • _memset.LIBCMT ref: 0056F02A
    • _memset.LIBCMT ref: 0056F158
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _memset$H_prolog3$Exception@8Throw
    • String ID:
    • API String ID: 3059216242-0
    • Opcode ID: a16112eaddc722dccbb68b90e2a854be9bb4d4a7644938d4266d1b522c21351b
    • Instruction ID: b562a5a8b061389f7a9dd9640c6ec3e865e901f1bfc3ae75a111ec7bf1c81553
    • Opcode Fuzzy Hash: a16112eaddc722dccbb68b90e2a854be9bb4d4a7644938d4266d1b522c21351b
    • Instruction Fuzzy Hash: D2A1B471900606DBCB14DF68C98A76EBFB6FF90314F25C92DE46A9B291D770EA40CB50
    APIs
    • IsWindowVisible.USER32(?), ref: 00553662
    • GetDesktopWindow.USER32 ref: 0055368A
    • GetWindowRect.USER32(?,?), ref: 0055369D
    • GetWindowRect.USER32(?,?), ref: 005536AA
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Rect$DesktopException@8H_prolog3ThrowVisible
    • String ID:
    • API String ID: 584671360-0
    • Opcode ID: b5da2d20f6565dbb14d1fb3a6b66247a040f8e012b6f4d325c9f4e097d779dbc
    • Instruction ID: 59381c147168526052e8a76e8f9672026d7b1762d4150a356205601c5e742476
    • Opcode Fuzzy Hash: b5da2d20f6565dbb14d1fb3a6b66247a040f8e012b6f4d325c9f4e097d779dbc
    • Instruction Fuzzy Hash: D0613DB5E00619AFCF00DFA8C999CAEBBB9FF88741B144559F506E7251DB30AE45CB20
    APIs
    • FindResourceW.KERNEL32(?,00000000,000000F1), ref: 0055F121
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • LoadResource.KERNEL32(?,00000000), ref: 0055F134
    • LockResource.KERNEL32(00000000), ref: 0055F142
    • FreeResource.KERNEL32(?), ref: 0055F2E6
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Resource$Exception@8FindFreeH_prolog3LoadLockThrow
    • String ID:
    • API String ID: 1564530344-0
    • Opcode ID: dc62214e6c6557b77f723e3a0645df6d856c28d1652b836598f94fbdb4abb888
    • Instruction ID: 6a4f0710fbc842c1b33a8340f4d9d0fa7145af9968cdf2893db85aa1911d86af
    • Opcode Fuzzy Hash: dc62214e6c6557b77f723e3a0645df6d856c28d1652b836598f94fbdb4abb888
    • Instruction Fuzzy Hash: D961B3B4A00606EFCB15DFA1C964ABEBFB5FF44306F10856AEC0696291EB70DD45CB60
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: EmptyRect$Window
    • String ID:
    • API String ID: 1945993337-0
    • Opcode ID: 9216e17f89fbfc9d704d19fb03565b3db2744a0495f0fe9ef25c47383bc6e419
    • Instruction ID: 70d461922b7b07a25e3fb0255bf8d0c55ebb57befdb436d41e4e4b319ab3ee2d
    • Opcode Fuzzy Hash: 9216e17f89fbfc9d704d19fb03565b3db2744a0495f0fe9ef25c47383bc6e419
    • Instruction Fuzzy Hash: C7515D31A006168FDF15DF68C984BAA7BF6FF88300F1905A9EC16AF256DB70AD41CB50
    APIs
    • _memset.LIBCMT ref: 005AF4C1
    • GetSysColorBrush.USER32(0000000F), ref: 005AF52A
    • SetClassLongW.USER32(?,000000F6,00000000), ref: 005AF536
    • GetWindowRect.USER32(?,?), ref: 005AF559
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: BrushClassColorLongRectWindow_memset
    • String ID:
    • API String ID: 2638262843-0
    • Opcode ID: 3b985217566ac22c7c46085ce3a293bf543b565de77f239084faacc76b654672
    • Instruction ID: bf7f38e404a7d0b986108a4036acdfeb57c31ea390a3ae2b77d69f9b113587e0
    • Opcode Fuzzy Hash: 3b985217566ac22c7c46085ce3a293bf543b565de77f239084faacc76b654672
    • Instruction Fuzzy Hash: DF61F971E002099FCF10EFA9C885AEEBFF6BF89300F10452AE959E7251DB749941CB51
    APIs
    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005D84DF
    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005D8525
    • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 005D8535
    • IsWindowVisible.USER32(?), ref: 005D85DA
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSendWindow$RedrawVisible
    • String ID:
    • API String ID: 2376333906-0
    • Opcode ID: a7a915af221c2d693be8884c0a094401311f0aed2fd65803b45155b2c8c08718
    • Instruction ID: 91c6b29e73d95691d1c7fe45624d2de9b1acca62cae447e885b4af63ac44861e
    • Opcode Fuzzy Hash: a7a915af221c2d693be8884c0a094401311f0aed2fd65803b45155b2c8c08718
    • Instruction Fuzzy Hash: D0515D30200600AFC7319F68D899E7A7BF6FFC9704B24456AF1468B6A5DA32ED41CB11
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$CopyEmptyWindow
    • String ID:
    • API String ID: 2176940440-0
    • Opcode ID: 906e2f078f0fddebb0e5abcd2bf6ba94c5b49a5b271f21a4187e6685ad01b6cd
    • Instruction ID: fee30986552ae6a198a7ba03a50ba9f01c088c69d8fc6b847415bb5e23025d15
    • Opcode Fuzzy Hash: 906e2f078f0fddebb0e5abcd2bf6ba94c5b49a5b271f21a4187e6685ad01b6cd
    • Instruction Fuzzy Hash: C451F5B1D00219AFCB14DFA9D9848EEFBFAFF88700B14416AE511A7240DB706E41CFA1
    APIs
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: _wcslen
    • String ID:
    • API String ID: 176396367-0
    • Opcode ID: b58c7ae0f81eec214a0845589f87d226f9f45fa333e4d12d7ebd0e3acfb072a8
    • Instruction ID: a7b286b9586915a62b9bbcc67a9ae711d72f4567396f79f8d5003faddc66cce6
    • Opcode Fuzzy Hash: b58c7ae0f81eec214a0845589f87d226f9f45fa333e4d12d7ebd0e3acfb072a8
    • Instruction Fuzzy Hash: 19519F72D40219EF8F92DFA8C9818EEBBB5FF48314B20855AF801B7201D730AE418BD5
    APIs
    • GetAsyncKeyState.USER32(00000001), ref: 0057544B
    • WindowFromPoint.USER32(?,?), ref: 0057548B
    • SendMessageW.USER32(?,00000000,?,00000000), ref: 005754FE
    • ScreenToClient.USER32(?,?), ref: 0057555F
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AsyncClientFromMessagePointScreenSendStateWindow
    • String ID:
    • API String ID: 227561881-0
    • Opcode ID: 309766290f291a00f092cbf79658284228ab167dcefcf3acf72ad41acd3d9d5c
    • Instruction ID: e7002c211d5e388506e62c857cfa8bd70fa496e812404c39dbc462780150d209
    • Opcode Fuzzy Hash: 309766290f291a00f092cbf79658284228ab167dcefcf3acf72ad41acd3d9d5c
    • Instruction Fuzzy Hash: DC519F71600606EFCF149F64E844ABEBFB6FF48300F10852AF95A97250FBB0A950DB91
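The report's signature list flags "Extensive use of GetProcAddress" and "key state polling", and the function entries above (the GetModuleHandleW/GetProcAddress pairs resolving RegCreateKeyTransactedW, RegDeleteKeyTransactedW, RegOpenKeyTransactedW, GetFileAttributesTransactedW and AfxmReleaseManagedReferences, plus the GetAsyncKeyState call at 0057544B) are the evidence behind both. The script below is an added editorial example, not Joe Sandbox code and not part of the report: it parses "APIs" call-site lines in the text layout shown on this page, pairs each GetProcAddress with the nearest preceding module lookup in the same function, and lists the dynamically resolved imports per module together with any key-state polling sites. The bullet character and the ", ref: " layout are assumed to match this page's text rendering; the SAMPLE input is constructed from entries copied off this page.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# One call-site line of a Joe Sandbox "APIs" listing, e.g.
#   • GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00539823
#   • GetFocus.USER32 ref: 005DFEF9            (call with no argument list)
# "Part of subcall function ..." lines are deliberately left unmatched.
CALL_RE = re.compile(
    r"^\s*•\s*(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-Fa-f]{8}$")

# Calls that yield the module handle a later GetProcAddress in the same function consumes.
MODULE_RESOLVERS = {"GetModuleHandleW", "GetModuleHandleA", "LoadLibraryW",
                    "LoadLibraryA", "LoadLibraryExW", "LoadLibraryExA"}
# Polling APIs behind the report's "key state polling based" keylogger signature.
KEY_POLLERS = {"GetAsyncKeyState", "GetKeyState", "GetKeyboardState"}

Call = Tuple[str, str, List[str], str]  # (api, module, args, ref)


def _is_literal(arg: str) -> bool:
    """Joe prints unknown values as '?' and constants as 8-digit hex; anything else is a string literal."""
    return arg not in ("", "?") and HEX8.match(arg) is None


def parse_blocks(text: str) -> List[List[Call]]:
    """Split the report text into per-function call lists, one per 'APIs' header."""
    blocks: List[List[Call]] = []
    current = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = []
            blocks.append(current)
            continue
        m = CALL_RE.match(line) if current is not None else None
        if m is None:
            continue
        raw = m.group("args")
        # Literals in this report contain no commas, so a plain split is safe here.
        args = [a.strip() for a in raw.split(",")] if raw is not None else []
        current.append((m.group("api"), m.group("mod"), args, m.group("ref").upper()))
    return blocks


def triage(text: str) -> Dict[str, list]:
    """Pair every GetProcAddress with the nearest preceding module lookup in its function."""
    dynamic_imports: List[Tuple[str, str, str]] = []
    key_polling: List[str] = []
    for block in parse_blocks(text):
        module = "<unresolved>"
        for api, _mod, args, ref in block:
            if api in MODULE_RESOLVERS:
                module = args[0] if args and _is_literal(args[0]) else "<unresolved>"
            elif api == "GetProcAddress" and len(args) >= 2 and _is_literal(args[1]):
                dynamic_imports.append((module, args[1], ref))
            if api in KEY_POLLERS:
                key_polling.append(ref)
    return {"dynamic_imports": dynamic_imports, "key_polling_refs": key_polling}


def by_module(result: Dict[str, list]) -> Dict[str, List[str]]:
    """Group resolved export names per module."""
    grouped = defaultdict(set)
    for module, func, _ref in result["dynamic_imports"]:
        grouped[module].add(func)
    return {m: sorted(fs) for m, fs in grouped.items()}


# Constructed sample: "APIs" entries copied from this report's function listing.
SAMPLE = """\
APIs
• KillTimer.USER32(?,00000002), ref: 005DFEED
• GetFocus.USER32 ref: 005DFEF9
• RedrawWindow.USER32(?,00000000,00000000,00000105,00000000), ref: 005DFF2A
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 00539813
• GetProcAddress.KERNEL32(00000000,RegCreateKeyTransactedW), ref: 00539823
APIs
• GetModuleHandleW.KERNEL32(?), ref: 00546B69
• GetProcAddress.KERNEL32(00000000,AfxmReleaseManagedReferences), ref: 00546B79
APIs
• GetModuleHandleW.KERNEL32(Advapi32.dll), ref: 0053D8DE
• GetProcAddress.KERNEL32(00000000,RegDeleteKeyTransactedW), ref: 0053D8EE
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0056FB03
• GetProcAddress.KERNEL32(00000000,GetFileAttributesTransactedW), ref: 0056FB13
APIs
• GetAsyncKeyState.USER32(00000001), ref: 0057544B
• WindowFromPoint.USER32(?,?), ref: 0057548B
  • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
• SendMessageW.USER32(?,00000000,?,00000000), ref: 005754FE
Memory Dump Source
"""

if __name__ == "__main__":
    res = triage(SAMPLE)
    for module, funcs in sorted(by_module(res).items()):
        print(f"{module}: {', '.join(funcs)}")
    print("key-state polling at:", ", ".join(res["key_polling_refs"]))
```

On the entries from this page the output groups the *Transacted registry functions under Advapi32.dll and GetFileAttributesTransactedW under kernel32.dll, and reports AfxmReleaseManagedReferences as unresolved: its GetModuleHandleW argument is printed as "?", and the module (mfcm100u.dll) is only visible in that block's String ID line, which is why the String ID should be read alongside the call-site arguments. Two caveats before either signature is cited as malicious: a set of run-time-resolved names consisting of the Transacted registry and file APIs from Advapi32.dll/kernel32.dll plus an Afxm export from mfcm100u.dll is consistent with what the MFC/ATL runtime itself resolves lazily in any MFC 10 application, so on its own it is weak evidence of deliberate API hiding; and GetAsyncKeyState(00000001) is a VK_LBUTTON check that sits next to WindowFromPoint and ScreenToClient in the same function, which reads as mouse hit-testing rather than keystroke capture. Both deserve a manual look at the disassembly around the listed ref addresses.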
    APIs
    • __EH_prolog3.LIBCMT ref: 005453C1
    • SendDlgItemMessageA.USER32(?,?,?,00000000,?), ref: 0054550D
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • SendDlgItemMessageW.USER32(?,?,0000040B,00000000,00000001), ref: 00545499
      • Part of subcall function 00555D23: __EH_prolog3.LIBCMT ref: 00555D2A
    • SendDlgItemMessageW.USER32(?,?,0000037C,?,?), ref: 005454CB
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ItemMessageSend$H_prolog3$_malloc
    • String ID:
    • API String ID: 2480034192-0
    • Opcode ID: 15410505698ee67f9bc00728b9a26e5396e41792acb65beb11193b7608f8010f
    • Instruction ID: af34678607d293f10b53066c3179a2ef824fb0148b3d9a30b04c586a129d22fa
    • Opcode Fuzzy Hash: 15410505698ee67f9bc00728b9a26e5396e41792acb65beb11193b7608f8010f
    • Instruction Fuzzy Hash: 9A41E171900905ABDF25AF64CC54BFE7EB6FB80325F604619F961AB2D2E7708E42CB50
    APIs
    • __EH_prolog3_GS.LIBCMT ref: 005B304B
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
      • Part of subcall function 005464CC: __EH_prolog3_catch.LIBCMT ref: 005464D3
    • GetWindowRect.USER32(?,?), ref: 005B313F
    • GetSystemMetrics.USER32(00000010), ref: 005B314D
    • GetSystemMetrics.USER32(00000011), ref: 005B3158
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MetricsSystem$Exception@8H_prolog3H_prolog3_H_prolog3_catchRectThrowWindow
    • String ID:
    • API String ID: 3575448974-0
    • Opcode ID: 86929277372bbfeab49bade18117b3f5f8295b8efe293c97e5aed4fc3bb23452
    • Instruction ID: 17d2e195ea087ab01fa6f11b7086416dc378f248a103d0e36941f7c0938aba80
    • Opcode Fuzzy Hash: 86929277372bbfeab49bade18117b3f5f8295b8efe293c97e5aed4fc3bb23452
    • Instruction Fuzzy Hash: 2A414D71A006059FCB04EFA4C899AEEBBF6BF88300F054569F906AB291CB71A944CF50
    APIs
    • SetWaitableTimer.KERNEL32(?,?,?,00000000,00000000,00000000,?,00000000,FFFFD8F0,000000FF), ref: 00533208
    • WSAWaitForMultipleEvents.WS2_32(00000004,?,00000000,000000FF,00000000), ref: 00533275
    • GetLastError.KERNEL32(?,00000000,000000FF,00000000), ref: 005332EB
    • WSAGetLastError.WS2_32(?,00000000,000000FF,00000000), ref: 0053331C
    Similarity
    • API ID: ErrorLast$EventsMultipleTimerWaitWaitable
    • String ID:
    • API String ID: 3439003633-0
    • Opcode ID: 4ce44bf64d76d4093156d642b69b7ced47c58307381bd52dfce924732e682cc7
    • Instruction ID: 77750de62dd6c5f45073f5f1d897213e8b38b3fb1ac091423fb9efb6c752d61a
    • Opcode Fuzzy Hash: 4ce44bf64d76d4093156d642b69b7ced47c58307381bd52dfce924732e682cc7
    • Instruction Fuzzy Hash: E4415874600612ABDB659F68C985BAAFBA4FF49710F104229F919D7250DB70EA20CBD1
    APIs
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,00000000,434C7695,?,?,?,?,0064C286,000000FF), ref: 00539E27
    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?,?,?,?,?,?,0064C286,000000FF), ref: 00539E63
    • RegCloseKey.ADVAPI32(?,?,?,?,?,0064C286,000000FF), ref: 00539E7E
    • GetPrivateProfileStringW.KERNEL32(?,?,?,?,00001000,?), ref: 00539EE7
    Similarity
    • API ID: QueryValue$ClosePrivateProfileString
    • String ID:
    • API String ID: 1042844925-0
    • Opcode ID: e51be25d0bb05f44acaed1fad6b6a93033781486a4dd730b14452b7502a00239
    • Instruction ID: a4fa0ed50d5a8fbefffb0e1dce61edb7661f4073d6ce7dc96df1eb837465177f
    • Opcode Fuzzy Hash: e51be25d0bb05f44acaed1fad6b6a93033781486a4dd730b14452b7502a00239
    • Instruction Fuzzy Hash: 49412DB1D00328DBCB26DF54CC4C99EBBB9FF48310F10459AE509A2292DB709E95DFA4
    Similarity
    • API ID: EmptyRect
    • String ID:
    • API String ID: 2270935405-0
    • Opcode ID: c8ac7a85364738b41c10d8bb9246984fac56683d8efb09db5a496096c0aca721
    • Instruction ID: 9363d974a880a87031deb6ddf30a85b7f4f2fefe24e8988628269172633a76b0
    • Opcode Fuzzy Hash: c8ac7a85364738b41c10d8bb9246984fac56683d8efb09db5a496096c0aca721
    • Instruction Fuzzy Hash: 2651A9B1804B858EC360DF7AC5856E7FAE9BF99300F144E2FD1AAD3261DBB065819F10
    Similarity
    • API ID: ClientScreenWindow
    • String ID:
    • API String ID: 1643562046-0
    • Opcode ID: 6864f2816b571736a09fb825617813d2f88796a1cc0e5472397cc382cd0dd800
    • Instruction ID: b877e5c3b492af3093a02f9dc7f7fe0582ab8218dd3e2fa0218da2cbf7465432
    • Opcode Fuzzy Hash: 6864f2816b571736a09fb825617813d2f88796a1cc0e5472397cc382cd0dd800
    • Instruction Fuzzy Hash: 34419C75500601ABDB209F64DC84EAEBFB9FF08320F108829F989D6161E735EA81FB10
    APIs
    • SetRectEmpty.USER32(?), ref: 005938BE
    • RedrawWindow.USER32(?,?,00000000,00000105), ref: 005938D9
    • IsRectEmpty.USER32(?), ref: 0059392B
    • RedrawWindow.USER32(?,?,00000000,00000105), ref: 00593946
      • Part of subcall function 00591489: RedrawWindow.USER32(00000000,?,00000000,00000105), ref: 005914F3
    Similarity
    • API ID: RedrawWindow$EmptyRect
    • String ID:
    • API String ID: 138230908-0
    • Opcode ID: af0ba38b18ebd1aa8351335378d3ebb7a71bb19bb257c05587c26e04cad1e7a9
    • Instruction ID: f3f9487774c00467a2b29397e77f8b74b8b47b110828dd14b6512206d3a9c971
    • Opcode Fuzzy Hash: af0ba38b18ebd1aa8351335378d3ebb7a71bb19bb257c05587c26e04cad1e7a9
    • Instruction Fuzzy Hash: EC416F71A01616EBCF14DFA4CC85BEE7BB9FB88311F144079E905AB251D7B1AE41CBA0
    APIs
    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00647635
    • __isleadbyte_l.LIBCMT ref: 00647668
    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?,?), ref: 00647699
    • MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?,?), ref: 00647707
    Similarity
    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
    • String ID:
    • API String ID: 3058430110-0
    • Opcode ID: 90ea889f47027326d3da7fe5d879c69b9a9f7096149b60e4185cb09e046a88c2
    • Instruction ID: 458dbeab4d10f022a92f2a39d7f590357d3e64e229ced29fc491c9b2a75611ff
    • Opcode Fuzzy Hash: 90ea889f47027326d3da7fe5d879c69b9a9f7096149b60e4185cb09e046a88c2
    • Instruction Fuzzy Hash: 0F318E31A08656EFDB20EF68C880DFA7BA7EF01311F1685A9E4659B291E730DD50DB50
    Similarity
    • API ID: Parent$MessageSend
    • String ID:
    • API String ID: 2251359880-0
    • Opcode ID: 457beb13936a1dfcca719d33c0949b8b2c926486a704590bb73fd67e2b0ae8b1
    • Instruction ID: 9f64490e9a4f1b6982e94006d422da8598e61bb3b23c79ff043693e60c210224
    • Opcode Fuzzy Hash: 457beb13936a1dfcca719d33c0949b8b2c926486a704590bb73fd67e2b0ae8b1
    • Instruction Fuzzy Hash: C2317EB1600246EFCB249FA4C848EBEBFB9FF49305B108669E146D3260DF709D01DB54
    Similarity
    • API ID: Rect$ClientEmptyWindow
    • String ID:
    • API String ID: 742297903-0
    • Opcode ID: 60891888bb85214b8eae420ed63fdca196933220e28143a69cbdff01aff94d88
    • Instruction ID: 4dad54b2855cec6914cfafcc5fcf4da3a63f52b7b70e99cd4452ba9cc78b8cd8
    • Opcode Fuzzy Hash: 60891888bb85214b8eae420ed63fdca196933220e28143a69cbdff01aff94d88
    • Instruction Fuzzy Hash: DC312EB5600209EFCB04DFA8C994AA9BBF5FF49304B108569E51ADB251D734ED00CFA1
    Similarity
    • API ID: EmptyRect
    • String ID:
    • API String ID: 2270935405-0
    • Opcode ID: c5921157f9ad55e2c0e63bbb76fc3244a2ffd6edd38861f00751672f696d03a3
    • Instruction ID: b9021b3133c9cfcce82746d93263fb83b2381f25d6dc3b61b6db9662289a572d
    • Opcode Fuzzy Hash: c5921157f9ad55e2c0e63bbb76fc3244a2ffd6edd38861f00751672f696d03a3
    • Instruction Fuzzy Hash: 383184B1900218DFCF29DF95C8C0AEEB7BAFF88710F10406AEA05A7245DB71D941CB91
    APIs
    • GetClientRect.USER32(?,?), ref: 005687C4
    • PtInRect.USER32(?,?,?), ref: 005687E8
      • Part of subcall function 00567E03: ScreenToClient.USER32(?,?), ref: 00567E20
      • Part of subcall function 00567E03: GetParent.USER32(?), ref: 00567E37
    • MapWindowPoints.USER32(?,?,?,00000001), ref: 00568813
    • SendMessageW.USER32(?,00000202,?,?), ref: 00568832
    Similarity
    • API ID: ClientRect$MessageParentPointsScreenSendWindow
    • String ID:
    • API String ID: 4233697448-0
    • Opcode ID: fc2d54a215487863ac43d4f52f673b1e138282b005c2684e560157ce639de875
    • Instruction ID: faf2e7c4022147a53c7419e2c526ba9ffd4dbb6f832fffdbde244f63a6247112
    • Opcode Fuzzy Hash: fc2d54a215487863ac43d4f52f673b1e138282b005c2684e560157ce639de875
    • Instruction Fuzzy Hash: BF314A71A0020AEFDF10DFA5CC849BE7FB6FB48300B504A2EF91A97110DB70A950DB90
    APIs
    • GetCursorPos.USER32(00000000), ref: 005926E4
    • ScreenToClient.USER32(?,00000000), ref: 005926F1
    • SetCursor.USER32 ref: 0059271E
    • PtInRect.USER32(?,00000000,00000000), ref: 00592788
    Similarity
    • API ID: Cursor$ClientRectScreen
    • String ID:
    • API String ID: 2390797981-0
    • Opcode ID: 37833f8287767ef885237421c23e86d4e983a9a858d4a71c8a86a9c2d8ccfd30
    • Instruction ID: 525394b3c087e2593ec0a8b1107b1bfa4cf52e87240815a822e65f78afa9c52d
    • Opcode Fuzzy Hash: 37833f8287767ef885237421c23e86d4e983a9a858d4a71c8a86a9c2d8ccfd30
    • Instruction Fuzzy Hash: 0D216B3A51060AFFCF21EBE4C948AAEBFBAFB44365F204459E005E2110DB30EA40DF50
    Similarity
    • API ID: EmptyRect$CursorState
    • String ID:
    • API String ID: 2369637639-0
    • Opcode ID: e064d4d8a3272d417fec5aafa1961e5a7c1e1c3646ee306ae80cebb0849f27f0
    • Instruction ID: d7b6ba3a953e0f73437909d88e463dc9cbdea9ca40c165dcd02c3cd7b7c721c2
    • Opcode Fuzzy Hash: e064d4d8a3272d417fec5aafa1961e5a7c1e1c3646ee306ae80cebb0849f27f0
    • Instruction Fuzzy Hash: 70211275A002199FCF51EFE4C8489FEBFB9FF48741F501526E515F2140DB749A058BA1
    Similarity
    • API ID: CharNext$__fassign_wcstoulwcstoxl
    • String ID:
    • API String ID: 2919217853-0
    • Opcode ID: 07724b1ec6f555d8355cade506d2ac640c8741d156b4d1df79ed0148c7ea91b2
    • Instruction ID: 79006050a09a9876b13352a7c1c9184a9aac0c300469ec4fbd91722fe26c1e38
    • Opcode Fuzzy Hash: 07724b1ec6f555d8355cade506d2ac640c8741d156b4d1df79ed0148c7ea91b2
    • Instruction Fuzzy Hash: 8021C0B1500306AACB20AF68CC45BAABBB9BF49348F214459F919DB141EB34DD408AA4
    APIs
    • GetClientRect.USER32 ref: 00568704
    • PtInRect.USER32(?,?,?), ref: 0056871C
      • Part of subcall function 00567E03: ScreenToClient.USER32(?,?), ref: 00567E20
      • Part of subcall function 00567E03: GetParent.USER32(?), ref: 00567E37
    • MapWindowPoints.USER32(?,?,?,00000001), ref: 00568753
    • SendMessageW.USER32(?,00000201,?,?), ref: 00568772
    Similarity
    • API ID: ClientRect$MessageParentPointsScreenSendWindow
    • String ID:
    • API String ID: 4233697448-0
    • Opcode ID: 702750b701b2eb1430b4e84050346d5c36cff3cafa9a1ec018d7a25decc787ff
    • Instruction ID: 5e7efa9b1fb9f1de56da6828b2e6bbc277adc0ace3a90ccb7ccb6a3e8a89d313
    • Opcode Fuzzy Hash: 702750b701b2eb1430b4e84050346d5c36cff3cafa9a1ec018d7a25decc787ff
    • Instruction Fuzzy Hash: 99210575A0020AAFDF109FA5CC849AEBFB6FB48301F10452AF91596260DB71A910DB90
    APIs
    • __EH_prolog3.LIBCMT ref: 0059ACD3
    • GetSystemPaletteEntries.GDI32(?,00000000,00000100,00000004), ref: 0059AD3B
    • CreatePalette.GDI32(00000000), ref: 0059AD86
      • Part of subcall function 0059A87F: GetObjectW.GDI32(?,00000002,?), ref: 0059A88E
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • GetPaletteEntries.GDI32(00000000,00000000,00000000,00000004), ref: 0059AD6D
    Similarity
    • API ID: Palette$Entries$CreateH_prolog3ObjectSystem_malloc
    • String ID:
    • API String ID: 437169817-0
    • Opcode ID: bbf2971336bafb6e0a223de1df4620277e82aba5b6943e145e2c8368e0c96fdc
    • Instruction ID: cc59a6bfd4bd646b6b4622d8ef1b454eac1fb17c79eeba98eb36a34e017c65da
    • Opcode Fuzzy Hash: bbf2971336bafb6e0a223de1df4620277e82aba5b6943e145e2c8368e0c96fdc
    • Instruction Fuzzy Hash: 8E219F32600301AFDB55AFA4C949B9E7BE5BF48311F18842DF64ADB1D2DF349904CBA6
    Similarity
    • API ID: __getptd_noexit
    • String ID:
    • API String ID: 3074181302-0
    • Opcode ID: 58a910f717fff8a33fe8f43e8d2218f44d229d2bf95e4489c7263d8b06769341
    • Instruction ID: c698e3853c9b47e889683f1b0804af2b7a63e8f7e4592b2dc231701739300a9c
    • Opcode Fuzzy Hash: 58a910f717fff8a33fe8f43e8d2218f44d229d2bf95e4489c7263d8b06769341
    • Instruction Fuzzy Hash: 0A118131900704AFDF206BA4DC05BDA7AABEF85761F650224F912972E0DB718E41CBE5
    Similarity
    • API ID: Rect$CallCursorHookNextWindow
    • String ID:
    • API String ID: 3719484595-0
    • Opcode ID: 01398120301e840feb186379926b2460f512cce12f0b05baa38ffc468e507700
    • Instruction ID: f0d4d5343eb2414dbb09c09b887bb2592159c61beb98e4a612b138e1c84a77cc
    • Opcode Fuzzy Hash: 01398120301e840feb186379926b2460f512cce12f0b05baa38ffc468e507700
    • Instruction Fuzzy Hash: 40212C36A0020AAFCF04DFA9DD449AEFFB9FF89311F05415AE510F2260D670AA11DF51
    APIs
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
    • GetForegroundWindow.USER32 ref: 005829DE
    • GetLastActivePopup.USER32(?), ref: 00582A02
    • SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 00582A1A
    • SendMessageW.USER32(?,0000036D,00000000,00000000), ref: 00582A3F
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Similarity
    • API ID: MessageSendWindow$ActiveException@8ForegroundH_prolog3LastLongPopupThrow
    • String ID:
    • API String ID: 2019557511-0
    • Opcode ID: 5de235fd92d545568b5adb5fb2a12b8ae0704d81f6451e5269c3a778383abb27
    • Instruction ID: 6a8097fc335f7d0d23e96a6ac8b287967129056c45c5fc3764385f141c423f3f
    • Opcode Fuzzy Hash: 5de235fd92d545568b5adb5fb2a12b8ae0704d81f6451e5269c3a778383abb27
    • Instruction Fuzzy Hash: 9711A772B206017BDB25BBA58C49F6E3EADFF84704F000065FA01E3161EAB4DE41CB65
    APIs
    • __EH_prolog3.LIBCMT ref: 005366EC
      • Part of subcall function 00536304: _malloc.LIBCMT ref: 00536322
    • __CxxThrowException@8.LIBCMT ref: 00536731
    • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,80004005,00000000,00000000,?,?,0068E6CC,00000004,00534426,8007000E,00534FD0,80004005,00000001), ref: 0053675B
      • Part of subcall function 005357FA: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 005357FA: __EH_prolog3.LIBCMT ref: 00536474
    • LocalFree.KERNEL32(?), ref: 00536789
    Similarity
    • API ID: Exception@8H_prolog3Throw$FormatFreeLocalMessage_malloc
    • String ID:
    • API String ID: 489379502-0
    • Opcode ID: b7daa1a8f609c234e6687c1422b0deb471d6b2011877489ff98609c368d78008
    • Instruction ID: a9b36ecc999f4c45d0959ad43772c51d45beea83fcc601a00ea20c3e6e28d2b9
    • Opcode Fuzzy Hash: b7daa1a8f609c234e6687c1422b0deb471d6b2011877489ff98609c368d78008
    • Instruction Fuzzy Hash: 771190B1500309BFDB11DFA4CC05AAE3FAAFF44B15F20CA1DF9269B190D7719A518B90
    APIs
      • Part of subcall function 0053EC52: ActivateActCtx.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,0058B3E3,000000FF,00000050), ref: 0053EC75
    • IntersectRect.USER32(?,?,?), ref: 00551081
    • EqualRect.USER32(?,?), ref: 0055108C
    • IsRectEmpty.USER32(?), ref: 00551096
    • InvalidateRect.USER32(?,?,?), ref: 005510B3
    Similarity
    • API ID: Rect$ActivateEmptyEqualIntersectInvalidate
    • String ID:
    • API String ID: 4049613494-0
    • Opcode ID: 2d697ed502e630611e41ede3b83b844eaf73b8eca10a3ee48d98ce96ba71226d
    • Instruction ID: 018d272187a5e59fc42da9f9eb7875c92b649fe73c9095437e3b8c832e4aaa5e
    • Opcode Fuzzy Hash: 2d697ed502e630611e41ede3b83b844eaf73b8eca10a3ee48d98ce96ba71226d
    • Instruction Fuzzy Hash: 0A11FC72900219EFCF00DFA9D988DAEBBB9FF89301F114156E915E7161D770AA05CFA1
    APIs
    • FindResourceW.KERNEL32(?,?,00000005,00000005,?,00000000,?,0061B54B,00000005,?), ref: 0061B288
    • LoadResource.KERNEL32(?,00000000,?,00000000,?,0061B54B,00000005,?), ref: 0061B29D
    • LockResource.KERNEL32(00000000,?,00000000,?,0061B54B,00000005,?), ref: 0061B2AF
    • GlobalFree.KERNEL32(?), ref: 0061B2E9
    Similarity
    • API ID: Resource$FindFreeGlobalLoadLock
    • String ID:
    • API String ID: 3898064442-0
    • Opcode ID: 8d127e0d8cce30ab9a55651c6de75d514f1b296da987f019d3f5708e3c3c4a92
    • Instruction ID: e4879ae1303bfcb376dccce311659a3916194b880a8fce7f731501baa8cec40c
    • Opcode Fuzzy Hash: 8d127e0d8cce30ab9a55651c6de75d514f1b296da987f019d3f5708e3c3c4a92
    • Instruction Fuzzy Hash: 3811D031100706ABCB22AFB5D849BAB7BE7BF85361F18901DF855C7221DB30DA458B60
    APIs
    • GetParent.USER32(?), ref: 005710B1
    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 005710F4
    • RedrawWindow.USER32(?,00000000,00000000,00000185), ref: 00571100
    • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 005710DF
      • Part of subcall function 005D7ECF: SendMessageW.USER32(?,00000234,00000000,00000000), ref: 005D7F4A
      • Part of subcall function 005D7ECF: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 005D7F71
      • Part of subcall function 005D7ECF: SendMessageW.USER32(?,00000229,00000000,00000000), ref: 005D7F8E
      • Part of subcall function 005D7ECF: SendMessageW.USER32(?,00000222,?,00000000), ref: 005D7FA5
    Similarity
    • API ID: MessageSend$ParentRedrawWindow
    • String ID:
    • API String ID: 2139789815-0
    • Opcode ID: cb27cb81382aca5546397dcc9b3813d31b435dc8e69cefa12cd479e4296986ed
    • Instruction ID: e19fb76cf65f8571c37c731c92ac18f2ec9d706570e70973ebbf09154fcb710a
    • Opcode Fuzzy Hash: cb27cb81382aca5546397dcc9b3813d31b435dc8e69cefa12cd479e4296986ed
    • Instruction Fuzzy Hash: 9A11E372600709BBDB206F64DCC9E6A7EAAFBC4340F504129F2499B150D7709C40EB50
    APIs
      • Part of subcall function 005459C6: GetDlgItem.USER32(?,?), ref: 005459D7
    • GetWindowLongW.USER32(?,000000F0), ref: 0058AA13
    • GetWindowTextLengthW.USER32(?), ref: 0058AA40
    • GetWindowTextW.USER32(?,00000000,00000100), ref: 0058AA6F
    • SendMessageW.USER32(?,0000014D,000000FF,?), ref: 0058AA90
      • Part of subcall function 00547729: lstrlenW.KERNEL32(?,?,?), ref: 00547755
      • Part of subcall function 00547729: _memset.LIBCMT ref: 00547773
      • Part of subcall function 00547729: GetWindowTextW.USER32(00000000,?,00000100), ref: 0054778D
      • Part of subcall function 00547729: lstrcmpW.KERNEL32(?,?,?,?), ref: 0054779F
      • Part of subcall function 00547729: SetWindowTextW.USER32(00000000,?), ref: 005477AB
    Similarity
    • API ID: Window$Text$ItemLengthLongMessageSend_memsetlstrcmplstrlen
    • String ID:
    • API String ID: 205973220-0
    • Opcode ID: 47f3c7324629e5152c2c21b55368ec40013c9274334e14cab64bff57b2da1b1b
    • Instruction ID: ccf743de5c3bb26e7517821cdf1903fdad15e00f368761cff7e5e85b5ebdfe17
    • Opcode Fuzzy Hash: 47f3c7324629e5152c2c21b55368ec40013c9274334e14cab64bff57b2da1b1b
    • Instruction Fuzzy Hash: 1211D03110420ABFEF05AF90CC09EA93FA6FF48320F18860AFD256A1E0CB319851DF52
    APIs
    • GetObjectW.GDI32(?,0000000C,?), ref: 00540D3C
    • SetBkColor.GDI32(?,?), ref: 00540D46
    • GetSysColor.USER32(00000008), ref: 00540D56
    • SetTextColor.GDI32(?,?), ref: 00540D5E
    Similarity
    • API ID: Color$ObjectText
    • String ID:
    • API String ID: 829078354-0
    • Opcode ID: c59f240a5851ea8bab129d5ebe9c19dc4d82ff7b1c222e25b0cd270af80d2503
    • Instruction ID: e02807d61471f41c87e2cb6a0f67f381d9c87fc1a7d16bfd6cae640f6344ae41
    • Opcode Fuzzy Hash: c59f240a5851ea8bab129d5ebe9c19dc4d82ff7b1c222e25b0cd270af80d2503
    • Instruction Fuzzy Hash: 3C113C35A00205AF8B20EFA89D44AEFBBA9FB49719F241A15FA11D31D4CB30ED0586A1
    APIs
    Similarity
    • API ID: RectWindow$CursorFromPoint
    • String ID:
    • API String ID: 3445796726-0
    • Opcode ID: a9be52b51f0f5ab98d567c2b5308692f4812f72318a4c2dcd6c1d4e6cf169eb2
    • Instruction ID: 6e6c8d4070d2fc51d91831af366424156ee6ea0cd8188a30169a327ed92d4345
    • Opcode Fuzzy Hash: a9be52b51f0f5ab98d567c2b5308692f4812f72318a4c2dcd6c1d4e6cf169eb2
    • Instruction Fuzzy Hash: 4011DD71D00209AF8B11EFE5D8858BFBFF9FF88301B10051AE556E2210DB7499069B65
    APIs
    • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 00539A42
    • RegCloseKey.ADVAPI32(00000000), ref: 00539A4B
    • swprintf.LIBCMT ref: 00539A68
    • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 00539A79
    Similarity
    • API ID: ClosePrivateProfileStringValueWriteswprintf
    • String ID:
    • API String ID: 22681860-0
    • Opcode ID: 3f195d7aac5afe11db4258c9672b4ff32e8adcafe0d3986b1494e4fae788bb92
    • Instruction ID: c85e24d78a36f6ea9ba9d0b98783f6eef5ac59b804ca36050c4cf9cce8f87776
    • Opcode Fuzzy Hash: 3f195d7aac5afe11db4258c9672b4ff32e8adcafe0d3986b1494e4fae788bb92
    • Instruction Fuzzy Hash: 3801A172600309BBDB10DFA48C46FAA77EDFF88714F140519F601E7180DAB0ED018BA4
    APIs
    • FindResourceW.KERNEL32(?,?,000000F0), ref: 00538A21
    • LoadResource.KERNEL32(?,00000000), ref: 00538A2D
    • LockResource.KERNEL32(00000000), ref: 00538A3B
    • FreeResource.KERNEL32(00000000), ref: 00538A69
    Similarity
    • API ID: Resource$FindFreeLoadLock
    • String ID:
    • API String ID: 1078018258-0
    • Opcode ID: 8490187a9930fec4d4a6ac44c44f34bd18ede113fc67ea73b9e871f4ec8528a9
    • Instruction ID: dcc1c7aeb0790e9638bcc3151a4ddf29d734252494adea0382556ef501702c60
    • Opcode Fuzzy Hash: 8490187a9930fec4d4a6ac44c44f34bd18ede113fc67ea73b9e871f4ec8528a9
    • Instruction Fuzzy Hash: F3113671600309EFDB11CF95C848AAE7BAAFF44365F04806AF905972A0CB74DE00CF61
    APIs
    • EnableMenuItem.USER32(?,00000000,?), ref: 0053CF53
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    • GetFocus.USER32 ref: 0053CF69
    • GetParent.USER32(?), ref: 0053CF77
    • SendMessageW.USER32(?,00000028,00000000,00000000), ref: 0053CF8A
    Similarity
    • API ID: EnableException@8FocusH_prolog3ItemMenuMessageParentSendThrow
    • String ID:
    • API String ID: 3849708097-0
    • Opcode ID: 2b1860216fb07c92d63edf5a6ace81aab2fae49a17ff22305c364266eaba4700
    • Instruction ID: 61463f7d2f12ecdc7617d97d9fe04cb062ea8b20ccf5bb2e695c7a84ec06e9de
    • Opcode Fuzzy Hash: 2b1860216fb07c92d63edf5a6ace81aab2fae49a17ff22305c364266eaba4700
    • Instruction Fuzzy Hash: 98118E71100700AFCB20AF60DC89D6ABFBBFF88316F108629F18656960D771EC44CBA1
    APIs
    • SetActiveWindow.USER32(?), ref: 0056C046
    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0056C05F
    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0056C092
    • DragFinish.SHELL32(?), ref: 0056C0BA
    Similarity
    • API ID: Drag$FileQuery$ActiveFinishWindow
    • String ID:
    • API String ID: 892977027-0
    • Opcode ID: f32be712d3f4c2293627e0f23beefd3143d48688f5ce24705f9198f3b3e25fe7
    • Instruction ID: 5f9774336b0b3dc1af07ba227110292ec15ff586c1bf4ca1dc3b63ee3d5d6e19
    • Opcode Fuzzy Hash: f32be712d3f4c2293627e0f23beefd3143d48688f5ce24705f9198f3b3e25fe7
    • Instruction Fuzzy Hash: F6115171940218ABCB20EB64CC8DFEDBBB9FB54311F100595E119A7191CBB0AE44CF61
    APIs
    • GetClientRect.USER32(?,?), ref: 0058EEA5
    • GetSystemMetrics.USER32(0000002D), ref: 0058EEB9
    • GetSystemMetrics.USER32(00000002), ref: 0058EEC1
    • SendMessageW.USER32(?,0000101E,00000000,00000000), ref: 0058EED9
    Similarity
    • API ID: MetricsSystem$ClientMessageRectSend
    • String ID:
    • API String ID: 2251314529-0
    • Opcode ID: 634746c6621f2efc3e5417beffc3ca72a681ce9e5505e136f3d910432c705d5a
    • Instruction ID: abd72baeecb25fc875774f5424daf68671b60302a866f552edabc66fd9e8e97e
    • Opcode Fuzzy Hash: 634746c6621f2efc3e5417beffc3ca72a681ce9e5505e136f3d910432c705d5a
    • Instruction Fuzzy Hash: 40012572A00215AFCF10EFB99D45AAE7BF5FF48300F150166E945E7191DAB09D40CB61
    APIs
    • GetStockObject.GDI32(00000011), ref: 005919C7
    • _memset.LIBCMT ref: 005919DD
    • GetObjectW.GDI32(?,0000005C,?), ref: 005919EE
    • CreateFontIndirectW.GDI32(?), ref: 005919FF
    Similarity
    • API ID: Object$CreateFontIndirectStock_memset
    • String ID:
    • API String ID: 1064234985-0
    • Opcode ID: 96e206b61e26183273d1f35852bba0541ef9671f2541c541f5d0533ff22b7428
    • Instruction ID: cce9879eaf09e6478672380db5dbccba7ca9d105b06cf2c9174a1301b8643cfb
    • Opcode Fuzzy Hash: 96e206b61e26183273d1f35852bba0541ef9671f2541c541f5d0533ff22b7428
    • Instruction Fuzzy Hash: 41019631600A19AFDF15AFA4DD09B9EBBBABF80705F140119A60597280DFB0AD05CBC5
    APIs
    • GetTopWindow.USER32(?), ref: 0054301E
    • GetTopWindow.USER32(00000000), ref: 0054305D
    • GetWindow.USER32(00000000,00000002), ref: 0054307B
    Similarity
    • API ID: Window
    • String ID:
    • API String ID: 2353593579-0
    • Opcode ID: 8de887bd58da975dfba989c6379643204c243beb49dae993945b12c197f42e61
    • Instruction ID: a5544e79bf0d21f2d8c4e31dbbcd892100f7e4570da11b0f6c70b97e8ac007f4
    • Opcode Fuzzy Hash: 8de887bd58da975dfba989c6379643204c243beb49dae993945b12c197f42e61
    • Instruction Fuzzy Hash: CF01E53200061ABBDF22AF919D0DEEE3F6ABF58395F044210FA1855070C736CA61EBA5
    APIs
    • GetMenuItemCount.USER32(00000000), ref: 005D73DD
    Similarity
    • API ID: CountItemMenu
    • String ID:
    • API String ID: 1409047151-0
    • Opcode ID: f3955aa5a0c49c4bc77b60bf62ebd36227517a3a19fe8e131e18e87e0939fccf
    • Instruction ID: 293f2d55408021af2cb5a4680335439fbe678ffcc7f6452389e3d42fde9f3536
    • Opcode Fuzzy Hash: f3955aa5a0c49c4bc77b60bf62ebd36227517a3a19fe8e131e18e87e0939fccf
    • Instruction Fuzzy Hash: 1001A77590410DBBDF229BADDC8496E7EA9FB4C341F204837E801D2310F630CD819A60
    APIs
    • GetDlgItem.USER32(?,?), ref: 00542705
    • GetTopWindow.USER32(00000000), ref: 00542718
      • Part of subcall function 005426F8: GetWindow.USER32(00000000,00000002), ref: 0054275F
    • GetTopWindow.USER32(?), ref: 00542748
    Similarity
    • API ID: Window$Item
    • String ID:
    • API String ID: 369458955-0
    • Opcode ID: 6cd4fb35f8bf9794064ef33f8124dd47dfac12a3f9294a46f80643509c84d721
    • Instruction ID: 6791cbcaffbad4f58010d566a2d2173e43d2d1ebcb9592a4dc04b7f9db2a772b
    • Opcode Fuzzy Hash: 6cd4fb35f8bf9794064ef33f8124dd47dfac12a3f9294a46f80643509c84d721
    • Instruction Fuzzy Hash: E0016236101A3AB7CF222F618D08EDF3E69FF993A9F458114FD1466120EB31C911E6A5
    APIs
    • WSAEventSelect.WS2_32(00000023,?,00000023), ref: 005334A6
    • WSAGetLastError.WS2_32 ref: 005334B1
      • Part of subcall function 00533E0C: timeGetTime.WINMM(00000001,?,00000001,?,005334D7,?,?), ref: 00533E23
      • Part of subcall function 00533E0C: InterlockedIncrement.KERNEL32(?), ref: 00533E32
      • Part of subcall function 00533E0C: InterlockedIncrement.KERNEL32(?), ref: 00533E3F
      • Part of subcall function 00533E0C: timeGetTime.WINMM(?,005334D7,?,?), ref: 00533E57
    • send.WS2_32(00000000,00000000,00000000,00000000), ref: 005334E0
    • WSAGetLastError.WS2_32 ref: 005334EB
    Similarity
    • API ID: ErrorIncrementInterlockedLastTimetime$EventSelectsend
    • String ID:
    • API String ID: 4019454066-0
    • Opcode ID: d512362c7ba9c4a61a06a1ce1e5d4371ef7e416c3a9dee790be0100eb239bdeb
    • Instruction ID: d0b2f7e3023719080b8fc6a0bea5661de26a2441e7977b4aaed9b4c3d4230821
    • Opcode Fuzzy Hash: d512362c7ba9c4a61a06a1ce1e5d4371ef7e416c3a9dee790be0100eb239bdeb
    • Instruction Fuzzy Hash: 940188702007019BDB609B7AEC48B56BFE5FF90721F500A19F2A3C69E0C771EA419B10
    APIs
    • InflateRect.USER32(?,00000002,00000002), ref: 00559DCF
    • InvalidateRect.USER32(?,?,00000001), ref: 00559DE0
    • UpdateWindow.USER32(?), ref: 00559DE9
    • SetRectEmpty.USER32(?), ref: 00559DF6
    Similarity
    • API ID: Rect$EmptyInflateInvalidateUpdateWindow
    • String ID:
    • API String ID: 3040190709-0
    APIs
    • InvalidateRect.USER32(?,?,00000001,?,?,00591922), ref: 00591529
    • InvalidateRect.USER32(?,?,00000001), ref: 0059154A
    • InvalidateRect.USER32(?,?,00000001,00000000), ref: 0059156F
    • UpdateWindow.USER32(?), ref: 0059157F
    Similarity
    • API ID: InvalidateRect$UpdateWindow
    • String ID:
    • API String ID: 488614814-0
    APIs
    • FindResourceW.KERNEL32(?,?,000000F0), ref: 005458E0
    • LoadResource.KERNEL32(?,00000000), ref: 005458EC
    • LockResource.KERNEL32(00000000), ref: 005458F9
    • FreeResource.KERNEL32(00000000,00000000), ref: 00545915
    Similarity
    • API ID: Resource$FindFreeLoadLock
    • String ID:
    • API String ID: 1078018258-0
    APIs
    • timeGetTime.WINMM(00000001,?,00000001,?,005334D7,?,?), ref: 00533E23
    • InterlockedIncrement.KERNEL32(?), ref: 00533E32
    • InterlockedIncrement.KERNEL32(?), ref: 00533E3F
    • timeGetTime.WINMM(?,005334D7,?,?), ref: 00533E57
    Similarity
    • API ID: IncrementInterlockedTimetime
    • String ID:
    • API String ID: 159728177-0
    APIs
    • ScreenToClient.USER32(?,?), ref: 0059985E
    • PtInRect.USER32(?,?,?), ref: 00599871
    • SetCapture.USER32(?), ref: 0059987E
    • RedrawWindow.USER32(?,00000000,00000000,00000401,00000000), ref: 0059989D
    Similarity
    • API ID: CaptureClientRectRedrawScreenWindow
    • String ID:
    • API String ID: 2178243973-0
    APIs
    Similarity
    • API ID: Parent$Focus
    • String ID:
    • API String ID: 384096180-0
    APIs
    • FindResourceW.KERNEL32(?,?,00000005), ref: 0053A99B
    • LoadResource.KERNEL32(?,00000000), ref: 0053A9A3
    • LockResource.KERNEL32(00000000), ref: 0053A9B0
    • FreeResource.KERNEL32(00000000,00000000,?,?), ref: 0053A9C8
    Similarity
    • API ID: Resource$FindFreeLoadLock
    • String ID:
    • API String ID: 1078018258-0
    APIs
    • EnterCriticalSection.KERNEL32(00000164,00000004,00533990,00000000,00000000,?,?,?,?,?,00534052,00000001,00000000,?,00000000,000000FF), ref: 005338E6
    • LeaveCriticalSection.KERNEL32(00000164,?,?,?,?,?,00534052,00000001,00000000,?,00000000,000000FF,00000000), ref: 005338F4
    • LeaveCriticalSection.KERNEL32(00000164,?,?,?,?,?,00534052,00000001,00000000,?,00000000,000000FF,00000000), ref: 0053392F
    • SetEvent.KERNEL32(?,?,?,?,?,?,00534052,00000001,00000000,?,00000000,000000FF,00000000), ref: 00533949
    Similarity
    • API ID: CriticalSection$Leave$EnterEvent
    • String ID:
    • API String ID: 3394196147-0
    APIs
      • Part of subcall function 00545B7D: ShowWindow.USER32(?,?,?,00541B96,00000001,?,00000000,?,?,00000064), ref: 00545B8E
    • UpdateWindow.USER32(?), ref: 006239B9
    • UpdateWindow.USER32(?), ref: 006239C5
    • SetRectEmpty.USER32(?), ref: 006239D1
    • SetRectEmpty.USER32(?), ref: 006239DA
    Similarity
    • API ID: Window$EmptyRectUpdate$Show
    • String ID:
    • API String ID: 1262231214-0
    APIs
    • GetTickCount.KERNEL32 ref: 0058C392
    • GetTickCount.KERNEL32 ref: 0058C39F
    • CoFreeUnusedLibraries.OLE32 ref: 0058C3AE
    • GetTickCount.KERNEL32 ref: 0058C3B4
      • Part of subcall function 0058C311: CoFreeUnusedLibraries.OLE32 ref: 0058C359
      • Part of subcall function 0058C311: OleUninitialize.OLE32 ref: 0058C35F
    Similarity
    • API ID: CountTick$FreeLibrariesUnused$Uninitialize
    • String ID:
    • API String ID: 685759847-0
    APIs
    Similarity
    • API ID: EmptyRect
    • String ID:
    • API String ID: 2270935405-0
    APIs
    • _free.LIBCMT ref: 00539769
      • Part of subcall function 00634D52: RtlFreeHeap.NTDLL(00000000,00000000,?,0063D74D,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1), ref: 00634D68
      • Part of subcall function 00634D52: GetLastError.KERNEL32(00000000,?,0063D74D,00000000,?,0063DBE9,?,00000001,?,?,0063FF61,00000018,0069BB48,0000000C,0063FFF1,?), ref: 00634D7A
    • __wcsdup.LIBCMT ref: 00539771
    • _free.LIBCMT ref: 0053977C
    • __wcsdup.LIBCMT ref: 00539784
      • Part of subcall function 0063688F: _wcslen.LIBCMT ref: 006368A5
      • Part of subcall function 0063688F: _calloc.LIBCMT ref: 006368B0
    Similarity
    • API ID: __wcsdup_free$ErrorFreeHeapLast_calloc_wcslen
    • String ID:
    • API String ID: 2928601483-0
    APIs
    Similarity
    • API ID: ClearVariant
    • String ID: (
    • API String ID: 1473721057-3887548279
    APIs
    Similarity
    • API ID: _memcmp
    • String ID: 0<h
    • API String ID: 2931989736-3954224151
    APIs
      • Part of subcall function 00570DA7: GetModuleHandleW.KERNEL32(DWMAPI,?,?,00000000,?,?,?,?,?,?,?,?,005D8F36), ref: 00570E1E
      • Part of subcall function 00570DA7: GetProcAddress.KERNEL32(00000000,DwmInvalidateIconicBitmaps), ref: 00570E2E
      • Part of subcall function 0055731F: __EH_prolog3.LIBCMT ref: 00557326
    • GetWindowRect.USER32(?,?), ref: 005711E0
    • SetWindowRgn.USER32(?,00000000,00000001), ref: 0057122D
    Similarity
    • API ID: Window$AddressH_prolog3HandleModuleProcRect
    • String ID:
    • API String ID: 2106468464-3916222277
    APIs
    • GetWindowRect.USER32(?,?), ref: 005751E5
    • SystemParametersInfoW.USER32(00000026,00000000,?,00000000), ref: 00575282
    Similarity
    • API ID: InfoParametersRectSystemWindow
    • String ID:
    • API String ID: 85510744-3916222277
    APIs
    • BringWindowToTop.USER32(00000000), ref: 00587DC5
    • BringWindowToTop.USER32(00000000), ref: 00587DCD
      • Part of subcall function 00545A26: GetWindowLongW.USER32(?,000000F0), ref: 00545A31
      • Part of subcall function 00545B7D: ShowWindow.USER32(?,?,?,00541B96,00000001,?,00000000,?,?,00000064), ref: 00545B8E
    Similarity
    • API ID: Window$Bring$LongShow
    • String ID: \g
    • API String ID: 1322630393-568947263
    APIs
    Similarity
    • API ID: H_prolog3_Parent
    • String ID: pe
    • API String ID: 383333065-324909747
    APIs
    • GetWindowRect.USER32(?,?), ref: 005E0899
    • KillTimer.USER32(?,00000002), ref: 005E08C8
    Similarity
    • API ID: KillRectTimerWindow
    • String ID:
    • API String ID: 1987732032-3916222277
    APIs
    • CoTaskMemFree.OLE32(00000000), ref: 005524CC
    • CoTaskMemFree.OLE32(?), ref: 005524D6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: FreeTask
    • String ID: TDh
    • API String ID: 734271698-1133001749
    APIs
    • IsChild.USER32(?,?), ref: 00554D2C
    • GetWindowLongW.USER32(?,000000EC), ref: 00554D43
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ChildLongWindow
    • String ID: 0
    • API String ID: 1178903432-4108050209
    APIs
    • __EH_prolog3.LIBCMT ref: 0057DE3B
      • Part of subcall function 0053B692: MoveToEx.GDI32(?,?,00000000,?), ref: 0053B6BC
      • Part of subcall function 0053B692: MoveToEx.GDI32(?,?,00000000,?), ref: 0053B6CD
      • Part of subcall function 0053B096: MoveToEx.GDI32(?,?,?,00000000), ref: 0053B0B3
      • Part of subcall function 0053B096: LineTo.GDI32(?,?,?), ref: 0053B0C2
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,00000000), ref: 0053BDA8
      • Part of subcall function 0053BD82: SelectObject.GDI32(?,?), ref: 0053BDBE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Move$ObjectSelect$H_prolog3Line
    • String ID: iii$iii
    • API String ID: 3726201289-3499908146
    APIs
    • GetClientRect.USER32(?,?), ref: 005821DB
    • RedrawWindow.USER32(?,00000000,00000000,00000105), ref: 0058228F
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClientRectRedrawWindow
    • String ID: pxf
    • API String ID: 804678526-3901195985
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Rect$Window
    • String ID: pxf
    • API String ID: 924285169-3901195985
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: __getptd_noexit
    • String ID: B
    • API String ID: 3074181302-1255198513
    APIs
    • __EH_prolog3.LIBCMT ref: 0061D3C3
      • Part of subcall function 0061B6D5: __EH_prolog3.LIBCMT ref: 0061B6DC
      • Part of subcall function 006313AE: __EH_prolog3.LIBCMT ref: 006313B5
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3
    • String ID: DLf$DLf
    • API String ID: 431132790-3810402303
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: EmptyH_prolog3_Rect
    • String ID: Afx:ToolBar
    • API String ID: 2941628838-177727192
    APIs
    • GetWindowRect.USER32(?,?), ref: 00582153
    • GetClientRect.USER32(?,?), ref: 0058216C
      • Part of subcall function 00545D83: SetWindowPos.USER32(?,00000000,00000064,?,?,?,?,?,0053A8C8,00000000,00000000,00000000,00000000,00000000,00000097,?), ref: 00545DAB
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: RectWindow$Client
    • String ID: pxf
    • API String ID: 3228027793-3901195985
    APIs
    • GetWindowRect.USER32(?,?), ref: 00583CBE
    • SendMessageW.USER32(00000000,00000085,00000000,00000000), ref: 00583CF6
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageRectSendWindow
    • String ID: pxf
    • API String ID: 2814762282-3901195985
    APIs
    • GetParent.USER32(?), ref: 0059C568
      • Part of subcall function 00545BA4: IsWindowEnabled.USER32(?), ref: 00545BAD
      • Part of subcall function 00554947: GetNextDlgGroupItem.USER32(?,?,?), ref: 0055495D
    • RedrawWindow.USER32(?,00000000,00000000,00000105,00000000,00000000,?,?,?,?,0059C762), ref: 0059C5C2
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$EnabledGroupItemNextParentRedraw
    • String ID: kf
    • API String ID: 2138113633-3337216669
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Window$Show
    • String ID: X'f
    • API String ID: 990937876-3824865298
    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CopyInfoMonitorRect
    • String ID: (
    • API String ID: 2119610155-3887548279
    APIs
      • Part of subcall function 00541C91: GetModuleHandleW.KERNEL32(?,?,00541D79,InitCommonControlsEx,00000000,?,00542B1D,00080000,00008000,?,?,0054584C,00000064,00080000,?), ref: 00541C9F
      • Part of subcall function 00541C91: LoadLibraryW.KERNEL32(?,?,00541D79,InitCommonControlsEx,00000000,?,00542B1D,00080000,00008000,?,?,0054584C,00000064,00080000,?), ref: 00541CAF
    • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 0056AED5
    • _memset.LIBCMT ref: 0056AEEE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: AddressHandleLibraryLoadModuleProc_memset
    • String ID: DllGetVersion
    • API String ID: 3385804498-2861820592
    APIs
    • SendMessageW.USER32(?,00001200,00000000,00000000), ref: 0058D2B5
    • SendMessageW.USER32(00000000,0000101C,00000000,00000000), ref: 0058D2CA
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: MessageSend
    • String ID: 4f
    • API String ID: 3850602802-4224361222
    APIs
    • __EH_prolog3.LIBCMT ref: 00594311
      • Part of subcall function 00534EC8: __EH_prolog3_catch.LIBCMT ref: 00534EE7
    • ~_Task_impl.LIBCPMT ref: 0059439B
      • Part of subcall function 005CBC93: __EH_prolog3.LIBCMT ref: 005CBC9A
      • Part of subcall function 006111C2: __EH_prolog3.LIBCMT ref: 006111C9
      • Part of subcall function 006111C2: ~_Task_impl.LIBCPMT ref: 006111F1
      • Part of subcall function 005C406B: __EH_prolog3.LIBCMT ref: 005C4072
      • Part of subcall function 00542E47: __EH_prolog3.LIBCMT ref: 00542E4E
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3$Task_impl$H_prolog3_catch
    • String ID: 4Lf
    • API String ID: 4186658647-608063546
    APIs
    • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 005377CC
    • PathFindExtensionW.SHLWAPI(?), ref: 005377E2
      • Part of subcall function 005375CE: GetProcAddress.KERNEL32(00000000,GetThreadPreferredUILanguages), ref: 00537613
      • Part of subcall function 005375CE: _memset.LIBCMT ref: 0053763F
      • Part of subcall function 005375CE: _wcstoul.LIBCMT ref: 00537687
      • Part of subcall function 005375CE: _wcslen.LIBCMT ref: 005376A8
      • Part of subcall function 005375CE: GetUserDefaultUILanguage.KERNEL32 ref: 005376B8
      • Part of subcall function 005375CE: ConvertDefaultLocale.KERNEL32(?), ref: 005376DF
      • Part of subcall function 005375CE: ConvertDefaultLocale.KERNEL32(?), ref: 005376EE
      • Part of subcall function 005375CE: GetSystemDefaultUILanguage.KERNEL32 ref: 005376F7
      • Part of subcall function 005375CE: ConvertDefaultLocale.KERNEL32(?), ref: 00537713
      • Part of subcall function 005375CE: ConvertDefaultLocale.KERNEL32(?), ref: 00537722
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: Default$ConvertLocale$Language$AddressExtensionFileFindModuleNamePathProcSystemUser_memset_wcslen_wcstoul
    • String ID: %s%s.dll
    • API String ID: 1415830068-1649984862
    APIs
    • __EH_prolog3.LIBCMT ref: 005A4FD2
    • RegisterClipboardFormatW.USER32(00000010), ref: 005A501B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: ClipboardFormatH_prolog3Register
    • String ID: ToolbarButton%p
    • API String ID: 1070914459-899657487
    • Opcode ID: 15fc1a541d6ca23493147dd7976f37e352a2dd1d9b4a2f6a49f6abc734fcb5be
    • Instruction ID: 1874d553b3c5c3a25b8a644dfbf5e0bb5578c4bf5f320cdcd59bddf6492cbb1a
    • Opcode Fuzzy Hash: 15fc1a541d6ca23493147dd7976f37e352a2dd1d9b4a2f6a49f6abc734fcb5be
    • Instruction Fuzzy Hash: 83F08CB48006128ACF10FFA0EC09EAD7B65BF11314F04651AF01063292EB786948CF96
    APIs
      • Part of subcall function 00546A4D: __EH_prolog3.LIBCMT ref: 00546A54
    • GetCurrentThreadId.KERNEL32 ref: 00544437
    • SetWindowsHookExW.USER32(00000005,005441F7,00000000,00000000), ref: 00544447
      • Part of subcall function 00536451: __CxxThrowException@8.LIBCMT ref: 00536467
      • Part of subcall function 00536451: __EH_prolog3.LIBCMT ref: 00536474
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: H_prolog3$CurrentException@8HookThreadThrowWindows
    • String ID: ,nj
    • API String ID: 1415497866-2551163129
    • Opcode ID: 6a2866466bbe41d0d2a873cd4b461f730beb8cd98721c39b67a38edc6a690f2f
    • Instruction ID: 43420f9a07ed943e7239098011cbc67aa7f7b006dddf5b5d561588c76c78feb0
    • Opcode Fuzzy Hash: 6a2866466bbe41d0d2a873cd4b461f730beb8cd98721c39b67a38edc6a690f2f
    • Instruction Fuzzy Hash: 96F02731A80701A7CF306FD2A809B577FA9FBC0B66F04012DF71546540CAB0D8008AB2
    APIs
    • EnterCriticalSection.KERNEL32(006A8878,?,?,?,?,00546AB4,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 005465EE
    • TlsGetValue.KERNEL32(006A885C,?,?,?,?,00546AB4,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546602
    • LeaveCriticalSection.KERNEL32(006A8878,?,?,?,?,00546AB4,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546618
    • LeaveCriticalSection.KERNEL32(006A8878,?,?,?,?,00546AB4,?,00000004,00541F59,0053646D,?,00535501,434C7695), ref: 00546623
    Memory Dump Source
    • Source File: 00000000.00000002.2914318734.0000000000531000.00000020.00000001.01000000.00000003.sdmp, Offset: 00530000, based on PE: true
    • Associated: 00000000.00000002.2914301211.0000000000530000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914414421.000000000065A000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A0000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914461166.00000000006A8000.00000004.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.00000000006B1000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000820000.00000002.00000001.01000000.00000003.sdmp
    • Associated: 00000000.00000002.2914491411.0000000000823000.00000002.00000001.01000000.00000003.sdmp
    Joe Sandbox IDA Plugin
    • Snapshot File: hcaresult_0_2_530000_51FZ8pgLbe.jbxd
    Similarity
    • API ID: CriticalSection$Leave$EnterValue
    • String ID:
    • API String ID: 3969253408-0
    • Opcode ID: ac36c9cd8a6a2a04c0abbf8a3f5bf20adb58ddcd3b4783a39e8cd41c822147e9
    • Instruction ID: cb394d75e9de8219cd84ac9a1ce33c5a936077886ab6f6549c6a768a7d094389
    • Opcode Fuzzy Hash: ac36c9cd8a6a2a04c0abbf8a3f5bf20adb58ddcd3b4783a39e8cd41c822147e9
    • Instruction Fuzzy Hash: 0DF054762003049FC720AF98DC4CD967FEEFA85365B1A5915E44593115D670F8058A62